Cisco Pix 506e static nat

acsmtrubee · ‎04-26-2007

Can you help with what seems to be a simple configuration issue?

I am trying to get my static NAT to work from outside to inside.

Cisco 506e v. 6.2(2)

External address x.x.x.x nat'ted to internal address x.x.x.x for SMTP traffic.

Internal address is mail servers and can be accessed on internally on port 25.

This is PIX is also used for some outbound internet access as well.

(though external access testing is being done through a different external link).

Any help would be greatly appreciated.

thanks,

Mike

Here is my running config.

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname XXXFWL001

domain-name XXX.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list internet-in permit ip any any

access-list mkt-out permit tcp host 10.20.20.10 any eq domain

access-list mkt-out permit udp host 10.20.20.10 any eq domain

access-list mkt-out deny tcp any 216.178.32.0 255.255.240.0

access-list mkt-out deny tcp any 204.16.32.0 255.255.252.0

access-list mkt-out deny tcp any 67.134.143.0 255.255.255.0

access-list mkt-out permit ip any any

access-list smtp permit tcp any host 20.20.20.20 eq smtp

pager lines 24

logging buffered debugging

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 20.x.x.18 255.255.255.x

ip address inside 10.20.31.222 255.255.255.224

ip audit info action alarm

ip audit attack action alarm

pdm location 10.20.20.10 255.255.255.255 inside

pdm location 10.20.20.30 255.255.255.255 inside

pdm location 10.20.20.35 255.255.255.255 inside

pdm location 10.20.0.0 255.255.0.0 inside

pdm location 67.134.143.0 255.255.255.0 outside

pdm location 204.16.32.0 255.255.252.0 outside

pdm location 216.178.32.0 255.255.240.0 outside

pdm location 10.20.20.55 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 10.20.0.0 255.255.0.0 0 0

static (inside,outside) 20.20.20.20 10.20.20.55 netmask 255.255.255.255 0 0

access-group smtp in interface outside

access-group mkt-out in interface inside

route outside 0.0.0.0 0.0.0.0 20.20.20.17 1

route inside 10.20.0.0 255.255.0.0 10.20.31.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 10.20.20.35 xxxxxx timeout 10

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console TACACS+

http server enable

http 10.20.0.0 255.255.0.0 inside

snmp-server host inside 10.20.20.30

snmp-server location MKT

snmp-server contact chris@xxx.com

snmp-server community acs

no snmp-server enable traps

floodguard enable

no sysopt route dnat

telnet 10.20.0.0 255.255.0.0 inside

telnet timeout 15

ssh timeout 5

terminal width 80

: end

acomiskey · ‎04-26-2007

Looks ok, what's not working? With that config you should be able to access 20.20.20.20 from the outside on tcp 25.

Jon Marshall · ‎04-26-2007

Hi

As Adam said, config looks good. Your smtp server 10.20.20.55 is on a different subnet than your inside interface.

Your pix has a route to 10.20.0.0 network. Does the smtp server know how to route back ie do you have a default route that sends traffic to the pix as the source IP addresses will be public addresses from the internet.

HTH

Jon