Global PAT with static NAT on PIX 6.3

Dustin Harrig · ‎06-08-2012

I am having issues getting this to work. For email, I have mail.xxx.xxx DNS'd to 165.165.165.165. I want it to come in to 10.1.0.31. It needs to go out a cluster of 10.1.0.31, 10.1.0.34, or 10.101.201.31 but look like it came from the 165.165.165.165 address. I have set up static NAT for the inbound. I have set up the global PAT with an ACL group of the 10.xxx addresses. I have set this same method up on an ASA with no issues but it doesn't want to work on the PIX 6.3. What am I missing?

no fixup protocol smtp 25

object-group service NewExchange tcp

port-object eq https

port-object eq smtp

port-object eq 587

access-list inbound remark Exchange

access-list inbound permit tcp any host 165.165.165.165 object-group NewExchange

access-list mail permit ip host 10.1.0.31 any

access-list mail permit ip host 10.1.0.34 any

access-list mail permit ip host 10.101.201.31 any

global (outside) 1 interface

global (outside) 2 165.165.165.165

nat (inside) 2 access-list mail 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 165.165.165.165 10.1.0.31 netmask 255.255.255.255 0 0

access-group inbound in interface outside

If I am on 10.0.0.34 with this set up ... i lose internet connectivity.

If I remove the "nat (inside) 2 access-list mail 0 0" line .... i restore connectivity but it becomes the ip address of the interface in global 1.

any thoughts?

Jennifer Halim · ‎06-08-2012

You can't configure the same global address on static NAT and PAT.

You can however configure static PAT for your mail as follows:

static (inside,outside) tcp 165.165.165.165 25 10.1.0.31 25 netmask 255.255.255.255 0 0

Here is the command reference to confirm the correct behaviour:

http://www.cisco.com/en/US/partner/docs/security/pix/pix63/command/reference/s.html#wp1026694

(--> check out the explaination under "global_ip" column)