NAT design help for 515E

We have a PIX515E on software 8.0(4).  We are in the process of upgrading our mail gateway and I need to modify our NAT statement to facilitate traffic.  Here is the scenario:  The mail gateway has an inbound and outbound interface on the same private subnet.  Incoming mail-flow will translate from <public address A>:25 to <incoming gateway interface 1>:25.  Outgoing mail-flow will translate from <outgoing gateway interface 2>:25 to <public address A>:25.   Is it possible to create a Dynamic Policy NAT rule to establish communication?  Thanks.

3 REPLIES

Re: NAT design help for 515E

Hi,

Since this is a server, I will recommend a STATIC NAT instead of dynamic NAT.

Will this work for you?

Federico.

Re: NAT design help for 515E

A static NAT using PAT was my original approach.  I could set this up easily for incoming mail.  The problem is dealing with the outgoing interface on the mail gateway.  This interface has a different private IP, but is also using port 25.  I am not sure how the PIX would translate outgoing mail (from this second interface) on the same public IP (as incoming).

Re: NAT design help for 515E

RegionDist19 wrote:

A static NAT using PAT was my original approach.  I could set this up easily for incoming mail.  The problem is dealing with the outgoing interface on the mail gateway.  This interface has a different private IP, but is also using port 25.  I am not sure how the PIX would translate outgoing mail (from this second interface) on the same public IP (as incoming).

You can't map the same public IP on the same port to 2 different private IPs on the same port because the pix will have no way of knowing which IP to send the traffic to on an incoming connection from the Internet.

It just can't be done that way.

Jon
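The static PAT for the inbound side, and the overlapping second static that Jon's reply rules out, written out in PIX 8.0(4) syntax. This is an added illustration, not configuration from the thread; the addresses are placeholders (203.0.113.10 for <public address A>, 192.168.10.11 and 192.168.10.12 for the two gateway interfaces, interface names "inside"/"outside" and ACL name "outside_in" assumed).

```cisco
! Placeholder addresses: 203.0.113.10 stands in for <public address A>,
! 192.168.10.11 for <incoming gateway interface 1>, 192.168.10.12 for
! <outgoing gateway interface 2>.
!
! Inbound mail: static PAT mapping TCP/25 on the public address to interface 1.
static (inside,outside) tcp 203.0.113.10 25 192.168.10.11 25 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 25
access-group outside_in in interface outside
!
! A second static for the same public IP and port, pointing at interface 2,
! overlaps the first and the PIX rejects it: an inbound SYN to 203.0.113.10:25
! can only be delivered to one inside host, which is the point of Jon's reply.
! static (inside,outside) tcp 203.0.113.10 25 192.168.10.12 25 netmask 255.255.255.255
```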
