PIX - SMTP Inbound and Outbound From Different Internal IPs

paramanager · ‎11-25-2006

We want to port-forward SMTP traffic from a public IP to an anti-spam appliance on our private network and also allow our internal Exchange server, on the same private network, to send outbound from the same public IP address.

We use a single public IP for SMTP. The Pix 515e is configured to port-forward SMTP traffic to an anti-spam appliance on our private network.

static (inside,outside) tcp 205.x.x.211 smtp 10.x.x.250 smtp netmask 255.255.255.255 0 0

We have a second public IP, using PAT, to route the rest of the network to the Internet at 205.x.x.216. We added a static route to map SMTP outbound from the Exchage server to the 205.x.x.211 outside address.

static (outside,inside) tcp 10.x.x.7 smtp 205.x.x.211 smtp netmask 255.255.255.255 0 0

the problem is that the SMTP traffic from the Exchange server is appearing on the 205.x.x.216 address instead of the 205.x.x.211 address. Can someone point me in the right direction to resolve this issue?

zubairjalal · ‎11-25-2006

A good approach will be to put something like this

nat (inside) 20 10.x.x.7

global (outside) 20 205.x.x.211

--pls rate if useful--

paramanager · ‎11-26-2006

Thanks for the config info. We decided that what we were attempting was too complicated and simplified the arrangement. The Exchange server now uses the spam appliance (10.x.x.250) as a smart host. We used your suggestion and mapped a static NAT between the outside interface (x.x.x.211) and the appliance (10.x.x.250).

static (inside,outside) 205.x.x.211 10.x.x.250 netmask 255.255.255.255 0 0

Then we added a rule to the outside acl to permit only SMTP traffic on the above mapping. It's working very well.