Cisco Support Community
New Member

Port translation question


I'm trying to set up PAT for an SMTP server which I'm told can only run on the standard port 25 on the server. However, as this is blocked by many ISPs, I've been asked to set up a translation on the firewall (PIX 525 running software v 8.04) for traffic coming in towards the server on port 225 to 25, which is fine and I'm able to do this. However, it also needs to still accept connections on 25, which is where I'm running into problems.

A static translation such as the following stops port 25 being reachable directly, because the PIX is translating the source port to 225 for return traffic, so although it is reachable on port 225 it's not reachable on 25 because of this command.

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 smtp netmask

Any advice on how to PAT but also not PAT would be appreciated.




Re: Port translation question


As you mentioned this is not going to work, because when the PIX receives the reply back
from port 25 it knows it should send it out using port 225.

If you add another statement for example:

static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask

Then, the PIX will not know when returning the traffic from port 25 to which port to send it.
Port 225 or port 25?

The alternatives are not to use PAT, but to use a regular static NAT (if possible):

static (inside,outside) 217.*.1.43 217.*.1.43 netmask

Or make the server listen itself on port 225 as well, so you can have on the PIX:

static (inside,outside) tcp 217.*.1.43 225 217.*.1.43 225 netmask
static (inside,outside) tcp 217.*.1.43 smtp 217.*.1.43 smtp netmask


New Member

Re: Port translation question


Ok, so there is no real way of doing this then on the firewall? With the real and another port on the outside mapped to the real port on the inside.



On Tue, Mar 16, 2010 at 1:13 AM, coto.fusionet <

Cisco Employee

Re: Port translation question


If you want to allow both ports 225 and 25 to be open at the same time for the server, the best way is to use a simple static translation rule:

static(in,out)   netmask

And now if you wish to restrict access to the server to only the above mentioned ports, you can make use of extended ACLs with port numbers (25 and 225).
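Putting the two replies together (the per-port identity statics from the first reply, with the server also listening on 225, plus the ACL restriction suggested here), as an added PIX 8.0 configuration example that is not from the thread; 203.0.113.43 is a placeholder for the masked 217.*.1.43 and the ACL name outside_in is an assumption.

```cisco
! Added example, not from the thread. 203.0.113.43 stands in for the
! masked 217.*.1.43; the server is assumed to listen on both 25 and 225.
! Identity static PAT per port: no port rewrite on either rule, so the
! PIX never has to guess which outside port a port-25 reply belongs to.
static (inside,outside) tcp 203.0.113.43 smtp 203.0.113.43 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.43 225 203.0.113.43 225 netmask 255.255.255.255
! Only expose the two SMTP listener ports from the outside (ACL name is assumed)
access-list outside_in extended permit tcp any host 203.0.113.43 eq smtp
access-list outside_in extended permit tcp any host 203.0.113.43 eq 225
access-group outside_in in interface outside
```

After applying, "show xlate" should list both static entries and "show access-list outside_in" should show hit counts on each port line as connections arrive.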



New Member

Re: Port translation question


Thanks, but the server only has SMTP running on port 25. I was trying to allow connections on 25 to get through untranslated, while connections coming in to port 225 are translated to port 25 at the same time.


Chris Gray

On 16 Mar 2010, at 05:22, vijayalaxmi1
