Cisco Support Community

Static Policy NAT problems

Hi all,

I've got a problem - a LONG one... Policy (Static) NAT. Pix 515e running 7.2(1)24. Can't really get my head round the ASDM GUI; I use it but find it un-illuminating, so I'll describe this situation using CLI output.

I've got a Svr (unfortunately MS, as I know this problem could be easily fixed on a Linux box) that sits in a DMZ and intended functions are Mail Relay and DNS (SOA). Originally tried a real (for mail) and a sub-interface (for DNS), we could use a secondary NIC but I don't see that fixing this problem.

Real: to xlate to (

Sub: to xlate to (

Obviously it needs to be accessible from outside, so Statics are the way to go. Easily done you say, one-to-one, no probs. But remember I'm dealing with a Windoze Svr and even though you can set up DNS to use a particular address ( when lookups come in they are replied to using the primary address.

So someone outside does an nslookup to (, it gets xlated to, so far so good. But the reply from the server has src, which gets xlated to on the way back (sets up its own connection slot) and the original host doing the lookup says "no thank-you" to the reply.

As I have said this is a Windoze fault but I have to make it work on the FW.

So I use Static Policy NAT because it is said that the same internal host can be xlated to different external addresses based on ACL policy. My thought process being that I just accept that the Windoze box is going to reply from the same real address anyway.

Attached are some relevant snips from my config (IPs changed to protect the innocent), the "sh xlate" output, and the syslog messages for good measure.

Thanks for your time, and any help much appreciated.



Re: Static Policy NAT problems

Sounds like you're making it more difficult than it needs to be. Why not just do...

static (DMZ,outside) tcp smtp smtp netmask

static (DMZ,outside) udp domain domain netmask

access-list OUTSIDE extended permit udp any host eq domain

access-list OUTSIDE extended permit tcp any host eq smtp


Re: Static Policy NAT problems

Hmm ... Looks like I might have been making it more difficult than it needs to be. Was hoping it would be something like that rather than insufficient complexity - makes documentation easier :)

Reason I got that far was because I'm pretty sure I tried that earlier, but still could not do nslookups to Unfortunately I still can't. But the captures I've been doing look like it is working.

Telnetting to ports 25 and 53 from outside works fine, so that is a good sign. UDP-53 for nslookups, as I say, looks good on the capture and on the access-lists.

On the syslog when trying an nslookup with as server I do get build and teardown of udp-53 but I also get:

002pix %PIX-6-106100: access-list OUTSIDE denied icmp outside/ -> DMZ/ hit-cnt 1 first hit [0xb74026ad, 0x0]

I then enabled ICMP to and my new syslog msg is:

002pix %PIX-4-313005: No matching connection for ICMP error message: icmp src outside: dst (type 3, code 3) on outside interface. Original IP payload: udp src dst

Nevertheless this is definitely progress and I thank you for that. It's possible there could be residual issues on the Windows DNS side, which I'll get those admins to look into tomorrow.

Thanks again,



Re: Static Policy NAT problems

Back to the same problem. Just to restate:
On a PIX-515e running Ver 7.2(1)24

I have one DMZ host - - running mail-relay and DNS (SOA)

I want to NAT smtp traffic to (resolved) mx1.blah, and I want to NAT dns (both tcp-53 and udp-53, as zone transfers are involved) to ns1.blah.

Closest I can get is:

static (DMZ,outside) tcp mx1.blah smtp smtp netmask

static (DMZ,outside) ns1.blah netmask

... but this does not work completely. Although from the outside I can connect to mx1.blah on tcp-25 and to ns1.blah on tcp-53, and I can do nslookups using ns1.blah as server, all outbound smtp traffic gets NATed to ns1.blah and not mx1.blah.

I've tried many other options. I won't put them all down here but will let you know if I've tried any suggestions you can offer.

Is it possible? Any help much appreciated.
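As an added illustration (not from the thread, and not Cisco code), a small Python model of how the two statics in the post above map addresses. It assumes the usual rule that a port-specific static only claims packets whose real-side port is the configured port, so the server's own outbound SMTP sessions, which leave from ephemeral source ports, fall through to the full static for ns1.blah. The names mx1.blah and ns1.blah come from the post; the address values are constructed placeholders, since the thread's IPs were removed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholder addresses; the thread's real IPs were stripped.
REAL = "10.1.1.10"       # the single DMZ host (mail relay + DNS)
MX1 = "203.0.113.25"     # mx1.blah
NS1 = "203.0.113.53"     # ns1.blah


@dataclass
class Static:
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None      # "tcp"/"udp" for a port-specific static
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


# The two statics from the last post, in configured order:
#   static (DMZ,outside) tcp mx1.blah smtp <real> smtp netmask ...
#   static (DMZ,outside) ns1.blah <real> netmask ...
STATICS = [
    Static(REAL, MX1, "tcp", 25, 25),
    Static(REAL, NS1),
]


def outbound(src_ip: str, src_port: int, proto: str) -> Tuple[str, int]:
    """Translate the real source of a DMZ-initiated packet (simplified model)."""
    for s in STATICS:
        if s.real_ip != src_ip:
            continue
        if s.proto is None:                       # full static: any port
            return (s.mapped_ip, src_port)
        if s.proto == proto and s.real_port == src_port:
            return (s.mapped_ip, s.mapped_port)   # port static: only its port
    return (src_ip, src_port)                     # untranslated


def inbound(dst_ip: str, dst_port: int, proto: str) -> Optional[Tuple[str, int]]:
    """Untranslate the mapped destination of an outside-initiated packet."""
    for s in STATICS:
        if s.mapped_ip != dst_ip:
            continue
        if s.proto is None:
            return (s.real_ip, dst_port)
        if s.proto == proto and s.mapped_port == dst_port:
            return (s.real_ip, s.real_port)
    return None                                   # no static covers it: dropped
```

Running it shows the poster's symptom: inbound to mx1.blah:25 and ns1.blah:53 both reach the real host, but a server-initiated SMTP connection from an ephemeral port is sourced as ns1.blah.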
