Cisco Support Community
Community Member

PIX Routing Question

I currently have an Exchange server on the private side of my network and had a static route in my PIX so it could be tied to a public IP. Recently I decided that I wanted to take the public IP that I was using for my mail server and direct HTTPS traffic on that IP to my Exchange server and SMTP traffic to a mail relay in the DMZ. Everything was working fine, but some messages were being bounced back. Inbound SMTP traffic was coming in on the correct IP address, but outbound SMTP traffic was going out on the IP that is used for NAT. Since that IP does not match the IP of the FQDN that is used for mail, messages were being kicked back. Anyone know how to fix this?

7 REPLIES
Community Member

Re: PIX Routing Question

It seems that inbound mail is going to the mail relay then to the exchange box but outbound is going out from the exchange box bypassing the mail relay. Can you verify that outbound mail goes from the exchange box to the mail relay box then out?

Community Member

Re: PIX Routing Question

Thank you for your reply! Outbound mail from the Exchange server is going through the mail relay. I had the Exchange server configured to use the mail relay as a smart host.

Community Member

Re: PIX Routing Question

I am more inclined to think that it is a static route issue. Do you have a static route statement (inside, outside)?

I thought the general rule of thumb on a PIX is that static routes override NAT.

Community Member

Re: PIX Routing Question

Before I started making changes I had a standard static statement, private to a public. Below is the change I made when I added in the relay:

static (dmz,outside) tcp 24.75.xxx.xxx smtp 172.50.1.8 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 24.75.xxx.xxx https 10.10.2.8 https netmask 255.255.255.255 0 0

When I made this change, HTTPS traffic and SMTP traffic came in fine, but when the SMTP relay attempted to make an outbound connection, it did not use 24.75.xxx.xxx. Instead it used the IP that is used for NAT. I want it to use 24.75.xxx.xxx and not the NAT IP.

When I took the relay out and opened Exchange to the outside on port 25 I used the following static:

static (inside,outside) 24.75.xxx.xxx 10.10.2.8 netmask 255.255.255.255 0 0

When this is in place all outbound traffic on port 25 appears like it is coming from 24.75.xxx.xxx, which is what I want to happen.

Thanks for all of your replies!
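The post above shows the symptom but not the mechanism. The model below is an added example, not code from the thread or from Cisco: it parses the two PIX configurations the poster described (a port-redirection static pair versus a one-to-one static) and applies a simplified version of the PIX translation order, statics first, then the nat/global pair for the interface. Everything else is assumed for illustration: the public addresses come from the 203.0.113.0/24 documentation range in place of 24.75.xxx.xxx, the nat/global lines are constructed, and the matching logic ignores access-list-based nat 0, policy NAT and PAT port allocation.

```python
"""Simplified model of how a PIX chooses the outside address for a connection.

Added example; the real xlate logic has more cases than this. Addresses and the
nat/global lines are constructed, not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "http": 80}

# Constructed: the poster's port-redirection setup. One public IP, port 25 to
# the DMZ relay, port 443 to the inside Exchange box, dynamic NAT for the rest.
PORT_STATIC_CONFIG = """
static (dmz,outside) tcp 203.0.113.10 smtp 172.50.1.8 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 https 10.10.2.8 https netmask 255.255.255.255 0 0
nat (inside) 1 10.10.0.0 255.255.0.0
nat (dmz) 1 172.50.1.0 255.255.255.0
global (outside) 1 203.0.113.20
"""

# Constructed: the poster's original setup, a one-to-one static for Exchange.
ORIGINAL_FULL_STATIC_CONFIG = """
static (inside,outside) 203.0.113.10 10.10.2.8 netmask 255.255.255.255 0 0
nat (inside) 1 10.10.0.0 255.255.0.0
global (outside) 1 203.0.113.20
"""


@dataclass
class Static:
    local_if: str
    global_if: str
    proto: Optional[str]        # None for a one-to-one static
    global_ip: str
    global_port: Optional[int]
    local_ip: str
    local_port: Optional[int]


@dataclass
class Nat:
    local_if: str
    nat_id: int
    net: str
    mask: str


@dataclass
class Global:
    global_if: str
    nat_id: int
    ip: str


Config = Tuple[List[Static], List[Nat], List[Global]]


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def parse_config(text: str) -> Config:
    """Parse the static / nat / global lines used by this model; other lines are ignored."""
    statics, nats, globals_ = [], [], []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "static":
            local_if, global_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):   # port redirection form
                statics.append(Static(local_if, global_if, tok[2], tok[3], _port(tok[4]),
                                      tok[5], _port(tok[6])))
            else:                          # one-to-one form
                statics.append(Static(local_if, global_if, None, tok[2], None, tok[3], None))
        elif tok[0] == "nat":
            nats.append(Nat(tok[1].strip("()"), int(tok[2]), tok[3], tok[4]))
        elif tok[0] == "global":
            globals_.append(Global(tok[1].strip("()"), int(tok[2]), tok[3]))
    return statics, nats, globals_


def _in_net(ip: str, net: str, mask: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def translate_outbound(cfg: Config, local_if: str, src_ip: str, src_port: int,
                       proto: str = "tcp") -> Optional[str]:
    """Outside source address for a connection the host opens itself."""
    statics, nats, globals_ = cfg
    # A static wins, but a port static only covers its own protocol and local port.
    # An outbound SMTP session has an ephemeral source port, so it does not match.
    for s in statics:
        if s.local_if != local_if or s.local_ip != src_ip:
            continue
        if s.proto is None or (s.proto == proto and s.local_port == src_port):
            return s.global_ip
    # Otherwise the dynamic nat/global pair for that interface supplies the address.
    for n in nats:
        if n.local_if == local_if and _in_net(src_ip, n.net, n.mask):
            for g in globals_:
                if g.nat_id == n.nat_id and g.global_if == "outside":
                    return g.ip
    return None


def translate_inbound(cfg: Config, dst_ip: str, dst_port: int,
                      proto: str = "tcp") -> Optional[Tuple[str, str]]:
    """(interface, host) that receives a connection aimed at a public address/port."""
    statics, _, _ = cfg
    for s in statics:
        if s.global_ip != dst_ip:
            continue
        if s.proto is None or (s.proto == proto and s.global_port == dst_port):
            return (s.local_if, s.local_ip)
    return None


if __name__ == "__main__":
    port_cfg = parse_config(PORT_STATIC_CONFIG)
    print("inbound :25  ->", translate_inbound(port_cfg, "203.0.113.10", 25))
    print("inbound :443 ->", translate_inbound(port_cfg, "203.0.113.10", 443))
    print("relay outbound from ephemeral port ->",
          translate_outbound(port_cfg, "dmz", "172.50.1.8", 50123))
    full_cfg = parse_config(ORIGINAL_FULL_STATIC_CONFIG)
    print("exchange outbound under one-to-one static ->",
          translate_outbound(full_cfg, "inside", "10.10.2.8", 50123))
```

Run against the port-static configuration the model reproduces the thread's symptom: inbound port 25 and 443 land on the right hosts, but the relay's own outbound session (source port 50123, not 25) matches no static and picks up the global pool address. Under the one-to-one static, every port from the Exchange box is sourced from the public address, which is what the poster saw before the change. On a real PIX the same question is answered by `show xlate` while an outbound session is open; the model suggests that a one-to-one static for the relay on the dmz interface would keep its source address, but whether that can share the public IP with the https port static is something to confirm on the firewall itself.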

Community Member

Re: PIX Routing Question

Do you have a nat statement on your DMZ interface?

We do not NAT, but I still have to have the no-NAT statement on each interface of our PIX. Also, we have two DMZs on our PIX, and because the DMZ is on a lower security level than the inside, we have to route DMZ traffic to the inside first for it to pass out the outside interface.

Community Member

Re: PIX Routing Question

Also, when we implemented the DMZs, we removed all statics and use the access-group ACLs. That was at the advisement of our Cisco tech rep due to how our network is set up. We found it was the best way to make the DMZs work.

So....basically our config has no static routes, and the config looks like this (we do not NAT, that is why there are no_nat statements):

nat (inside) 0 access-list no_nat1

nat (DMZ_WEB) 0 access-list no_nat2

nat (DMZ_VPN) 0 access-list no_nat3

access-group acl-outside-in in interface outside

access-group acl-inside-out in interface inside

access-group acl-DMZ_WEB-in in interface DMZ_WEB

access-group acl-DMZ_VPN-in in interface DMZ_VPN

Community Member

Re: PIX Routing Question

Thanks for the response! I'm going to try to replicate the problem later this week and play with the config. Hopefully I will be able to make some progress.
