
NAT on a PIX501 Firewall

donshawcase, Level 1

I have a PIX 501 and I seem to be having difficulties setting up NAT between my outside and inside interface. I want to pass port 21 and port 25 traffic via the external IP address to an internal server, but when I configure the NAT and policy the firewall freezes or traffic is not passed.

I use the following process:

1) Enter a new policy for, say, port 25 traffic between the outside and inside interface (specific address):

(outside Any -> inside 192.168.0.5)

2) The wizard in the ADM prompts for the creation of a NAT entry. I enter the interface details and the NAT is created and the policy appears.

The ADM often freezes at this point, or if it does not, I cannot telnet on port 25 to my SMTP server, which is my usual test.

Does anyone have any suggestions?

Regards, Don.

3 Replies

Not applicable

To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.

For regular dynamic NAT:

nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

For policy dynamic NAT and NAT exemption:

nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]

no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]

Try:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

canowlin, Level 1

Don-

Look for the PDF on the CCO. The thing you're looking for is Port Forwarding. With that, any inbound traffic headed for those ports will hit your email server. If you need more help, email me; I think I might have an example somewhere, but the PDF will help you more. If you have the address space, static NAT is best for you.

Hope this helps!

cnowlin

pcauto123, Level 1

Allow the traffic through on the access-list for the outside interface.

access-list 101 permit tcp any host 64.128.161.xxx eq smtp

Set up a static for that traffic/host pair:

static (inside,outside) tcp 64.128.161.xxx pop3 192.168.5.38 pop3 netmask 255.255.255.255 0 0

I know this works at the CLI. Not sure about the GUI.

Let the server inside still participate in the NAT scheme since there will still be outbound traffic.
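One way to sanity-check a PIX 6.x NAT configuration of the kind discussed in the first and last replies, as an added example that is not code from this thread or from Cisco: the script below parses nat/global pairs (the dynamic NAT the first reply quotes) together with access-list/static pairs (the port forwarding the last reply shows) and reports the two failure modes that produce exactly the symptom in the question, a port that the outside ACL permits but no static translates, or one that a static translates but the ACL never permits. The configuration it parses is constructed here, using documentation and RFC 1918 addresses rather than the thread's, and the checker deliberately understands only the command forms quoted in the thread (dynamic nat/global, port statics with the netmask keyword, host/eq ACL entries applied with access-group); treating it as a full PIX parser is an assumption it does not make.

```python
import re

# Constructed sample configuration in PIX 6.x syntax (RFC 5737 / RFC 1918
# documentation addresses, not the thread's real ones). It contains one
# consistent SMTP forward, one ACL permit without a static (ftp), one static
# without an ACL permit (pop3), and one nat_id with no global pool (dmz).
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
nat (dmz) 2 172.16.0.0 255.255.0.0
access-list 101 permit tcp any host 203.0.113.10 eq smtp
access-list 101 permit tcp any host 203.0.113.10 eq ftp
static (inside,outside) tcp 203.0.113.10 smtp 192.168.0.5 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 pop3 192.168.0.5 pop3 netmask 255.255.255.255 0 0
access-group 101 in interface outside
"""

# Subset of the service names the PIX accepts in place of port numbers.
PORT_NAMES = {"ftp": 21, "smtp": 25, "pop3": 110, "www": 80, "https": 443}

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) (?:any|host \S+|\S+ \S+) host (\S+) eq (\S+)")
PORT_STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def port_number(token):
    """Map a PIX service name or numeric string to a port number (None if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def parse_config(text):
    """Extract the nat, global, access-list, static and access-group lines we check."""
    cfg = {"nat": [], "global": [], "acl": [], "static": [], "group": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            cfg["nat"].append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m.group(1), int(m.group(2))))
        elif m := ACL_RE.match(line):
            name, proto, dst, port = m.groups()
            cfg["acl"].append((name, proto, dst, port_number(port)))
        elif m := PORT_STATIC_RE.match(line):
            _real_ifc, mapped_ifc, proto, mapped_ip, mapped_port, real_ip, real_port = m.groups()
            cfg["static"].append(
                (mapped_ifc, proto, mapped_ip, port_number(mapped_port), real_ip, port_number(real_port)))
        elif m := GROUP_RE.match(line):
            cfg["group"][m.group(2)] = m.group(1)  # interface -> ACL name applied inbound
    return cfg


def check_config(text):
    """Return a list of human-readable findings; an empty list means the config is consistent."""
    cfg = parse_config(text)
    findings = []

    # 1. Dynamic NAT: every non-zero nat_id needs a global pool (nat_id 0 is exemption).
    global_ids = {nat_id for _, nat_id in cfg["global"]}
    for ifc, nat_id in cfg["nat"]:
        if nat_id != 0 and nat_id not in global_ids:
            findings.append(
                f"nat ({ifc}) {nat_id} has no matching global pool: outbound traffic from {ifc} cannot be translated")

    # 2/3. Port forwarding: the ACL applied on an interface and the port statics mapped
    # on that interface must name the same (protocol, mapped address, port) triples.
    for ifc, acl_name in cfg["group"].items():
        permits = {(proto, dst, port) for name, proto, dst, port in cfg["acl"] if name == acl_name}
        statics = {(proto, mip, mport) for mifc, proto, mip, mport, _, _ in cfg["static"] if mifc == ifc}
        for proto, dst, port in sorted(permits - statics):
            findings.append(
                f"{acl_name} permits {proto}/{port} to {dst} on {ifc} but no static translates it: connections are dropped")
        for proto, mip, mport in sorted(statics - permits):
            findings.append(
                f"static maps {proto}/{mport} on {mip} ({ifc}) but {acl_name} does not permit it: connections are blocked")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a `show running-config` capture saved to a file (read it with `open(...).read()` in place of `SAMPLE_CONFIG`) before touching the GUI wizard; a clean run means the ACL and static lines agree for each forwarded port, which is the condition the last reply's two commands have to satisfy together for the telnet-to-port-25 test to succeed.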