I have a PIX 501 running V6.1(2). I'm using a DSL line connected to the PIX, then from the PIX I connect 2 servers with 2 LAN cards. The other cards are connected to the inner LAN (172.16.0.0). The first server runs a proxy to allow the inner network to surf the internet and the second server is a mail server. Here's a transcript of my configuration:
Mail(192.168.0.3) / Proxy(192.168.0.2)
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 220.127.116.11 eq smtp
ip address outside 18.104.22.168 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 22.214.171.124
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside, outside) 126.96.36.199 192.168.0.3
route outside 0.0.0.0 0.0.0.0 188.8.131.52
access-group 100 in interface outside
The problem is when I inject static, access-list, access-group then clear xlate, the mail server will not be able to surf, send and accept email (Proxy still works fine). The email server works fine when given a public IP and connected directly to the DSL line. Anyone got an explanation for this?
Thanks all for your response. I got it working now. The problem there was that my mail server uses ESMTP (Microsoft Exchange). I just turned off the Mail Guard (no fixup protocol smtp) since PIX doesn't support the non-standard ESMTP commands while allowing static entry for mail protocol. Now it's working. That's one good lesson I've learned.
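An added example, not part of the original posts: a small check that reads a captured SMTP session and flags the two symptoms commonly associated with an SMTP inspection such as Mail Guard sitting in the path, a masked 220 banner and a 5xx reply to an ESMTP verb. It assumes the inspection passes only the RFC 821 minimum command set; the `C:`/`S:` transcript format, hostnames and sample sessions are constructed for illustration.

```python
# Assumption: the inspection passes only the RFC 821 section 4.5.1 minimum set,
# so EHLO and other ESMTP verbs are rejected before reaching the mail server.
RFC821_MINIMUM = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def inspect_session(transcript):
    """Scan a 'C: '/'S: ' prefixed SMTP transcript for inspection symptoms."""
    result = {"banner_masked": False, "rejected_esmtp": []}
    last_verb, in_data = None, False
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            if in_data:                       # message body, not a command
                in_data = text != "."         # a lone dot ends the body
                continue
            last_verb = (text.split() or [""])[0].upper()
        elif side == "S":
            code, rest = text[:3], text[4:]
            if last_verb is None and code == "220":
                # Banner mostly replaced by '*' suggests it was rewritten in transit.
                result["banner_masked"] = bool(rest) and rest.count("*") > len(rest) / 2
            elif code.startswith("5") and last_verb and last_verb not in RFC821_MINIMUM:
                if last_verb not in result["rejected_esmtp"]:
                    result["rejected_esmtp"].append(last_verb)
            elif code == "354" and last_verb == "DATA":
                in_data = True
    return result

# Constructed sample: session as it might look with SMTP inspection enabled.
MASKED_SESSION = """
S: 220 ************************0*2******
C: EHLO mail.example.com
S: 500 Command unrecognized
C: HELO mail.example.com
S: 250 mail.example.com Hello
C: QUIT
S: 221 closing
"""

# Constructed sample: the same server reached without inspection.
CLEAN_SESSION = """
S: 220 mail.example.com ESMTP ready
C: EHLO client.example.net
S: 250-mail.example.com
S: 250 SIZE 10240000
C: MAIL FROM:<a@example.net>
S: 250 OK
C: QUIT
S: 221 closing
"""

if __name__ == "__main__":
    print(inspect_session(MASKED_SESSION))
    print(inspect_session(CLEAN_SESSION))
```

If a session captured from outside the firewall shows both symptoms while a session captured on the inside segment does not, the inspection rather than the static or access-list entries is the likely cause.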