Cisco Support Community

DOUBLE PIX with nat: pix v. 6.3(4) + v. 7.1(2)

I have a problem with 2 pix connected as follows:

CLIENT INSIDE ---> PIX 6 (NAT) ---> PIX 7 (NAT) ---> INTERNET SMTP SERVER OUTSIDE.

If the client tries to connect to ANY ESMTP server on the internet (telnet to port TCP 25), the connection hangs: on the client I can see the banner 220: OUT MSG.

(If the client tries the same connection with only 1 pix, all is OK!!)

The firewalls do nat; the fixup smtp and the inspect ESMTP are disabled.

Any ideas? Is it a bug? Does the double nat break the connection?

Best regards.

Roberto Taccon

1 REPLY

Re: DOUBLE PIX with nat: pix v. 6.3(4) + v. 7.1(2)

Roberto,

I've always tried not to use double nat. It really does break a lot of different protocols and causes a ton of troubleshooting headaches. If it's possible, try not to use nat on the inside firewall. If it's some sort of requirement that you use double nat, then here is what I would start doing. Capture the traffic between the client on the inside, between the two pixes and on the outside for the pix 7.0. Look to see if the smtp traffic is being augmented in any way besides the ip address being changed.

I was just thinking, you said the fixup smtp was turned off; is it turned off on both firewalls or just one? This really only changes information to mask what kind of mail server you're using.

Let us know what you find out.

Patrick
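
The three-point comparison suggested in the reply above, as an added example that is not part of the original thread: it lines up the server-to-client SMTP bytes from each capture point and reports which hop changed them. The capture-point names, hostnames and (sequence number, payload) pairs are constructed; it assumes the pairs have already been extracted from the captures.

```python
# Added example (not from the thread): compare the server-to-client bytes of one
# SMTP session as seen at each capture point. Names and sample data are constructed.

def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    Offsets are relative to the lowest sequence number seen, because a PIX can
    rewrite TCP sequence numbers as well as addresses, so absolute values do not
    match between capture points. Assumes the sequence space does not wrap.
    """
    if not segments:
        return b""
    base = min(seq for seq, _ in segments)
    stream = bytearray()
    for seq, data in sorted(segments):
        off = seq - base
        if off > len(stream):                       # missing segment: pad the gap
            stream.extend(b"\x00" * (off - len(stream)))
        stream[off:off + len(data)] = data          # retransmissions overwrite
    return bytes(stream)

def compare_points(captures):
    """captures: list of (name, segments), ordered from server side to client side.
    Returns (upstream, downstream, line_no, upstream_line, downstream_line) for
    every SMTP line that differs between two adjacent capture points."""
    lines = [(name, reassemble(segs).split(b"\r\n")) for name, segs in captures]
    findings = []
    for (up, a), (down, b) in zip(lines, lines[1:]):
        for i in range(max(len(a), len(b))):
            la = a[i] if i < len(a) else None       # None: line never arrived
            lb = b[i] if i < len(b) else None
            if la != lb:
                findings.append((up, down, i, la, lb))
    return findings

# Constructed sample: same session at three points, different sequence numbers.
BANNER = b"220 mail.example.net ESMTP ready\r\n"
MASKED = b"220 " + b"*" * (len(BANNER) - 6) + b"\r\n"
EHLO = b"250-mail.example.net\r\n250 PIPELINING\r\n"
SAMPLE = [
    ("outside-pix7", [(5000, BANNER), (5000 + len(BANNER), EHLO)]),
    ("between-pixes", [(91000 + len(BANNER), EHLO), (91000, BANNER)]),  # out of order
    ("inside-pix6", [(42, MASKED), (42 + len(BANNER), EHLO)]),
]

if __name__ == "__main__":
    for up, down, n, before, after in compare_points(SAMPLE):
        print(f"{up} -> {down}, line {n}: {before!r} became {after!r}")
```

A finding between two adjacent points names the firewall that sits between them; a `None` on the downstream side means the line never arrived there.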
