DOUBLE PIX with nat: pix v. 6.3(4) + v. 7.1(2)

ROBERTO TACCON · ‎03-21-2006

I have a problem with 2 pix connected as follow:

CLIENT INSIDE ---> PIX 6 (NAT) ---> PIX 7 (NAT) ---> INTERNET SMTP SERVER OUTSIDE.

if the client try to connect to ANY the ESMTP Server on internet (telnet to port TCP 25) the connection hang up: on the cleitn I can see the banner 220: OUT MSG.

(If the client try the same connection with only 1 pix all is OK !!)

The firewalls do nat; the fixup smtp and the inspect ESMTP are disabled.

Any idea ? It's a bug ? The double nat break the connection ?

Best regards.

Roberto Taccon

Patrick Laidlaw · ‎03-22-2006

Roberto,

I've always tried not to use double nat. It really does break a lot of different protocols and causes a ton of troubleshooting headaches. If it's possible try not to use nat on the inside firewall. If its some sore of requriement that you use double nat then here is what I would start doing. Capture the traffic between the client on the inside, between the two pix's and on the outside for the pix 7.0. Look to see if the smtp traffic is being augmented in anyway besides the ip address being changed.

I was just thinking you said the fixup smtp was turned off, is it turned off on both firewalls or just one. This really only changes information to mask what kind of mail server your using.

Let us know what you find out.

Patrick