The only public address is on the internet port of the ATA (phone adapter); the 192.168.0.x addresses are private addresses. The 10.10.1.x addresses are on E1 of the PIX and back into the hosts on the network. HTTP traffic is coming and going fine. The only issue is with SMTP. I can send (of course) but not receive. When I do a "sh xlate" I see the 10.10.1.x traffic being translated to the 192.168.0.x range.
Looking at your configuration, I presume that the IP address 192.168.0.0 /24 you have posted is there to hide your real internet-routable IP address, as you are posting on an open forum?
You need to use an internet routable IP address on your PIX outside interface i.e.
As an example:
ip address outside 212.205.xxx.101 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 18.104.22.168
The 212.205.xxx.102 is the internet facing router Ethernet address.
Now if you only have one public IP address available to you (22.214.171.124) and this address is being also used on the outside interface - as above, then yes you can use the keyword 'interface' on your static statement i.e.
access-list smtp_in permit tcp any host 212.205.xxx.101 eq 25
You need to make sure that your MX record for smtp is also pointing to IP 126.96.36.199, i.e.
xyz.com MX preference = 5, mail exchanger = smtp.xyz.com
smtp.xyz.com internet address = 188.8.131.52
Of course when you have made the appropriate changes on your PIX and saved with: write mem - you need also to issue - clear xlate
Now if you telnet to IP 212.205.xxx.101 on port 25 from an external network you should get a response from your internal smtp exchange server.
If you have a spare public IP address available on the same IP range then use the spare IP for your smtp service and make the appropriate changes to your outside ACL and static statement, also to hide your PIX from any internet based scanners you can apply on your PIX:
In config mode
icmp deny any outside
Only issue deny icmp after you're satisfied that all your internet-based services are working correctly.
You can test your PIX for any open 'holes' by going to http://www.grc.com and use the 'shields up' application to scan your network. One thing to take note here, is that if you are using the outside interface IP address for your smtp service then when you scan your network using the 'shields up' application it will show up as open for port 25 and hence may give any internet scanners information that your smtp port is open for abuse!
This is why I suggest that you use a different IP address for your smtp service and apply on the outside interface: icmp deny any outside, so that the PIX does not respond to any internet scanners.
You could also use the mail guard feature of the PIX but as you probably know, MS ESMTP servers have difficulty communicating if you use the mail guard feature!
I hope the above helps and let me know if you need any further help/assistance. Please rate posts - rating posts gives an indication to the responder to your question that the information provided is correct and may help others who may be looking for similar answers!
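As an added example (not part of the original post, and not Cisco code), the sketch below audits a PIX configuration for the pieces the reply above describes: a TCP static on the outside interface plus an outside ACL entry that permits the same port. It assumes PIX 6.x syntax, where the outside ACL must match the translated (public) address and must be bound with access-group; the 203.0.113.101 and 10.10.1.10 addresses and the sample configs are constructed for illustration.

```python
PORTS = {"smtp": "25", "www": "80"}  # port names the PIX substitutes for numbers

def audit(config):
    """List reasons inbound TCP would not reach each static port-forward."""
    ifc_ip, statics, aces, bound = {}, [], [], {}
    for raw in config.splitlines():
        t = raw.split()
        if t[:2] == ["ip", "address"] and len(t) >= 4:
            ifc_ip[t[2]] = t[3]                     # ip address <ifc> <ip> <mask>
        elif t[:1] == ["static"] and len(t) >= 7 and t[2] == "tcp":
            mapped_ifc = t[1].strip("()").split(",")[1]  # (real_ifc,mapped_ifc)
            statics.append((mapped_ifc, t[3], PORTS.get(t[4], t[4])))
        elif (len(t) >= 9 and t[0] == "access-list"
              and t[2:5] == ["permit", "tcp", "any"]
              and t[5] in ("host", "interface") and t[7] == "eq"):
            # only "host <ip>" and "interface <ifc>" destinations are handled here
            aces.append((t[1], t[5], t[6], PORTS.get(t[8], t[8])))
        elif t[:1] == ["access-group"] and len(t) == 5:
            bound[t[4]] = t[1]                      # access-group <acl> in interface <ifc>
    problems = []
    for ifc, mapped, dport in statics:
        public = ifc_ip.get(ifc) if mapped == "interface" else mapped
        acl = bound.get(ifc)
        if acl is None:
            problems.append(f"no access-group bound to {ifc}")
        elif not any(name == acl and p == dport and
                     (ifc_ip.get(val) if kind == "interface" else val) == public
                     for name, kind, val, p in aces):
            problems.append(f"{acl} has no permit for tcp/{dport} to {public}")
    return problems

# Constructed sample configs (documentation addresses, hypothetical mail host).
BASE = """ip address outside 203.0.113.101 255.255.255.248
ip address inside 10.10.1.1 255.255.255.0
static (inside,outside) tcp interface smtp 10.10.1.10 smtp netmask 255.255.255.255 0 0
"""
GOOD = BASE + ("access-list smtp_in permit tcp any host 203.0.113.101 eq 25\n"
               "access-group smtp_in in interface outside\n")
# Common mistake: the ACL names the inside server instead of the public address.
ACL_TO_INSIDE = BASE + ("access-list smtp_in permit tcp any host 10.10.1.10 eq 25\n"
                        "access-group smtp_in in interface outside\n")

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("acl_to_inside", ACL_TO_INSIDE), ("no_acl", BASE)):
        print(name, audit(cfg) or "ok")
```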
What I'm saying is that the "Linksys" phone adapter is working as the perimeter router. It has the ONLY public IP address on its internet port and is 68.36.x.x. Its ethernet port is PRIVATE and is 192.168.0.1
The PIX E0 is PRIVATE and is 192.168.0.2 and the PIX E1 is also PRIVATE 10.10.1.x I was wanting to get smtp through the "Linksys" and the PIX and to the smtp server on the 10.10.1.0 network. Since other services, ie: http, are coming through I'm looking for the right config to get the smtp to pass the PIX.