Cisco Support Community
Community Member

Help with Translation Rule on PIX 506E

I have a network connected to DSL via an 847 Router. We are adding a PIX firewall and I am a little confused about the translation rule for the email server.

Currently we have a pubic (static) IP assigned to the ATM interface of the router, and have assigned on the router's LAN side. My plan is to assign to the outside interface of the PIX, use for the inside interface and then use the range for my PC's/Server. My question is, should I translate the inside address of my email server ( to the address of my router/gateway ( on the unsecured side, or to my public IP address on the WAN side of the router?

Any help you could give me would be greatly appreciated, as this is my first attempt at PIX configuration. Thanks in advance.


Community Member

Re: Help with Translation Rule on PIX 506E

Hi Scott,

there's a couple of ways for you to set it up.

If the port translation through the router is on port 25 at the moment, when the pix is in place and address changes made as planned, simply add a static translation / ACL on the pix for the new address eg

static (inside,outside) netmask

access-list in_out permit tcp any host eq smtp

access-group in_out in interface outside

The static will allow traffic from the mail server going out to translate to its original ip address requiring no further config on the router apart from clearing arp. Inbound traffic to the server will be natted through the router as before but now the pix will proxy arp for the server ( on So long as the routing is up to scratch, should all work fine.

This is the easiest way so won't even mention anything else.

CreatePlease to create content