Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How do I re-direct smtp traffic from PIX to Internal Mail Server?

I have a PIX 506E (PIXOS 6.2(2) ) with a single routeable static IP address ( in config below) using PAT to translate internal traffic to the outside interface. From home I access the internal network via VPN (split-tunnel arrangement using Cisco VPN Client 3.6) in order to get mail from the internal mail server (working well).

I want to have all traffic to smtp port 25 directed to an internal mail server ( in config below).

When I try to add a translation rule to redirect port 25 (smtp) from my outside interface ip to my internal mail server (server1) I get the following error message (using PDM 2.0(2)):

"host outside is derived from the IP address of interface outside. You cannot specify translation rule for it"

I instead tried to add an Access Rule to allow traffic from port 25 of the external interface to the internal mail server, and I got the following error:

"No static Network Address Translation (NAT) rule is configured for the destination host or network on interface outside. Would you like to add a static NAT rule for the host or network now?"

QUESTION: How can I redirect all port 25 traffic from my static ip address (which is also the outside interface) to my internal mail server?

Config listing attached at end. All help appreciated!

Config listing (critical addresses, passwords etc removed):

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxx encrypted

hostname gateway_hostname


clock timezone CST -6

clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000


name outside-net

name inside-net

name vpnip-net

name server1

access-list nonatinside permit ip inside-net vpnip-net

access-list splittun permit ip inside-net vpnip-net

pager lines 24

logging on

logging timestamp

logging trap notifications

logging history warnings

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool

pdm location server1 inside

pdm logging informational 500

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonatinside

nat (inside) 1 0 0

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication partnerauth

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpngroup1 address-pool ippool

vpngroup vpngroup1 dns-server server1

vpngroup vpngroup1 wins-server server1

vpngroup vpngroup1 default-domain

vpngroup vpngroup1 split-tunnel splittun

vpngroup vpngroup1 idle-time 1800

vpngroup vpngroup1 password vvvvvvvvvvvvvvvvvv

telnet timeout 5

ssh timeout 5

terminal width 80

: end

Cisco Employee

Re: How do I re-direct smtp traffic from PIX to Internal Mail Se

You can use the outside IP address for port redirection.

Try from command line the following, see if it works;

static (inside,outside) tcp smtp smtp netmask 0 0

I tried on my PIX and it works from CLI.



New Member

Re: How do I re-direct smtp traffic from PIX to Internal Mail Se

Thanks... The port redirect worked (plus access commands)... I am still having problems with Mailguard (fixup protocol smtp etc) in 6.2(2) but will dig deeper before posting.

For the record, the following commands (entered from CLI, not PDM) worked:

access-list 101 permit tcp any host outside_gateway eq smtp

static (inside,outside) tcp outside_gateway smtp internal_mailserver smtp netmask 0 0

access-group 101 in interface outside