Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

gdi
New Member

How do I re-direct smtp traffic from PIX to Internal Mail Server?

I have a PIX 506E (PIXOS 6.2(2) ) with a single routeable static IP address (10.20.30.123 in config below) using PAT to translate internal traffic to the outside interface. From home I access the internal network via VPN (split-tunnel arrangement using Cisco VPN Client 3.6) in order to get mail from the internal mail server (working well).

I want to have all traffic to smtp port 25 directed to an internal mail server (192.168.0.22 in config below).

When I try to add a translation rule to redirect port 25 (smtp) from my outside interface ip to my internal mail server (server1) I get the following error message (using PDM 2.0(2)):

"host outside 10.20.30.123 is derived from the IP address of interface outside. You cannot specify translation rule for it"

I instead tried to add an Access Rule to allow traffic from port 25 of the external interface to the internal mail server, and I got the following error:

"No static Network Address Translation (NAT) rule is configured for the destination host or network on interface outside. Would you like to add a static NAT rule for the host or network now?"

QUESTION: How can I redirect all port 25 traffic from my static ip address (which is also the outside interface) to my internal mail server?

Config listing attached at end. All help appreciated!

Config listing (critical addresses, passwords etc removed):

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxxxxxxxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxxxxxxxx encrypted

hostname gateway_hostname

domain-name domainname.com

clock timezone CST -6

clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

name 10.20.30.0 outside-net

name 192.168.0.0 inside-net

name 10.1.2.0 vpnip-net

name 192.168.0.22 server1

access-list nonatinside permit ip inside-net 255.255.255.0 vpnip-net 255.255.255.0

access-list splittun permit ip inside-net 255.255.255.0 vpnip-net 255.255.255.0

pager lines 24

logging on

logging timestamp

logging trap notifications

logging history warnings

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside 10.20.30.123 255.255.255.0

ip address inside 192.168.0.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool ippool 10.1.2.1-10.1.2.254

pdm location server1 255.255.255.255 inside

pdm logging informational 500

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonatinside

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 10.20.30.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication partnerauth

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpngroup1 address-pool ippool

vpngroup vpngroup1 dns-server server1 1.2.3.4

vpngroup vpngroup1 wins-server server1

vpngroup vpngroup1 default-domain domainname.com

vpngroup vpngroup1 split-tunnel splittun

vpngroup vpngroup1 idle-time 1800

vpngroup vpngroup1 password vvvvvvvvvvvvvvvvvv

telnet timeout 5

ssh timeout 5

terminal width 80

: end

2 REPLIES
Cisco Employee

Re: How do I re-direct smtp traffic from PIX to Internal Mail Se

You can use the outside IP address for port redirection.

Try from command line the following, see if it works;

static (inside,outside) tcp 10.20.30.123 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0

I tried on my PIX and it works from CLI.

HTH

R/Yusuf

gdi
New Member

Re: How do I re-direct smtp traffic from PIX to Internal Mail Se

Thanks... The port redirect worked (plus access commands)... I am still having problems with Mailguard (fixup protocol smtp etc) in 6.2(2) but will dig deeper before posting.

For the record, the following commands (entered from CLI, not PDM) worked:

access-list 101 permit tcp any host outside_gateway eq smtp

static (inside,outside) tcp outside_gateway smtp internal_mailserver smtp netmask 255.255.255.255 0 0

access-group 101 in interface outside

333
Views
0
Helpful
2
Replies