The example in this config shows the outside interface with an address of 18.104.22.168, and the mail server traffic is to come in on 22.214.171.124 and translate to 192.168.2.57, which makes sense.
The access-lists permit SMTP correctly, and that inside,outside NAT statement is correct. This all makes sense, but my question is whether or not this is possible.
Can you statically NAT traffic from 126.96.36.199 to 192.168.2.57 when the public address 188.8.131.52 is not bound to an interface or a secondary interface (which is not possible on the PIX, but is on an IOS router)?
In the past, I have configured the same situation, but used the outside interface address for the MX record with the ISP and statically NATed it to whatever private address I needed. This has worked fine, obviously.
In this case though, say you were given a block of addresses from the ISP and wanted to use a different one from the block than the one assigned to the outside interface as the MX record for your mail traffic.
Would this be possible, as the sample config states? I have not gotten this to work in brief lab testing, and I am not certain whether I am experiencing ARP problems, upstream router config problems, or problems simply because it is not possible.
Input from anyone on this would be great!
ISP MX Record: 184.108.40.206
ISP Router: 220.127.116.11
PIX Outside: 18.104.22.168
PIX Inside: 192.168.1.1
MAIL Server: 192.168.1.5
access-list 101 permit tcp any host 22.214.171.124 eq smtp
On the PIX, it is possible to use a public IP on the outside interface which is not bound to an interface. All you need is a static translation rule and an access-list to allow the traffic in.
The example you provided in the previous message looks fine.
If it is not working, please make sure that the sending mail server only uses the following SMTP commands: HELO, MAIL, RCPT, DATA, RSET, NOOP and QUIT. If other commands are being used, they will be blocked by the SMTP fixup protocol. If necessary, you can disable the fixup protocol to allow all SMTP commands.
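The configuration the answer above describes, written out as an added example that is not part of the original thread. It uses PIX 6.x syntax and the addresses from the listing earlier in the thread; the /24 interface masks and the mail server address 192.168.1.5 (the listing's value, not the 192.168.2.57 mentioned in the question) are assumptions.

```cisco
! Added example, not from the thread: PIX 6.x static NAT for a public
! address that is NOT configured on the outside interface.
! Interface masks and the mail server address 192.168.1.5 are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 18.104.22.168 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
!
! Map the spare ISP address (the one in the MX record) to the private mail
! server. The PIX proxy-ARPs for 22.214.171.124 on the outside interface,
! so the ISP router resolves it to the PIX outside MAC even though no
! interface carries that address.
static (inside,outside) 22.214.171.124 192.168.1.5 netmask 255.255.255.255
!
! On PIX 6.x the ACL matches the public (pre-translation) address. The
! access-group line is what binds the list to the interface; without it
! the access-list does nothing.
access-list 101 permit tcp any host 22.214.171.124 eq smtp
access-group 101 in interface outside
!
! Default route toward the ISP router.
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
!
! Mailguard (fixup protocol smtp) only passes HELO, MAIL, RCPT, DATA, RSET,
! NOOP and QUIT. A sender that opens with EHLO and relies on the ESMTP
! extensions it negotiates will not get through until the fixup is off.
! Disabling it removes that command filtering, so only do so if needed.
no fixup protocol smtp 25
```

If the public address was previously used by a host sitting directly on the ISP segment, the upstream router can still hold that host's MAC in its ARP cache after the move; `show arp` on the PIX and `clear arp-cache` on an IOS router are the quick checks before suspecting the fixup.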
I've built several PIXes now using this type of config with a static (inside,outside) for the mail server. It has always worked fine for me. I have done this also with routers (using an IP address not on the router's outside interface) and that also works fine.
Thanks for the responses, guys. I too was able to verify that this configuration is correct and works in my lab.
I believe the issue I had in production was the ARP cache of the upstream ISP router. We had taken a mail server that was previously bound to a public address outside the firewall and moved it inside the firewall, and opened up the ports and static NAT translations to its new private address behind the firewall.
I can only believe that the ARP cache was the problem when mail traffic would not pass. Otherwise, my second guess would be the fixup for SMTP.
Thanks again, gentlemen, I needed to make sure I wasn't going crazy here. LOL