Novell Server can't reach outside?

fhall
Level 1

Hello and thanks for your time in advance.

I'm replacing a Watchguard firewall w/a 501 for a customer. We have only 1 public ip address (DSL). Using PAT all clients can surf the web. There is a functional conduit into the firewall to an ftp server. The only problem is with the Novell server. It can reach the inside but cannot reach the outside int of the 501. It does fine with the firewall that's already there. I'm using the same ip for both firewalls (just switching them temporarily to test), clearing arp cache as I go, yet the server will not get through the 501. Any ideas PLEASE?

As a side note, if "static (inside, outside) x.x.x.x 10.0.20.10" (for incoming mail to the Novell box) is used, all outbound traffic will cease through the 501 until the reload command is issued. Thanks again.

6 Replies

bfetzer
Level 1

Hmmm.

Kinda sounds like a PAT global problem.

So you put in the PAT command and all clients can issue successful requests to the outside world? Including the Novell server (I realize you can't exactly web browse from a Novell box..) but can you ping an outside IP address from the Novell server before you put the static command in place? The ftp server is completely ok. Give more details if possible, we'll help get you there...

Here's the config:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password /F.u.pU7VSgK.2I3 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix
domain-name ted.net
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 205.25.2.115 255.255.255.252
ip address inside 10.0.20.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 5 interface
nat (inside) 5 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 205.25.2.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.20.83 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80

All clients can get out with http or icmp. The Novell server (unfortunately it serves mail) cannot get out at all. The furthest the Novell box goes is the internal 501 int, even before the static command. The static command does not block all traffic when pointing to another internal host, only the Novell box.

I've since tried setting the internal ip (501) to 10.0.20.3 and then setting the default route in tcpcon on the Novell box to the same but w/no results. I'd love to blame the Novell server but the Watchguard box lets it all through.

Thanks for the time.

I really hope that the IP Addresses and passwords listed are dummy ones that replaced the actual ones.

It's customary to use obviously invalid IPs, like 1.1.1.1 or 10.10.10.10, to ensure no one acquires knowledge of the network that is not for public consumption.

Same thing with passwords: Use obvious password replacements, like or . Even though these are scrambled, it is not secure.

Regarding the problem, can you tell if a translation slot was opened? Do a SH CONN LOCAL 1.1.1.1, where 1.1.1.1 is the inside Novell address. You can also enable some logging to a syslog server while you try to connect and search through to find the transactions between the PIX and Novell server to see what the deal is.

Yes, they are dummy IPs and DNS names. And thanks for the concern. I can use "debug icmp trace", then ping an external ip from a client and the console shows the traffic. Pinging the same ext. address from the server yields no result on the console. Pinging the internal interface from the server will show on the console. Does that help much? I keep finding articles about Novell IP not working well with NAT but mainly for client/server communications (login, file sharing, etc.). I just need smtp to and from this box.

Any suggestions are appreciated. Thanks again.

ip address outside 205.25.2.115 255.255.255.252

route outside 0.0.0.0 0.0.0.0 205.25.2.115 1

Shouldn't you be routing to the next hop in line, i.e.

route outside 0.0.0.0 0.0.0.0 205.25.2.114 or something like that?

i.e. the next hop to your ISP or something like that?

My config is completely different there.

I have ip address outside XXXXXX

and a "next hop" router in line to route all traffic to...

Yes. I apologize, my paranoia was not well thought out. The default route as well as the ips are different so I was reckless in the typing. It's as you guessed (let's say 205.25.2.114).
