Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

One Way Nating

Setup: Static NAT for smtp a/v box in dmz is filtering mail in/out bound.

Need to keep inbound NATing to smpt a/v box, but outbound smtp needs to NATed directly from the email servers to the same Public MX record . Thanks

New Member

Re: One Way Nating

Have you tried to use a static NAT ?

Re: One Way Nating

I dont think this is possible, please correct me if I am wrong.

The Mail server should relay back to the AV Mail Relay in the DMZ to send the Emails and not directly send Emails to the Internet, in this setup the Email is also scanned outbound.


access-list outside permit tcp any host Mail-MX eq smtp

access-group outside in interface outside

static (dmz,outside) Mail-MX-PubIP AV-Relay-DMZ-IP netmask

static (inside,dmz) InsideNetwork InsideNetwork netmask 0 0

access-list dmz .... (All other service that have outbound connections)

access-list dmz permit tcp host AV-Relay-DMZ-IP host MailServer-Internal-IP eq smtp

access-group dmz in interface dmz

The Inside Email Server connects to the DMZ Private IP of the Email Relay.



New Member

Re: One Way Nating

Correct this is how it is currently configured, however the server crew would like to only scan inbound smtp traffic and send outbound traffic driectly to thru the firewall. Is it possible to have inbound NAT NAT to box A and outbound NAT from Box B using the same NATing address?

New Member

Re: One Way Nating

You can try this example.

a/v box =

public ip = x.x.x.x

inside mail server = y.y.y.y

static (outside,dmz) tcp x.x.x.x 25 25

nat (inside) 1 y.y.y.y // for mail servers

global (outside ) 1 x.x.x.x

nat (inside) 2 y.y.0.0 //for the rest of the traffic

global (outside) 2

the catch here is that the nat for the mail servers should be before the nat statement for the mail servers

New Member

Re: One Way Nating

The goal is to use the same public ip but nat in traffic to the a/v box and outbound traffic (email server) from a different box/ip address. Some security devices will not except smtp from different ip address. Is this possible?

New Member

Re: One Way Nating

That is what is happening in the above example. we are natting the inbound traffic to a/v box. and not natting the outbound traffic to the same ip address. If you see i have used the same ip address for global. Please see I am not using one to one static nat for a/v box.

New Member

Re: One Way Nating


sorry for my vocab in the last conversation. I was able to understand ur problem that few mailing servers would do a reverse lookup for incoming mail and if the ip address doesnot match the registered one would reject the mail. If you look at the solution provided we are taking care of the same thing.

CreatePlease login to create content