08-12-2006 09:48 PM - edited 02-21-2020 01:06 AM
I am having a problem with a nat/pat on a 515.
For smtp traffic coming in, I need to send the traffic to a Spam filter device, and the www traffic to the OWA box (inside the DMZ). When the mail goes out from the Exchange Server I need it to use a different global(outside) than the other address so that it is on the address with the Reverse DNS entry. So far I have:
access-list inbound line 2 permit tcp any host x.x.x.124 eq smtp (hitcnt=245082)
access-list inbound line 4 permit tcp any host x.x.x.124 eq www (hitcnt=2623)
static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0
global (outside) 1 x.x.x.114
global (outside) 25 x.x.x.124
nat (inside) 25 192.168.0.20 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
The problem I have is when I add the nat (inside) 25 rule, then the Exchange server no longer routes past the Pix to the internet on outbound connections, but I can still connect to it remotely via RDP. I have run a clear xlate, and still cannot get it to traverse the pix and talk out on the x.x.x.124 address.
This same config works for me on another client's pix, it just doesn't want to work here. They are both version 6.3. The one that works is 6.3(4) while this one is 6.3(1). Is it a bug in that revision, or am I missing something else?
--Thanks in advance
08-13-2006 12:52 AM
Hi,
There are two points to clear up:
1) Is the outside global address used in "global (outside) 25" identical to previously used?
2) According to your statements:
global (outside) 25 x.x.x.124
nat (inside) 25 192.168.0.20 255.255.255.255 0 0
You want to translate a single inside local IP 192.168.0.20 on the inside to the inside global x.x.x.124.
But this is a one-to-one translation! And this is equivalent to:
static (inside, outside) x.x.x.124 192.168.0.20
And if the last x.x.x.124 is the same as previously used, you should have a problem with the "global (outside) 25" and even with the "static" command I have proposed, because you can use the same outside global address in different static commands only if you use different ports (policy NAT).
So I suggest the following if I understood what you want:
=================================================================
access-list inbound permit tcp any host x.x.x.124 eq smtp
access-list inbound permit tcp any host x.x.x.124 eq www
!this acl statement concern traffic destined to 192.168.0.20
access-list inbound permit tcp any host x.x.x.124 eq
static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0
!You add this line if you want to access to (192.168.0.20,portA) from the outside
static (inside,outside) tcp x.x.x.124
static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0
global (outside) 1 x.x.x.114
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
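The conflict the reply describes (one outside address serving as both a dynamic global pool and the global address of port statics) is the kind of thing that is easy to miss by eye. The following is an added example, not part of the thread and not a Cisco tool: a small lint script that parses PIX 6.3-style global / nat / static / access-list lines and reports the overlaps discussed above. The sample configuration is the poster's own lines, with the x.x.x.N placeholder octets left as they appear in the thread; the check names (lint_pix_nat, parse_static) and the Static dataclass are this example's own.

```python
"""Lint PIX 6.3 NAT lines for the overlaps discussed in the thread.

Added example, not the poster's config or a Cisco tool. It reports:
  * an outside address that is both a single-address 'global' pool and the
    global address of a 'static' (the overlap the reply warns about);
  * a 'nat' entry with a /32 host mask paired with a single-address global
    (a one-host-to-one-address dynamic pair, which the reply suggests
    writing as a static instead);
  * 'access-list ... eq' lines with the port missing;
  * several statics on one global address that do not each use a distinct port.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the poster's lines as quoted in the thread.
SAMPLE_CONFIG = """\
access-list inbound permit tcp any host x.x.x.124 eq smtp
access-list inbound permit tcp any host x.x.x.124 eq www
access-list inbound permit tcp any host x.x.x.124 eq
static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0
global (outside) 1 x.x.x.114
global (outside) 25 x.x.x.124
nat (inside) 25 192.168.0.20 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


@dataclass
class Static:
    ifaces: str                 # e.g. "(inside,outside)"
    proto: Optional[str]        # "tcp"/"udp" for a port static, else None
    global_ip: str
    global_port: Optional[str]
    local_ip: str


def parse_static(line: str) -> Optional[Static]:
    """Parse 'static (a,b) [tcp|udp] GLOBAL [GPORT] LOCAL [LPORT] ...'."""
    t = line.split()
    if len(t) < 4 or t[0] != "static":
        return None
    i, proto = 2, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    if proto:
        if len(t) < i + 3:
            return None
        return Static(t[1], proto, t[i], t[i + 1], t[i + 2])
    return Static(t[1], None, t[i], None, t[i + 1])


def lint_pix_nat(config: str) -> List[str]:
    """Return a list of human-readable findings for the given config text."""
    findings: List[str] = []
    globals_: Dict[str, Tuple[str, str]] = {}      # addr -> (iface, nat_id)
    nats: List[Tuple[str, str, str, str]] = []     # (iface, nat_id, ip, mask)
    statics: List[Static] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):       # skip blanks and comments
            continue
        t = line.split()
        if t[0] == "global" and len(t) >= 4:
            if "-" not in t[3]:                    # single address, not a range
                globals_[t[3]] = (t[1].strip("()"), t[2])
        elif t[0] == "nat" and len(t) >= 5:
            nats.append((t[1].strip("()"), t[2], t[3], t[4]))
        elif t[0] == "static":
            s = parse_static(line)
            if s:
                statics.append(s)
        elif t[0] == "access-list" and t[-1] == "eq":
            findings.append(f"incomplete ACL entry (port missing after 'eq'): {line}")

    # Overlap between a dynamic global pool and a static's global address.
    for s in statics:
        if s.global_ip in globals_:
            iface, nat_id = globals_[s.global_ip]
            port = f" port {s.global_port}" if s.global_port else ""
            findings.append(f"{s.global_ip} is both global ({iface}) {nat_id} and the "
                            f"global address of static {s.ifaces} -> {s.local_ip}{port}")

    # Several statics on one global address must each use a distinct port.
    by_ip: Dict[str, List[Static]] = {}
    for s in statics:
        by_ip.setdefault(s.global_ip, []).append(s)
    for ip, group in by_ip.items():
        ports = [s.global_port for s in group]
        if len(group) > 1 and (None in ports or len(set(ports)) != len(ports)):
            findings.append(f"static entries for {ip} overlap: each needs a distinct port")

    # A /32 nat paired with a single-address global: one host to one address.
    for iface, nat_id, ip, mask in nats:
        pool = [a for a, (_, gid) in globals_.items() if gid == nat_id]
        if mask == "255.255.255.255" and pool:
            findings.append(f"nat ({iface}) {nat_id} maps the single host {ip} to the single "
                            f"global address {pool[0]}; the reply suggests a static instead")
    return findings


if __name__ == "__main__":
    for f in lint_pix_nat(SAMPLE_CONFIG):
        print("-", f)
```

Run against the poster's lines it reports four items: the ACL entry that ends in "eq", the two port statics whose global address x.x.x.124 is also the "global (outside) 25" pool, and the /32 nat for 192.168.0.20 riding on that same single-address pool. The config the reply proposes (no "global (outside) 25", no "nat (inside) 25") clears the pool-versus-static overlap; the remaining findings are the port left blank in the thread, which the script leaves for the reader to fill in.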