PIX nat/pat issue

awmccurry
Level 1

I am having a problem with a nat/pat on a 515.

For smtp traffic coming in, I need to send the traffic to a Spam filter device, and the www traffic to the OWA box (inside the DMZ). When the mail goes out from the Exchange Server I need it to use a different global(outside) than the other address so that it is on the address with the Reverse DNS entry. So far I have:

access-list inbound line 2 permit tcp any host x.x.x.124 eq smtp (hitcnt=245082)
access-list inbound line 4 permit tcp any host x.x.x.124 eq www (hitcnt=2623)
static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0
global (outside) 1 x.x.x.114
global (outside) 25 x.x.x.124
nat (inside) 25 192.168.0.20 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

The problem I have is that when I add the nat (inside) 25 rule, the Exchange server no longer routes past the PIX to the internet on outbound connections, but I can still connect to it remotely via RDP. I have run a clear xlate, and still cannot get it to traverse the PIX and talk out on the x.x.x.124 address.

This same config works for me on another client's PIX, it just doesn't want to work here. They are both version 6.3. The one that works is 6.3(4) while this one is 6.3(1). Is it a bug in that revision, or am I missing something else?

--Thanks in advance

1 Reply

abdel_n
Level 1

Hi,

There are two points to clear up:

1) Is the outside global address used in "global (outside) 25" identical to one previously used?

2) According to your statements:

global (outside) 25 x.x.x.124
nat (inside) 25 192.168.0.20 255.255.255.255 0 0

You want to translate a single inside local IP, 192.168.0.20 on the inside, to the inside global x.x.x.124.

But this is a one-to-one translation! And this is equivalent to:

static (inside, outside) x.x.x.124 192.168.0.20

And if the last x.x.x.124 is the same as one previously used, you should have a problem with the "global (outside) 25" and even with the "static" command I have proposed, because you can use the same outside global address in different static commands only if you use different ports (policy NAT).

So I suggest the following, if I understood what you want:

=================================================================

access-list inbound permit tcp any host x.x.x.124 eq smtp
access-list inbound permit tcp any host x.x.x.124 eq www
!this acl statement concerns traffic destined to 192.168.0.20
access-list inbound permit tcp any host x.x.x.124 eq
static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0
!You add this line if you want access to (192.168.0.20,portA) from the outside
static (inside,outside) tcp x.x.x.124 192.168.0.20 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0
global (outside) 1 x.x.x.114
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
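The reply's two checks (a single-host nat paired with a single-address global pool is really a one-to-one mapping, and a global address that is also the mapped address of a static is only safe when the statics differ by port) can be run mechanically over a saved configuration before it is pushed. The script below is an added example, not Cisco code or anything from either poster: it parses the PIX 6.x static / global / nat statements exactly as quoted in this thread (the anonymised x.x.x. prefix is kept verbatim and the sample config is constructed from the original post) and reports the overlaps the reply warns about. It also rejects a port static that names a protocol but omits the ports, which is the shape of the second static in the reply. The function names and the dataclasses are this example's own.

```python
"""Offline checker for overlapping PIX 6.x NAT statements (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the original poster's NAT statements, as quoted in the thread.
SAMPLE_CONFIG = """
access-list inbound permit tcp any host x.x.x.124 eq smtp
access-list inbound permit tcp any host x.x.x.124 eq www
static (inside,outside) tcp x.x.x.124 smtp 192.168.0.22 smtp netmask 255.255.255.255 0 0
static (DMZ,outside) tcp x.x.x.124 www 172.16.30.1 www netmask 255.255.255.255 0 0
global (outside) 1 x.x.x.114
global (outside) 25 x.x.x.124
nat (inside) 25 192.168.0.20 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""


@dataclass(frozen=True)
class Static:
    real_if: str
    mapped_if: str
    proto: Optional[str]       # None for a whole-address static
    mapped_addr: str
    mapped_port: Optional[str]
    real_addr: str
    real_port: Optional[str]


@dataclass(frozen=True)
class Global:
    iface: str
    nat_id: int
    addr: str                  # single address, or an "a-b" range as written


@dataclass(frozen=True)
class Nat:
    iface: str
    nat_id: int
    addr: str
    mask: str


def _iface_pair(tok: List[str]) -> Tuple[str, str, int]:
    """Read "(inside,outside)" or "(inside, outside)"; return both names and next index."""
    i, pair = 1, tok[1]
    while not pair.endswith(")"):
        i += 1
        pair += tok[i]
    real_if, mapped_if = pair.strip("()").split(",")
    return real_if.strip(), mapped_if.strip(), i + 1


def _parse_static(tok: List[str]) -> Static:
    real_if, mapped_if, start = _iface_pair(tok)
    body = tok[start:]
    if body and body[0] in ("tcp", "udp"):
        # port static: proto mapped_addr mapped_port real_addr real_port [netmask ...]
        if len(body) < 5 or (len(body) > 5 and body[5] != "netmask"):
            raise ValueError("port static needs both ports: " + " ".join(tok))
        return Static(real_if, mapped_if, body[0], body[1], body[2], body[3], body[4])
    if len(body) < 2 or (len(body) > 2 and body[2] != "netmask"):
        raise ValueError("malformed static: " + " ".join(tok))
    return Static(real_if, mapped_if, None, body[0], None, body[1], None)


def parse_config(text: str) -> Tuple[List[Static], List[Global], List[Nat]]:
    """Collect static/global/nat statements; comments and other lines are skipped."""
    statics, globals_, nats = [], [], []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "static":
            statics.append(_parse_static(tok))
        elif tok[0] == "global":
            globals_.append(Global(tok[1].strip("()"), int(tok[2]), tok[3]))
        elif tok[0] == "nat":
            nats.append(Nat(tok[1].strip("()"), int(tok[2]), tok[3], tok[4]))
    return statics, globals_, nats


def one_to_one_dynamic(globals_: List[Global], nats: List[Nat]) -> List[Tuple[int, str, str]]:
    """nat ids whose /32 local host is paired with a single-address global pool."""
    pools: Dict[int, List[str]] = {}
    for g in globals_:
        pools.setdefault(g.nat_id, []).append(g.addr)
    hits = []
    for n in nats:
        pool = pools.get(n.nat_id, [])
        if n.mask == "255.255.255.255" and len(pool) == 1 and "-" not in pool[0]:
            hits.append((n.nat_id, n.addr, pool[0]))
    return hits


def shared_global_addresses(statics: List[Static], globals_: List[Global]) -> Dict[str, List[int]]:
    """Global-pool addresses that are also the mapped address of some static."""
    mapped = {s.mapped_addr for s in statics}
    hits: Dict[str, List[int]] = {}
    for g in globals_:
        if g.addr in mapped:
            hits.setdefault(g.addr, []).append(g.nat_id)
    return {a: sorted(ids) for a, ids in hits.items()}


def static_port_conflicts(statics: List[Static]) -> List[str]:
    """Statics sharing a mapped address collide unless every one is a distinct proto/port."""
    groups: Dict[Tuple[str, str], List[Static]] = {}
    for s in statics:
        groups.setdefault((s.mapped_if, s.mapped_addr), []).append(s)
    out = []
    for (iface, addr), members in groups.items():
        if len(members) < 2:
            continue
        keys = [(s.proto, s.mapped_port) for s in members]
        if any(s.proto is None for s in members) or len(set(keys)) != len(keys):
            out.append(f"{addr} on {iface}: {len(members)} statics overlap")
    return out


if __name__ == "__main__":
    st, gl, na = parse_config(SAMPLE_CONFIG)
    print("one-to-one nat/global pairs:", one_to_one_dynamic(gl, na))
    print("global addresses also used by statics:", shared_global_addresses(st, gl))
    print("static port conflicts:", static_port_conflicts(st))
```

On the sample above the script flags nat id 25 as a one-to-one mapping of 192.168.0.20 to x.x.x.124 and reports x.x.x.124 as used both by global pool 25 and by the two port statics; the smtp and www statics themselves do not conflict because they differ by port.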
