PIX SMTP NAT or Port Based NAT?

I have what may seem a strange question...

I have a customer with a PIX and an SMTP server on the inside of their network. They were using a Port Based NAT via the following command (all IP addresses are changed to protect the innocent):

static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255

This worked fine for both incoming and outgoing email EXCEPT for going out to particular mail servers. What was happening was they were receiving bounce messages as below:

<mail.domainname.com #5.7.1 smtp;550 5.7.1 This system is configured to reject mail from 1.1.1.2 (DNS reverse lookup failed)>

Where IP address 1.1.1.2 matched up with the client's global command.

Once I changed their NAT to use a normal NAT rather than a port-based one, everything worked fine, i.e.:

static (inside,outside) 1.1.1.1 192.168.0.1 netmask 255.255.255.255

My question is: can I make the port-based NAT work for IP addressing in both directions, or am I stuck with using a single IP NAT?

I assume what is happening is that the port-based NAT only looks at conversations starting in the incoming direction (i.e. the conversation is with port 25 on 192.168.0.1), not conversations starting in the outgoing direction (i.e. the conversation is with port 25 on an outside IP address).

Rgds,

Peter

Accepted Solutions

Re: PIX SMTP NAT or Port Based NAT?

Excellent analysis, and you are right on. Just a simple misconfiguration that most people miss. Try the following:

static (inside,outside) tcp 1.1.1.1 smtp 192.168.0.1 smtp netmask 255.255.255.255

global (outside) 2 1.1.1.1

nat (inside) 2 192.168.0.1 255.255.255.255

The static is only going to match on traffic sourced from port 25 on the mail server. So when your mail server sends traffic outbound on a port other than 25, it uses the nat/global config you have defined for the other hosts on the inside interface, which the other mail server clearly dislikes.

Hope this is clear but if not, let me know.

Scott
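The following is an added example, not code from the thread or from Cisco. It is a small Python model of how a PIX 6.x picks a translation for a new TCP flow, so the three configurations discussed above (the failing port static with the site-wide nat 1 / global 1 pool, Peter's plain static, and Scott's per-host nat 2 / global 2 pair) can be compared directly. The addresses are the thread's placeholders; the 1.1.1.2 pool address on global 1 and the 192.168.0.0/24 inside network are assumptions, and the model assumes what the answer relies on: that a PAT global can share 1.1.1.1 with the port static and that the most specific nat statement wins. A real PIX also needs an access-list (or conduit) before inbound traffic is permitted; the model only answers "does a translation exist, and where does it point".

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class PortStatic:
    """static (inside,outside) tcp <global> <gport> <local> <lport>"""
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass
class Static:
    """static (inside,outside) <global> <local> netmask 255.255.255.255"""
    global_ip: str
    local_ip: str


@dataclass
class Nat:
    """nat (inside) <id> <network>  (network written as CIDR in this model)"""
    nat_id: int
    network: str


@dataclass
class PixConfig:
    statics: List[Union[PortStatic, Static]] = field(default_factory=list)
    nats: List[Nat] = field(default_factory=list)
    globals_: Dict[int, str] = field(default_factory=dict)  # global (outside) <id> <ip>


def outbound_source(cfg: PixConfig, src_ip: str, src_port: int) -> Optional[str]:
    """Outside address a new outbound TCP flow from src_ip:src_port egresses with.

    Statics are consulted first. A port static only matches when the inside
    source port is the configured one; otherwise the most specific matching
    nat statement wins and its global address is used. None = no translation.
    """
    for s in cfg.statics:
        if isinstance(s, PortStatic):
            if s.local_ip == src_ip and s.local_port == src_port:
                return s.global_ip
        elif s.local_ip == src_ip:
            return s.global_ip
    best: Optional[Nat] = None
    for n in cfg.nats:
        net = ip_network(n.network)
        if ip_address(src_ip) in net and (
            best is None or net.prefixlen > ip_network(best.network).prefixlen
        ):
            best = n
    return cfg.globals_.get(best.nat_id) if best else None


def inbound_destination(cfg: PixConfig, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Inside (ip, port) a new inbound flow to dst_ip:dst_port is translated to.

    A port static exposes exactly one port of the inside host; a plain static
    exposes every port (the access-list then decides what is actually allowed).
    """
    for s in cfg.statics:
        if isinstance(s, PortStatic):
            if s.global_ip == dst_ip and s.global_port == dst_port:
                return (s.local_ip, s.local_port)
        elif s.global_ip == dst_ip:
            return (s.local_ip, dst_port)
    return None


SMTP = 25
EPHEMERAL = 40000  # assumed source port of an outbound connection; a mail client never uses 25
MAIL = "192.168.0.1"


def original_config() -> PixConfig:
    """Port static plus the site-wide nat 1 / global 1 pool (the failing setup)."""
    return PixConfig(
        statics=[PortStatic("1.1.1.1", SMTP, MAIL, SMTP)],
        nats=[Nat(1, "192.168.0.0/24")],
        globals_={1: "1.1.1.2"},
    )


def plain_static_config() -> PixConfig:
    """Peter's workaround: a one-to-one static for the mail server."""
    cfg = original_config()
    cfg.statics = [Static("1.1.1.1", MAIL)]
    return cfg


def per_host_nat_config() -> PixConfig:
    """Scott's fix: keep the port static, add nat 2 / global 2 for the one host."""
    cfg = original_config()
    cfg.nats.append(Nat(2, "192.168.0.1/32"))
    cfg.globals_[2] = "1.1.1.1"
    return cfg


if __name__ == "__main__":
    for name, cfg in [("original", original_config()), ("plain static", plain_static_config()),
                      ("per-host nat", per_host_nat_config())]:
        print(f"{name:13s} outbound SMTP egresses as {outbound_source(cfg, MAIL, EPHEMERAL)}, "
              f"inbound 1.1.1.1:80 -> {inbound_destination(cfg, '1.1.1.1', 80)}")
```

Running it shows the two things worth checking before going live with a mail server behind a PIX: the original configuration sends the server's outbound SMTP connections out as 1.1.1.2 (the address whose reverse lookup the remote side rejected), while both fixes make it 1.1.1.1; and the plain static also creates a translation for every other port of 192.168.0.1, whereas the port static plus per-host PAT keeps only port 25 reachable from outside, so Scott's variant is the one that preserves the smaller exposed surface.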

2 REPLIES


Re: PIX SMTP NAT or Port Based NAT?

Scott,

Interesting solution - I would never have thought of setting up a separate global for that single host.

Thanks for the speedy help (nice to catch someone in a similar timezone).

Rgds,

Peter
