Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
212
Views
0
Helpful
3
Replies

Translation issues, affecting failover testing

g.leonard
Level 1
Level 1

‎09-11-2003 02:11 AM - edited ‎03-09-2019 04:44 AM

What is the best setup for the following scenario? The only traffic permitted inbound is smtp to mail server. This is done using port redirection to internal mailserver:

static (inside,outside) tcp interface smtp X.X.X.X smtp netmask 255.255.255.255 0 0

Outbound traffic initiated by 4 servers. One of which is mail server. Would you be able to use a seperate address to the outside interface for the mail server to use when initiating outbound traffic or would you have to use a static to the same address as the interface. Would there be two translations for the same internal machine if different address was used?

What would be the best way to do this? 2 of the machines really need a static mapping as they would be initiating traffic regularly. The other machines only would initiate traffic once a day for example. However if a static mapping to the interface was used I would get all traffic to the interface forwarded to the mail server. ACLs could block this but in my experience this would add loads of messages to syslog and affect failover testing.

Labels:
0 Helpful
3 Replies 3

scoclayton
Level 7
Level 7

‎09-13-2003 06:31 PM

Hi,

Let me try to answer your questions in a QA format below.

Q: Would you be able to use a seperate address to the outside interface for the mail server to use when initiating outbound traffic or would you have to use a static to the same address as the interface?

A: Well, sither one of these (sort of) would work. In most cases, people just add something like this to the config to allow the internal server to initiate conns outbound:

nat (intf) 2

global (outside) 2 interface

Q: Would there be two translations for the same internal machine if different address was used?

In the case above, you would have potentially mutiple xlates created on the PIX. One for the TCP/25 traffic and others for the outbound traffic.

Hope this helps.

Scott

0 Helpful

g.leonard
Level 1
Level 1
In response to scoclayton

‎09-14-2003 11:28 PM

Cheers Scott

I will try using the global to the interface. Just to clarify do you think that there would be a problem if a machine had more than one xlate on the PIX?

Gary

0 Helpful

scoclayton
Level 7
Level 7
In response to g.leonard

‎09-15-2003 05:44 AM

hard to answer your question because it really depends. Remember that statics get a higher priority when searching for xlate's that anything else (except nat 0 access-list). In your scenerio, this will not be a problem. Good luck.

Scott

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents