Translation question

g.leonard
Level 1

FOS 6.22 on PIX 515E. Mail server behind firewall needs to send and receive mail. Only have a few IP addresses on outside subnet. Using static PAT (for SMTP) to map mail server to outside interface as to direct inbound SMTP messages to mail server and conserve IPs. Mail server also needs to initiate conx outbound to send mail. Was advised to use NAT and global for outbound conx using address assigned to outside interface as NAT address for mail server. Will this not create a translation issue if a static translation already exists for the mail server? Is the NAT and global necessary if the static PAT exists? Or is there a better way of setting this up with limited outside IPs?

6 Replies

jmia
Level 7

Hello Gary,

Have a read of the following document and see if this answers your question, if not then let me know.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094466.shtml

Jay.

Cheers Jay

The document suggests a good method. Unfortunately I have limited IP addresses on the outside so had resorted to port redirection (static PAT). I've basically got only one available IP outside. Any ideas?

Gary

Gary,

What you can do if you have only one public IP is the following,

> access-list smtp permit tcp any host <pix-outside-ip> eq smtp

Now bind the above ACL to the outside interface with:

> access-group smtp in interface outside

You'll require a static translation for the public IP to connect to your inside mail server, so do the following:

> static (inside,outside) tcp interface smtp <mail-server-inside-ip> smtp netmask 255.255.255.255 0 0

I assume that you are using this ONE public IP for your outside interface of the PIX as well? If so don't worry, this will work. The keyword here is the 'interface' on the static above.

Remember to save with write mem and also issue clear xlate

Hope this helps and let me know how you get on.

Jay.

Jay

With your suggestion, once the static translation is built will it permit the mail server to send mails outbound as well, or is another translation required?

What I have not told you (to make the original question easier to comprehend) is that I actually have 3 internal servers in addition to the mail server that need to initiate outbound connections only. I doubt that with one IP this could be done, as I would have to use PAT for the other servers using the sole outside IP. As far as I am aware, you cannot PAT and static on the same global (outside) IP. Bit of a nightmare, huh! Is it just a case of getting more IPs?

TIA Gary

Gary,

If you have only one public IP address and one mail server on the inside the config I posted will work for your mail server for both inbound and outbound SMTP traffic. Make sure that your ISP MX Record is pointing to your outside PIX interface IP address for SMTP.

If you've got more than one mail server behind the PIX, then the better option would be to obtain further public IP addresses for those additional servers. But the config I posted for the one IP address will not work and you'll need to modify your config accordingly with ACLs and statics.

Hope this helps and let me know if you require further help.

Jay

So am I correct in thinking you cannot use the same global (outside) IP for a static address and a PAT global address?

If I wanted to get the mail server to do its own DNS queries would I need another translation because the static setup would be for SMTP traffic?
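As an added example (not posted by anyone in this thread), the full one-public-IP layout the replies describe, with the mail server reached inbound through the port-redirection static on the interface address while it and the three outbound-only servers leave through a global that overloads that same address. All inside addresses and the public address are assumed placeholders, and the layout relies on PIX 6.2 accepting a port static on `interface` alongside `global (outside) 1 interface`.

```cisco
! Assumed addressing (placeholders): inside 192.168.1.0/24, mail server 192.168.1.10,
! the three outbound-only servers 192.168.1.11-13, public address 203.0.113.1, which
! is the address already configured on the outside interface.

! Inbound: only TCP/25 to the outside address is allowed in from the Internet, and
! those connections are redirected to the mail server by the port static below.
! The 'interface' keyword reuses the outside interface address, so no second
! public IP is consumed.
access-list smtp permit tcp any host 203.0.113.1 eq smtp
access-group smtp in interface outside
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255 0 0

! Outbound: every inside host, the mail server included, is PATed to the outside
! interface address. The port static only covers sessions arriving on TCP/25;
! the mail server's own outgoing SMTP deliveries and its DNS lookups leave
! through this nat/global pair, as do the three send-only servers.
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
global (outside) 1 interface

! After changing translations, clear the existing entries and save:
!   clear xlate
!   write mem
```

The inbound ACL is what keeps the shared address from exposing anything but SMTP; the outbound-only servers are reachable from outside on no port at all because no static names them.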