Cisco Support Community
New Member

pix 515e config for spam appliance

I have a Cisco PIX 515E that sits in front of a Symantec spam 8240 appliance. We need to NAT the IP address of the box to a public IP 67.a.b.c, which is done, no problem. What we need to do next is NAT the virtual interface that is used for sending mail out to the same public IP. The virtual IP address can't accept mail from the outside.

I am looking for advice configuring this on the firewall.

Thanks in advance.


Re: pix 515e config for spam appliance

This will be a problem. From your explanation I understand that you have configured NAT for the box. This means that everything arriving on 67.a.b.c is forwarded to the box's IP.

You cannot make an exception for SMTP or any other port/protocol, so I think that you will need to use a different IP address to xlate the virtual interface.

If you do not need to NAT the whole IP address to the box's outside address, you may use PAT to forward certain ports to one inside address and other ports to a different one. In that way it will be possible to use one outside address for both applications.

To use PAT you have to specify the desired protocol and port with the nat command:

ip nat (DMZ,outside) tcp 67.a.b.c 25 box-virt 25



New Member

Re: pix 515e config for spam appliance

Just refer to the screenshot below for patting

New Member

Re: pix 515e config for spam appliance

I have a similar design. According to your explanation you can do the following to allow smtp traffic to be directed to the Anti Spam.


Anti Spam public IP:

Anti Spam DMZ IP:

PIX internal IP:

1- The Default Gateway for the Anti Spam must be

2- Create an access list to permit smtp traffic to the public IP (you can name it anything you want) by using this command:

access-list smtp permit tcp any host eq smtp

(this command allows smtp traffic from any source if it is directed to

3- Define NAT Rule:

static (inside,outside) netmask 0 0

4- Apply the access list on the outside interface:

access-group smtp in interface outside

Important notes:

- There is no need for any rules on the PIX to send emails; just ensure internet connectivity to the Anti Spam.

- It is better to configure the mail server (MS Exchange or whatever) to send outside emails directly, not through the Anti Spam. Spam checking is recommended for received emails from outside only.

- You can allow any other traffic to the same IP on the same Access List. For example if that Anti Spam has Web service, you can also allow access to it by adding this command:

access-list smtp permit tcp any host eq www

access-list smtp permit tcp any host eq https



New Member

Re: pix 515e config for spam appliance

Like this?

static (inside,outside) tcp 67.a.b.c smtp 8240PrivateIP smtp netmask

global (outside) 10 67.a.b.c

nat (inside) 10 access-list SPAM

access-list SPAM permit ip host any

I got this to work, but it sent emails very slowly. Is that why you suggested to only scan inbound?
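
The replies above contrast a one-to-one static (every port on the public IP is translated to the box) with static PAT (only the listed ports are translated), both filtered by the access list bound to the outside interface. The following is an added example, not code from any poster in this thread: a small Python check that reads PIX-style config lines and reports, per public IP, which permitted ports actually reach an inside host and which permits match no translation. The addresses are constructed placeholders, and only the exact command forms shown in the thread are parsed.

```python
import re

# Constructed sample config; addresses are documentation placeholders, not from the thread.
SAMPLE = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.20 smtp 192.168.1.20 smtp netmask 255.255.255.255
access-list smtp permit tcp any host 203.0.113.10 eq smtp
access-list smtp permit tcp any host 203.0.113.10 eq www
access-list smtp permit tcp any host 203.0.113.20 eq smtp
access-list smtp permit tcp any host 203.0.113.20 eq https
access-group smtp in interface outside
"""

STATIC = re.compile(r"^static \(\S+,\S+\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+))")
ACL = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP = re.compile(r"^access-group (\S+) in interface outside")

def audit(config):
    """Map each translated public IP to its mode, reachable ports and dead permits."""
    full, redirects, permits, bound = set(), {}, [], None
    for line in map(str.strip, config.splitlines()):
        if m := STATIC.match(line):
            if m.group(1):  # static PAT: one protocol/port pair is translated
                redirects.setdefault(m.group(2), set()).add((m.group(1), m.group(3)))
            else:           # one-to-one static: every port is translated
                full.add(m.group(6))
        elif m := ACL.match(line):
            permits.append(m.groups())
        elif m := GROUP.match(line):
            bound = m.group(1)  # only the ACL applied to outside filters inbound
    report = {}
    for ip in full | set(redirects):
        # Ports are compared as written (name vs. number is not normalised).
        allowed = {(proto, port) for name, proto, host, port in permits
                   if name == bound and host == ip}
        translated = allowed if ip in full else allowed & redirects[ip]
        report[ip] = {"mode": "one-to-one" if ip in full else "port-redirect",
                      "reachable": sorted(translated),
                      "dead_permits": sorted(allowed - translated)}
    return report

if __name__ == "__main__":
    for ip, result in sorted(audit(SAMPLE).items()):
        print(ip, result)
```

On the one-to-one address every permit in the access list exposes a port on the appliance, so the access list is the only control; on the port-redirect address the extra `https` permit is reported as dead because no translation exists for it.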
