Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
454
Views
4
Helpful
4
Replies

pix 515e config for spam appliance

jerry.mcrae
Level 1
Level 1

‎10-24-2006 02:27 PM - edited ‎03-03-2019 02:27 PM

i have a cisco pix 515e that sits in front of a symantec spam 8240 appliance. we need to nat the ip address of the box to a public ip 67.a.b.c which is done - no problem. what we need to do next is nat the virtual interface that is used for sending mail out to the same public ip. the virtual ip address cant accept mail from the outside.

i am looking for advice configuring this on the firewall.

thanks in advance.

Labels:
0 Helpful
4 Replies 4

lgijssel
Level 9
Level 9

‎10-24-2006 11:45 PM

This will be a problem. From your explanation I understand that you have configured NAT for the box. This means that everything arriving on 67.a.b.c is forwarded to the box's IP.

You cannot make an exception for SMTP or any other port/protocol so I think that you will need to use a different IP adress to xlate the virtual interface.

If you do not need to nat the whole ip adress to box outside adress you may use PAT to forward certain ports to one inside adress and other ports to a different one. In that way it will be possible to use one outside adress for both applications.

To use PAT you have to specify the desired protocol and port with the nat command:

ip nat (DMZ,outside) tcp 67.a.b.c 25 box-virt 25

Regards,

Leo

0 Helpful

baudhayan
Level 1
Level 1
In response to lgijssel

‎10-25-2006 04:27 AM

Just refer to the screenshot below for patting

Preview file
40 KB
0 Helpful

waelalghonimy
Level 1
Level 1

‎10-28-2006 10:07 AM

I have a similar design. According to your explanation you can do the following to allow smtp traffic to be directed to the Anti Spam.

IPs:

Anti Spam public IP: 67.1.2.3

Anti Spam DMZ IP: 172.168.1.41

PIX internal IP: 172.168.1.1

1- The Default Gateway for the Anti Spam must be 172.168.1.1

2- Create an access list to permit smtp traffic to the public IP (you can name it with any thing you want) by using this command:

access-list smtp permit tcp any host 67.1.2.3 eq smtp

(this command allows smtp traffic from any source if it is directed to 67.1.2.3)

3-Define NAT Role:

static (inside,outside) 67.1.2.3 192.168.1.41 netmask 255.255.255.255 0 0

4-Apply the access list on the ouside interface:

access-group smtp in interface outside

Important notes:

- there is no need for any roles on the pix to send emails just insure internet connectivity to the Anti spam.

- It is better to configure the mail server (MS change or whatever) to send outside emails directly not through the Anti Spam. Spam checking is recommended for received emails from outside only.

- You can allow any other traffic to the same IP on the same Access List. For example if that Anti Spam has Web service, you can also allow access to it by adding this command:

access-list smtp permit tcp any host 67.1.2.3 eq www

access-list smtp permit tcp any host 67.1.2.3 eq https

Thanks

Wael

jerry.mcrae
Level 1
Level 1
In response to waelalghonimy

‎10-30-2006 12:45 PM

like this?

static (inside,outside) tcp 67.a.b.c smtp 8240PrivateIP smtp netmask 255.255.255.0

global (outside) 10 67.a.b.c

nat (inside) 10 access-list SPAM

access-list SPAM permit ip host any

i got this to work - but it sent emails very slowly - is that why you suggested to only scan inbound?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card