add NAT for backup mail server in PIX 515e

Posted on 2006-06-21
Last Modified: 2010-04-11
We have added a backup exchange server running Double-Take to be used in failover situations. I think I'll need to mimic the lines for the primary mail server for the secondary in the PIX config.  I need assistance with the commands to edit and save the working config.  The pix OS Ver is  6.3.(3)

The lines below reference my primary mail server.
access-list outside_in permit tcp any host 65.x.x.192 eq smtp
static (inside,outside) 65.x.x.192 netmask 0 0

I think I'll need to add the following for the backup machine:
access-list outside_in permit tcp any host 65.x.x.193 eq smtp
static (inside,outside) 65.x.x.193 netmask 0 0

There is also a line in the current config that reads:
access-list outside_in permit tcp any host 65.x.x.192 eq www What is this for (OWA)?  Looking at an older config form this PIX when the company had a backup mail server there is not a line similar to this referencing the backup server, only the one for smtp.

Thanks in advance.
Question by:Clamsy
  • 3
  • 2
LVL 25

Expert Comment

ID: 16952531
I would make the same assumption as you and guess it was for OWA.  Those two lines for the backup machine are exactly right
you may want to also reapply the acl to the interface to be sure it applies and clear the xlate after the static entry to ensure that the backup machine is referenced correctly
access-group outside_in in interface outside
clear xlate

also, I would recommend an os upgrade to 6.3(5).  Then study the changes that have occurred in 7.x and see if you want to upgrade to that eventually.

Author Comment

ID: 16952704
OK but i am looking for what commands to use to edit the config.  I am somewhat familiar with the commands but it's a production box and I can't afford to guess. I can get to here (which isn't very far..)

telnet to pix, login, enable and then wr t.  not sure if it's 'config t' to edit or what to do after that to save the config.  

The only real work I have done with routers and firewalls is to reset the password and rebuild the config of a 2600, which was a spare. No deadline just had to make it work when we gave back the ISP their loaner.

We tried to upgrade to 6.3.(4) last year and had major problems with one of our remote connections, (outside vendor used for terminal server access) the tunnel to the remote vendor would not stay up and we had to initiate the conn from inside. after about a week of trying to figure out the problem and several remote user complaints we decieded to roll back the OS.

LVL 25

Accepted Solution

Cyclops3590 earned 500 total points
ID: 16953065
ok, after you telnet in and enable, type

config t
access-list outside_in permit tcp any host 65.x.x.192 eq smtp
static (inside,outside) 65.x.x.192 netmask 0 0
access-group outside_in in interface outside
clear xlate

so long as 65.x.x.192 is the public IP of the backup mail server and is the Inside IP of it

oh and when you confirm that the config changes work go back in and type
config t
write mem
 to save the config changes

Understand about the OS rollback, **it happens sometimes and of course keeping this working is more important than uptodate.

Author Comment

ID: 16959206
Worked thanks!  

Author Comment

ID: 16959217
Also I confirmed the www line was for owa and added that as well with the IP of the backup machine.

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Access point 6 60
Setup NAT/PAT question 3 42
Tools to detect weak WiFi routers prior connecting to it 14 104
inserting an ACL line Cisco IOS XR Software, Version 5.3.3 2 19
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now