Mapping SMTP port 25 (outside) to a different internal port (12345) (inside) on a PIX

I need to have email sent to port 25 for SMTP mail (Exchange 2007) from the Internet mapped to a different internal port.

I have an Exchange 2003 server that is running a SonicWall spam filter (not a good practice but it is what we have - for now). The spam service receives mail on port 25 from the PIX and sends mail to the Exchange 2003 server listening on port 2525. This has worked for a long time.

We are adding a new Exchange 2007 server that will replace the Exchange 2003 server after adequate testing (a month or so). The issue is the Exchange 2007 can ONLY use port 25 to talk to the Exchange 2003 - per Microsoft's tech support - and CANNOT be changed. So my easy workaround is to have the spam firewall listen on port (xxxxx) and forward the mail to Exchange on port 2525 and let the routing group connector use port 25.

What is the command for the PIX to translate port 25 externally to another port internally (12345 for example)?

Let me know what other information you need.  Thanks!
e_vanheelAsked:

lrmooreCommented:
Just use a static xlate
  static (inside,outside) tcp <public ip> 25 <private ip> 12345 netmask 255.255.255.255

e_vanheelAuthor Commented:
Does this remove this or just add to it? My real question is: does it only affect port 25 or the whole address?

This is the existing static command on the PIX:
static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Others worth noting:
no fixup protocol smtp 25

access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389

access-group mail in interface outside

timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
lrmooreCommented:
Given this existing static, we need to make some adjustments
> static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Instead of a 1-1 static nat that you have, you now have to port-forward each individual port that you have open via acl:

no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 2525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
<etc>
That might cause some issues with outbound email since your mail server would now be using the dynamic global IP, unless you make an exception for it with a new global/nat
 global (outside) 25 xx.xx.xx.147
 nat (inside) 25 172.36.10.226 255.255.255.255


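To make the "only port 25 or the whole address?" question and the outbound caveat above concrete, here is a small added model of PIX 6.x static xlate matching (example code written for this page, not from the thread or from Cisco). It parses the two static forms quoted in the thread and shows that a 1-1 static translates every port of the address in both directions, while a per-port static translates only its own port, so the other ports and the server's own outbound traffic need their own static or nat/global lines. The public address 203.0.113.147 is a constructed placeholder for xx.xx.xx.147; inside addresses are copied as written in the thread.

```python
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "imap4": 143}

@dataclass(frozen=True)
class Static:
    """One PIX 6.x 'static (inside,outside)' line; proto/ports are None for a 1-1 static."""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None
    global_port: Optional[int] = None
    local_port: Optional[int] = None

def parse_static(line: str) -> Static:
    """Parse the two static forms used in the thread (service names resolved to numbers)."""
    t = line.split()
    if t[:2] != ["static", "(inside,outside)"]:
        raise ValueError("not an (inside,outside) static: " + line)
    port = lambda tok: PORT_NAMES.get(tok) or int(tok)
    if t[2] in ("tcp", "udp"):                    # static (inside,outside) tcp GIP GPORT LIP LPORT ...
        return Static(t[3], t[5], t[2], port(t[4]), port(t[6]))
    return Static(t[2], t[3])                     # static (inside,outside) GIP LIP netmask ...

def inbound_xlate(statics, proto, dst_ip, dst_port):
    """Inside (ip, port) an inbound connection is sent to, or None when no static matches."""
    for s in statics:
        if s.global_ip != dst_ip:
            continue
        if s.proto is None:                       # 1-1 static: whole address, ports unchanged
            return (s.local_ip, dst_port)
        if s.proto == proto and s.global_port == dst_port:
            return (s.local_ip, s.local_port)     # port static: only this port, remapped
    return None

def outbound_global(statics, nat_exceptions, src_ip, dynamic_global):
    """Global IP an inside host's own outbound connections appear from."""
    for s in statics:
        if s.local_ip == src_ip and s.proto is None:
            return s.global_ip                    # a 1-1 static covers outbound too
    return nat_exceptions.get(src_ip, dynamic_global)   # else nat/global pair, else dynamic PAT

# Constructed sample: the thread's before/after lines, 203.0.113.147 standing in for xx.xx.xx.147.
BEFORE = [parse_static("static (inside,outside) 203.0.113.147 172.36.10.225 netmask 255.255.255.255 0 0")]
AFTER = [parse_static("static (inside,outside) tcp 203.0.113.147 smtp 172.36.10.226 2525 netmask 255.255.255.255"),
         parse_static("static (inside,outside) tcp 203.0.113.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255")]
NAT_EXCEPTION = {"172.36.10.226": "203.0.113.147"}   # global (outside) 25 / nat (inside) 25 pair
```

With only the two AFTER statics, inbound port 80 to the public address no longer translates at all, and the server's outbound mail leaves from the dynamic interface address unless the nat/global exception is added.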
e_vanheelAuthor Commented:
lrmoore, thanks for your help!!!
So if I understand you correctly.
no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 252525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
global (outside) 25 xx.xx.xx.147
nat (inside) 25 172.36.10.226 255.255.255.255

Should allow me to keep everything the same except port 25 will be ported to 252525...Right?

Most of the current config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 172.36.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 121 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 126 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.146 255.255.255.248
ip address inside 172.36.10.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.147 172.36.10.225 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
access-group mail in interface outside
established tcp 135 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1
route outside 172.26.8.0 255.255.252.0 xx.xx.xx.145 1
route outside 172.26.30.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.66.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.203.0 255.255.255.0 xx.xx.xx.145 1
timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.36.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
lrmooreCommented:
Yes, assuming that your new port is not 252525 (too many digits). It can be 2525.
And assuming that xx.xx.xx.147 is the IP address of your current MX record for your domain..
e_vanheelAuthor Commented:
worked like a champ!

Thanks!