Solved

Mapping SMTP port 25 (outside ) to a different internal port (12345) (inside) on a PIX

Posted on 2007-03-28
Medium Priority
378 Views
Last Modified: 2012-06-21
I need to have email sent to port 25 for SMTP mail (Exchange 2007) from the Internet mapped to a different internal port.

I have an Exchange 2003 server that is running a SonicWALL spam filter (not a good practice, but it is what we have, for now). The spam service receives mail on port 25 from the PIX and sends mail to the Exchange 2003 server listening on port 2525. This has worked for a long time.

We are adding a new Exchange 2007 server that will replace the Exchange 2003 server after adequate testing (a month or so). The issue is that Exchange 2007 can ONLY use port 25 to talk to Exchange 2003 (per Microsoft's tech support) and CANNOT be changed. So my easy workaround is to have the spam firewall listen on port (xxxxx) and forward the mail to Exchange on port 2525, and let the routing group connector use port 25.

What is the command for the PIX to translate port 25 externally to another port internally (12345, for example)?

Let me know what other information you need.  Thanks!
Question by:e_vanheel
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 18809286
Just use a static xlate
  static (inside,outside) tcp <public ip> 25 <private ip> 12345 netmask 255.255.255.255

LVL 6

Author Comment

by:e_vanheel
ID: 18809457
Does this remove this or just add to it? My real question is: does it only affect port 25 or the whole address?

This is the existing static command on the PIX:
static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Others worth noting:
no fixup protocol smtp 25

access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389

access-group mail in interface outside

timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
LVL 79

Expert Comment

by:lrmoore
ID: 18809545
Given this existing static, we need to make some adjustments:
> static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Instead of a 1-1 static nat that you have, you now have to port-forward each individual port that you have open via acl:

no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 2525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
<etc>
That might cause some issues with outbound email, since your mail server would now be using the dynamic global IP, unless you make an exception for it with a new global/nat:
 global (outside) 25 xx.xx.xx.147
 nat (inside) 25 172.36.10.226 255.255.255.255


LVL 6

Author Comment

by:e_vanheel
ID: 18809726
lrmoore, thanks for your help!!!
So, if I understand you correctly:
no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 252525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
global (outside) 25 xx.xx.xx.147
nat (inside) 25 172.36.10.226 255.255.255.255

Should allow me to keep everything the same except port 25 will be ported to 252525...Right?

Most of the current config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 172.36.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 121 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 126 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.146 255.255.255.248
ip address inside 172.36.10.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.147 172.36.10.225 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
access-group mail in interface outside
established tcp 135 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1
route outside 172.26.8.0 255.255.252.0 xx.xx.xx.145 1
route outside 172.26.30.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.66.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.203.0 255.255.255.0 xx.xx.xx.145 1
timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.36.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 18810283
Yes, assuming that your new port is not 252525 (too many digits); it can be 2525.
And assuming that xx.xx.xx.147 is the IP address of your current MX record for your domain.
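The consistency check that lrmoore's advice implies (once the 1-1 static is gone, every TCP port the outside ACL opens on a public IP needs its own per-port static, or the PIX has nowhere to deliver it), as an added Python example that is not from the thread. The config lines are constructed from the thread's redacted addresses, and the parser understands only the two static forms and the tcp access-list form used above.

```python
import re

# Constructed excerpts modelled on the thread's PIX config (xx.xx.xx.147 is the
# thread's redacted public IP, 172.36.10.226 the inside mail host); not a real config.
ACL = """
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit tcp any host xx.xx.xx.147 eq 26
"""
BEFORE = ACL + "static (inside,outside) xx.xx.xx.147 172.36.10.226 netmask 255.255.255.255 0 0\n"
AFTER = ACL + """
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 2525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
"""

SERVICES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "imap4": 143}  # PIX keywords
STATIC_PORT = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_ONE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_TCP = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)")

def port(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)

def parse(config):
    """Collect 1-1 statics, per-port statics and ACL-permitted TCP (ip, port) pairs."""
    one_to_one, port_maps, permits = {}, {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_PORT.match(line):
            gip, gport, lip, lport = m.groups()
            port_maps[(gip, port(gport))] = (lip, port(lport))
        elif m := STATIC_ONE.match(line):
            one_to_one[m.group(1)] = m.group(2)
        elif m := ACL_TCP.match(line):
            permits.append((m.group(1), port(m.group(2))))
    return one_to_one, port_maps, permits

def audit(config):
    """Map each ACL-permitted (public ip, port) to the inside (ip, port) a static
    delivers it to, or None when no static carries it and the PIX drops it."""
    one_to_one, port_maps, permits = parse(config)
    result = {}
    for gip, gport in permits:
        if (gip, gport) in port_maps:             # per-port static checked first
            result[(gip, gport)] = port_maps[(gip, gport)]
        elif gip in one_to_one:                   # 1-1 static passes every port unchanged
            result[(gip, gport)] = (one_to_one[gip], gport)
        else:
            result[(gip, gport)] = None
    return result

def unreachable(config):
    """ACL entries permitting traffic no static will deliver (ports forgotten in the rewrite)."""
    return sorted(k for k, v in audit(config).items() if v is None)
```

On the constructed AFTER config the check reports port 26 on xx.xx.xx.147 as permitted but untranslated, which is exactly the `<etc>` line in the accepted approach that must not be skipped.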
LVL 6

Author Comment

by:e_vanheel
ID: 18839218
Worked like a champ!

Thanks!