• Status: Solved
  • Priority: Medium
  • Security: Public

Mapping SMTP port 25 (outside) to a different internal port (12345) (inside) on a PIX

I need to have email sent to port 25 for SMTP mail (Exchange 2007) from the Internet mapped to a different internal port.

I have an Exchange 2003 server that is running a SonicWall spam filter (not a good practice, but it is what we have - for now).  The spam service receives mail on port 25 from the PIX and sends mail to the Exchange 2003 server listening on port 2525.  This has worked for a long time.

We are adding a new Exchange 2007 server that will replace the Exchange 2003 server after adequate testing (a month or so).  The issue is that Exchange 2007 can ONLY use port 25 to talk to Exchange 2003 - per Microsoft's tech support - and this CANNOT be changed.  So my easy workaround is to have the spam firewall listen on port (xxxxx) and forward the mail to Exchange on port 2525, and let the routing group connector use port 25.

What is the command for the PIX to translate port 25 externally to another port internally (12345, for example)?

Let me know what other information you need.  Thanks!
Asked by: e_vanheel

1 Solution

lrmoore commented:
Just use a static xlate
  static (inside,outside) tcp <public ip> 25 <private ip> 12345 netmask 255.255.255.255

e_vanheel (Author) commented:
Does this remove this or just add to it?  My real question is: does it only affect port 25 or the whole address?

This is the existing static command on the PIX:
static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Others worth noting:
no fixup protocol smtp 25

access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389

access-group mail in interface outside

timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
lrmoore commented:
Given this existing static, we need to make some adjustments:
> static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Instead of the 1-1 static NAT that you have, you now have to port-forward each individual port that you have open via the ACL:

no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 2525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
<etc>
That might cause some issues with outbound email, since your mail server would now be using the dynamic global IP, unless you make an exception for it with a new global/nat pair:
 global (outside) 25 xx.xx.xx.147
 nat (inside) 25 172.36.10.226 255.255.255.255


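As an added check (not code from the thread or from Cisco): a small Python script that reads the PIX 6.x static and access-list lines quoted above and reports, for each TCP permit on the outside ACL, which inside endpoint it actually reaches. It makes the answer's point concrete: with the 1:1 static, every port the ACL permits lands on the same inside host; once that static is removed, a permit with no port static behind it reaches nothing, so each open port needs its own static. The sample config strings are constructed from the thread's own lines.

```python
import re

# Constructed sample (values from the thread): the original 1:1 static for
# .147 versus the per-port statics proposed in the answer, with the "mail" ACL.
BEFORE = """
static (inside,outside) xx.xx.xx.147 172.36.10.225 netmask 255.255.255.255 0 0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit tcp any host xx.xx.xx.147 eq 26
"""
AFTER = """
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 2525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit tcp any host xx.xx.xx.147 eq 26
"""

# PIX port keywords used on this page, mapped to port numbers.
NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "imap4": 143}
PORT_STATIC = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ONE_TO_ONE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_TCP = re.compile(r"^access-list \S+ permit tcp any host (\S+) eq (\S+)$")

def port(tok: str) -> int:
    return int(tok) if tok.isdigit() else NAMES[tok]

def exposure(config: str) -> list:
    """For each TCP permit on the outside ACL, report the inside endpoint it
    reaches: via a port static, via a 1:1 static (every permitted port lands
    on the same host), or nowhere (no translation behind the permit)."""
    per_port, one_to_one, permits = {}, {}, []
    for line in config.strip().splitlines():
        if m := PORT_STATIC.match(line):
            per_port[(m[1], port(m[2]))] = (m[3], port(m[4]))
        elif m := ONE_TO_ONE.match(line):
            one_to_one[m[1]] = m[2]
        elif m := ACL_TCP.match(line):
            permits.append((m[1], port(m[2])))
    findings = []
    for gip, gport in permits:
        if (gip, gport) in per_port:
            lip, lport = per_port[(gip, gport)]
            findings.append(f"{gip}:{gport} -> {lip}:{lport} (port static)")
        elif gip in one_to_one:
            findings.append(f"{gip}:{gport} -> {one_to_one[gip]}:{gport} (1:1 static)")
        else:
            findings.append(f"{gip}:{gport} permitted but has no static: dropped")
    return findings
```

Running `exposure(AFTER)` shows port 26 is still permitted by the ACL but no longer translated, which is exactly the "port-forward each individual port" step the answer calls for.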
e_vanheel (Author) commented:
lrmoore, thanks for your help!!!
So, if I understand you correctly:
no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 252525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
global (outside) 25 xx.xx.xx.147
nat (inside) 25 172.36.10.226 255.255.255.255

should allow me to keep everything the same, except port 25 will be ported to 252525... Right?

Most of the current config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 172.36.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 121 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 126 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.146 255.255.255.248
ip address inside 172.36.10.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.147 172.36.10.225 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
access-group mail in interface outside
established tcp 135 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1
route outside 172.26.8.0 255.255.252.0 xx.xx.xx.145 1
route outside 172.26.30.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.66.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.203.0 255.255.255.0 xx.xx.xx.145 1
timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.36.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
lrmoore commented:
Yes, assuming that your new port is not 252525 (too many digits). It can be 2525.
And assuming that xx.xx.xx.147 is the IP address of your current MX record for your domain.
e_vanheel (Author) commented:
Worked like a champ!

Thanks!