Solved

Mapping SMTP port 25 (outside) to a different internal port (12345) (inside) on a PIX

Posted on 2007-03-28
7
353 Views
Last Modified: 2012-06-21
I need to have email sent to port 25 for SMTP mail (Exchange 2007) from the Internet mapped to a different internal port.

I have an Exchange 2003 server that is running a SonicWall spam filter (not a good practice, but it is what we have - for now).  The spam service receives mail on port 25 from the PIX and sends mail to the Exchange 2003 server listening on port 2525.  This has worked for a long time.  

We are adding a new Exchange 2007 server that will replace the Exchange 2003 server after adequate testing (a month or so).  The issue is that the Exchange 2007 can ONLY use port 25 to talk to the Exchange 2003 - per Microsoft's tech support - and CANNOT be changed.  So my easy workaround is to have the spam firewall listen on port (xxxxx) and forward the mail to Exchange on port 2525 and let the routing group connector use port 25.

What is the command for the PIX to translate port 25 externally to another port internally (12345, for example)?

Let me know what other information you need.  Thanks!
0
Question by:e_vanheel
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
Just use a static xlate:
  static (inside,outside) tcp <public ip> 25 <private ip> 12345 netmask 255.255.255.255

0
 
LVL 6

Author Comment

by:e_vanheel
Does this remove this or just add to it?  My real question is: does it only affect port 25 or the whole address?

This is the existing static command on the PIX:
static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Others worth noting:
no fixup protocol smtp 25

access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389

access-group mail in interface outside

timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
0
 
LVL 79

Expert Comment

by:lrmoore
Given this existing static, we need to make some adjustments.
> static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255 0 0

Instead of the 1-1 static NAT that you have, you now have to port-forward each individual port that you have open via ACL:

no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 2525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
<etc>
That might cause some issues with outbound email, since your mail server would now be using the dynamic global IP, unless you make an exception for it with a new global/nat:
 global (outside) 25 xx.xx.xx.147
 nat (inside) 25 172.36.10.226 255.255.255.255


0

 
LVL 6

Author Comment

by:e_vanheel
lrmoore, thanks for your help!!!
So, if I understand you correctly:
no static (inside,outside) <public IP> 172.36.10.225 netmask 255.255.255.255
clear xlate
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 252525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
global (outside) 25 xx.xx.xx.147
nat (inside) 25 172.36.10.226 255.255.255.255

Should allow me to keep everything the same except port 25 will be ported to 252525...Right?

Most of the current config:
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 172.36.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 100 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 121 permit ip 172.36.10.0 255.255.255.0 172.36.66.0 255.255.255.0
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.8.0 255.255.252.0
access-list 200 permit ip 172.36.10.0 255.255.255.0 172.26.30.0 255.255.255.0
access-list 126 permit ip 172.36.10.0 255.255.255.0 172.36.203.0 255.255.255.0
pager lines 24
logging on
logging buffered notifications
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.146 255.255.255.248
ip address inside 172.36.10.220 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 192.168.2.1-192.168.2.30
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) xx.xx.xx.147 172.36.10.225 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
access-group mail in interface outside
established tcp 135 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.145 1
route outside 172.26.8.0 255.255.252.0 xx.xx.xx.145 1
route outside 172.26.30.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.66.0 255.255.255.0 xx.xx.xx.145 1
route outside 172.36.203.0 255.255.255.0 xx.xx.xx.145 1
timeout xlate 0:10:00
timeout conn 0:05:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 172.36.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
0
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
Yes, assuming that your new port is not 252525 (too many digits). It can be 2525.
And assuming that xx.xx.xx.147 is the IP address of your current MX record for your domain..
0
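Added example, not from this thread and not Cisco's or SonicWall's code: a small Python audit of the PIX lines the thread is working with. It parses the `access-list mail` permits and the `static (inside,outside)` entries, reports for each permitted public port whether it is served by a per-port static, by a remaining 1-1 static, or by nothing at all (the gap lrmoore warns about once the 1-1 static for xx.xx.xx.147 is removed and only smtp and pop3 have been port-forwarded), and flags any static whose port lies outside 0..65535, which is the 252525 slip the accepted answer points out. The sample input is constructed from the config posted above with the author's masked addresses kept as-is; the service-name table is a short subset of what the PIX accepts, and `suggest_port_statics` assumes the inside port equals the outside port, an assumption of this example rather than something the thread states.

```python
"""Audit PIX 6.x-style access-list permits against static translations."""
import re

# Subset of the service names the PIX accepts in "eq" clauses and static port fields.
SERVICE_PORTS = {"smtp": 25, "pop3": 110, "www": 80, "https": 443,
                 "imap4": 143, "ftp": 21, "ssh": 22, "telnet": 23}

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+(\S+)\s+any\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$")
PORT_STATIC_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask")
ONE_TO_ONE_RE = re.compile(
    r"^static\s+\(inside,outside\)\s+(\S+)\s+(\S+)\s+netmask")

# Constructed sample: the thread's "mail" ACL plus the proposed statics, including
# the mistyped local port 252525 and the three 1-1 statics that stay in place.
SAMPLE = """
access-list mail permit tcp any host xx.xx.xx.147 eq smtp
access-list mail permit tcp any host xx.xx.xx.147 eq pop3
access-list mail permit icmp any any
access-list mail permit tcp any host xx.xx.xx.147 eq www
access-list mail permit ip any host xx.xx.xx.148
access-list mail permit tcp any host xx.xx.xx.147 eq 993
access-list mail permit tcp any host xx.xx.xx.147 eq https
access-list mail permit tcp any host xx.xx.xx.147 eq imap4
access-list mail permit tcp any host xx.xx.xx.147 eq 26
access-list mail permit tcp any host xx.xx.xx.149 eq smtp
access-list mail permit tcp any host xx.xx.xx.150 eq 3389
no static (inside,outside) xx.xx.xx.147 172.36.10.225 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 smtp 172.36.10.226 252525 netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.147 pop3 172.36.10.226 pop3 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.148 172.36.10.226 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.149 172.36.10.224 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.xx.150 172.36.10.228 netmask 255.255.255.255 0 0
""".strip().splitlines()


def port_number(token):
    """Resolve a service name or numeric port token; the value may be out of range."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_config(lines):
    """Return (acl_entries, statics). acl_entries are (proto, public_host, port|None)."""
    acl, statics = [], []
    for raw in lines:
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            proto, host, port = m.groups()
            acl.append((proto, host, port_number(port) if port else None))
            continue
        m = PORT_STATIC_RE.match(line)
        if m:
            proto, gip, gport, lip, lport = m.groups()
            statics.append({"kind": "port", "proto": proto, "global": gip,
                            "gport": port_number(gport), "local": lip,
                            "lport": port_number(lport)})
            continue
        m = ONE_TO_ONE_RE.match(line)
        if m:
            gip, lip = m.groups()
            statics.append({"kind": "one-to-one", "global": gip, "local": lip})
    return acl, statics


def invalid_port_statics(statics):
    """Port statics whose global or local port is outside 0..65535 (e.g. 252525)."""
    return [s for s in statics if s["kind"] == "port"
            and not (0 <= s["gport"] <= 65535 and 0 <= s["lport"] <= 65535)]


def exposure(acl, statics):
    """For each ACL permit, record which translation (if any) would serve it."""
    findings = []
    for proto, host, port in acl:
        one = next((s for s in statics
                    if s["kind"] == "one-to-one" and s["global"] == host), None)
        if port is None:  # "permit ip any host X" opens every port of that host
            findings.append({"public": host, "port": None,
                             "status": "all-ports" if one else "no-translation",
                             "target": f"{one['local']}:*" if one else None})
            continue
        ps = next((s for s in statics if s["kind"] == "port" and s["proto"] == proto
                   and s["global"] == host and s["gport"] == port), None)
        if ps:
            status, target = "port-static", f"{ps['local']}:{ps['lport']}"
        elif one:
            status, target = "one-to-one", f"{one['local']}:{port}"
        else:
            status, target = "no-translation", None  # permitted, but nothing answers
        findings.append({"public": host, "port": port, "status": status, "target": target})
    return findings


def suggest_port_statics(findings, inside_host):
    """Draft port statics for permitted-but-untranslated ports (assumes same port inside)."""
    return [f"static (inside,outside) tcp {f['public']} {f['port']} {inside_host} "
            f"{f['port']} netmask 255.255.255.255"
            for f in findings if f["status"] == "no-translation" and f["port"] is not None]


if __name__ == "__main__":
    acl, statics = parse_config(SAMPLE)
    for bad in invalid_port_statics(statics):
        print(f"invalid port in static: {bad}")
    for f in exposure(acl, statics):
        print(f"{f['public']}:{f['port'] or '*'} -> {f['status']} {f['target'] or ''}")
    print("\n".join(suggest_port_statics(exposure(acl, statics), "172.36.10.226")))
```

Run against the thread's config, the audit shows the two intended port statics, the three untouched 1-1 statics for .148, .149 and .150, and five ports on xx.xx.xx.147 (www, 993, https, imap4, 26) that the ACL still permits but that no longer translate anywhere once the 1-1 static is removed; those are the entries lrmoore's `<etc>` stands for. The `no static` and `clear xlate` lines are deliberately ignored, so what is audited is the state after the removal.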
 
LVL 6

Author Comment

by:e_vanheel
Worked like a champ!

Thanks!
0
 
LVL 6

Author Comment

by:e_vanheel
0