Solved

PIX Static Translations

Posted on 2007-03-28
490 Views
Last Modified: 2010-04-09
Hello,

I've installed a PIX 515e. We have an Exim mail relay that sits in front of the PIX. The mail relay was connecting to our Exchange 5.5 servers before the PIX installation through a router only, but now they are sitting behind the PIX. How can I get this traffic to pass through the PIX and reach the mail servers? I don't know how to do it using a static xlate because there is one IP for the mail relay but five mail servers behind the PIX, each with its own IP.
Question by:Ciderspine
10 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18811706
Do you have 5 public IP addresses for static translations for your mail servers?  If you don't, then you can use one IP address along with port redirection to your inside mail servers.  Post back with the info and I can explain how to do it one way or the other.
 

Author Comment

by:Ciderspine
ID: 18812051
Yes, I have 5 public addresses. The mail servers are already assigned public addresses if that matters.

The relay has an alias list which tells it which mail server to smart-host the mail to. So the relay has a list of 5 public addresses which correspond to the mail servers behind the PIX. Can you do static translations like NAT 0 so the address remains the same on the other side of the PIX? Hope this info helps.

Thanks,
Ben
 

Author Comment

by:Ciderspine
ID: 18812571
After some research, I think I've found the answer. You can static NAT an IP to itself, like so:

static (inside,outside) tcp 192.168.1.100 smtp 192.168.1.100 smtp 255.255.255.255
                                         ^ mail server behind PIX

Do you think this will work if I add a translation for each mail server?

Ben
 
LVL 28

Expert Comment

by:batry_boy
ID: 18812947
No, I would continue to use the 5 public addresses you are using now for the mail servers.  You would specify these addresses in the static command you mentioned above.  You can either implement the static using one-to-one IP address mapping that would allow you to forward any port (not just smtp) to the inbound mail server if you wanted to...or you can use the form you used above which is called port redirection where you are redirecting only specific ports (in your example, the smtp port) to the inbound server.   The syntax between the two forms is very similar.  Here is the one-to-one IP mapping syntax of the static command using 1.1.1.1 as one of your mail server's public IP addresses:

static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255

Here is the syntax for the port redirection static command (like you used in your last post, but with the public IP address being used):

static (inside,outside) tcp 1.1.1.1 smtp 192.168.1.100 smtp netmask 255.255.255.255

So, if you were to use one-to-one mappings like I suggested above, here is the set of commands you would need to put in your PIX to get traffic flowing (assuming the following values):

Mail server public IP address 1 : 1.1.1.1
Mail server public IP address 2 : 1.1.1.2
Mail server public IP address 3 : 1.1.1.3
Mail server public IP address 4 : 1.1.1.4
Mail server public IP address 5 : 1.1.1.5
Mail server private IP address 1 : 192.168.1.100
Mail server private IP address 2 : 192.168.1.101
Mail server private IP address 3 : 192.168.1.102
Mail server private IP address 4 : 192.168.1.103
Mail server private IP address 5 : 192.168.1.104

Mail relay public IP address : 1.1.1.10

-----BEGIN COMMANDS------
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255
static (inside,outside) 1.1.1.2 192.168.1.101 netmask 255.255.255.255
static (inside,outside) 1.1.1.3 192.168.1.102 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 192.168.1.103 netmask 255.255.255.255
static (inside,outside) 1.1.1.5 192.168.1.104 netmask 255.255.255.255
access-list acl_outside_in permit tcp host 1.1.1.10 host 1.1.1.1 eq smtp
access-list acl_outside_in permit tcp host 1.1.1.10 host 1.1.1.2 eq smtp
access-list acl_outside_in permit tcp host 1.1.1.10 host 1.1.1.3 eq smtp
access-list acl_outside_in permit tcp host 1.1.1.10 host 1.1.1.4 eq smtp
access-list acl_outside_in permit tcp host 1.1.1.10 host 1.1.1.5 eq smtp
access-group acl_outside_in in interface outside
-----END COMMANDS------

Let me know if I need to clarify any of this.
 

Author Comment

by:Ciderspine
ID: 18814208
I was hoping I could do it without changing the mail servers' IPs. For example, the alias list in Exim points to the mail servers' IPs, which are public IPs. So, in order for the above to work, I would have to change or assign a secondary IP to each mail server?

Ben

 
LVL 28

Expert Comment

by:batry_boy
ID: 18815423
The problem is that you want to move the mail servers behind the PIX which is a Layer 3 device.  This means that you have to put them on a different subnet if you want them to sit behind the PIX.  This means that you will not be able to keep the same IP addresses on the mail server since you're moving them to a different subnet.

If the mail server can have a secondary address, then this may be the way to go if you don't want to change the mail server's main IP addresses.
 

Author Comment

by:Ciderspine
ID: 18820011
The mail servers are already behind the PIX and they are on a different subnet. I tried just a no NAT static translation and it's working, so the relay is reaching the mail servers. Sorry about the confusion - I didn't make the question very clear at the start.

Now, strangely, I'm having a problem with creating static translations from a public IP to a private IP. Server behind the PIX has a private IP. I've added a static translation like so:

static (inside,outside) tcp 1.1.1.1 3389 172.16.72.1 3389

The 1.1.1.1 represents a public IP from the network assigned to the PIX outside interface.

Am I right in assuming that the PIX will translate any traffic destined for port 3389 on 1.1.1.1 (access lists permitting) to 3389 on 172.16.72.1?

I just can't get it to work - it's as if it's not reaching the outside of the PIX as I can't see anything in the PIX logs.

Thanks,

Ben
 
LVL 28

Accepted Solution

by:batry_boy (earned 500 total points)
ID: 18821034
Yes, your understanding is correct about the use of the static command. If you had the following 3 statements, you should be able to access an RDP session on host 172.16.72.1 by pointing your external client to 1.1.1.1:

static (inside,outside) tcp 1.1.1.1 3389 172.16.72.1 3389 netmask 255.255.255.255
access-list acl_outside_in permit tcp any host 1.1.1.1 eq 3389
access-group acl_outside_in in interface outside

Why don't you post your current PIX config and we can take a look?  It will probably clear some things up...
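As an added example (not code from this thread, from batry_boy, or from Cisco), here is a small Python audit covering both the one-to-one and port-redirection static forms shown earlier and the RDP redirection in the accepted solution. It parses PIX 6.x-style static and access-list lines from a constructed sample config, flags the kind of defects that appeared in the thread (a malformed address, a missing netmask), and reports for each translation which outside sources the ACL actually admits, so a wide-open permit on a redirected port stands out. The SVC map, the sample addresses and the 1.1.1.3. typo are constructed for the example.

```python
import re

SVC = {"smtp": "25"}   # PIX service names used in this thread -> port numbers
STATIC = re.compile(r"static \(\w+,\w+\)(?: (tcp|udp) (\S+) (\S+) (\S+) \S+| (\S+) (\S+))(?: netmask (\S+))?$")
ACL = re.compile(r"access-list \S+ permit (\w+) (any|host \S+) (any|host \S+)(?: eq (\S+))?$")
# Constructed sample modelled on the thread's commands; not a real device configuration.
SAMPLE_CONFIG = """\
static (inside,outside) 1.1.1.1 192.168.1.100 netmask 255.255.255.255
static (inside,outside) 1.1.1.4 192.168.1.103 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.2 3389 172.16.72.1 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3. 3389 172.16.72.2 3389 netmask 255.255.255.255
access-list acl_outside_in permit tcp host 1.1.1.10 host 1.1.1.1 eq smtp
access-list acl_outside_in permit tcp any host 1.1.1.2 eq 3389
"""

def parse_static(line):
    """Parse a PIX 6.x static: one-to-one (GLOBAL LOCAL) or port redirection (tcp GLOBAL GP LOCAL LP)."""
    m = STATIC.match(line)
    if not m or not m[7]:
        raise ValueError("expected '... GLOBAL [PORT] LOCAL [PORT] netmask MASK'")
    proto, gaddr, gport, laddr = (m[1], m[2], m[3], m[4]) if m[1] else (None, m[5], None, m[6])
    bad = [a for a in (gaddr, laddr) if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", a)]
    if bad:
        raise ValueError(f"malformed address {bad[0]!r}")
    return {"proto": proto, "global": gaddr, "port": SVC.get(gport, gport), "local": laddr}

def parse_acl(line):
    # access-list NAME permit PROTO (any|host A) (any|host B) [eq PORT]; None if not this form
    m = ACL.match(line)
    return m and {"proto": m[1], "port": SVC.get(m[4], m[4]),
                  "src": m[2].replace("host ", ""), "dst": m[3].replace("host ", "")}

def audit(config):
    """Report lines that fail to parse, then, per static, which outside sources the ACL admits."""
    statics, acls, findings = [], [], []
    for ln, line in enumerate(config.splitlines(), 1):
        try:
            if line.startswith("static "):
                statics.append(parse_static(line))
            elif (a := parse_acl(line)):
                acls.append(a)
        except ValueError as e:
            findings.append(f"line {ln}: syntax error: {e}")
    for s in statics:
        srcs = sorted({a["src"] for a in acls if a["dst"] in ("any", s["global"])
                       and a["proto"] in ("ip", s["proto"] or a["proto"])
                       and (s["port"] is None or a["port"] in (None, s["port"]))})
        who = ("no ACL entry permits inbound traffic" if not srcs else
               "exposed to any source" if "any" in srcs else f"reachable from {', '.join(srcs)}")
        findings.append(f"{s['global']}/{s['port'] or 'all ports'} -> {s['local']}: {who}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see one line per defect and one per translation; the access-group binding is not modelled, so the report assumes the list is applied inbound on the outside interface.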
 

Author Comment

by:Ciderspine
ID: 18822048
Thanks,

Will post config later.

Ben
 

Author Comment

by:Ciderspine
ID: 18824990
Well, it's resolved now. I think it was a number of things but an access-list on a downstream router was the main problem. Thanks for your assistance.

Ben
