Solved

PIX static PAT on public IP to SMTP and HTTPS doesn't use the same public IP outbound, breaks reverse DNS

Posted on 2007-08-07
Last Modified: 2013-11-30
I have a PIX 506 running 6.3.5 and just got an antivirus/spam appliance which I put in front of my mail server, which before had a static NAT statement mapping one public IP and all services to one private IP with all services. This worked without any issue, as when the server was communicating outbound to the world it would use that public IP and thus not break reverse DNS. But now that I've put this appliance in and changed my static NAT to a static PAT, routing port 25 to the AV appliance and HTTPS and RPC over HTTP to my Exchange server, the Exchange server uses the global IP pool for outbound and is breaking reverse DNS, causing a bunch of:

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <corp11.lan.xxx.com #5.5.0 smtp;553 Bogus helo zefabryzzm. <http://unblock.secureserver.net/?ip=204.x.x163>>

Here is the static NAT which I had previously before the AV Appliance:
static (inside,outside) 204.x.x.168  192.168.100.18 netmask 255.255.255.255 0 0

After Appliance:
static (inside,outside) tcp 204.x.x.168 smtp 192.168.100.26 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 993 192.168.100.18 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 https 192.168.100.18 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6001 192.168.100.18 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6002 192.168.100.18 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6004 192.168.100.18 6004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 pop3 192.168.100.18 pop3 netmask 255.255.255.255 0 0

Also here is my global pool info:
global (outside) 1 204.x.x.163
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So basically what I am trying to do is use the static PAT to two servers, but make them both communicate outbound on the same PAT IP.
Question by: Veros1
Accepted Solution by: lrmoore
Try this:
global (outside) 2 204.x.x.168
nat (inside) 2 192.168.100.26 255.255.255.255
nat (inside) 2 192.168.100.18 255.255.255.255

This lets all the outbound traffic for these two servers share the same external IP as the inbound SMTP, and it should work. If it doesn't work, you might have to change all the nat/global statements to change the priority, like this:
global (outside) 1 204.x.x.168
nat (inside) 1 192.168.100.26 255.255.255.255
nat (inside) 1 192.168.100.18 255.255.255.255
global (outside) 2 204.x.x.163
nat (inside) 2 0 0 0

Author Comment by: Veros1
I'll try that tonight; I can't really put it in place right now, but I think it will do the trick as long as I have the priorities synced up. Weird thing is, though, I swear I've done PATs like this and the servers have used the PATed IP for outbound. I'm wondering if maybe it's the version of code I'm running; unfortunately this thing's so old it doesn't meet the requirements for 7.0, so I can't check that.
Expert Comment by: lrmoore
6.3(5) is the latest available for the PIX 506.
Outbound SMTP uses an ephemeral (dynamic) source port with destination port 25, and therefore cannot use the same PAT IP as it does for inbound, because the static PAT is only bound to port 25.
Author Comment by: Veros1
Thanks, lrmoore!!! Worked like a charm, but I actually changed it a bit to the following:

access-list mail permit ip host 192.168.100.26 any
access-list mail permit ip host 192.168.100.18 any
nat (inside) 2 access-list mail
global (outside) 2 204.x.x.168
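The point lrmoore makes above (a static PAT is bound to one port, so an outbound SMTP client with an ephemeral source port falls through to the dynamic pool) and the two fixes in this thread (per-host nat/global pairs in the accepted solution, and the poster's policy NAT with an access-list) can be checked against a small model of the PIX NAT rule order. The script below is an added example written for this page, not code from the thread or from Cisco. It assumes the matching order documented for PIX/ASA 7.x (NAT exemption, then static NAT/PAT, then policy dynamic NAT, then regular dynamic NAT with the most specific real prefix winning); PIX 6.3 is assumed to behave the same, which is worth confirming with `show xlate` on the box. The masked 204.x.x.163/.168 addresses are replaced with documentation addresses 203.0.113.163/.168, and the destination MTA 198.51.100.25 is constructed.

```python
"""NAT rule-order simulator: why a static PAT does not carry outbound traffic."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Documentation addresses stand in for the thread's masked 204.x.x.163/.168.
POOL_IP = "203.0.113.163"   # global (outside) 1, the catch-all pool
MAIL_IP = "203.0.113.168"   # the address the MX and PTR records point at
AV_BOX, EXCHANGE = "192.168.100.26", "192.168.100.18"


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str] = None   # None: static NAT, all ports
    port: Optional[int] = None    # set: static PAT bound to this one port


@dataclass
class NatConfig:
    exempt_hosts: set = field(default_factory=set)  # nat (inside) 0 access-list
    statics: list = field(default_factory=list)     # static (inside,outside) ...
    policy: list = field(default_factory=list)      # (hosts permitted by ACL, global ip)
    dynamic: list = field(default_factory=list)     # (real network, global ip)


def translate_outbound(cfg: NatConfig, flow: Flow):
    """Return (mapped source ip, matching rule) for an inside->outside flow.

    Assumed order (PIX/ASA 7.x documentation; assumed to hold on 6.3):
    exemption, static NAT/PAT, policy dynamic NAT, regular dynamic NAT
    with the most specific real prefix winning.
    """
    if flow.src_ip in cfg.exempt_hosts:
        return flow.src_ip, "nat 0 access-list"
    for s in cfg.statics:
        if s.local_ip != flow.src_ip:
            continue
        if s.port is None:
            return s.global_ip, "static NAT"
        # A static PAT only carries outbound flows whose *source* port is the
        # bound port; an SMTP client picks an ephemeral source port instead.
        if s.proto == flow.proto and s.port == flow.src_port:
            return s.global_ip, f"static PAT {s.proto}/{s.port}"
    for hosts, gip in cfg.policy:
        if flow.src_ip in hosts:
            return gip, "policy NAT (nat id access-list)"
    best = None
    src = ip_address(flow.src_ip)
    for net, gip in cfg.dynamic:
        n = ip_network(net)
        if src in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gip)
    if best:
        return best[1], f"dynamic NAT {best[0]}"
    return None, "no translation"


def static_pats():
    """The post-appliance static PAT lines from the question."""
    return [Static(MAIL_IP, AV_BOX, "tcp", 25)] + [
        Static(MAIL_IP, EXCHANGE, "tcp", p) for p in (993, 443, 6001, 6002, 6004, 110)]


def before_appliance():   # one static NAT for the Exchange server
    return NatConfig(statics=[Static(MAIL_IP, EXCHANGE)], dynamic=[("0.0.0.0/0", POOL_IP)])


def static_pat_only():    # the broken state described in the question
    return NatConfig(statics=static_pats(), dynamic=[("0.0.0.0/0", POOL_IP)])


def accepted_solution():  # lrmoore: nat (inside) 2 per host, global (outside) 2 = mail ip
    return NatConfig(statics=static_pats(), dynamic=[
        (f"{AV_BOX}/32", MAIL_IP), (f"{EXCHANGE}/32", MAIL_IP), ("0.0.0.0/0", POOL_IP)])


def author_final():       # Veros1: nat (inside) 2 access-list mail, global (outside) 2
    return NatConfig(statics=static_pats(), policy=[({AV_BOX, EXCHANGE}, MAIL_IP)],
                     dynamic=[("0.0.0.0/0", POOL_IP)])


def outbound_smtp_source(cfg: NatConfig, host: str = EXCHANGE):
    """Source address a remote MTA sees when `host` opens an SMTP session."""
    return translate_outbound(cfg, Flow(host, 49152, "198.51.100.25", 25))


if __name__ == "__main__":
    for name, cfg in [("before appliance", before_appliance()),
                      ("static PAT only", static_pat_only()),
                      ("accepted solution", accepted_solution()),
                      ("author's policy NAT", author_final())]:
        print(f"{name:22} -> {outbound_smtp_source(cfg)}")
```

Run as-is it prints the mapped source address for each of the four configurations: the static NAT and both fixes yield 203.0.113.168, while the static-PAT-only configuration falls through to the 203.0.113.163 pool, which is the address the remote MTA then fails to match against the HELO name. The policy-NAT variant is the more robust of the two fixes because it sits one tier above regular dynamic NAT and so does not depend on how the box orders overlapping `nat` statements; any other inside host still lands on the pool address.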
Expert Comment by: lrmoore
Always more than one way to skin a cat...
Thanks!