PIX static PAT on public IP to SMTP and HTTPS doesn't use the same public IP outbound, breaks reverse DNS

I have a PIX 506 running 6.3.5 and just got an antivirus/spam appliance which I put in front of my mail server, which before had a static NAT statement mapping 1 public IP and all services to 1 private IP with all services. This worked without any issue, as when the server was communicating outbound to the world it would use that public IP and thus not break reverse DNS. But now that I've put this appliance in and changed my static NAT to a static PAT, routing port 25 to the AV appliance and HTTPS and RPC over HTTP to my Exchange server, the Exchange server uses the global IP pool for outbound and is breaking reverse DNS, causing a bunch of:

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <corp11.lan.xxx.com #5.5.0 smtp;553 Bogus helo zefabryzzm. <http://unblock.secureserver.net/?ip=204.x.x163>>

Here is the static NAT which I had previously before the AV Appliance:
static (inside,outside) 204.x.x.168  192.168.100.18 netmask 255.255.255.255 0 0

After the appliance:
static (inside,outside) tcp 204.x.x.168 smtp 192.168.100.26 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 993 192.168.100.18 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 https 192.168.100.18 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6001 192.168.100.18 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6002 192.168.100.18 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6004 192.168.100.18 6004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 pop3 192.168.100.18 pop3 netmask 255.255.255.255 0 0

Also here is my global pool info:
global (outside) 1 204.x.x.163
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So basically what I am trying to do is use the static PAT to 2 servers, but make them both communicate outbound on the same PAT IP.
Veros1 asked:

lrmoore commented:
Try this:
global (outside) 2 204.x.x.168
nat (inside) 2 192.168.100.26 255.255.255.255
nat (inside) 2 192.168.100.18 255.255.255.255

This lets all the outbound for these two servers share the same external IP as the inbound SMTP and it should work. If it doesn't work, you might have to change all the nat/global to change the priority like this:
global (outside) 1 204.x.x.168
nat (inside) 1 192.168.100.26 255.255.255.255
nat (inside) 1 192.168.100.18 255.255.255.255
global (outside) 2 204.x.x.163
nat (inside) 2 0 0 0
Veros1 (author) commented:
I'll try that tonight, can't really put it in place right now, but I think it will do the trick as long as I have the priorities synced up. Weird thing is though, I swear I've done PATs like this and the servers have used the PATed IP for outbound. I'm wondering if maybe it's the version of code I'm running; unfortunately this thing's so old, it doesn't meet the requirements for 7.0 so I can't check that.
lrmoore commented:
6.3(5) is the latest available for the PIX 506.
Outbound SMTP uses an ephemeral (dynamic) source port with destination port 25 and therefore cannot use the same PAT IP as it does for inbound, because the PAT is bound only to port 25.
Veros1 (author) commented:
Thx lrmoore!!! Worked like a charm, but I actually changed it a bit to the following:

access-list mail permit ip host 192.168.100.26 any
access-list mail permit ip host 192.168.100.18 any
nat (inside) 2 access-list mail
global (outside) 2 204.x.x.168
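To make lrmoore's explanation concrete (a static PAT binds one inside port, so an outbound SMTP session leaving from an ephemeral port falls through to the dynamic nat/global pool), here is a small Python model of how the PIX picks a translation for a flow. It is an added example, not Cisco code and not anything posted in this thread. It encodes the evaluation order Cisco documents for PIX/ASA NAT (static NAT/PAT first, then policy NAT keyed on an access-list, then regular dynamic NAT by best, i.e. most specific, inside match) and assumes that order applies unchanged to 6.3(5). The three configurations it builds mirror the statics posted above, the original nat 1/global 1 pair, lrmoore's first suggestion, and the access-list form the asker settled on. The public addresses are constructed stand-ins from 203.0.113.0/24 in place of the thread's 204.x.x.x values.

```python
"""Model of translation selection on a PIX 6.3 (added example, not Cisco code).

Assumed evaluation order, as documented for PIX/ASA NAT:
  1. static NAT / static PAT
  2. policy dynamic NAT  ("nat (inside) <id> access-list ...")
  3. regular dynamic NAT ("nat (inside) <id> <net> <mask>"), best match by prefix length
Public IPs below are constructed stand-ins, not the thread's real addresses.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class StaticPat:
    """One 'static (inside,outside) tcp <gip> <gport> <lip> <lport>' line."""
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass
class NatRule:
    """A 'nat (inside) <id> ...' line: either a network/mask or an access-list."""
    nat_id: int
    inside: Optional[IPv4Network] = None        # regular dynamic NAT
    acl_hosts: frozenset = frozenset()           # policy NAT (hosts permitted by the ACL)


@dataclass
class PixNat:
    statics: list = field(default_factory=list)
    rules: list = field(default_factory=list)
    globals: dict = field(default_factory=dict)  # nat_id -> address from 'global (outside) <id> <ip>'

    def outbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[str]:
        """Public source address chosen for a flow initiated from the inside."""
        # 1) Static PAT only matches when the inside *source* port is the bound port.
        #    An outbound SMTP client uses an ephemeral source port, so the port-25
        #    static never applies to it, whatever the destination port is.
        for s in self.statics:
            if s.local_ip == src_ip and s.local_port == src_port:
                return s.global_ip
        # 2) Policy NAT: the access-list decides before any regular nat line is looked at.
        for r in self.rules:
            if src_ip in r.acl_hosts:
                return self.globals[r.nat_id]
        # 3) Regular dynamic NAT: the most specific inside match wins, not config order.
        addr, best = ip_address(src_ip), None
        for r in self.rules:
            if r.inside is not None and addr in r.inside:
                if best is None or r.inside.prefixlen > best.inside.prefixlen:
                    best = r
        return self.globals[best.nat_id] if best else None

    def inbound(self, dst_ip: str, dst_port: int):
        """(inside host, port) reached by a connection to a public address/port, or None."""
        for s in self.statics:
            if s.global_ip == dst_ip and s.global_port == dst_port:
                return s.local_ip, s.local_port
        return None


AV, EXCH = "192.168.100.26", "192.168.100.18"              # hosts from the thread
MAIL_IP, POOL_IP = "203.0.113.168", "203.0.113.163"        # constructed public stand-ins
ANY = ip_network("0.0.0.0/0")


def statics_after_appliance() -> list:
    """The static PAT lines posted in the question (smtp -> AV, the rest -> Exchange)."""
    return [StaticPat(MAIL_IP, 25, AV, 25)] + [
        StaticPat(MAIL_IP, p, EXCH, p) for p in (993, 443, 6001, 6002, 6004, 110)]


def config_as_posted() -> PixNat:
    """nat 1 catch-all to the pool IP: the state that broke reverse DNS."""
    return PixNat(statics_after_appliance(), [NatRule(1, inside=ANY)], {1: POOL_IP})


def config_first_suggestion() -> PixNat:
    """lrmoore's first proposal: host-specific nat 2 lines plus global 2."""
    return PixNat(statics_after_appliance(),
                  [NatRule(1, inside=ANY),
                   NatRule(2, inside=ip_network(AV + "/32")),
                   NatRule(2, inside=ip_network(EXCH + "/32"))],
                  {1: POOL_IP, 2: MAIL_IP})


def config_accepted() -> PixNat:
    """The asker's final form: policy NAT keyed on access-list 'mail'."""
    return PixNat(statics_after_appliance(),
                  [NatRule(1, inside=ANY), NatRule(2, acl_hosts=frozenset({AV, EXCH}))],
                  {1: POOL_IP, 2: MAIL_IP})


if __name__ == "__main__":
    for name, cfg in (("as posted", config_as_posted()),
                      ("first suggestion", config_first_suggestion()),
                      ("accepted", config_accepted())):
        print(f"{name:17} AV outbound SMTP -> {cfg.outbound(AV, 49152, 25)}")
    print("inbound 25  ->", config_accepted().inbound(MAIL_IP, 25))
    print("inbound 443 ->", config_accepted().inbound(MAIL_IP, 443))
```

Running it shows the AV appliance's outbound SMTP leaving from the pool address under the original configuration and from the mail address under either fix, while inbound port 25 still lands on the appliance. Hosts not named in the access-list keep using the pool address, which is the property to verify after the change (for instance by checking the source address seen by an external mail server's logs).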
lrmoore commented:
Always more than one way to skin a cat...
Thanks!