Solved

PIX static PAT on Public IP to smtp and https doesnt use the same Public IP outbound, breaks Reverse DNS

Posted on 2007-08-07
1,759 Views
Last Modified: 2013-11-30
I have a PIX 506 running 6.3.5 and just got an antivirus/spam appliance which I put in front of my mail server, which before had a Static NAT statement mapping 1 public IP and all services to 1 private IP with all services.  This worked without any issue, as when the server was communicating outbound to the world it would use that Public IP and thus not break Reverse DNS.  But now that I've put this appliance in and changed my static NAT to a Static PAT, routing port 25 to the AV appliance and HTTPS and RPC over HTTP to my Exchange server, the Exchange server uses the Global IP pool for outbound and is breaking Reverse DNS, causing a bunch of:

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <corp11.lan.xxx.com #5.5.0 smtp;553 Bogus helo zefabryzzm. <http://unblock.secureserver.net/?ip=204.x.x163>>

Here is the static NAT which I had previously before the AV Appliance:
static (inside,outside) 204.x.x.168  192.168.100.18 netmask 255.255.255.255 0 0

After Appliance:
static (inside,outside) tcp 204.x.x.168 smtp 192.168.100.26 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 993 192.168.100.18 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 https 192.168.100.18 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6001 192.168.100.18 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6002 192.168.100.18 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6004 192.168.100.18 6004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 pop3 192.168.100.18 pop3 netmask 255.255.255.255 0 0

Also here is my global pool info:
global (outside) 1 204.x.x.163
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So basically what I am trying to do is use the Static PAT to 2 servers, but make them both communicate outbound on the same PAT IP.
Question by: Veros1

5 Comments
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 19647120
Try this:
global (outside) 2 204.x.x.168
nat (inside) 2 192.168.100.26 255.255.255.255
nat (inside) 2 192.168.100.18 255.255.255.255

This lets all the outbound for these two servers share the same external IP as the inbound SMTP and it should work. If it doesn't work, you might have to change all the nat/global to change the priority like this:
global (outside) 1 204.x.x.168
nat (inside) 1 192.168.100.26 255.255.255.255
nat (inside) 1 192.168.100.18 255.255.255.255
global (outside) 2 204.x.x.163
nat (inside) 2 0 0 0

Author Comment

by:Veros1
ID: 19647386
I'll try that tonight, can't really put it in place right now, but I think it will do the trick as long as I have the priorities synced up.  Weird thing is though, I swear I've done PATs like this and the servers have used the PATed IP for outbound.  I'm wondering maybe it's the version of code I'm running; unfortunately this thing's so old, it doesn't meet the requirements for 7.0 so I can't check that.
LVL 79

Expert Comment

by:lrmoore
ID: 19647631
6.3(5) is the latest available for the PIX 506.
Outbound smtp uses an ephemeral (dynamic) source port with destination port 25 and therefore cannot use the same PAT IP as it does for inbound because the PAT is only bound to port 25.

Author Comment

by:Veros1
ID: 19654799
Thx lrmoore!!!  Worked like a charm, but I actually changed it a bit to the following:

access-list mail permit ip host 192.168.100.26 any
access-list mail permit ip host 192.168.100.18 any
nat (inside) 2 access-list mail
global (outside) 2 204.x.x.168
LVL 79

Expert Comment

by:lrmoore
ID: 19654904
Always more than one way to skin a cat...
Thanks!
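A worked model of the thread's problem and of both fixes: lrmoore's explanation that a static PAT is bound to one port, so an outbound SMTP client with an ephemeral source port falls through to the global pool, and the nat/global 2 rule (or Veros1's access-list variant, which selects the same two hosts) that puts those hosts back on the PAT address so reverse DNS round-trips. This is added example code, not from the thread or from Cisco; the 203.0.113.x addresses (standing in for the masked 204.x.x range), mail.example.com, and the port-bound plus most-specific-network matching it models are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed addresses: the page masks its public range as 204.x.x.N, so the
# 203.0.113.0/24 documentation block stands in for it here.
SMTP_GATEWAY, EXCHANGE = "192.168.100.26", "192.168.100.18"
PAT_IP, POOL_IP = "203.0.113.168", "203.0.113.163"   # .168 = static PAT, .163 = global 1
MAIL_HOST = "mail.example.com"                        # hypothetical PTR/A name for the PAT IP

@dataclass
class StaticPat:      # static (inside,outside) tcp <global_ip> <port> <local_ip> <port>
    global_ip: str
    port: int
    local_ip: str

@dataclass
class DynamicNat:     # nat (inside) <id> <network>  paired with  global (outside) <id> <global_ip>
    nat_id: int
    network: str
    global_ip: str

def outbound_source(local_ip: str, local_port: int, statics, dynamics) -> str:
    """Outside address for a flow leaving an inside host (simplified model, assumed):
    a static PAT only covers flows whose inside end is its bound port, so an SMTP
    client on an ephemeral port falls through to the dynamic nat/global rules,
    where the most specific matching network wins."""
    for s in statics:
        if s.local_ip == local_ip and s.port == local_port:
            return s.global_ip
    matches = [d for d in dynamics if ip_address(local_ip) in ip_network(d.network)]
    best = max(matches, key=lambda d: ip_network(d.network).prefixlen)
    return best.global_ip

def fcrdns_ok(src_ip: str, helo: str, ptr: dict, a: dict) -> bool:
    """Receiving-MTA style check: PTR(ip) exists, names the HELO host and resolves back to ip."""
    name = ptr.get(src_ip)
    return name is not None and name == helo and a.get(name) == src_ip

def simulate(fixed: bool) -> tuple:
    """(source IP, rDNS verdict) for an outbound SMTP connection from the AV appliance."""
    statics = [StaticPat(PAT_IP, 25, SMTP_GATEWAY), StaticPat(PAT_IP, 443, EXCHANGE)]
    dynamics = [DynamicNat(1, "0.0.0.0/0", POOL_IP)]             # nat (inside) 1 0.0.0.0 0.0.0.0
    if fixed:                                                    # global (outside) 2 <PAT IP> + host nats
        dynamics += [DynamicNat(2, f"{h}/32", PAT_IP) for h in (SMTP_GATEWAY, EXCHANGE)]
    ptr, a = {PAT_IP: MAIL_HOST}, {MAIL_HOST: PAT_IP}            # constructed zone: only the PAT IP round-trips
    src = outbound_source(SMTP_GATEWAY, 49152, statics, dynamics)   # ephemeral client source port
    return src, fcrdns_ok(src, MAIL_HOST, ptr, a)

if __name__ == "__main__":
    print(simulate(False))   # ('203.0.113.163', False): the 553 "Bogus helo" situation
    print(simulate(True))    # ('203.0.113.168', True)
```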