Solved

PIX static PAT on Public IP to smtp and https doesnt use the same Public IP outbound, breaks Reverse DNS

Posted on 2007-08-07
Medium Priority
1,772 Views
Last Modified: 2013-11-30
I have a PIX 506 running 6.3.5 and just got an antivirus/spam appliance which I put in front of my mail server, which before had a static NAT statement mapping 1 public IP and all services to 1 private IP with all services.  This worked without any issue, as when the server was communicating outbound to the world it would use that public IP and thus not break reverse DNS.  But now that I've put this appliance in and changed my static NAT to a static PAT, routing port 25 to the AV appliance and HTTPS and RPC over HTTP to my Exchange server, the Exchange server uses the global IP pool for outbound and is breaking reverse DNS, causing a bunch of:

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <corp11.lan.xxx.com #5.5.0 smtp;553 Bogus helo zefabryzzm. <http://unblock.secureserver.net/?ip=204.x.x163>>

Here is the static NAT which I had previously before the AV Appliance:
static (inside,outside) 204.x.x.168  192.168.100.18 netmask 255.255.255.255 0 0

After Appliance:
static (inside,outside) tcp 204.x.x.168 smtp 192.168.100.26 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 993 192.168.100.18 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 https 192.168.100.18 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6001 192.168.100.18 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6002 192.168.100.18 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6004 192.168.100.18 6004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 pop3 192.168.100.18 pop3 netmask 255.255.255.255 0 0

Also here is my global pool info:
global (outside) 1 204.x.x.163
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So basically what I am trying to do is use static PAT to 2 servers, but make them both communicate outbound on the same PAT IP.
Question by:Veros1
5 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19647120
Try this:
global (outside) 2 204.x.x.168
nat (inside) 2 192.168.100.26 255.255.255.255
nat (inside) 2 192.168.100.18 255.255.255.255

This lets all the outbound for these two servers share the same external IP as the inbound SMTP and it should work. If it doesn't work, you might have to change all the nat/global to change the priority like this:
global (outside) 1 204.x.x.168
nat (inside) 1 192.168.100.26 255.255.255.255
nat (inside) 1 192.168.100.18 255.255.255.255
global (outside) 2 204.x.x.163
nat (inside) 2 0 0 0

Author Comment

by:Veros1
ID: 19647386
I'll try that tonight, can't really put it in place right now, but I think it will do the trick as long as I have the priorities synced up.  Weird thing is though, I swear I've done PATs like this and the servers have used the PATed IP for outbound.  I'm wondering if maybe it's the version of code I'm running; unfortunately this thing's so old, it doesn't meet the requirements for 7.0 so I can't check that.
LVL 79

Expert Comment

by:lrmoore
ID: 19647631
6.3(5) is the latest available for the PIX 506.
Outbound smtp uses an ephemeral (dynamic) source port with destination port 25 and therefore cannot use the same PAT IP as it does for inbound because the PAT is only bound to port 25.

Author Comment

by:Veros1
ID: 19654799
Thx lrmoore!!!  Worked like a charm, but I actually changed it a bit to the following:

access-list mail permit ip host 192.168.100.26 any
access-list mail permit ip host 192.168.100.18 any
nat (inside) 2 access-list mail
global (outside) 2 204.x.x.168
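As an added example (not code from the thread or from Cisco), the following Python model walks through the outbound translation lookup that lrmoore's explanation and the three configurations above describe: the original 1:1 static, the static PAT split, the accepted nat/global 2 fix, and the access-list "mail" policy-NAT variant. It assumes Cisco's documented PIX 6.3 NAT order of operations (static first, then policy NAT, then regular dynamic NAT with the most specific mask winning) and that a static PAT only matches traffic on its bound port. The addresses 203.0.113.168 and 203.0.113.163 are constructed stand-ins for the masked 204.x.x.168 and 204.x.x.163, and nat 0 / access-list 100 is left out because its contents are not shown.

```python
"""Model of the PIX 6.3 outbound translation lookup discussed in this thread.

Assumed order of operations (Cisco's documented PIX NAT order, simplified):
  1. static NAT / static PAT  (a static PAT matches only its bound port)
  2. policy NAT               (nat <id> access-list <acl>)
  3. regular dynamic NAT      (nat <id> <net> <mask>), most specific mask wins
nat 0 / NAT exemption is omitted because access-list 100 is not shown.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-ins for the masked public addresses 204.x.x.168 / 204.x.x.163.
PUB_MAIL = "203.0.113.168"
PUB_POOL = "203.0.113.163"
EXCHANGE = "192.168.100.18"
AV_BOX = "192.168.100.26"
EPHEMERAL = 40000  # a client-side source port, as outbound SMTP uses
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Static:
    global_ip: str
    local_ip: str
    port: Optional[int] = None   # None: 1:1 static NAT; int: static PAT on that port


@dataclass
class PolicyNat:
    nat_id: int
    hosts: Set[str]              # hosts matched by 'permit ip host X any' lines


@dataclass
class DynamicNat:
    nat_id: int
    network: ipaddress.IPv4Network


@dataclass
class Pix:
    globals_: Dict[int, str]                     # global (outside) <id> <ip>
    statics: List[Static] = field(default_factory=list)
    policy: List[PolicyNat] = field(default_factory=list)
    dynamic: List[DynamicNat] = field(default_factory=list)

    def outbound_global(self, src_ip: str, src_port: int) -> Optional[str]:
        """Public address a packet from src_ip:src_port leaves with, or None."""
        for s in self.statics:                    # 1. static NAT / static PAT
            if s.local_ip == src_ip and (s.port is None or s.port == src_port):
                return s.global_ip
        for p in self.policy:                     # 2. policy NAT
            if src_ip in p.hosts:
                return self.globals_[p.nat_id]
        best = None                               # 3. regular NAT, best match
        for d in self.dynamic:
            if ipaddress.ip_address(src_ip) in d.network and (
                best is None or d.network.prefixlen > best.network.prefixlen
            ):
                best = d
        return self.globals_[best.nat_id] if best else None


PAT_PORTS_EXCHANGE = [993, 443, 6001, 6002, 6004, 110]


def before_appliance() -> Pix:
    """Original config: one 1:1 static for the Exchange server, global 1 for the rest."""
    return Pix({1: PUB_POOL}, statics=[Static(PUB_MAIL, EXCHANGE)],
               dynamic=[DynamicNat(1, ANY)])


def after_appliance() -> Pix:
    """Static PAT split: port 25 to the AV appliance, the other ports to Exchange."""
    statics = [Static(PUB_MAIL, AV_BOX, 25)]
    statics += [Static(PUB_MAIL, EXCHANGE, p) for p in PAT_PORTS_EXCHANGE]
    return Pix({1: PUB_POOL}, statics=statics, dynamic=[DynamicNat(1, ANY)])


def accepted_solution() -> Pix:
    """lrmoore's first suggestion: global 2 plus host-specific nat 2 entries."""
    pix = after_appliance()
    pix.globals_[2] = PUB_MAIL
    pix.dynamic += [DynamicNat(2, ipaddress.ip_network(h + "/32"))
                    for h in (AV_BOX, EXCHANGE)]
    return pix


def policy_nat_variant() -> Pix:
    """Veros1's final version: nat 2 bound to access-list 'mail'."""
    pix = after_appliance()
    pix.globals_[2] = PUB_MAIL
    pix.policy.append(PolicyNat(2, {AV_BOX, EXCHANGE}))
    return pix


def outbound_smtp_source(pix: Pix, host: str) -> Optional[str]:
    """Source IP the remote MTA sees when `host` opens an outbound SMTP session."""
    return pix.outbound_global(host, EPHEMERAL)


if __name__ == "__main__":
    for name, build in [("before", before_appliance), ("after PAT", after_appliance),
                        ("accepted", accepted_solution), ("policy nat", policy_nat_variant)]:
        pix = build()
        print(f"{name:11} exchange->{outbound_smtp_source(pix, EXCHANGE)}  "
              f"av->{outbound_smtp_source(pix, AV_BOX)}  "
              f"other->{outbound_smtp_source(pix, '192.168.100.50')}")
```

Running it shows the symptom and both fixes side by side: with only the static PATs, an outbound SMTP session from either server misses every static (the source port is ephemeral, not 25 or 993) and falls through to global 1, so the remote MTA sees 203.0.113.163 and the reverse DNS check fails; with either the host-specific nat 2 entries or the policy NAT, both servers leave on 203.0.113.168 while every other inside host still uses the pool address.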
LVL 79

Expert Comment

by:lrmoore
ID: 19654904
Always more than one way to skin a cat...
Thanks!