Solved

PIX static PAT on Public IP to smtp and https doesnt use the same Public IP outbound, breaks Reverse DNS

Posted on 2007-08-07
5
1,758 Views
Last Modified: 2013-11-30
i have a pix 506 running 6.3.5 and just got a antivirus/spam appliance which i put infront of my mail server which before had a Static NAT statement mapping 1 public ip and all services to 1 private IP w/ all services.  This worked w/out any issue as when the server was communicating outbound to the world it would use that Public IP and thus not break Reverse DNS.  But now that Ive put this appliance in and changed my static NAT to a Static PAT, routing Port 25 to AV appliance and HTTPs and RPC over HTTP to my Exchange server, the Exchange server uses the Global IP pool for outbound and is breaking Reverse DNS causing a bunch of:

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <corp11.lan.xxx.com #5.5.0 smtp;553 Bogus helo zefabryzzm. <http://unblock.secureserver.net/?ip=204.x.x163>>

Here is the static NAT which I had previously before the AV Appliance:
static (inside,outside) 204.x.x.168  192.168.100.18 netmask 255.255.255.255 0 0

After Appliance:
static (inside,outside) tcp 204.x.x.168 smtp 192.168.100.26 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 993 192.168.100.18 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 https 192.168.100.18 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6001 192.168.100.18 6001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6002 192.168.100.18 6002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 6004 192.168.100.18 6004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 204.x.x.168 pop3 192.168.100.18 pop3 netmask 255.255.255.255 0 0

Also here is my global pool info:
global (outside) 1 204.x.x.163
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

So basically what I am trying to do is use the Static PAT to 2 servers, but make them both communicate Outbound on the same PAT IP.
0
Comment
Question by:Veros1
  • 3
  • 2
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 19647120
Try this:
global (outside) 2 204.x.x.168
nat (inside) 2 192.168.100.26 255.255.255.255
nat (inside) 2 192.168.100.18 255.255.255.255

This lets all the outbound for these two servers share the same external IP as the inbound SMTP and it should work. If it doesn't work, you might have to change all the nat/global to change the priority like this:
global (outside) 1 204.x.x.168
nat (inside) 1 192.168.100.26 255.255.255.255
nat (inside) 1 192.168.100.18 255.255.255.255
global (outside) 2 204.x.x.163
nat (inside) 2 0 0 0
0
 

Author Comment

by:Veros1
ID: 19647386
Ill try that tonight, cant really put it in place right now, but i think it will do the trick as long as i have the priorities synced up.  Weird thing is though, I swear Ive done PATs like this and the servers have used the PATed IP for outbound.  Im wondering maybe its the version of code im running, unfortunately this things so old, it doesnt meet the requirments for 7.0 so i cant check tthat.  
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19647631
6.3(5) is latest available for PIX 506
Outbound smtp uses an ephemeral (dynamic) source port with destination port 25 and therefore cannot use the same PAT IP as it does for inbound because the PAT is only bound to port 25.
0
 

Author Comment

by:Veros1
ID: 19654799
Thx lrmoore!!!  worked like a charm, but I actually changed it a bit to the following:

access-list mail permit ip host 192.168.100.26 any
access-list mail permit ip host 192.168.100.18 any
nat (inside) 2 access-list mail
global (outside) 2 204.x.x.168
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19654904
Always more than one way to skin a cat...
Thanks!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
When you’re making plans to join the modern business race, you should analyze various details that may affect your results. Nowadays, millions of businesses are trying to grow into established and appreciated professional enterprises.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now