Pix config question

Posted on 2007-10-04
Last Modified: 2013-11-16
In the past I had one email server and sent/received all email through it.  Now I have a 'relay' server (on my LAN) that accepts all inbound/outbound mail for the purposes of SPAM filtering. This is working fine with one exception.

Let's call the two servers email and relay.  Let's say I have two external IPs, one that all of my clients are NAT/PATed out to that is the 'global' IP that is exposed to the internet ( and one that all of my email comes in/out of ( All email comes into which has a DNS record pointing to

Now that I have all email traffic going to the relay server I had to make port-specific translation rules on my Pix as below:

25 goes to relay
80 goes to mail for Outlook web access
443 goes to mail for SSL Outlook web access
110 goes to mail for pop3

The issue is that once I put in these 'port specific' translation rules on the PIX the publicly exposed global IP is being used as the 'source' address instead of the mail address.  So whenever an email server does a reverse DNS lookup it is expecting to see and it is instead seeing as the source address of my email, so it is getting rejected.

Is there a way to tell the PIX to use external IP for the relay server instead of the global IP of  I know this is done if I use a 'blanket' translation rule, but I need it to be done with port-specific access rules.

Thanks in advance.
Question by: mikeleebrla
    LVL 79

    Expert Comment

    I feel your pain and it is quite common and there is a solution.
    Create a conditional nat statement...

    access-list conditional_nat permit ip host mail any
    access-list conditional_nat permit ip host relay any
    global (outside) 1
    global (outside) 2
    nat (inside) 1 access-list conditional_nat  <== both mail and relay go out as
    nat (inside) 2 0 0 0  <== everyone else goes out as

    LVL 25

    Author Comment

    Those commands did in fact make both the mail and relay servers appear as to the outside world, but no other machines in my network could get out to the internet, so I had to undo everything.

    I had all of the conditional port forwarding rules in place BEFORE I put in all of your commands, by the way. Of course I had to remove the commands below before as well:
    global (outside) 1
    nat (inside) 1 0 0

    I did notice that there is the command below and there are several 'access-list' commands associated with it. Could this be the cause?
    nat (inside) 0 access-list inside_outbound_nat0_acl

    Any suggestions?
    LVL 79

    Accepted Solution

    The nat 0 with access-list is for VPN tunnels/clients and should not be causing this problem.
    It should have worked....
    Try reversing the nat/global 1 and the nat/global 2

    global (outside) 1
    global (outside) 2
    nat (inside) 1 0 0 0
    nat (inside) 2 access-list conditional_nat  
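    Once the relay's outbound traffic leaves with the intended external address, the check that receiving mail servers apply (the reverse DNS lookup the question describes, confirmed by a forward lookup) can be reproduced locally. This is an added example, not part of the thread; the IPs and hostnames in FAKE_PTR/FAKE_A are constructed stand-ins for the poster's elided addresses, and the stub lookups can be dropped to query real DNS.

```python
import socket

def fcrdns(source_ip, expected_host, ptr_lookup=None, a_lookup=None):
    """Return (ok, reason) for one connecting IP.

    Step 1: the PTR of source_ip must exist and name expected_host.
    Step 2: the A record(s) of that PTR name must include source_ip
    (the forward confirmation that defeats a forged PTR).
    """
    ptr_lookup = ptr_lookup or (lambda ip: socket.gethostbyaddr(ip)[0])
    a_lookup = a_lookup or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        ptr = ptr_lookup(source_ip).rstrip(".").lower()
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return False, "no PTR record for %s" % source_ip
    if ptr != expected_host.rstrip(".").lower():
        return False, "PTR is %s, expected %s" % (ptr, expected_host)
    try:
        addrs = a_lookup(ptr)
    except OSError:
        return False, "PTR name %s does not resolve" % ptr
    if source_ip not in addrs:
        return False, "A records of %s do not include %s" % (ptr, source_ip)
    return True, "FCrDNS ok: %s <-> %s" % (source_ip, ptr)


# Constructed stand-in for the poster's DNS (not real data): the 'mail' IP
# has a matching PTR/A pair, the shared 'global' IP's PTR names the gateway,
# and a third IP carries a PTR for mail that the A record does not confirm.
FAKE_PTR = {"203.0.113.10": "mail.example.net.",
            "203.0.113.20": "gw.example.net.",
            "203.0.113.30": "mail.example.net."}
FAKE_A = {"mail.example.net": ["203.0.113.10"], "gw.example.net": ["203.0.113.20"]}

def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]

def fake_a(name):
    if name not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[name]

def check_outbound_mail(source_ip, mail_host="mail.example.net"):
    """What a receiving MTA concludes about mail arriving from source_ip."""
    return fcrdns(source_ip, mail_host, fake_ptr, fake_a)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.99"):
        print(ip, check_outbound_mail(ip))
```

    The second case is the symptom in the question: mail sourced from the shared global IP carries a PTR that does not name the mail host, so the receiving side rejects it.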
