Pix config question

Posted on 2007-10-04
Medium Priority
Last Modified: 2013-11-16
In the past I had one email server and sent/recieved all email through it.  Now I have a 'relay' server (on my lan) that accepts all inboud/outbound mail for the purposes of SPAM filtering. This is working fine with one exception.  

Lets call the two servers email and relay.  Lets say I have two external IPs, one that all of my clients are NAT/PATed out to that is the 'global' IP that is exposed to the internet ( and one that all of my email comes in/out of ( All email comes into mail.domain.com which has a DNS record pointing to

Now that i have all email traffic going to the relay server  had to make port specific tranlation rules on my Pix as below:

25 goes to relay
80 goes to mail for Outlook web access
443 goes to mail for SSL Outlook web access
110 goes to mail for pop3

The issue is that once i put in these 'port specific' tranlation rules on the PIX the publically exposed global IP is being used as the 'source' address instead of the mail address.  So whenever an email server does a reverse DNS lookup it is expecting to see and it is instead seeing as the source address of my email, so it is getting rejected.

Is there a way to tell the pix to use external IP for the relay server instead of the global IP of  I know this is done if i use a 'blanket' tranlation rule, but i need it to be done with port specific access rules.

Thanks in advance.
Question by:mikeleebrla
  • 2
LVL 79

Expert Comment

ID: 20016280
I feel your pain and it is quite common and there is a solution.
Create a conditional nat statement...

access-list conditional_nat permit ip host mail any
access-list conditional_nat permit ip host relay any
global (outside) 1
global (outside) 2
nat (inside) 1 access-list conditional_nat  <== both mail and relay go out as
nat (inside) 2 0 0 0  <== everyone else goes out as

LVL 25

Author Comment

ID: 20017693
those commands did in fact make both the mail and relay servers appear as to the outside world, but no other machines in my network could get out to the internet so I had to undo everything.

I had all of the conditional port forwarding rules in place BEFORE i put in all of your commands by the way. Of course i had to remove the commands below before as well:
global (outside) 1
nat (inside) 1 0 0

I did notice that there is the command below and there are several 'access-list' commands associated with it. Could this be the cause?
nat (inside) 0 access-list inside_outbound_nat0_acl

Any suggestions?
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 20018058
The nat 0 with access-list is for VPN tunnels/clients and should  not be causing this problem.
It should have worked....
Try reversing the nat/global 1 and the nat/global 2

global (outside) 1
global (outside) 2
nat (inside) 1 0 0 0
nat (inside) 2 access-list conditional_nat  

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question