Link to home
Create AccountLog in
Avatar of adrianjfx
adrianjfxFlag for Bahamas

asked on

Forcing Protocol On PIX from Internal Ip to Ips on Outisde Interface

I want to force the smtp traffic from internal mail server to a public ip range that is not the configured IP on my  outside interface of my PIX. For example. my pool of public addresses was a.b.c.161-174
my outside interface was configured with a.b.c.164 and i wanted the mail to leave as if from a.b.c.1173. i get mail just fine coming in on the a.b.c.173 but it still sends out on the a.b.c.164 when it leaves the internal to go out.
i tried a policy nat from the internal to the external ip with smtp but it doesn't work. any ideas?
i have a PIX 515E
Avatar of batry_boy
batry_boy
Flag of United States of America image

Without seeing your existing configuration, I would say that you can set up a static one-to-one NAT for your e-mail server.  For example, if your e-mail server has the internal IP address 192.168.1.15 and you want it to look like a.b.c.173 on the outside, then you could do:

static (inside,outside) a.b.c.173 192.168.1.15 netmask 255.255.255.255

Then, all outbound traffic from 192.168.1.15 would look like a.b.c.173 on the outside.
Avatar of adrianjfx

ASKER

i currently have:
static (inside,outside) tcp A.B.C.173 smtp 10.168.4.11 smtp netmask 255.255.255.255

and mail transfers from the outside to my internal mail server

so if i did

static (outside,inside) tcp 10.168.4.11 smtp A.B.C.173 smtp netmask 255.255.255.255 ?

i don't want all traffic just smtp
ASKER CERTIFIED SOLUTION
Avatar of batry_boy
batry_boy
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
hhmmmm would i have to remove the
static (inside,outside) tcp A.B.C.173 smtp 10.168.4.11 smtp netmask 255.255.255.255?

Good point...I think that statement would conflict with the commands I gave you.

Try this instead:

access-list smtp-out permit tcp host 10.168.4.11 any eq smtp
global (outside) 10 a.b.c.173
nat (inside) 10 access-list smtp-out

You may get a an overlapping NAT error when you try it.  If you do, then I think you may have to do the one-to-one NAT I suggested in my first post.  I don't know since I've never tried to do this before.
hhmmm i think i know the issue because i have
nat (inside) 1 10.168.4.0 255.255.255.0
global (outside) 1 A.B.C.164
the mail server is 10.168.4.11
and since that is the Priority of PIX

even if i did that option you said it would not have worked because of that
so that is my server network so not worried about removing that and giving it another Global IP
it should work i will try tomorrow
I still think you should do the one-to-one NAT like I suggested in my first post.  Is there a reason you don't want to do this?  This is the typical way to do what you are wanting to do.
well the reason i don't want to do a 1-to-1 nat is because i have other tcp nat from the same public address to different internal servers so a 1-to-1 would ruin that unless i did the access list approach. but i just logged into asdm for my PIX and changed the address i had for that
nat (inside) 1 10.168.4.0 255.255.255.0
global (outside) 1 A.B.C.164

to global (outside) 10 A.B.C.173 which was already there just that the previous one took priority
i did a test mail and looked at my mail options and the origin is now the public address A.B.C.173
so i am good thanks
but if you think about it if i removed the static nat completely i would have had the same result since i had
static (inside,outside) tcp A.B.C.173 smtp 10.168.4.11 smtp netmask 255.255.255.255
 the dynamic but static takes presidence
so
nat (inside) 1 10.168.4.0 255.255.255.0
global (outside) 1 A.B.C.164
was the problem was not needed in this situation
Understood...glad you got it resolved!