port forwarding pix 506E

Posted on 2008-11-17
Last Modified: 2012-05-05
URGENT: need help on this ASAP.

Problem: This network was set up via the PIX 506E PDM. Simple network setup - several servers and workstations internally, all accessed till now via VPN connections. An Exchange server was set up internally, and is able to send email just fine, but not receive.

What command do I have to enter to allow SMTP traffic to reach the Exchange server ( /22) on the internal network? That's the only incoming traffic that needs to be routed anywhere internally... BUT the VPN must stay active, and nothing else should change much in that regard.
We only have one public IP address, and WHATEVER I DO, I do NOT want to affect anything else running (i.e. VPN connections coming in, and all internal servers able to get out without trouble). I only have access to this network remotely, so if I screw something up, I'll have to get on the next flight to go fix it :/ Please help.

Thanks so much
pix(config)# show run
: Saved

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 0CAS23G3SwFOYdVC encrypted
passwd 0CAS23G3SwFOYdVC encrypted
hostname pix

fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

name DC1
name saNetwork1
name saNetwork2
name HOU-EXC1
object-group service RDP tcp
  description MS RDP
  port-object range 3389 3389
access-list splitTunnelAcl permit ip any
access-list inside_nat0_outbound permit ip any
access-list inside_nat0_outbound permit ip saNetwork1
access-list inside_nat0_outbound permit ip saNetwork2
access-list outside_cryptomap_20 permit ip saNetwork1
access-list outside_cryptomap_20 permit ip saNetwork2
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.xx.xx.xx
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Client mask
pdm location inside
pdm location DC1 inside
pdm location outside
pdm location outside
pdm location outside
pdm location inside
pdm location xx.xx.xx.xx outside
pdm location inside
pdm location saNetwork1 outside
pdm location saNetwork2 outside
pdm location HOU-EXC1 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0 0
route outside xx.xx.xx.xx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host DC1 12345 timeout 10
aaa-server LOCAL protocol local
aaa-server Radius protocol radius
aaa-server Radius max-failed-attempts 3
aaa-server Radius deadtime 10
aaa-server Radius (inside) host DC1 12345 timeout 10
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup asdf address-pool VPN_Client
vpngroup asdf dns-server DC1
vpngroup asdf default-domain
vpngroup asdf split-tunnel splitTunnelAcl
vpngroup asdf split-dns
vpngroup asdf idle-time 1800
vpngroup asdf password ********
telnet inside
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80

: end

Question by: Mystical_Ice
    LVL 57

    Accepted Solution

    Add the following
    access-list inbound permit tcp any interface outside eq smtp
    access-group inbound in interface outside
    static (inside,outside) tcp interface smtp smtp netmask
    Also, if your email server is Exchange, issue the following command as well

    no fixup protocol smtp 25



    Author Comment

    That did it - thanks!
    LVL 57

    Expert Comment

    by:Pete Long
    My Pleasure - ThanQ

    Author Comment

    ONE more thing, and you don't have to answer this since I already gave you the points, but if I wanted to add rules to allow POP, HTTP, and HTTPS traffic to the Exchange server, how would I do that? The rule you gave allows traffic TO the Exchange server; these rules would need to allow traffic FROM it. How would I do that?
    LVL 57

    Expert Comment

    by:Pete Long
    To allow traffic INTO it enter the following........
    for http/www, https and POP

    access-list inbound permit tcp any interface outside eq www
    static (inside,outside) tcp interface www www netmask
    access-list inbound permit tcp any interface outside eq https
    static (inside,outside) tcp interface https 10.50.1.7 https netmask
    access-list inbound permit tcp any interface outside eq 110
    static (inside,outside) tcp interface 110 110 netmask
    To allow traffic OUT FROM it enter the following........
    access-group outbound in interface inside
    access-list outbound permit tcp host any eq www
    access-list outbound permit tcp host any eq https
    access-list outbound permit tcp host any eq 110
    access-list outbound permit tcp host any eq smtp
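    For the accepted solution and the follow-up inbound/outbound set above, here is an added example (my own, not Pete Long's or Cisco's code): a small Python pre-flight checker for PIX 6.3 port-forwarding lines that pairs each inbound "interface outside eq <port>" permit with its static PAT entry and warns when an access-group is bound "in interface inside" without a catch-all permit, since the ACL's implicit deny would then cut off every other inside host's outbound traffic. The sample lines are constructed; the inside host 10.50.1.7 is the one unscrubbed address on the page and is used here purely as a placeholder for the Exchange server.

```python
"""Added example, not from this thread: pre-flight checker for PIX 6.3
port-forwarding lines. It pairs inbound ACL permits on 'interface outside'
with 'static (inside,outside) tcp interface' entries for the same port, and
flags an access-group bound 'in interface inside' whose ACL has no
'permit ip any any' (PIX ACLs end in an implicit deny)."""
import re

# Constructed sample modelled on the thread's answers; 10.50.1.7 is a
# placeholder for the Exchange server (most addresses on the page are scrubbed).
SAMPLE = """
access-list inbound permit tcp any interface outside eq smtp
access-list inbound permit tcp any interface outside eq www
access-group inbound in interface outside
static (inside,outside) tcp interface smtp 10.50.1.7 smtp netmask 255.255.255.255
access-group outbound in interface inside
access-list outbound permit tcp host 10.50.1.7 any eq www
access-list outbound permit tcp host 10.50.1.7 any eq smtp
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+?)(?: eq (\S+))?$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) \S+ \S+")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def check_pix(config):
    """Return a list of findings; an empty list means the set is consistent."""
    inbound_ports, static_ports, acls, groups = set(), set(), {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, proto, target, port = m.groups()
            acls.setdefault(name, []).append((proto, target, port))
            if target.endswith("interface outside") and port:
                inbound_ports.add(port)          # port opened on the outside IP
        elif m := STATIC_RE.match(line):
            static_ports.add(m.group(1))         # port actually forwarded inside
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)      # interface -> ACL name
    findings = []
    for port in sorted(inbound_ports - static_ports):
        findings.append(f"ACL permits {port} on outside but no static PAT forwards it")
    for port in sorted(static_ports - inbound_ports):
        findings.append(f"static PAT for {port} exists but no inbound ACL permits it")
    acl = groups.get("inside")
    if acl and ("ip", "any any", None) not in acls.get(acl, []):
        findings.append(f"access-group {acl} on inside has no 'permit ip any any'; "
                        "the implicit deny will block all other outbound traffic")
    return findings
```

    Run check_pix on the lines you intend to paste; on the sample it reports the missing static PAT for www and the outbound ACL with no catch-all permit.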
    LVL 57

    Expert Comment

    by:Pete Long
    and ThanQ
