Solved

Trying to get NAT an inside mail server to a public IP address on Cisco PIX 515.

Posted on 2010-08-24
4
549 Views
Last Modified: 2013-11-16
I am having trouble figuring out the best way to setup my email server so that it masquerades as one of my assigned public IPs from my ISP. Currently I have it set up behind my PIX 515 and everything looks as though it is coming from the same IP. I have statics set up for traffic coming in and it works great. I am using access lists and the static (inside,outside) command. I thought I could just use the static (outside,inside) command for the other direction but it did't seem to work.

I checked out the following documentation but I am not clear on if I have to use the NAT (inside) command or if I can get away with just using the static commands.

I have attached a copy of my config just for reference sake. My email server is 10.1.19.6 in this config but I would like it to masquerade as 206.xxx.xxx.77 instead of 206.xxx.xxx.87.

Thanks in advance

hostname PIX515E
domain-name rbg.local
clock timezone Arizona -7
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service OUTBOUND tcp
  port-object eq www
  port-object eq https
  port-object eq ftp-data
  port-object eq ftp
  port-object eq citrix-ica
  port-object eq 8000
  port-object eq 3389
  port-object eq 8800
object-group service MEDIAMONITORS tcp
  port-object eq 4002
  port-object range 4009 4011
object-group service OPENFIRE tcp
  port-object eq 1863
  port-object eq 5050
  port-object eq aol
  port-object eq 5222
access-list inside_in permit tcp host 10.1.19.6 any eq smtp
access-list inside_in permit tcp host 10.1.19.6 any eq https
access-list inside_in deny tcp any any eq smtp
access-list inside_in permit tcp 10.1.19.0 255.255.255.0 any object-group OUTBOUND
access-list inside_in permit udp host 10.1.19.2 any eq domain
access-list inside_in permit udp host 10.1.19.3 any eq domain
access-list inside_in permit tcp 10.21.19.0 255.255.255.0 any object-group OUTBOUND
access-list inside_in permit tcp host 10.1.19.20 any eq nntp
access-list inside_in permit tcp host 10.11.19.2 any eq https
access-list inside_in permit tcp host 10.11.19.100 any eq https
access-list inside_in permit tcp host 10.11.19.100 any eq 2002
access-list inside_in permit tcp host 10.11.19.2 any eq 2002
access-list inside_in permit tcp 10.1.19.0 255.255.255.0 any object-group MEDIAMONITORS
access-list inside_in permit tcp host 10.1.19.3 any object-group OPENFIRE
access-list inside_in permit tcp host 10.1.19.6 any eq 3101
access-list inside_in permit tcp host 10.11.19.2 any eq 8800
access-list inside_in permit tcp host 10.11.19.123 any object-group OUTBOUND
access-list inside_in permit tcp host 10.11.19.2 any object-group OUTBOUND
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in deny icmp any any
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq https
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq www
access-list outside_in permit tcp any host 206.xxx.xxx.165 eq ftp
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq pop3
access-list outside_in permit tcp any host 206.xxx.xxx.168 eq www
access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 206.xxx.xxx.87 eq smtp
access-list outside_in permit tcp any host 206.xxx.xxx.170 eq 3389
access-list outside_in permit udp any host 206.xxx.xxx.170 eq 3389
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq imap4
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq 993
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq 465
access-list outside_in permit tcp any host 206.xxx.xxx.167 eq 5800
access-list outside_in permit tcp any host 206.xxx.xxx.167 eq 5900
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq smtp
access-list outside_in permit tcp any host 206.xxx.xxx.166 eq 5800
access-list outside_in permit tcp any host 206.xxx.xxx.166 eq 5900
access-list outside_in permit tcp any host 206.xxx.xxx.172
access-list outside_in permit udp any host 206.xxx.xxx.172
access-list outside_in permit tcp any host 206.xxx.xxx.169 eq ftp
access-list outside_in permit tcp any host 206.xxx.xxx.171
access-list outside_in permit udp any host 206.xxx.xxx.171
access-list outside_in permit tcp any host 206.xxx.xxx.75 eq telnet
access-list outside_in permit tcp any host 206.xxx.xxx.76 eq telnet
access-list outside_in permit tcp any host 206.xxx.xxx.77 eq 1935
access-list outside_in permit tcp any host 206.xxx.xxx.78
access-list outside_in permit udp any host 206.xxx.xxx.78
access-list outside_in permit tcp any host 206.xxx.xxx.79
access-list 101 permit ip 10.0.0.0 255.0.0.0 172.16.20.0 255.255.255.0
access-list 101 permit ip any 10.11.19.0 255.255.255.0
access-list 101 permit ip any 172.16.20.0 255.255.255.0
access-list NoNAT permit ip any 10.1.19.0 255.255.255.0
access-list split_tunnel_access permit ip 10.1.19.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list nonat permit ip any 10.11.19.0 255.255.255.0
access-list nonat permit ip any 172.16.20.0 255.255.255.0
no pager
logging on
logging timestamp
logging trap warnings
logging device-id hostname
logging host inside 10.1.19.20 17/1514
mtu outside 1500
mtu inside 1500
ip address outside 206.xxx.xxx.87 255.255.255.0
ip address inside 10.1.19.76 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.20.175-172.16.20.200
no pdm history enable
arp outside 206.xxx.xxx.88 000c.8555.392b
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
static (inside,outside) udp 206.xxx.xxx.87 1604 10.1.19.3 1604 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 smtp 10.1.19.6 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 https 10.1.19.6 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 pop3 10.1.19.6 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 www 10.1.19.6 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.168 www 10.1.19.28 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.170 3389 10.1.19.8 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 206.xxx.xxx.170 3389 10.1.19.8 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 imap4 10.1.19.6 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 993 10.1.19.6 993 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.167 10983 10.1.19.19 10983 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.87 465 10.1.19.6 465 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.167 5900 10.1.19.18 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.167 5800 10.1.19.18 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.166 5800 10.1.19.19 5800 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.166 5900 10.1.19.19 5900 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.167 5010 10.1.19.18 5010 netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.165 ftp 10.1.19.3 ftp netmask 255.255.255.255 0 0
static (inside,outside) 206.xxx.xxx.171 10.1.19.47 netmask 255.255.255.255 0 0
static (inside,outside) 206.xxx.xxx.172 10.1.19.49 netmask 255.255.255.255 0 0
static (inside,outside) 206.xxx.xxx.75 10.11.19.39 netmask 255.255.255.255 0 0
static (inside,outside) 206.xxx.xxx.76 10.11.19.49 netmask 255.255.255.255 0 0
static (inside,outside) 206.xxx.xxx.78 10.1.19.9 netmask 255.255.255.255 0 0
static (inside,outside) 206.xxx.xxx.79 10.1.19.26 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 206.xxx.xxx.1 1
route inside 10.0.0.0 255.0.0.0 10.1.19.1 1
timeout xlate 4:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 4:00:00 absolute uauth 0:30:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attempts 3
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host 10.1.19.2 Rbg*paz timeout 5
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.1.19.8
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 10.1.19.2
vpngroup vpn3000 wins-server 10.1.19.2
vpngroup vpn3000 default-domain rbg.local
vpngroup vpn3000 split-tunnel split_tunnel_access
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh 10.1.19.20 255.255.255.255 inside
ssh 10.1.19.17 255.255.255.255 inside
ssh timeout 60
console timeout 0
username admin password O68Yn/LPDoD3PiBu encrypted privilege 15
terminal width 80
Cryptochecksum:732a6ea23581996b7610fadddf055ced
: end
[OK]
PIX515E#
0
Comment
Question by:ditobot
  • 2
4 Comments
 
LVL 16

Accepted Solution

by:
btassure earned 125 total points
ID: 33520154
Just change this line:
static (inside,outside) tcp 206.xxx.xxx.87 smtp 10.1.19.6 smtp netmask 255.255.255.255 0 0

to read 77. That's it. It works in both directions.

You will need to update the outside ACL as well.
access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 206.xxx.xxx.87 eq smtp
is redundant if you have
access-list outside_in permit tcp any host 206.xxx.xxx.87 eq smtp

further in.
0
 
LVL 28

Assisted Solution

by:bgoering
bgoering earned 125 total points
ID: 33522470
As btassure said, just change the .87 to .77 in the static statement. But apart from redundent ACLs for smtp you will need to change it to .77 there also. These are the commands I would use in config mode:


no static (inside,outside) tcp 206.xxx.xxx.87 smtp 10.1.19.6 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 206.xxx.xxx.77 smtp 10.1.19.6 smtp netmask 255.255.255.255 0 0
no access-list outside_in permit tcp 64.18.0.0 255.255.240.0 host 206.xxx.xxx.87 eq smtp
no access-list outside_in permit tcp any host 206.xxx.xxx.87 eq smtp
access-list outside_in permit tcp any host 206.xxx.xxx.77 eq smtp


Good Luck
0
 

Author Closing Comment

by:ditobot
ID: 33524036
Thanks, that did the trick. For some reason I was thinking the (inside,outside) was a directional command.
0
 
LVL 16

Expert Comment

by:btassure
ID: 33530768
It is :)

But swapping it over would have made the incoming connections be NATed to the specified address on the inside interface. Rather than the other way round.

Remember NAT can work both ways (and be useful to do so) but can be confusing when you don't expect it. Document everything :)
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
Issue: Unstable cursor in Windows XP and Windows runs extremely slow in that any click will bring up the Hour glass (sometimes for several seconds before giving you what you want) . Troubleshooting Process and the FINAL FIX: This issue see…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now