
Configure PIX 506 to forward only SMTP traffic to a mail filter


nsglists

IS-IT--Management
Jul 20, 2006
Design plan is to forward inbound SMTP traffic to a Symantec 8240 E-Mail (SPAM filter) appliance (10.1.1.11). The SPAM appliance will forward (filtered) SMTP traffic to Microsoft (SBS) Exchange Server 2003 (10.1.1.3 internal, pubIP public) installed on the internal LAN.

What commands do I use to enable the PIX 506 Firewall to forward only the inbound SMTP traffic to the internal IP address of the SPAM filter appliance?


We have a static mapping public to private IP address for our mail server...
static (inside,outside) pubIP 10.1.1.3 netmask 255.255.255.255 0 0
If I remove the access-list command below it shuts down all SMTP traffic.... (obviously!!)
access-list 100 permit tcp any host 67.65.77.124 eq smtp

Now, the email server itself offers other services on other ports. So I can't change the "A" record itself, because then clients can't avail themselves of those services on the other IP/ports. So again, all I want to do is, on the PIX (version 6...), forward only the SMTP traffic coming in for domain.com to the spam filter, while the rest of the traffic goes directly to the email server.

Kindly advise,
Thanks.
 
You want policy NAT or port redirection.

static (inside,outside) tcp pubIP smtp 10.1.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp pubIP [Port#] 10.1.1.3 [Port#] netmask 255.255.255.255 0 0

(You will need one of these for each port you want to forward internally.)

Then just modify your access-list to allow that traffic to terminate on the external IP.
access-list 100 permit tcp any host 67.65.77.124 eq [Port#]
(You will also need one of these for each port you want to forward internally.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent, sorry I couldn't thank you earlier.
I will try these options and see. Also, one clarification,

Re,
Edit: "Then just modify your access-list to allow that traffic to terminate on the external IP.
access-list 100 permit tcp any host 67.65.77.124 eq [Port#]
(You will also need one of these for each port you want to forward internally.)"

I would need one for smtp as well, right? Like the one I already have:
access-list 100 permit tcp any host 67.65.77.124 eq smtp

I guess it is a stupid clarification, but I just wanted to be sure!!
Thanks.
 
It's always better to ask -
Yes, you want an entry like that in your ACL, and one for each type of traffic inbound (if you have anything else.)


Brent
Systems Engineer / Consultant
CCNP, CCSP
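Putting Brent's port-redirection statics and the per-port ACL entries together as one PIX 6.x configuration, as an added example that is not from the thread: pubIP is the thread's own placeholder for the mail server's public address, and www/https are assumed stand-ins for the "other services" the poster did not name.

```cisco
! Added example (not from the thread): PIX 6.x layout that sends only
! inbound SMTP to the spam appliance and every other published service
! straight to Exchange. pubIP = public address placeholder from the thread;
! www/https = assumed stand-ins for the unnamed extra services.

! Assumption: the existing one-to-one static is removed first, so the
! per-port statics below can take over pubIP.
no static (inside,outside) pubIP 10.1.1.3 netmask 255.255.255.255 0 0

! SMTP (tcp/25) arriving at pubIP is translated to the Symantec 8240.
static (inside,outside) tcp pubIP smtp 10.1.1.11 smtp netmask 255.255.255.255 0 0

! Every other published port keeps going to the Exchange server.
! One static per port (assumed ports shown).
static (inside,outside) tcp pubIP www 10.1.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp pubIP https 10.1.1.3 https netmask 255.255.255.255 0 0

! The outside ACL must permit each forwarded port on the PUBLIC address;
! a static with no matching permit is hit by the implicit deny.
access-list 100 permit tcp any host pubIP eq smtp
access-list 100 permit tcp any host pubIP eq www
access-list 100 permit tcp any host pubIP eq https
access-group 100 in interface outside

! Translations built under the old 1:1 static are stale; flush them.
clear xlate
write memory

! Verification: "show static" lists the per-port entries, and
! "show xlate" should show port 25 sessions landing on 10.1.1.11.
```

After the change, only port 25 reaches 10.1.1.11; the appliance's own delivery to 10.1.1.3 stays on the inside LAN and never touches the PIX.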
 