Simple (ha) Pix config with natted internal ip addresses 2

Status
Not open for further replies.

somebigguy

Programmer
Jun 20, 2002
39
US
Hi everyone, I have a problem with what should be a simple Pix config.

I have an internal subnet in the range of 10.62.0.0/16 behind a Pix which has one valid external IP address assigned, let's say 99.99.99.1.

I need a mail server with an IP address of 10.62.1.1 on the internal subnet to accept Internet email through the pix.

The related PIX commands are as follows:

Code:
ip address outside 99.99.99.1 255.255.255.0
ip address inside 10.62.1.2 255.255.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.62.1.1 smtp netmask 255.255.255.255 0 0

access-list inbound permit tcp any interface outside eq smtp
access-group inbound in interface outside

With this configuration, the mail server can browse the Internet, but I cannot get any incoming email. The hit count on the Access-list remains at zero. I have no other external IP addresses I can use. Most of the examples I've seen include using secondary natted IP addresses for this purpose.

TIA.
 
not sure what you have implemented in your ACL, but it should look more like...


access-list inbound permit tcp any any eq smtp
access-group inbound in interface outside

Your ACL is being too selective and denying everything not coming explicitly from your own IP address.

Computer/Network Technician
CCNA
 
Ooops, think I messed up my cut & paste, will fix it...
 
I thought I could edit my post, but I guess not. Anyway, this is what it looks like now, still doesn't work though:

Code:
ip address outside 99.99.99.1 255.255.255.0
ip address inside 10.62.1.2 255.255.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 24.154.230.27 smtp 10.62.1.1 smtp netmask 255.255.255.255 0 0

access-list inbound permit tcp any any eq smtp
access-group inbound in interface outside

One question I have is, can you host something behind only one external IP address like I'm trying to do, or do you need a second one?
 
this can be done.


I'm running the same thing at my house behind a 501

Code:
your mail server ip is 10.62.1.1

ip address outside 99.99.99.1 255.255.255.0
ip address inside 10.62.1.2 255.255.0.0

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface smtp 10.62.1.1 smtp netmask 255.255.255.255 0 0

access-list inbound permit tcp any any eq smtp
access-group inbound in interface outside

this will allow port 25(smtp) to be open to the internet
 
Thanks guys, I'm starting to wonder if the ISP is blocking the traffic somehow, I'll look into that next...
 
It's possible if they normally do not allow servers to be run.. and may just need to allow your IP address.

Computer/Network Technician
CCNA
 
Confirmed with the ISP today that they are filtering out all those ports. Thanks to all that replied.
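A consistency check for the port-redirect setup discussed in this thread, as an added example that is not code from any poster or from Cisco. It parses only the PIX 6.x line shapes shown above and verifies that each `static` port redirect has a matching permit in an ACL bound to the mapped interface. Assumptions: ACL sources are `any`, and `interface <name>` as an ACL destination is treated as the interface address; `SAMPLE` is constructed from the thread's addresses.

```python
import re

ADDR = re.compile(r"ip address (\S+) (\S+) \S+$")
STATIC = re.compile(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL = re.compile(r"access-list (\S+) permit (tcp|udp) any (.+) eq (\S+)$")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)$")
PORTS = {"smtp": "25", "www": "80"}   # small alias table, extend as needed

# Constructed sample: the configuration posted in the thread.
SAMPLE = """\
ip address outside 99.99.99.1 255.255.255.0
ip address inside 10.62.1.2 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 10.62.1.1 smtp netmask 255.255.255.255 0 0
access-list inbound permit tcp any any eq smtp
access-group inbound in interface outside
"""

def lint(config):
    """Return findings for port-redirect statics in a PIX 6.x style config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    def grab(rx):
        return [m.groups() for ln in lines if (m := rx.match(ln))]
    norm = lambda p: PORTS.get(p, p)
    addrs = dict(grab(ADDR))                          # nameif -> address
    bound = {ifc: acl for acl, ifc in grab(GROUP)}    # nameif -> inbound ACL
    acls = grab(ACL)
    findings = []
    for _in_if, ext_if, proto, mapped, port, real_ip, _rport in grab(STATIC):
        ext_ip = addrs.get(ext_if)
        if mapped == "interface":
            mapped = ext_ip
        elif mapped != ext_ip:                        # only one public IP exists
            findings.append(f"static for {real_ip}: mapped address {mapped} "
                            f"is not the {ext_if} address {ext_ip}")
        acl = bound.get(ext_if)
        if acl is None:
            findings.append(f"no access-group bound inbound on {ext_if}")
            continue
        ok_dst = {"any", f"interface {ext_if}", f"host {mapped}"}
        if not any(n == acl and p == proto and d in ok_dst
                   and norm(e) == norm(port) for n, p, d, e in acls):
            findings.append(f"ACL {acl} has no permit for {proto}/{port} to {mapped}")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE) or "static, ACL and access-group are consistent")
```

When the check comes back clean and the ACL hit count still stays at zero, the packets are not reaching the outside interface, which is where this thread ended up.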
 