Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Static NAT on Pix 515E 1

Status
Not open for further replies.
mdc1973

mdc1973

Technical User
Jul 7, 2003
31
GB
Need some advice on a Pix setup, I've looked through the forum and can't find anything that answers it- but if so, sorry and can you point me to the relevant thread...

The scenario is this- I have a Pix 515E running 6.3(4). There is a static NAT as follows (IPs changed, obviously...)

static (inside,outside) 1.1.1.1 2.2.2.2

and an access-list permitting inbound traffic:

access-list inbound permit tcp any host 1.1.1.1 eq www
access-list inbound permit tcp any host 1.1.1.1 eq https
access-list inbound permit tcp any host 1.1.1.1 eq smtp
access-list inbound permit tcp any host 1.1.1.1 eq ldap

The customer asked to change the ldap so it points to a different inside IP (2.2.2.3). So I removed the original static and replaced it with:

static (inside,outside) tcp 1.1.1.1 80 2.2.2.2 80
static (inside,outside) tcp 1.1.1.1 443 2.2.2.2 443
static (inside,outside) tcp 1.1.1.1 25 2.2.2.2 25
static (inside,outside) tcp 1.1.1.1 389 2.2.2.3 389

and cleared the xlate for 1.1.1.1

Everything inbound was fine, but they could no longer send emails. I have no access-list on the inside interface, the xlate table showed translations as expected so I can't see why the outgoing smtp stopped working.

Probably missed something very obvious, but can anyone help? I have restored the config now to the original setup.
 
Sort by date Sort by votes
Without the full config I can only imagine that you may not have enabled PAT or static IP the mail server can use. Try this

nat (inside) 1 0 0
global (outside) 1 interface
 
Upvote 0 Downvote
If you do have the global/nat pair, the outgoing smtp will use the IP of the global instead of the static. It is just the way policy nat works. If the email servers you send to use reverse dns to verify the sender and you don't have the global ip as an mx record in your dns, the emails will get hung up in the queue.

Another option is this - I have not tried it but you might try

nat(inside) 2 2.2.2.2 255.255.255.255
global (outside) 2 1.1.1.1


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Thanks for the input horus, but that's already in:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Inbound and outbound mail is fine when I only have the one static in place. It is when I changed to the static PATs that outbound mail stopped working.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
intel233
  • Locked
  • Question Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
1K
intel233
intel233
steve777777
  • Locked
  • Question Question
Cisco ASA VPN+NAT
Replies
0
Views
267
steve777777
steve777777
PauS0n
  • Locked
  • Question Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
471
PauS0n
PauS0n
mcisar
  • Locked
  • Question Question
Disable CHAP on PPPoE WAN connection
Replies
0
Views
397
mcisar
mcisar

Part and Inventory Search

Sponsor

Back
Top