Velocity Reviews - Computer Hardware Reviews

PIX Firewall problem, please help.

 
 
cosmicspin@yahoo.com
04-14-2005
Hi,

I'm pretty new to configuring the PIX, but I have a slight problem that
maybe someone knows the answer to. One of the sites I'm working on has
a mailserver behind a PIX, but a standard static (inside,outside)
command cannot fix the problem. The problem is that incoming mail
first goes to one server, and THAT server forwards the mail to the
mailserver. Thus, I need a way to make the mail go to the inside IP,
but then exit using the same IP it came in, even though it's a different
inside machine. Anyone have any clues? I've been reading up and see
some possibilities, but I'd like to see if anyone's dealt with a
similar issue.

Thanks in advance,

-cos

 
Chris
04-14-2005

<> wrote in message
news: ups.com...
> Hi,
>
> I'm pretty new to configuring the PIX, but I have a slight problem that
> maybe someone knows the answer to. One of the sites I'm working on has
> a mailserver behind a PIX, but a standard static (inside,outside)
> command cannot fix the problem. The problem is that incoming mail
> first goes to one server, and THAT server forwards the mail to the
> mailserver. Thus, I need a way to make the mail go to the inside IP,
> but then exit using the same IP it came in, even though it's a different
> inside machine. Anyone have any clues? I've been reading up and see
> some possibilities, but I'd like to see if anyone's dealt with a
> similar issue.
>
> Thanks in advance,
>
> -cos


If mail is delivered to the relay server which then passes it onto the
internal server, why not get the internal server to relay its outbound mail
through the relay server. Normally a relay server is used for
filtering/virus checking etc, so it makes sense to do it in both directions.

Chris.


 
cosmicspin@yahoo.com
04-14-2005
Unfortunately, the request I have is specific and that's the way they're
set up. I'd like to know if there's a way to do it just for my
reference anyhow, because it seems like it should be simple. Basically
I just need an example of the command(s) that would allow me to have
ONE IP for two different protocols, each one going to a different
machine. One incoming, the other outgoing. I don't know if they'd
want me to tell them to start changing how their servers do stuff, I'd
rather just change it at the PIX to be honest. Keep in mind that this
PIX is using NAT, so I made sure that the mailserver IP is not going to
be in the global NAT pool.

Maybe this will help.

Let's say I have mailserver 192.168.1.10, and a mail/filter virus
checker on 192.168.1.5.
The command on my PIX says :
static (inside,outside) xxx.xxx.xxx.128 192.168.1.5 netmask
255.255.255.255 0 0

This allows incoming mail to contact xxx.xxx.xxx.128 and get to the
mailserver filter/virus checker, which in turn forwards the email to
the actual mailserver. What command will let me specify the IP in
which outgoing SMTP (from 192.168.1.10) will appear as OUTSIDE? If I
have to change their server IPs and stuff, it's going to require much
more time than a simple IOS command.

Thanks anyhow Chris, if nothing else works I can try doing what you
suggested.

-cos

 
Walter Roberson
04-14-2005
In article <. com>,
<> wrote:
:I'm pretty new to configuring the PIX, but I have a slight problem that
:maybe someone knows the answer to. One of the sites I'm working on has
:a mailserver behind a PIX, but a standard static (inside,outside)
:command cannot fix the problem. The problem is that incoming mail
:first goes to one server, and THAT server forwards the mail to the
:mailserver. Thus, I need a way to make the mail go to the inside IP,
:but then exit using the same IP it came in, even though it's a different
:inside machine. Anyone have any clues? I've been reading up and see
:some possibilities, but I'd like to see if anyone's dealt with a
:similar issue.

The key to this is to recognize that the incoming email is always
going to inside port 25, but the outgoing email is going to -outside-
port 25, with some random high numbered port as the inside port.

So, you configure something like,

static (inside,outside) tcp PUBLICIP smtp FILTERSERVERIP smtp netmask 255.255.255.255
nat (inside) 2 MAILSERVERIP
global (outside) 2 PUBLICIP

The static PAT (port address translation) takes precedence over
the nat, so the incoming smtp will go to the filter server.
The outgoing smtp will not have source port 25, so the static will
not apply, and the nat will take over.


Note that the following will NOT work:

static (inside,outside) tcp PUBLICIP smtp FILTERSERVERIP smtp netmask 255.255.255.255
static (inside,outside) PUBLICIP MAILSERVERIP netmask 255.255.255.255

You cannot use that because a plain static takes precedence over
a static with ports.


In PIX 6.3(2) or later [I think it is] you have an additional option,
which is to use policy static. That's a static with an access-list
that controls the circumstances under which the static is used.
policy statics are a bit wonky -- you have to know undocumented
details about which part of the access list is being paid attention to.
--
Look out, there are llamas!
 
cosmicspin@yahoo.com
04-14-2005
Thanks Walter, it makes much more sense now. I was wrongly trying to
do the static thing you said NOT to do, and that's why it wasn't
working. You probably saved me hours of painful mucking about.

If worse comes to worse, I'll try Chris's idea which should've been the
way they configured it in the first place. Thanks again guys! Your
input has been helpful.

-cos

 
cosmicspin@yahoo.com
04-15-2005

Walter Roberson wrote:
> In article <. com>,
>
> You cannot use that because a plain static takes precedence over
> a static with ports.
>
>


How about NAT? Is there a priority level for NAT?

For example, take these following commands...

global (outside) 1 10.10.10.10-10.10.10.24 netmask 255.255.255.0
global (outside) 2 10.10.10.25
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 2 192.168.1.15

Is there a way to establish priority? Or does the translating inside
addresses by default take priority?

 
Walter Roberson
04-16-2005
In article < .com>,
<> wrote:
:How about NAT? Is there a priority level for NAT?

:For example, take these following commands...

:global (outside) 1 10.10.10.10-10.10.10.24 netmask 255.255.255.0
:global (outside) 2 10.10.10.25
:nat (inside) 1 0.0.0.0 0.0.0.0
:nat (inside) 2 192.168.1.15

:Is there a way to establish priority? Or does the translating inside
:addresses by default take priority?

Regular works by "longest match", the same as routing.
The numbers after the interface in 'nat' and 'global' statements
have no significance other than as arbitrary labels, with the
one exception of the use of 0 .

The relative order of static, static PAT, nat, policy nat,
policy static, nat exception, and identity nat, are documented
in the PIX command reference under the 'static' and 'nat' references.
Mostly. The relative order of policy static to policy nat is not
documented. I did get the information from Cisco, but I have forgotten
for now.
--
"Who Leads?" / "The men who must... driven men, compelled men."
"Freak men."
"You're all freaks, sir. But you always have been freaks.
Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
 
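To make the precedence rules from Walter's two replies concrete (plain static over static PAT over nat/global, and nat entries chosen by longest match with nat 0 meaning no translation), here is a small Python model of how the PIX would pick a translation for outbound and inbound flows; it is an added illustration, not Cisco code and not from the thread. The rule tables, the function names and the nat 0 subnet 192.168.2.0/24 are this example's own assumptions, and nat 0 is modelled in its address form rather than the access-list form used in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses, matching the thread's example topology.
PUBLIC, FILTER, MAIL = "10.10.10.20", "192.168.1.5", "192.168.1.10"
POOL = "10.10.10.10-10.10.10.19"          # global (outside) 1 pool

def best_nat(cfg, src_ip):
    """Longest-prefix match over 'nat (inside) <id> <net>' entries."""
    best = None
    for nat_id, net in cfg.get("nat", []):
        n = ip_network(net)
        if ip_address(src_ip) in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (nat_id, n)
    return best

def outbound_xlate(cfg, src_ip, proto, src_port):
    """Outside address an inside host presents when it opens a connection."""
    for inside, public in cfg.get("static", []):        # 1. plain static wins
        if inside == src_ip:
            return public
    for p, public, _, inside, in_port in cfg.get("static_pat", []):  # 2. static PAT
        if inside == src_ip and p == proto and in_port == src_port:
            return public
    hit = best_nat(cfg, src_ip)                         # 3. nat/global
    if hit is None or hit[0] == 0:                      # nat 0: no translation
        return src_ip
    return cfg["global"][hit[0]]

def inbound_xlate(cfg, dst_public, proto, dst_port):
    """Inside host that an unsolicited outside connection is delivered to."""
    for inside, public in cfg.get("static", []):        # plain static wins
        if public == dst_public:
            return inside
    for p, public, pub_port, inside, _ in cfg.get("static_pat", []):
        if public == dst_public and p == proto and pub_port == dst_port:
            return inside
    return None                                         # nat/global: outbound only

# Walter's working layout: static PAT for port 25 plus a /32 nat for the mailserver.
# The nat 0 subnet is a constructed extra to show the exemption case.
WORKING = {"static_pat": [("tcp", PUBLIC, 25, FILTER, 25)],
           "nat": [(1, "0.0.0.0/0"), (2, MAIL + "/32"), (0, "192.168.2.0/24")],
           "global": {1: POOL, 2: PUBLIC}}
# The pair he says will NOT work: the plain static shadows the static PAT.
BROKEN = {"static_pat": [("tcp", PUBLIC, 25, FILTER, 25)],
          "static": [(MAIL, PUBLIC)]}
```

With WORKING, inbound SMTP reaches the filter host and outbound mail from the mailserver leaves as PUBLIC; with BROKEN, inbound SMTP is delivered to the mailserver instead, which is the symptom the original poster hit.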
cosmicspin@yahoo.com
04-18-2005
Walter Roberson wrote:

>
> :Is there a way to establish priority? Or does the translating inside
> :addresses by default take priority?
>
> Regular works by "longest match", the same as routing.
> The numbers after the interface in 'nat' and 'global' statements
> have no significance other than as arbitrary labels, with the
> one exception of the use of 0 .
>


Well if anyone has some input, it'd be much appreciated.

Okay, the reason I asked was because the configuration you led me to
now has an interesting issue. I'll show you an example config, so you
can get the picture. The problem is there's now another issue that has
arisen, even worse than the previous!

*Site is using a global pool of 10 addresses with NAT, in which the
last address is specified as the mailserver (IP POOL 10.10.10.10-20)*
*keep in mind I'm using example IPs, in which 10.10.10.0 is considered
a public IP*

*Virus/Filter checker (IP = 192.168.1.5) forwards mail to actual
mailserver (IP = 192.168.1.10), mailserver sends out mail directly*

**********************************

PIX Version 6.1(1)
....snip...

static (inside,outside) tcp 10.10.10.20 smtp 192.168.1.5 smtp netmask
255.255.255.255

nat (inside) 0 access-list do-no-nat

global (outside) 1 10.10.10.10-10.10.10.19 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 2 10.10.10.20
nat (inside) 2 192.168.1.10 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 #ROUTER_OUTSIDE_PIX_IP# 1

....snip...

************************************

Now assuming the config is somewhat correct and understandable, the PIX
should send mail to the 192.168.1.5 to check it for viruses, which in
turn sends it to 192.168.1.10. Then 192.168.1.10, the ACTUAL
mailserver, sends SMTP traffic via the IP 10.10.10.20. Meanwhile, all
other machines in the local IP pool are numbered randomly between 10-19
for the last octet.

The problem that is occurring now is that I send mail outbound with the
correct IP (10.10.10.20), which shows up in the email header... But
when mail is incoming, it doesn't seem to reach the server, and I get a
'failed attempt' email after 24 hours of waiting. NAT is functioning
fine as well. The only problem is that email doesn't seem to be going
to the right place now, when it was before. Am I missing something
simple?

Thanks in advance,

cos

 
Walter Roberson
04-21-2005
In article <. com>,
<> wrote:
:PIX Version 6.1(1)

:static (inside,outside) tcp 10.10.10.20 smtp 192.168.1.5 smtp netmask 255.255.255.255

:global (outside) 1 10.10.10.10-10.10.10.19 netmask 255.255.255.0

:global (outside) 2 10.10.10.20

Is your outside IP address distinct from all of 10.10.10.10 thru
10.10.10.19 ? If not, then you are going to have problems,
especially if the outside IP is 10.10.10.20 .

If 10.10.10.20 is your outside IP, then in static and global
statements you should replace it with the keyword interface
as in

static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255

global (outside) 2 interface

6.1(1) and 6.1(2) are particularly problematic with respect
to static PAT on the outside IP.

If you use the real outside IP address in the global statement,
then some things will work but some will fail, and it can be
hard to track down.
--
Are we *there* yet??
 