PIX 501 and inbound NAT/PAT

Discussion in 'Cisco' started by Alex, Aug 10, 2004.

  1. Alex

    Alex Guest

    Hello NG,

    I'm in the process of changing ISPs and I'm configuring a PIX 501 to use as
    a backup firewall while our DNS entries change. So our main firewall will be
    configured with the new ISP's public IP address, and the PIX will be
    assigned our existing ISP's public IP address. Internal addresses will be
    192.168.1.254 and 192.168.1.253 respectively.

    The main reason for this is so we can receive incoming SMTP through our old
    ISP while the DNS records get updated, and I've already configured a port
    mapping on the PIX to forward SMTP traffic to our internal mail server.

    However, as the default gateway of the mail server is not the PIX, this is
    not working properly. I think the only way this can be quickly fixed is if
    the inbound traffic is NAT'ed onto the PIX internal IP address, but I'm not
    sure how to do this.

    So I want all traffic arriving on the PIX public interface, port 25, to be
    forwarded to our internal mail server and the source address NAT'ed to the
    PIX private interface. So reply packets will go to the PIX (and then back
    out through the public interface), as opposed to them being "lost" by going
    to the default gateway, which will have no knowledge of this traffic.

    Is there a way to do this, and if so, how?

    Alex
    Alex, Aug 10, 2004
    #1
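An added model of the failure described above (not code from the thread or from Cisco): the mail server answers the forwarded packet according to its own routing table, so without source NAT the reply goes to the main firewall, which holds no state for the connection. The addresses 192.168.1.254 (main firewall, the server's default gateway) and 192.168.1.253 (PIX inside) are from the thread; the mail server, remote sender and PIX public address are constructed.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
MAIN_FW = ipaddress.ip_address("192.168.1.254")     # default gateway (from the thread)
PIX_INSIDE = ipaddress.ip_address("192.168.1.253")  # backup PIX, inside (from the thread)
PIX_OUTSIDE = ipaddress.ip_address("198.51.100.1")  # constructed old-ISP public address
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")  # constructed
REMOTE_MTA = ipaddress.ip_address("203.0.113.5")    # constructed remote sender


def server_next_hop(dst):
    """Mail server's routing decision: on-link for the LAN, else the default gateway."""
    return dst if dst in LAN else MAIN_FW


def pix_inbound(flow, snat):
    """PIX port-forward for an inbound SYN: DNAT to the mail server, and SNAT to
    the PIX inside address only when asked.  Returns the rewritten flow plus the
    reverse translation entry the PIX keeps so it can recognise the reply."""
    src, sport, _dst, dport = flow
    new_src = PIX_INSIDE if snat else src
    forwarded = (new_src, sport, MAIL_SERVER, dport)
    reverse_key = (MAIL_SERVER, dport, new_src, sport)
    return forwarded, {reverse_key: flow}


def trace_reply(snat):
    """Follow the mail server's SYN-ACK back.  Returns ('delivered', final dst)
    or ('dropped', the hop that had no state for the flow)."""
    syn = (REMOTE_MTA, 40000, PIX_OUTSIDE, 25)
    fwd, pix_state = pix_inbound(syn, snat)
    src, sport, dst, dport = fwd
    reply = (dst, dport, src, sport)        # server answers whatever source it saw
    hop = server_next_hop(reply[2])
    if hop == MAIN_FW:
        # The main firewall never saw the SYN: no translation or connection
        # entry, so the reply is dropped (or sent out the wrong ISP link).
        return "dropped", hop
    if reply in pix_state:
        original = pix_state[reply]
        # PIX reverses the translation and sends the reply out its public side.
        return "delivered", original[0]
    return "dropped", hop
```

With the source rewritten, the mail server sees every inbound session as coming from 192.168.1.253, so its own logs and any sender-IP-based controls lose the real client address; the PIX logs become the only record of it.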

  2. Alex

    none Guest

    You could set up a mail relay to intercept the incoming mail on the old ISP
    address and have it relay it on in to the mail server. The relay would use
    the old network as its default gateway.

                          PIX
        New ISP FW     Old ISP FW
            |              |
            +--------------+
            |              |
        SMTP Server    SMTP Relay

    You can then set up two MX records (when the new ISP is connected) - one pointing
    to the new mail server public IP and one pointing to the old mail server
    public IP. Give the record pointing to the old network IP a higher priority
    than the one pointing to the new IP - when the old IP goes away (i.e.
    disconnected), mail will flow through the new IP with the lower priority MX
    as backup. Then you can take down the relay.

    I've used small Linux boxes running Sendmail as a relay in the past.


    "Alex" <> wrote in message
    news:1W6Sc.70$...
    > Hello NG,
    >
    > I'm in the process of changing ISPs and I'm configuring a PIX 501 to use

    as
    > a backup firewall while our DNS entries change. So our main firewall will

    be
    > configured with the new ISP's public IP address, and the PIX will be
    > assigned our existing ISP's public IP address. Internal addresses will be
    > 192.168.1.254 and 192.168.1.253 respectively.
    >
    > The main reason for this is so we can receive incoming SMTP through our

    old
    > ISP while the DNS records get updated, and I've already configured a port
    > mapping on the PIX to forward SMTP traffic to our internal mail server.
    >
    > However, as the default gateway of the mail server is not the PIX, this is
    > not working properly. I think the only way this can be quickly fixed is if
    > the inbound traffic is NAT'ed onto the PIX internal IP address, but I'm

    not
    > sure how to do this.
    >
    > So I want all traffic arriving on the PIX public interface, port 25, to be
    > forwarded to our internal mail server and the source address NAT'ed to the
    > PIX private interface. So reply packets will go to the PIX (and then back
    > out through the public interface), as opposed to them being "lost" by

    going
    > to the default gateway, which will have no knowledge of this traffic.
    >
    > Is there a way to do this, and if so, how?
    >
    > Alex
    >
    >
    none, Aug 10, 2004
    #2
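The two-record MX plan above, as an added illustration (not from the thread): a sending MTA tries the record with the lowest preference value first and falls back to higher values, so the old-ISP relay gets the lower number and the new server becomes the backup. Host names, preference values and the reachability sets are constructed.

```python
from collections import namedtuple

MX = namedtuple("MX", "preference host")

# Constructed zone for the cutover: old-ISP relay preferred (10), new server backup (20).
EXAMPLE_MX = [MX(20, "mail-new.example.com"), MX(10, "relay-old.example.com")]


def delivery_order(records):
    """Order MX records the way a sending MTA does: ascending preference value.
    Records sharing a preference would be tried in random order; not needed here."""
    return [r.host for r in sorted(records, key=lambda r: r.preference)]


def choose_target(records, reachable):
    """Return the first MX host in delivery order that currently answers on
    port 25 (`reachable` stands in for a successful connect), or None if all fail."""
    for host in delivery_order(records):
        if host in reachable:
            return host
    return None
```

Once the old ISP link is disconnected the relay drops out of `reachable` and senders move to the new server on their own; the old MX record can then be removed after its TTL has expired.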

  3. Alex

    Alex Guest

    I have considered that idea, but we're short on hardware and the PIX
    solution would be a lot more straightforward in our case... just add a
    couple of lines to my config (hopefully), and it's up and running. Building
    a new server (assuming we had the hardware) would take half a day at best...

    I'm really looking for the PIX option here...

    Alex

    Alex, Aug 10, 2004
    #3