PIX Question about NAT

Discussion in 'Cisco' started by Joe Hayes, Jan 15, 2005.

  1. Joe Hayes (Guest)

    I've got an SMTP virus-filtering gateway sitting on my DMZ with a private
    address of 192.168.x.y. The public address is 12.a.b.c. From the gateway
    itself, I need to originate an SMTP connection out to the public address so
    mail can come back in and be forwarded correctly. This is because the DNS
    on our DMZ returns an MX record with the public address for our domain rather
    than the private address. Normally outgoing traffic from the DMZ to the
    public network works without any problem, but I can't seem to connect to the
    server's public address from the server itself. Any help would be
    appreciated.
    Joe Hayes, Jan 15, 2005
    #1

  2. In article <U51Gd.91058$Ix2.50474@okepread02>,
    Joe Hayes <> wrote:
    :I've got an SMTP virus-filtering gateway sitting on my DMZ with a private
    :address of 192.168.x.y. The public address is 12.a.b.c. From the gateway
    :itself, I need to originate an SMTP connection out to the public address so
    :mail can come back in and be forwarded correctly. This is because the DNS
    :on our DMZ returns an MX record with the public address for our domain rather
    :than the private address. Normally outgoing traffic from the DMZ to the
    :public network works without any problem, but I can't seem to connect to the
    :server's public address from the server itself. Any help would be
    :appreciated.

    You have three or more choices:

    1) Change the DNS server to return the private IP address for the
    MX record and add the 'dns' keyword to the 'static' statements.
    The DNS server will return the private IP, but the PIX will
    modify the DNS response to contain the public IP when the DNS record
    goes outside.

    2) Change the DNS server to implement 'split views', so that the
    DNS server recognizes whether the query is from inside or outside
    and returns different results in the two cases.

    3) Have the DMZ hosts use a DNS server which resides outside,
    have the DNS server return the public IPs, and use the 'dns' keyword
    on the 'static' statements; this will cause the PIX to modify
    the DNS response from outside to contain the private IP when the DNS
    record comes inside.


    All in all, you might find option #1 to be the easiest to implement.
    --
    *We* are now the times. -- Wim Wenders (WoD)
    Walter Roberson, Jan 15, 2005
    #2
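The 'dns' keyword behaviour described in the reply above (the PIX inspecting a DNS reply as it crosses the firewall and swapping the A-record address according to the matching 'static' entry, in either direction depending on which way the reply travels) can be modelled in a few dozen lines. The Python below is an added illustration, not code from this thread or from Cisco. It builds a constructed DNS response, then rewrites the A-record RDATA the way the PIX would: the addresses 198.51.100.7 (standing in for the post's public 12.a.b.c) and 192.168.10.5 (standing in for 192.168.x.y), and the name mail.example.com, are all assumed placeholders.

```python
import struct
from ipaddress import ip_address

# Constructed mapping standing in for a PIX entry of the form
#   static (dmz,outside) <public> <private> ... dns
# DMZ -> outside: a reply leaving the DMZ has the private address rewritten to
# the public one (option 1 in the reply). Outside -> DMZ: the reverse (option 3).
STATIC_DMZ_TO_OUTSIDE = {"192.168.10.5": "198.51.100.7"}   # assumed addresses
OUTSIDE_TO_DMZ = {pub: priv for priv, pub in STATIC_DMZ_TO_OUTSIDE.items()}

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, addresses, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Constructed DNS response: one question plus one A record per address.
    Answer owner names use a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for addr in addresses:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
        answers += ip_address(addr).packed
    return header + question + answers


def skip_name(pkt, off: int) -> int:
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def a_record_offsets(pkt):
    """Yield the RDATA offset of every IN A record in the answer section."""
    flags, qdcount, ancount = struct.unpack_from("!HHH", pkt, 2)
    if not flags & 0x8000:             # QR bit clear: a query, nothing to doctor
        return
    off = 12
    for _ in range(qdcount):
        off = skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            yield off
        off += rdlen                   # other record types are left untouched


def answered_addresses(pkt) -> list:
    """List the A-record addresses in a response, in order."""
    return [str(ip_address(bytes(pkt[o:o + 4]))) for o in a_record_offsets(pkt)]


def doctor_response(pkt: bytes, addr_map: dict) -> bytes:
    """Rewrite A-record addresses found in addr_map, exactly as a 'static ... dns'
    entry does; length and every other byte of the reply stay the same."""
    buf = bytearray(pkt)
    for off in a_record_offsets(buf):
        current = str(ip_address(bytes(buf[off:off + 4])))
        if current in addr_map:
            buf[off:off + 4] = ip_address(addr_map[current]).packed
    return bytes(buf)


if __name__ == "__main__":
    # An outside resolver answers with the public MX address; as the reply
    # enters the DMZ the firewall hands the host the private address instead.
    reply = build_a_response("mail.example.com", ["198.51.100.7"])
    print(answered_addresses(reply), "->",
          answered_addresses(doctor_response(reply, OUTSIDE_TO_DMZ)))
```

Only A records whose address matches a static entry change, and the rewritten reply is byte-for-byte the same length, which is why the DMZ host then connects to its own private address and the original problem (connecting to the public address from behind the same static) never arises. Records for addresses with no static entry pass through unchanged.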
