example config for Cisco PIX 515E

Discussion in 'Cisco' started by Gary, Apr 19, 2004.

  1. Gary

    Gary Guest

    I am configuring a 515E and would like to know if anyone could make a post
    showing how to allow for PAT mappings between the outside interface and the
    inside interface e.g. 1.2.3.4 25 maps to 192.168.0.2 25. If you have a
    config showing the filters and mappings necessary that would be very useful.
    Thank you!

    PIX Newbie

    -Gary
     
    Gary, Apr 19, 2004
    #1

  2. Mike W.

    Mike W. Guest


    Try adding these:



    access-list smtp permit tcp any host 1.2.3.4 eq smtp
    access-group smtp in interface outside
    static (inside,outside) 1.2.3.4 192.168.0.2 netmask 255.255.255.255 0 0



    That will allow any smtp traffic that is for 1.2.3.4 to head to 192.168.0.2.
    The "smtp" in the access list is just a wild-card...you could call it ACL1
    or anything else as long as you remain consistent in its use.

    I assume that you've also registered your "1.2.3.4" address as your MX
    record with your host or DNS provider?

    HTH,

    Mike
     
    Mike W., Apr 20, 2004
    #2

  3. Gary

    Gary Guest

    Yes,

    1.2.3.4 would be the MX record. Would this config also allow other hosts to
    use 1.2.3.4 as their NAT address e.g. my client machine at 192.168.0.3 would
    be able to establish and maintain a connection to a remote host's SMTP
    server at 4.3.2.1? What if I wanted the entire subnet to be able to go out
    using NAT on 1.2.3.4, but want only 192.168.0.2 to accept inbound
    connections at 1.2.3.4:25?

    Thanks!

    -Gary
     
    Gary, Apr 20, 2004
    #3
  4. Mike W.

    Mike W. Guest


    Hang on... let me see if I understand you correctly.

    You want port 25 open and mapped for a mail server that you are physically
    hosting, correct? Otherwise you wouldn't need to open it as the machines on
    the inside of your firewall would be initiating the connection, hence the
    firewall will allow it.

    But, going on what you indicated, you ARE hosting your own mail:

    The PIX itself will perform NAT that you require for all of your internal
    network, however, you will need 2 public IP addresses. One for your PIX
    itself, and one for your Mail (MX) server. The PIX will be assigned one IP
    (let's say 150.200.30.21) and the MX the other (example again:
    150.200.30.22).

    You would then configure the PIX with the following commands:


    ip address outside 150.200.30.21 255.255.255.x
    ip address inside 192.168.0.1 255.255.255.0


    Then, if all of your machines are set to point to the PIX (192.168.0.1) as
    their gateway, you will all be NAT'd behind the same IP (150.200.30.21), and
    they will all be allowed to go out to the SMTP server.

    Now, to finish your setup for mail, you would take the commands I gave you
    last night and enter those to map your 192.168.0.2 machine to accept
    incoming mail destined for your public mailserver record:


    access-list smtp permit tcp any host 150.200.30.22 eq smtp
    access-group smtp in interface outside
    static (inside,outside) 150.200.30.22 192.168.0.2 netmask 255.255.255.255 0 0


    That should do it. Post back if you have any more questions.
     
    Mike W., Apr 20, 2004
    #4
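Added example, not code from the original posts: a complete PIX OS 6.x fragment that covers the one-address layout Gary asked about in #3 (everything leaves via the single public address, only TCP/25 comes back in to 192.168.0.2) and, as a commented variant, the two-address layout in #4 with the static from #2. It adds the nat/global pair that the outbound PAT relies on, which the snippets above leave implicit. Assumptions: PIX OS 6.2 or later (port redirection needs it), ethernet0/ethernet1 as outside/inside, 150.200.30.21 as the public address, 150.200.30.1 as the ISP gateway, and the 192.168.0.0/24 LAN from the thread. The lines starting with ! are comments for the reader; drop them if your PIX rejects them when pasting.

```cisco
! Interfaces and addressing (security levels decide which side may initiate).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 150.200.30.21 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 150.200.30.1 1

! Outbound: every inside host is PAT'd behind the outside interface address.
! This is what lets 192.168.0.3 reach a remote SMTP server at 4.3.2.1 from
! 150.200.30.21. No ACL is needed for it: the higher-security inside interface
! initiated the connection, so the return traffic is allowed by the state table.
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
global (outside) 1 interface

! Inbound: redirect only TCP/25 arriving at the outside interface address to the
! mail server. A port static claims just that port, not the whole address, so the
! PAT above keeps working for everyone else on the LAN.
static (inside,outside) tcp interface smtp 192.168.0.2 smtp netmask 255.255.255.255 0 0

! The static only creates the translation; the ACL is what permits the packet in.
! Only TCP/25 to the public address is opened; the implicit deny drops the rest.
access-list outside_in permit tcp any host 150.200.30.21 eq smtp
access-group outside_in in interface outside

! Variant for the two-address layout in #4 (150.200.30.22 dedicated to the MX):
! use a full static on that address instead of the port static, keep nat/global
! as above so the rest of the LAN still leaves via .21, and permit only SMTP
! to the second address:
!   static (inside,outside) 150.200.30.22 192.168.0.2 netmask 255.255.255.255 0 0
!   access-list outside_in permit tcp any host 150.200.30.22 eq smtp

! Checks after entering or changing a static: "clear xlate" so stale
! translations do not mask the new mapping, then "show xlate" and "show conn"
! while a remote host connects to port 25, and "show access-list outside_in"
! to confirm the hit count on the permit line is rising rather than the deny.
```

Whichever variant is used, the only inbound hole is TCP/25 to the mail server; the mail server itself should still be configured not to relay for arbitrary sources, since the PIX permits any source address to reach it.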
