example config for Cisco PIX 515E

I am configuring a 515E and would like to know if anyone could make a post
showing how to allow for PAT mappings between the outside interface and the
inside interface e.g. 1.2.3.4 25 maps to 192.168.0.2 25. If you have a
config showing the filters and mappings necessary that would be very useful.
Thank you!

PIX Newbie

-Gary

 

Try adding these:



access-list smtp permit tcp any host 1.2.3.4 eq smtp
access-group smtp in interface outside
static (inside,outside) 1.2.3.4 192.168.0.2 netmask 255.255.255.255 0 0



That will allow any smtp traffic that is for 1.2.3.4 to head to 192.168.0.2.
The "smtp" in the access list is just a wild-card...you could call it ACL1
or anything else as long as you remain consistent in its use.

I assume that you've also registered your "1.2.3.4" address as your MX
record with your host or DNS provider?

HTH,

Mike

 

Yes,

1.2.3.4 would be the MX record. Would this config also allow other hosts to
use 1.2.3.4 as their NAT address e.g. my client machine at 192.168.0.3 would
be able to establish and maintain a connection to a remote host's SMTP
server at 4.3.2.1? what is I wanted the entire subnet to be able to go out
using NAT on 1.2.3.4, but want only 192.168.0.2 to accept inbound
connections at 1.2.3.4:25?

Thanks!

-Gary

 

Hang on....let me see if I understand you correctly.

You want port 25 open and mapped for a mail server that you are physically
hosting, correct? Otherwise you wouldn't need to open it as the machines on
the inside of your firewall would be initiating the connection, hence the
firewall will allow it.

But, going on what you indicated, you ARE hosting your own mail:

The PIX itself will perform NAT that you require for all of your internal
network, however, you will need 2 public IP addresses. One for your PIX
itself, and one for your Mail (MX) server. The PIX will be assigned one IP
(let's say 150.200.30.21) and the MX the other (example again:
150.200.30.22).

You would then configure the PIX with the following commands:


ip address outside 150.200.30.21 255.255.255.x
ip address inside 192.168.0.1 255.255.255.0


Then, if all of your machines are set to point to the PIX (192.168.0.1) as
their gateway, you will all be NAT'd behind the same IP (150.200.30.21), and
they will all be allowed to go out to the SMTP server.

Now, to finish your setup for mail, you would take the commands I gave you
last night and enter those to map your 192.168.0.2 machine to accept
incoming mail destined for your public mailserver record:


access-list smtp permit tcp any host 150.200.30.22 eq smtp
access-group smtp in interface outside
static (inside,outside) 150.200.30.22 192.168.0.2 netmask 255.255.255.255 0
0


That should do it. Post back if you have any more questions.