PIX 501 and inbound NAT/PAT

Discussion in 'Cisco' started by Alex, Aug 10, 2004.

  1. Alex

    Alex Guest

    Hello NG,

    I'm in the process of changing ISPs and I'm configuring a PIX 501 to use as
    a backup firewall while our DNS entries change. So our main firewall will be
    configured with the new ISP's public IP address, and the PIX will be
    assigned our existing ISP's public IP address. Internal addresses will be
    192.168.1.254 and 192.168.1.253 respectively.

    The main reason for this is so we can receive incoming SMTP through our old
    ISP while the DNS records get updated, and I've already configured a port
    mapping on the PIX to forward SMTP traffic to our internal mail server.

    However, as the default gateway of the mail server is not the PIX, this is
    not working properly. I think the only way this can be quickly fixed is if
    the inbound traffic is NAT'ed onto the PIX internal IP address, but I'm not
    sure how to do this.

    So I want all traffic arriving on the PIX public interface, port 25, to be
    forwarded to our internal mail server and the source address NAT'ed to the
    PIX private interface. So reply packets will go to the PIX (and then back
    out through the public interface), as opposed to them being "lost" by going
    to the default gateway, which will have no knowledge of this traffic.

    Is there a way to do this, and if so, how?

    Alex
     
    Alex, Aug 10, 2004
    #1

    1. Advertisements

  2. Alex

    none Guest

    You could setup a mail relay to intercept the incoming mail on the old ISP
    address and have it relay it on in to the mail server. The relay would use
    the old network as it's default gateway.

    PIX
    New ISP FW Old ISP FW
    | |
    +------------------------+
    | |
    SMTP Server SMTP Relay

    You can then setup two MX records (when new ISP is connected) - one pointing
    to the new mail server public IP and one pointing to the old mailserver
    public IP. Give the record pointing to the old network IP a higher priority
    than the one pointing to the new IP - when the old IP goes away (I.E.
    disconnected), mail will flow through the new IP with the lower priority MX
    as backup. Then you can take down the relay.

    I've used small Linux boxes running Sendmail as a relay in the past.
     
    none, Aug 10, 2004
    #2

    1. Advertisements

  3. Alex

    Alex Guest

    I have considered that idea, but we're short on hardware and the PIX
    solution would be a lot more straightforward in our case... just add a
    couple of lines to my config (hopefully), and it's up and running. Building
    a new server (assuming we had the hardware) would take half a day at best...

    I'm really looking for the PIX option here...

    Alex
     
    Alex, Aug 10, 2004
    #3

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. Nat/Pat-problem with pix 501

  2. PIX 501, NAT/PAT capable of utilizing several public IPs?

  3. PAT and Static NAT on a PIX 501

  4. PIX 501 single outside interface and PAT for inbound connections???

  5. Static PAT overrides Dynamic Pat - Pix 515e

  6. PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT

  7. PIX 506E PDM 3.0(1) PIX 6.3(3) NAT/PAT (Part 2)

  8. PIX 501 and ISA 20004 - Pix for DSL PPPOE only and no NAT...

Loading...