
Help With Port Redirection And NAT

Status
Not open for further replies.

ixleplix

MIS
Feb 6, 2003
129
We recently added a spam server and therefore had to split the traffic coming in so that the SMTP went to the spam server and to the Exchange (for OWA). This has apparently had the effect that all traffic outbound from the Exchange server (upon leaving the PIX) shows that it is coming from the main IP of the PIX, x.x.x.136. Before, it showed it was coming from the x.x.x.130 address, which was statically mapped to y.y.y.16 (Exchange) inside.

This is a problem since we have a VPN tunnel connected to a network that also has an Exchange server, and apparently when their router is seeing traffic from x.x.x.136 it sends it to their VPN concentrator, which drops the packets (as it should). They of course believe that this is our problem. So.....

I thought I could use NAT to resolve this, but my attempted solution didn't work.
Here are the pertinent commands. OS 6.3.1

access-list 100 permit tcp any host x.x.x.130 eq www
access-list 100 permit tcp any host x.x.x.130 eq smtp

static (inside,outside) tcp x.x.x.130 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.130 smtp y.y.y.19 smtp netmask 255.255.255.255 0 0

This is the solution I tried that didn't work:

nat (inside) 2 y.y.y.16 255.255.255.255
global (outside) 2 x.x.x.130 netmask 255.255.255.255

After these commands, nothing from the Exchange server seemed to be able to go through the PIX.

Any help would be great!!!!
 
you probably have a 'global 0 interface', can you change it to global 0 x.x.x.131 (or some other free address?)

Brian
 
Or pass SMTP traffic between the two sites via the VPN and the internal IP addresses. Add the other site's mail server's inside address to the hosts file on your mail server and update the VPN/nat 0 access lists.
 
Hi.

You can simply use an additional IP address and map it to your Exchange server:
x.x.x.131 or any unused public IP.

Then use the normal STATIC command (as you did before the change) instead of port forwarding.

Side note - Ask your ISP to create a reverse lookup PTR record for the new IP used by Exchange. It will help you avoid some problems with SMTP.

Bye


Yizhar Hurwitz
 
you probably have a 'global 0 interface', can you change it to global 0 x.x.x.131 (or some other free address?)


I will try this one, but it's going to be a few days before I'm able.

Thanks to all who replied. The help is always appreciated.

Roland
 