
PAT NAT issue with only 1 IP address

Status
Not open for further replies.

marsmann

MIS
Apr 4, 2002
33
US
Hi all,

Simple question:

I have a PIX 515E with only one usable public IP address.

I have the single address used as the global NAT/PAT for all users and it's also the endpoint to the Internet for my inbound VPN connections.

I need to do a static NAT to an inside host on port 25, as this client has changed the way of handling email. I can't do a static inside,outside to forward to an internal host on 25, can I? Or, can I do a static inside,outside to the only usable IP address? I don't think you can do a 1-to-1 NAT with the same PAT address, right? What can I do?

The other caveat is that the firewall is NOT physically connected to the inside network, but it can route to it.

For example:

100.100.100.100/30 Internet
|
|
100.100.100.99/30 pix outside address
PIX 515e
10.10.10.10/24 pix inside address
|
|
10.10.10.20 proxy server external
Proxy server
172.24.1.50 proxy server internal
|
172.24.1.0/24 LAN containing email server host
 
If I'm reading your message right, you want to do something like this.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 25 mail_ip 25 netmask 255.255.255.255
 
So, I CAN do a 1-to-1 NAT to the outside address even if it's the only IP address available and already in use by the global NAT/PAT?

I thought it would run into problems in the translation tables.
 
No... Because PAT uses port ranges way above 25. Shouldn't be a problem.
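
Why the port 25 redirect and the dynamic PAT can share the one outside address, as an added example that is not part of the thread and is not PIX code: a simplified translation-table model in which static entries are keyed by protocol and public port, and the dynamic allocator skips any port a static entry already holds. The class name, the 1024-65535 pool bounds and the inside host addresses are assumptions; the model also goes beyond the thread by covering a static redirect on a high port.

```python
# Simplified model of one public IP shared by dynamic PAT and static port redirects.
# Not PIX code: class, pool bounds and inside host addresses are assumptions.
from dataclasses import dataclass, field

PAT_POOL = range(1024, 65536)  # assumed dynamic PAT source-port pool


@dataclass
class XlateTable:
    public_ip: str
    static: dict = field(default_factory=dict)   # (proto, public_port) -> (inside_ip, inside_port)
    dynamic: dict = field(default_factory=dict)  # (proto, public_port) -> (inside_ip, inside_port)
    by_flow: dict = field(default_factory=dict)  # (proto, inside_ip, inside_port) -> public_port

    def add_static(self, proto, public_port, inside_ip, inside_port):
        """Reserve a public port for an inbound redirect; refuse a slot already in use."""
        key = (proto, public_port)
        if key in self.static or key in self.dynamic:
            raise ValueError(f"{proto}/{public_port} already translated")
        self.static[key] = (inside_ip, inside_port)

    def outbound(self, proto, inside_ip, inside_port):
        """Return the public source port for an outbound flow (dynamic PAT)."""
        flow = (proto, inside_ip, inside_port)
        if flow in self.by_flow:
            return self.by_flow[flow]
        for port in PAT_POOL:
            key = (proto, port)
            if key not in self.static and key not in self.dynamic:
                self.dynamic[key] = (inside_ip, inside_port)
                self.by_flow[flow] = port
                return port
        raise RuntimeError("PAT pool exhausted")

    def inbound(self, proto, public_port):
        """Return the inside (ip, port) for traffic to public_ip:public_port, or None to drop.
        Remote-endpoint matching for dynamic entries is omitted in this model."""
        key = (proto, public_port)
        return self.static.get(key) or self.dynamic.get(key)


def demo():
    t = XlateTable("100.100.100.99")                 # PIX outside address from the thread
    t.add_static("tcp", 25, "172.24.1.25", 25)       # mail host address is constructed
    t.add_static("tcp", 1024, "172.24.1.80", 8080)   # constructed redirect inside the PAT pool
    first = t.outbound("tcp", "172.24.1.101", 40000)
    second = t.outbound("tcp", "172.24.1.102", 40000)
    return t, first, second
```

Two inside hosts using the same source port get distinct public ports, and neither allocation can land on a port held by a static entry, so inbound SMTP always resolves to the mail host.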
 