PIX515e PAT configuration


hoinvip
Nov 16, 2001
Hi,

I need to set-up some inbound PAT statements on my Cisco Pix to allow specific ports to be mapped to internal IP addresses.

Specifically, I want to allow SMTP in to my mail server which has an internal address of 192.168.1.11

I am also interested in adding some other PAT statements for other requirements but I'm hoping that once I understand the syntax for the SMTP listing, that I'll be able to work out the others.

Can anyone offer me some advice please?

Many thanks,

Peter
 
HI.

The best way to go is to have a range of fixed registered IP addresses so you can use different addresses for servers, clients, the PIX interface, etc.
It can also be done with a single IP, but the first option is best.
The router outside the PIX should also not do NAT, because this can cause problems and limitations.

There are some tools and links that can help you with this task; here are some of them:

* PDM

* Cisco docs:
And many more...

* Pixcript:

Yizhar Hurwitz
 
Actually, I disagree with the above. The purpose of the PIX is to be a (P)rivate (I)nternet e(X)change. I see this as limiting your internal and external exposure to the Internet. A configuration which is easier to maintain is less likely to be misconfigured in such a manner as to allow inappropriate access to the inside network.

I have set up many a PIX, and on most of them I am using 1 IP address for incoming mail, syslog from a router(s), SSH, and others, including reusing that same IP for my outbound PAT. 1 IP address exposed to the Internet is much easier to maintain control over than 5 or 10. This also allows you to easily perform perimeter packet filtering on your edge routing device.

So, to answer your question:

Specifically, I want to allow SMTP in to my mail server which has an internal address of 192.168.1.11

1. Point your MX record at your PIX outside routeable interface.
2. Configure your PIX to statically xlate mail traffic inside. 'static (inside,outside) pix_outside_ip 192.168.1.11 netmask 255.255.255.255 0 0'
3. Turn on PIX mailguard -- 'fixup protocol smtp 25'
4. If you are doing outbound NAT in addition to PAT you will also need to configure NAT and global statements.

I am also interested in adding some other PAT statements for other requirements but I'm hoping that once I understand the syntax for the SMTP listing, that I'll be able to work out the others.

For other services you need to offer up, the command syntax is the same as the above.



Tom
 
Tom,

Thanks for the info, I think I did actually try this but it didn't seem to achieve anything. I will have another go at it.

A couple of questions though:

I have the "fixup..." statement for smtp in my config and have seen references to a mailguard command as well... do I need to enable something else too?

Point 2 above doesn't seem to specify the SMTP port (25). If I am running other ports to different internal servers, how do I set this up?

Sorry for the dumb questions - I'm still learning this stuff!

Cheers,

Peter

e: hoinvip@hotmail.com
 
I have the "fixup..." statement for smtp in my config and have seen references to a mailguard command as well... do I need to enable something else too?


With smtp, when you enable fixup on port 25 you are enabling mailguard. I know Cisco documentation is not clear at all on this point.

Point 2 above doesn't seem specify the smtp port (25), if I am running other ports to different internal servers how do I set this up?


Ack! You are correct. The correct syntax should be:

static (inside,outside) tcp outside_routable_ip smtp inside_mail_server smtp netmask 255.255.255.255 0 0

You will also need to modify your inbound access-list to something like:

access-list outside_access_in permit tcp any host outside_routable_ip eq smtp

If this still doesn't work for you, post your config here.

I also find it very useful, while logged into the console, to turn on debugging to check and see what errors, if any, are being generated:

logging console debug
logging on

Tom
 
I found that some mail servers have incompatibilities with Mailguard, so to make the mail server work with the PIX,
I disable the fixup protocol smtp.

There is a simple explanation of SMTP commands, the PIX and Microsoft SMTP, and how they affect each other:
Microsoft Knowledge Base - Q320027

 
I have a similar problem:

I need to redirect ports 25, 80 and 110 on one public IP address, but once the configuration is done, I have not been able to access the Internet from the internal network. I think this is because I redirect port 80 to my Web server.

Could someone confirm that or give a solution?

Config:

access-list acl-lan-wan permit ip any any
access-list 100 permit tcp any host 192.168.1.11 eq smtp
access-list 100 permit tcp any host 192.168.1.11 eq pop3
access-list 100 permit tcp any host 192.168.1.11 eq www

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl-lan-wan in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 212.147.xxx.xxx 1

Thanks
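The configuration the thread converges on (Tom's one-outside-address approach, extended to the three services the last poster needs), written out as a complete PIX 6.x fragment. This is an added example and is not any poster's own config: 203.0.113.10 is an assumed placeholder for the PIX outside address, 192.168.1.11 is the inside server from the thread, and the `interface` keyword in the `static` lines assumes PIX 6.2 or later (on older code, write the outside address in its place, as in Tom's syntax). It also shows the one point the last poster's config misses: on PIX 6.x the access-list applied to the outside interface is evaluated against the outside (global) address, not the inside host.

```cisco
! Added example, not from any post in this thread.
! Outside address (assumed placeholder) and default route.
ip address outside 203.0.113.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Inbound: one port-level static per service, all sharing the outside
! interface address. "interface" requires PIX 6.2+; otherwise put the
! outside address (203.0.113.10) in its place.
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www  192.168.1.11 www  netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.1.11 pop3 netmask 255.255.255.255 0 0

! The outside ACL must match the translated (outside) address.
! "host 192.168.1.11" here would never match an inbound packet.
access-list outside_access_in permit tcp any host 203.0.113.10 eq smtp
access-list outside_access_in permit tcp any host 203.0.113.10 eq www
access-list outside_access_in permit tcp any host 203.0.113.10 eq pop3
access-group outside_access_in in interface outside

! Outbound: every inside host is PATed to the same outside address.
! The port-level statics above take precedence for their three ports,
! so outbound web browsing from the inside is unaffected.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Mailguard is the SMTP fixup itself; there is no separate command.
fixup protocol smtp 25
! If the mail server misbehaves behind Mailguard (see the Microsoft KB
! article cited above), disable it instead:
! no fixup protocol smtp 25

! While testing, watch translations and connections being built:
! logging on
! logging console debugging
! show xlate
! show conn
```

Apply the `static` lines before the `global`, and clear existing translations with `clear xlate` after changing them; stale entries from the previous configuration are a common reason a corrected static appears not to work.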
 