PIX 501 Multiple Outside Ports to Single Inside Port

I'm trying to fix our remote e-mail folks. I have no problem forwarding a single port from the outside to the inside. So say Outside port 25 is forwarded to our internal e-mail server on port 25.

What I'm trying to do is forward two outside port 25 and port 587 to our inside server listening on port 25. Is this possible with a PIX 501?

We are currently using:

static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

if I add another line in say:

static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask 255.255.255.255 0 0

I get an error about overlapping. This has to be possible, I'm just going about it wrong. I have scoured the web and I can see how it can be done in a Linux environment with IP Tables, but I have not found a reference to do this in a CISCO PIX.

Reply to
Paul Smedshammer

try this:

object-group service MyMail tcp
  port-object eq smtp
  port-object eq 587
  exit

static (inside,outside) tcp interface MyMail 10.0.0.2 smtp netmask 255.255.255.255 0 0

I haven't got anything here to test it with, but it should put you on the right track at least. Now, if the port forward command doesn't like the service name in there, you just need to use an access-list in your nat statement instead. Lots of examples on cisco.com.

Flamer.

Reply to
die.spam

No, you cannot do that. While logically it would work inbound it would break going out. How would the smtp packet know which port to pat to on the way out. This is the same reason why you cannot have multiple publics nat'd to a single private.

Reply to
Brian V

"Brian V" wrote in news:xOidndfX84AK6ofVnZ2dnUVZ snipped-for-privacy@comcast.com:

I was worried about that. So, this is really something I can't do. I need to find another way to have our e-mail server listen on two different ports and then forward both those ports from the PIX. Thanks, I have been beating my head at this for a while and was thinking that maybe it can't be done.

Reply to
Paul Smedshammer

>>> static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
>>>
>>> if I add another line in say:
>>>
>>> static (inside,outside) tcp interface 587 10.0.0.2 smtp netmask 255.255.255.255 0 0
>>>
>>> I get an error about overlapping. This has to be possible, I'm just going about it wrong. I have scoured the web and I can see how it can be done in a Linux environment with IP Tables, but I have not found a reference to do this in a CISCO PIX.
>>
>> No, you cannot do that. While logically it would work inbound it would break going out. How would the smtp packet know which port to pat to on the way out. This is the same reason why you cannot have multiple publics nat'd to a single private.
>
> I was worried about that. So, this is really something I can't do. I need to find another way to have our e-mail server listen on two different ports and then forward both those ports from the PIX. Thanks, I have been beating my head at this for a while and was thinking that maybe it can't be done.

How about putting a second IP address on your server and then setting it to listen on that address using the second port you need. Then you won't have a problem forwarding the port on the PIX, since you will be forwarding the port to another address.

Reply to
Morph

What exactly are you trying to accomplish by having SMTP on two different ports? If you can give us an idea on what you are trying to accomplish we might be able to offer you an alternative.

Reply to
Brian V

Any MTA that can't handle both port 25 and the submission port 587 I would consider broken.

Reply to
Rod Dorman

"Brian V" wrote in news:QIGdnU-ZU7rHgIbVnZ2dnUVZ snipped-for-privacy@comcast.com:

We have a bunch of clients who are remote from their corporate E-mail server. When we configure their email to send out on SMTP default port 25 it gets blocked by AT&T in their wisdom to stop SPAM. Dynamic IP AT&T DSL connections block all traffic to port 25 except to their own servers. The idea is, if we can add another port to the corporate server to receive SMTP traffic, we can use an alternative port to send e-mail, getting around AT&T's block.

We have solved this problem not in the PIX but in our SPAM filtering software XWall. In XWall we configured it to listen on both port 25 and another in the 2000 range. Then we set up the PIX to forward both 25 and the 2000 port to the XWall server. Lastly, we set up the remote clients' e-mails to use the 2000 port to send e-mail out. Works perfectly.

It makes sense why this will work if you set up the SMTP server to listen on two different ports instead of using the PIX to try and combine two.

Thanks everybody for your response.

Paul Smedshammer

Reply to
Paul Smedshammer
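The arrangement Paul ends up with, two distinct outside ports each forwarded to a distinct listening port on the same inside host, written out as PIX 6.x configuration. This is an added example, not configuration posted in the thread or shipped by Cisco: 10.0.0.2 is the server address from the thread, while the alternative port 2525 (the thread only says "a port in the 2000 range"), the access-list name outside_in and the second inside address 10.0.0.3 in the commented alternative are assumptions.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Mail/XWall server: 10.0.0.2 (from the thread).
! Alternative submission port 2525: assumed value.
!
! Each static claims a different outside interface port, so the two
! entries do not overlap. The inside port differs as well: a static
! must be reversible, and two outside ports mapped to one inside port
! would leave the PIX no way to pick the outside port for return
! traffic (the objection Brian raises above).
static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2525 10.0.0.2 2525 netmask 255.255.255.255 0 0
!
! The outside interface denies inbound traffic by default; permit only
! the two published ports. Access-list name is assumed.
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any interface outside eq 2525
access-group outside_in in interface outside
!
! Alternative layout (Morph's suggestion): a second inside address on
! the server, listening on 587, published as outside port 587.
! 10.0.0.3 is an assumed address.
! static (inside,outside) tcp interface 587 10.0.0.3 587 netmask 255.255.255.255 0 0
```

The PIX only rewrites addresses and ports here; whether the second port accepts mail from anyone or only from authenticated clients is decided on the server, which is the point Tilman makes further down. Verify the translations with show xlate and the hit counts on the two access-list lines with show access-list after a test connection to each port.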

Why not have them simply connect to the corp LAN via VPN or even RPC via Outlook to the Exchange server? You also have the ability to use smart hosts, SMTP.com is a great example of one.

Reply to
Brian V

Paul Smedshammer wrote:

Don't do that. The SMTP reception port 25 and the submission port 587 should be configured differently, port 587 only accepting authenticated SMTP connections and port 25 only accepting mail for local users. Any decent mail server software should be able to be set up like that.

HTH T.

Reply to
Tilman Schmidt
