pix 506 nat or pat

I have a situation where the mail server is sending out as .198 (the external interface) and not .194, where the reverse DNS record is set. I am looking for a way, with the below configuration, to make the mail server - mail1 - go out as .194, so it will match the reverse DNS record set up for the domain.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hU30LZ0tA/rewfXm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.22 mail1
name 192.168.1.50 graphics
name 192.168.1.230 pc1
name 192.168.1.25 vault
name 192.168.1.231 estimator
name 192.168.1.26 vaultsmtp
access-list outside_access_in permit tcp any host x.x.x.196 eq 3389
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any host x.x.x.197 eq 3389
access-list outside_access_in permit tcp any host x.x.x.197 eq www
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any host x.x.x.194 eq www
access-list outside_access_in permit tcp any host x.x.x.194 eq https
access-list outside_access_in permit tcp any host x.x.x.194 eq 3389
access-list outside_access_in permit tcp any host x.x.x.194 eq smtp
access-list outside_access_in permit gre any host x.x.x.195
access-list outside_access_in permit tcp any host x.x.x.195 eq pptp
access-list outside_access_in permit udp any host x.x.x.195 eq 1723
access-list outside_access_in permit tcp any host x.x.x.195 eq 3389
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.198 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.10.20.0 255.255.255.0 inside
pdm location mail1 255.255.255.255 inside
pdm location graphics 255.255.255.255 inside
pdm location pc1 255.255.255.255 inside
pdm location estimator 255.255.255.255 inside
pdm location vault 255.255.255.255 inside
pdm location vaultsmtp 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3389 estimator 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www estimator www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 pop3 mail1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 https mail1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 www mail1 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 3389 mail1 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 imap4 mail1 imap4 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.194 smtp vaultsmtp smtp netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.196 graphics netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.197 pc1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.195 vault netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.10.20.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community
no snmp-server enable traps
floodguard enable
telnet 10.10.20.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:8a392d24aaa7037490e37d05ec75cd26
: end
Reply to
mmark751969

I think you need to remove this:

255.255.255.255 0 0
255.255.255.255 0 0

and add this:

static (inside,outside) tcp x.x.x.194 mail1 netmask 255.255.255.255 0 0

Reply to
maxim chebanenko


Since you are already port-forwarding public IP .194 to two different inside hosts you can't use static for this.

Maybe you could tweak nat:

global (outside) 1 x.x.x.194
global (outside) 2 interface

nat (inside) 1 192.168.1.22 255.255.255.255 0 0
nat (inside) 2 0.0.0.0 0.0.0.0 0 0

Reply to
Jyri Korhonen
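
The effect of the nat/global split suggested in the reply above, as an added example that is not part of the original posts: a small Python model of which outside source address an inside host gets for outbound connections, run against the posted rule set and the suggested one. Assumptions: 203.0.113.x stands in for the masked x.x.x. addresses, the name `egress_ip` is illustrative, and port-based `static ... tcp` entries are treated as inbound forwards only.

```python
import ipaddress

def egress_ip(config, host):
    """Outside source address an inside host gets for new outbound connections."""
    names, statics, nats, pools, outside_if = {}, {}, [], {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"]:
            names[t[2]] = t[1]                      # name <ip> <alias>
        elif t[:3] == ["ip", "address", "outside"]:
            outside_if = t[3]
        elif t[:2] == ["global", "(outside)"]:
            pools[t[2]] = t[3]                      # nat id -> address or "interface"
        elif t[:2] == ["nat", "(inside)"]:
            net = ipaddress.ip_network(f"{names.get(t[3], t[3])}/{t[4]}")
            nats.append((net, t[2]))
        elif t[:2] == ["static", "(inside,outside)"] and t[2] not in ("tcp", "udp"):
            statics[names.get(t[3], t[3])] = t[2]   # one-to-one static only
    host = names.get(host, host)
    if host in statics:                             # one-to-one static beats dynamic NAT
        return statics[host]
    addr = ipaddress.ip_address(host)
    # Regular nat: the most specific matching rule wins (longest prefix here).
    best = max(((n.prefixlen, i) for n, i in nats if addr in n), default=None)
    if best is None:
        return None
    pool = pools.get(best[1])
    return outside_if if pool == "interface" else pool

# Constructed sample: a trimmed version of the posted config, 203.0.113.x for x.x.x.
COMMON = """\
names
name 192.168.1.22 mail1
name 192.168.1.50 graphics
ip address outside 203.0.113.198 255.255.255.248
static (inside,outside) tcp 203.0.113.194 www mail1 www netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.196 graphics netmask 255.255.255.255 0 0
"""
BEFORE = COMMON + "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0 0 0\n"
AFTER = COMMON + ("global (outside) 1 203.0.113.194\n"
                  "global (outside) 2 interface\n"
                  "nat (inside) 1 192.168.1.22 255.255.255.255 0 0\n"
                  "nat (inside) 2 0.0.0.0 0.0.0.0 0 0\n")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for h in ("mail1", "192.168.1.231", "graphics"):
            print(label, h, "->", egress_ip(cfg, h))
```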


Thanks. What about just creating a second reverse DNS - or adding one for .198?

Reply to
mmark751969
