i need some help with a pix issue we have on our network. on our DMZ, we have a SMTP server which is to send all packets out on a static IP Address. the problem is that it's not sending packets out on that specific IP address, it's using another IP address. The static IP address that it is supposed to be using is: 202.x.x.37. But all emails are being recieved on IP address: 202.x.x.34
here are the lines I have written for traffic going both ways: static (dmz,outside) tcp 202.x.x.37 smtp 192.x.x.197 smtp netmask
Okay, I read your post again and am not enitrely sure of what you are trying to do. Your incomming mail should go to a specific address? or your outgoing mail should be from a specific address?
Assuming mail is coming in: Let's start here, assuming you're on some sort of *nix box issue the following command: "dig -t mx someDomain.tld |grep -ir mx"
The above should tell you what the public MX records are, this are the addresses that your email will be forwarded to...
Say the PIX config is as follows: interface 0 (outside) 1.1.1.1 interface 1 (indide) 2.1.1.1 interface 2 (dmz0) 3.1.1.1
You need to create a static on your dmz, let's assume the MX record above was 1.1.1.99 and you server on the DMZ is 3.1.1.99: "static (dmz0,outside) tcp 1.1.1.99 smtp 3.1.1.99 smtp netmask
255.255.255.255" "access-list inboundACL line X permit tcp any 1.1.1.99 eq smtp" "clear xlate"
Problem should be solved, now if your outgoing mail should be from a specific address just set up a one-to-one static NAT, not a tcp static but the whole IP.
Point your clients at the 3.1.1.99 address, when it relays the outside world will see it as 1.1.1.99.
You do not need to create static's in both directions, it's really messy and could cause some nice problems later in life when you least expect it. One last note, if you do just so happen to be using a Microsoft product for your email, be sure to issue the command "no fixup protocol smtp"
Thanks for the explanations Will, I really appreciate your time. basically when we send mail out, it should be staticly mapped to a specific IP address. but this has not been working so far.
here's our interface config: ip address outside 202.x.x.x ip address inside 10.x.x.x ip address dmz 192.x.x.x
mail being sent from the smtp server (in the DMZ) is not being sent with the static IP address that we want. All incoming mail is fine.
i will try those one-to-one static NATs and let you know.
I have tried this, and so far it is successful, once again thanks for your help. even though we are using Exchange for email, i've left out the "no fixup protocol smtp" line. all seems to be fine for now. cheers!
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.
All logos and trade names are the property of their respective owners.