POP3 & SMTP through Pix to Static NAT Address [7:19931]

2001-09-14 Thread atram

I have a situation which someone may be able to shed some light on.

The configuration that is in place is a PIX 515 6.01 with a public IP on the
'outside' interface and a private IP on the 'inside' interface, as you would
normally see in a straightforward config.

We are using PAT to another external IP for all internal users.  Also there
are static NAT statements on this same external IP (one used for PAT) that
translate to the appropriate internal IPs for the respective services.

Ex.
static (inside,outside) tcp x.x.x.x  pop3 10.x.x.x  pop3 netmask x.x.x.x
(translating all pop3 queried traffic on x.x.x.x to be forwarded to
10.x.x.x)


One inbound access list is applied to the 'outside' interface filtering for
the protocols we need allowed in and for the static nats.


So this works fine for all external users and querying the various
protocols.  All locations are connected via private frame WAN to the central
location, where the internet connection out is and also this PIX.

Here is the problem.  There are travelling users who bounce from site to
site and are configured to access email via POP3.  Unfortunately this will
not work from inside the PIX.  What it looks like is that basically the
client is querying a pop3 server which resolves to the public IP address,
which is in turn the same address assigned for the static NAT translation to
the actual internal pop3 box.  I would change the client to resolve pop3 to
the actual internal IP address, but then they would be unable to reach the
box from home or hotel etc.

ie.  client queries pop3 to 'popserver.domain.com' > dns resolves this to
x.x.x.x from above static NAT.  Query fails.

Does anyone have any suggestions on what may be happening and could shed
some light on whether this can be done first of all, and what steps may need
to be taken on the PIX so that internal queries for pop3 and smtp will be
able to go out through the PAT and come back in as the static NAT translates
them and still work?


Thanks VERY much for anyone's input.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19931&t=19931
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: POP3 & SMTP through Pix to Static NAT Address [7:19931]

2001-09-16 Thread pat

Hello,

  This is a common problem in PIX. When an internal client gets the public IP
from DNS, it tries to reach that IP. Since it is an external IP, the PIX
routes it outside and hence the packets are lost. There is a workaround
provided by PIX for this kind of problem. You need to use the "alias" command
on the PIX. Please refer to

http://www.cisco.com/warp/public/110/alias.html

or:

This document explains the use of the alias command on the Cisco Secure PIX
Firewall.

The alias command has two possible functions:

1. It can be used to do "DNS Doctoring" of DNS replies from an external DNS
server.

In DNS Doctoring, the PIX "changes" the DNS response from a DNS server to be
a different IP address than the DNS server actually answered for a given
name.

This process is used when we want the actual application call from the
internal client to connect to an internal server by its internal IP address.

2. It can be used to do "Destination NAT" (dnat) of one destination IP
address to another IP address.

In dnat, the PIX "changes" the destination IP of an application call from one
IP address to another IP address.

This process is used when we want the actual application call from the
internal client to the server in a perimeter (dmz) network by its external IP
address. This does not "doctor" the DNS replies.

For example, if a host sends a packet to 99.99.99.99, you can use the alias
command to redirect traffic to another address, such as 10.10.10.10. You can
also use this command to prevent conflicts when you have IP addresses on a
network that are the same as those on the Internet or another intranet. For
more information, consult the PIX


Hope this will help you

pat







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20123&t=19931
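Putting atram's static/PAT setup and pat's alias suggestion together, here is an added PIX 6.x configuration sketch; it is not from either post nor from Cisco's document. The addresses are constructed placeholders: 203.0.113.10 stands for the shared public address used for both PAT and the statics, 10.1.1.25 for the internal mail host, and the access-list name outside_in is assumed.

```text
: Added example, not from the thread. PIX 6.x syntax.
: 203.0.113.10 = shared public address (constructed), 10.1.1.25 = inside mail host (constructed)

: Outbound PAT for all inside users onto the one public address
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.10

: Port-redirection statics: pop3 and smtp on the public address go to the inside mail host
static (inside,outside) tcp 203.0.113.10 pop3 10.1.1.25 pop3 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.10 smtp 10.1.1.25 smtp netmask 255.255.255.255

: Inbound filter on the outside interface, limited to the redirected services
access-list outside_in permit tcp any host 203.0.113.10 eq pop3
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside

: alias (if_name) dnat_ip foreign_ip netmask
: A DNS reply crossing the inside interface that answers 203.0.113.10 for the
: mail host is rewritten to 10.1.1.25, so inside clients open the POP3/SMTP
: session directly to the internal address instead of the public one.
alias (inside) 10.1.1.25 203.0.113.10 255.255.255.255
```

The alias line only helps here through the DNS doctoring function pat quotes: the clients' DNS replies must come from an external resolver and pass through the PIX, so that the answer for the mail host is rewritten before the session is opened. Confirm it from an inside host with nslookup against that external resolver (expect 10.1.1.25, not 203.0.113.10) before touching any client settings.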



Re: POP3 & SMTP through Pix to Static NAT Address [7:19931]

2001-09-24 Thread atram

Thanks Pat, worked like a charm!






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=20903&t=19931