Re: [fw-wiz] accessing SMTP server via the translated address

I've dealt with this problem in two different ways.

One way was on our internal network DNS our admins had a domain set up for
all of our public facing servers with A records containing the real private
IP of the server. So for example, if I went to inside our
network it would resolve to the private IP instead of the public one. That
works pretty well, but then you have double maintenance when you add new
hosts. We didn't really add that many over time, so it was not a big deal, but
for a high-maintenance shop this might get to be a pain.

The other way you can do it is with DNS doctoring, where you tell the PIX to
inspect all DNS traffic passing through it. Then, if at the end of your static
statement you put in the keyword DNS, the PIX will automatically rewrite the
response to your DNS query and replace the public IP with the private one.
I've not used this on the newer PIX / ASA OS, but I did use it on the version
6 OS and it worked pretty well. You have to refer to the box by name to
invoke DNS in order for this to work, though, so if you're required for some
reason to refer to it by IP it won't work.

See this:

Good luck!

On Fri, Dec 12, 2008 at 4:17 AM, Rudy Setiawan <rudal@xxxxxxxxxxxxxxxx> wrote:


We have a firewall with both outside and inside interfaces.
We have an SMTP server that lives in the inside network,
and it's translated to a public IP on the outside interface.
SMTP inside IP:
Translated IP:
in the pix (version 7.2.3)
static (inside,outside) netmask

I have a workstation with IP which has a translated IP of
From my workstation I tried to access port 25 or ping, and I got request timed out.

I have an access-list that allows ICMP as well as port 25 on the
I am able to access port 25 and ping the IP from anywhere in the world.

How can I permit such traffic?

firewall-wizards mailing list

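What the second approach in the reply does on the wire, as an added example that is not part of the original posts: the `dns` keyword on a PIX static entry (`static (inside,outside) <public> <private> netmask 255.255.255.255 dns`) makes the firewall rewrite the A-record rdata in DNS replies that cross it, swapping the translated public address for the real inside address, so an inside host that looks up the server's name connects straight to the private IP instead of hairpinning to the public one. The Python below simulates that rewrite over a constructed DNS response. The addresses, the NAT table and the zone name are made up for illustration; only replies that actually pass through the firewall between the two interfaces of the static get rewritten, which is why the reply's author says you have to refer to the box by name.

```python
"""
Simulate PIX/ASA "DNS doctoring": rewrite A records in a DNS reply according
to a static NAT table, the way the firewall does when a static entry carries
the `dns` keyword.  Added example, not code from the mailing-list thread.
The NAT table and sample zone below are constructed for illustration.
"""
import ipaddress
import struct

# Constructed NAT table: public (outside) address -> private (inside) address.
# Stands in for `static (inside,outside) 203.0.113.25 192.168.10.25 netmask 255.255.255.255 dns`.
STATIC_NAT = {
    "203.0.113.25": "192.168.10.25",   # hypothetical mail server
}


def _skip_name(msg, off):
    """Return the offset just past a DNS name, handling compression pointers."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def _iter_records(msg):
    """Yield (rtype, rclass, rdata_offset, rdlen) for every RR after the question."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12                            # fixed 12-byte header
    for _ in range(qd):                 # skip QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                       # TYPE, CLASS, TTL, RDLENGTH
        yield rtype, rclass, off, rdlen
        off += rdlen


def doctor_dns_reply(msg, nat=STATIC_NAT):
    """Rewrite A-record rdata that matches a NAT'd public address.

    Returns (rewritten_message, count).  Only IN A records with 4-byte rdata
    are touched; other types (AAAA, MX, CNAME, ...) pass through unchanged,
    and the message length never changes, so no offsets need fixing.
    """
    out = bytearray(msg)
    rewritten = 0
    for rtype, rclass, off, rdlen in _iter_records(msg):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            public = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if public in nat:
                out[off:off + 4] = ipaddress.IPv4Address(nat[public]).packed
                rewritten += 1
    return bytes(out), rewritten


def answer_addresses(msg):
    """List the IPv4 addresses carried in IN A records of a DNS message."""
    return [
        str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        for rtype, rclass, off, rdlen in _iter_records(msg)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_reply(qname, answers, txid=0x1234):
    """Build a minimal DNS response with one A record per address (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    body = b""
    for ip in answers:
        # owner name as a compression pointer to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += ipaddress.IPv4Address(ip).packed
    return header + question + body


if __name__ == "__main__":
    # An outside DNS server answers with the public address; the firewall
    # "doctors" the reply before handing it to the inside client.
    reply = build_reply("mail.example.com", ["203.0.113.25", "198.51.100.7"])
    fixed, n = doctor_dns_reply(reply)
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(fixed), f"({n} record rewritten)")
```

The second address in the sample reply is deliberately not in the NAT table, to show that only addresses covered by a `dns`-tagged static are rewritten; anything else reaches the inside client untouched.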