Re: [fw-wiz] accessing SMTP server via the translated address

I've dealt with this problem in two different ways.

One way was on our internal network DNS: our admins had a domain set up for
all of our public facing servers with A records containing the real private
IP of the server. So for example, if I went to inside our
network it would resolve to the private IP instead of the public one. That
works pretty well, but then you have double maintenance when you add new
hosts. We didn't really add that many over time so it was not a big deal, but
for a high maintenance shop this might get to be a pain.

The other way you can do it is with DNS doctoring, where you tell the PIX to
inspect all DNS traffic passing through it. Then, at the end of your static
statement, you put in the keyword DNS and the PIX will automatically rewrite the
response to your DNS query, replacing the public IP with the private one.
I've not used this on the newer PIX / ASA OS, but I did use it on the version
6 OS and it worked pretty well. You have to refer to the box by name to
invoke DNS in order for this to work though, so if you're required for some
reason to refer to it by IP it won't work.

See this:

Good luck!

On Fri, Dec 12, 2008 at 4:17 AM, Rudy Setiawan <rudal@xxxxxxxxxxxxxxxx> wrote:

We have a firewall with both outside and inside interfaces.
We have an SMTP server that lives in the inside network
and it's translated to a public IP on the outside interface.
SMTP inside IP:
Translated IP:
in the pix (version 7.2.3)
static (inside,outside) netmask

I have a workstation with IP which has a translated IP of
From my workstation I tried to access port 25 or ping, and I got request timed out.

I have an access-list that allows icmp as well as port 25 on the
I am able to access port 25 and ping the IP from anywhere in the world.

How can I permit such traffic?

firewall-wizards mailing list
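The DNS doctoring behaviour described in the reply above (the firewall inspecting DNS and, for a static that carries the dns keyword, rewriting the public address in an A-record answer to the private one before the reply reaches the inside host) is simulated below in Python as an added example. This is not code from the thread or from Cisco. The hostname, the addresses and the static NAT table are constructed placeholders in documentation ranges, not the poster's real values, and the parser handles only what a plain A-record reply needs: the answer section, with the usual compression-pointer name form.

```python
"""DNS doctoring as a NAT firewall does it, simulated (added example).

A static NAT maps private 10.1.1.25 <-> public 203.0.113.25 (constructed).
An inside host asks an external resolver for mail.example.test and the reply
carries the public address. With the dns keyword on the static, the firewall
rewrites that A record to the private address on the way back in, so the
inside host connects directly instead of trying to reach its own public IP
across the outside interface.
"""
import ipaddress
import struct

# Constructed static NAT table, public -> private (assumption, not the poster's addresses).
STATIC_NAT = {
    "203.0.113.25": "10.1.1.25",
}


def build_dns_response(qname, ip, ttl=300, txid=0x1234):
    """Build a minimal DNS response with one A-record answer (constructed test input)."""
    def encode_name(name):
        out = b""
        for label in name.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode()
        return out + b"\x00"

    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE A, QCLASS IN
    # The answer name is a compression pointer to offset 12, where the question name starts.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def _skip_name(msg, off):
    """Advance past a (possibly compressed) DNS name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _answer_records(buf):
    """Yield (rdata_offset, rtype, rclass, rdlen) for each record in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", buf, 0)
    if not flags & 0x8000:              # a query, not a response: nothing to walk
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def answer_addresses(msg):
    """Return the A-record addresses in the answer section, in order."""
    return [
        str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
        for off, rtype, rclass, rdlen in _answer_records(msg)
        if rtype == 1 and rclass == 1 and rdlen == 4
    ]


def doctor_response(msg, nat_table):
    """Rewrite A-record rdata per the static NAT table, as the dns keyword does.

    Returns (rewritten_message, number_of_records_rewritten). Only the
    inside-bound direction the reply describes is modelled: a public address
    that appears in the table becomes its private counterpart. Records whose
    address is not in the table, and non-A records, are left untouched, and
    nothing else in the message (TTLs, flags, lengths) changes.
    """
    buf = bytearray(msg)
    rewritten = 0
    for off, rtype, rclass, rdlen in _answer_records(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue
        public_ip = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        private_ip = nat_table.get(public_ip)
        if private_ip is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(private_ip).packed
            rewritten += 1
    return bytes(buf), rewritten


if __name__ == "__main__":
    reply = build_dns_response("mail.example.test", "203.0.113.25")
    print("resolver answered:", answer_addresses(reply))
    fixed, count = doctor_response(reply, STATIC_NAT)
    print("inside host sees:", answer_addresses(fixed), "records rewritten:", count)
```

The rewrite is keyed on the address in the answer, not on the name queried, which is why the reply's caveat holds: a client that connects to the public IP literally never sends a DNS query through the firewall, so there is nothing to doctor. The split-DNS approach described first in the reply reaches the same end state without inspection, by having the internal zone hand out the private address in the first place, at the cost of maintaining the record in two places.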
