09-15-2004 07:27 PM - edited 02-20-2020 11:37 PM
Interestingly, today was going along so well when, just as I was about to leave to go home, a problem arrived in my inbox - figures. The problem has to do with email. Well, you ask, this is a firewall forum, not one about Microsoft Exchange. Well, let me finish explaining my problem first. Haha.
What is happening is that a mail server that is trying to send to my domain is performing DNS lookups. Here is a quick explanation of what DNS lookups are in regards to eliminating spam: (http://www.postcastserver.com/help/Anti-Spam/DNS%20Lookups.htm). I know what needs to be done on my PIX but do not know how to do it. My configuration is as follows.
PIX 515e running IOS 6.3(3)
int outside : 10.10.10.1/24
int dmz : 20.20.20.1/24
int inside : 30.30.30.1/24
the SMTP gateway (receives email) is on the DMZ with IP 20.20.20.2
the mail server (sends email) is internal with IP 30.30.30.2
30.30.30.0/24 is PAT'd to 10.10.10.2
20.20.20.2 is NAT'd to 10.10.10.3
the MX record in domain xyz.com resolves to 10.10.10.3 (mail.xyz.com)
Where the problem occurs is that when our email server sends email to a mail server on the internet that performs DNS lookups, it gets rejected because it thinks our IP was spoofed. Here's why. Our mail server is on a subnet that is PAT'd to 10.10.10.2, so when it sends an email to server A and then server A performs a DNS lookup, it sees that mail.xyz.com's mail server is 10.10.10.3, but it received mail from a person @ xyz.com from a server with an IP address of 10.10.10.2.
What I need to do is make the PIX perform a static outbound NAT. I know how to do this on a router but not a PIX. I need 30.30.30.2 to be re-written as coming from 10.10.10.3, so when the mail server performs the lookup it will see that our email is 10.10.10.3, which is what the MX record says it should be, and then it will send email to our SMTP gateway for spam/anti-virus processing before being relayed back to our email server.
Can the PIX perform outbound static NAT translations? The reason I ask is that Cisco documentation says that the static command is for inbound connections. Other newsrooms have suggested changing the interface perspectives of INSIDE, OUTSIDE, and DMZ, but that is not an option in this case :( Any idea on what I can do? Is this a common problem? Thanks a lot.
-Mike
09-15-2004 09:14 PM
The static statement works both ways.
static (inside, outside) 10.10.10.3 10.10.10.3 netmask 255.255.255.255 0 0
This should work as long as your example network (10.10.10.0) is globally routable.
kevin
09-15-2004 09:18 PM
One more option is to change the MX record from the mail sending host to the external interface of the firewall. Not sure how critical internal DNS is to you, but this may be the easiest solution.
kevin
09-15-2004 11:22 PM
The problem here is that you are already using the 10.10.10.3 to provide a static NAT to the smtp_Gateway in the DMZ. I believe the usual practice in such configurations is to have the smtp_Gateway take care of all incoming and outgoing mails. You have the incoming part configured properly, but it looks like you are sending mails directly from your inside server out to any SMTP server on the internet. Reconfiguring the inside SMTP server to send all outgoing mails via the smtp_Gateway might resolve your issue.
By the way is this Mike Matterson from thesiggroup?
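To make the failure mode in the original question and the relay fix in the reply above concrete, here is an added example (not from any poster, and not PIX code): a small Python model of which outside address an outbound packet gets on the PIX (a matching static is used before the nat/global PAT pool), the receiving server's "does the connecting IP match the sender domain's MX?" check, and the overlap the reply points at when a second static tries to reuse 10.10.10.3. The addresses and DNS entries are constructed from the thread; the rule that a second static with an already-mapped address on the same interface pair is refused is an assumption of the model.

```python
"""Model of the PIX translation choice and the receiver's MX/source-IP check.

Constructed data from the thread: inside 30.30.30.0/24 PAT'd to 10.10.10.2,
DMZ SMTP gateway 20.20.20.2 statically NAT'd to 10.10.10.3, and the MX for
xyz.com pointing at mail.xyz.com = 10.10.10.3.
"""
import ipaddress
from typing import Optional

# Constructed DNS table for xyz.com (what the remote MTA would look up).
DNS = {
    "MX": {"xyz.com": "mail.xyz.com"},
    "A": {"mail.xyz.com": "10.10.10.3"},
}

# Simplified translation table. STATICS models "static (real_ifc,outside)
# mapped real"; PAT_RULES models "nat (inside) 1" + "global (outside) 1 <pat>".
STATICS = {
    "20.20.20.2": "10.10.10.3",   # DMZ smtp_Gateway, as configured in the thread
}
PAT_RULES = [
    (ipaddress.ip_network("30.30.30.0/24"), "10.10.10.2"),
]


def add_static(real_ip: str, mapped_ip: str) -> None:
    """Add a static. Assumption modeled here: a mapped address already claimed
    by another static toward the outside cannot be reused for a second host."""
    if mapped_ip in STATICS.values() and STATICS.get(real_ip) != mapped_ip:
        raise ValueError(f"mapped address {mapped_ip} already used by a static")
    STATICS[real_ip] = mapped_ip


def mapped_source(real_ip: str) -> Optional[str]:
    """Return the outside source address a packet from real_ip will carry.

    A matching static wins; otherwise the first PAT rule whose subnet contains
    the host applies; otherwise there is no translation (None)."""
    if real_ip in STATICS:
        return STATICS[real_ip]
    host = ipaddress.ip_address(real_ip)
    for subnet, pat_ip in PAT_RULES:
        if host in subnet:
            return pat_ip
    return None


def mx_check(sender_domain: str, connecting_ip: str) -> bool:
    """Receiver-side check described in the question: resolve the sender
    domain's MX host to an address and accept only if it matches the
    address the connection came from."""
    mx_host = DNS["MX"].get(sender_domain)
    if mx_host is None:
        return False
    return DNS["A"].get(mx_host) == connecting_ip


def delivery_path(originating_host: str, relay_via: Optional[str] = None) -> dict:
    """Simulate a message from originating_host leaving the network, either
    directly or after relaying through relay_via (the DMZ gateway).
    Returns the address the remote MTA sees and whether its check passes."""
    egress_host = relay_via if relay_via else originating_host
    seen = mapped_source(egress_host)
    accepted = seen is not None and mx_check("xyz.com", seen)
    return {"seen_as": seen, "accepted": accepted}


if __name__ == "__main__":
    # Direct send from the inside server: leaves as 10.10.10.2, fails the check.
    print(delivery_path("30.30.30.2"))
    # Relay through the DMZ gateway: leaves as 10.10.10.3, passes the check.
    print(delivery_path("30.30.30.2", relay_via="20.20.20.2"))
    # The extra inside static for 10.10.10.3 collides with the DMZ static.
    try:
        add_static("30.30.30.2", "10.10.10.3")
    except ValueError as err:
        print("static rejected:", err)
```

Running the block shows the direct path rejected and the relayed path accepted, and the attempted inside static for 10.10.10.3 refused; in practice the only PIX-side requirement for the relay approach is that the inside server can reach the DMZ gateway on TCP 25, which the default higher-to-lower security policy already permits.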
09-16-2004 02:12 AM
No, I'm not from the siggroup. Thanks for your response, guys. It's like 6am right now and I just got a phone call from work informing me that DNS went down, so I figured while I'm up, let's check out the Cisco forums :). The good news is that restarting the DNS service fixed the problem. Anyway, I'll take your suggestions and see what I can do. Thanks a lot!!