PIX 505 with Email and NAT

cory-gray
Level 1

Hello Everyone. I am having a problem with a PIX 515. I have my MX record pointing at .50. I have the PIX NATing the connections on the appropriate ports to my email server at 192.168.1.60. I have all outbound connections NATing to .51. AOL is rejecting mail from my email server because the MX record is .50 and mail of course is coming from .51. I tried changing outbound connections to NAT to .50 but it did not work. Documentation said that whatever IP address you use for the "global" command has to be unique. I thought I would not have an issue with that configuration because the IP I tried using was unique except for the fact that it was used with the static command. Anyway, this is the relevant portion of the config. Any ideas are appreciated.

CURRENT CONFIG

ip address outside X.X.X.51 255.255.255.248
global (outside) 1 interface
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.50 192.168.1.60 netmask 255.255.255.255 0 0

CONFIG ATTEMPTED (Internet no longer worked, outbound email worked but not inbound)

ip address outside X.X.X.51 255.255.255.248
global (outside) 1 X.X.X.50
nat (inside) 0 access-list 80
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.50 192.168.1.60 netmask 255.255.255.255 0 0

5 Replies

varakantam
Level 1

Your static and PAT configuration looks OK. I would like to know why the mail is coming from .51 if your mail server is .50. I am assuming clients in your network should be using your internal mail server at .50 for mail relay. Could you check to see why the outbound source IP for mail from clients is .51?

There is no mail relay... the only mail server is the internal Exchange server, so that's why the .50 is being translated to 192.168.1.60 inbound. There is no mail server addressed as .50, so when mail gets sent out it comes straight from the internal server and all outbound connections are NAT'd to the outside interface. I know most organizations have an external mail server but this company doesn't. I would like to make it work without suggesting they buy an external mail server. All email is working today except for AOL because the source IP address does not match the MX record.

Can you post mail headers for a bounced mail to aol ?

d-roush
Level 1

Your current config looks correct. I would do a show xlate and make sure that your mail server is mapped correctly. Also, if you go to http://www.whatismyip.com from your mail server, your IP address should be your .50 address. Did the returned mail from AOL have a reason it was bounced? Also, do you have reverse DNS set up for your MX record? I don't think AOL will accept mail without doing a lookup.
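As an added illustration (not code from the thread), a small Python model of the PIX inside-to-outside address selection that the question's two configs and the show xlate / whatismyip check above rely on. It assumes the usual PIX 6.x order (nat 0 access-list exemption, then static, then nat/global PAT), replaces the masked X.X.X.50/.51 with the documentation addresses 203.0.113.50/.51, and treats access-list 80 as empty since the thread does not show it.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixNat:
    """Toy model of PIX inside->outside source selection (assumed order:
    nat 0 access-list exemption, then static, then nat/global PAT)."""
    outside_if: str                      # 'ip address outside ...'
    global_addr: str = "interface"       # 'global (outside) 1 interface' or an explicit IP
    statics: dict = field(default_factory=dict)  # real inside IP -> mapped outside IP
    exempt: list = field(default_factory=list)   # destination nets in 'nat (inside) 0 access-list 80' (assumed)

    def pat_address(self):
        return self.outside_if if self.global_addr == "interface" else self.global_addr

    def lint(self):
        """Report the overlap the poster hit: a global address that is also a static mapped address."""
        if self.pat_address() in self.statics.values():
            return f"global address {self.pat_address()} is not unique: also used by a static"
        return None

    def translate(self, src, dst):
        """Return the outside source address a packet from src to dst will carry."""
        for net in self.exempt:
            if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
                return src                   # nat 0: identity, no translation
        if src in self.statics:
            return self.statics[src]         # static applies to outbound traffic too
        return self.pat_address()            # everything else is PATed


# Constructed stand-ins for the thread's X.X.X.50 / X.X.X.51 (TEST-NET-3 range)
CURRENT = PixNat(outside_if="203.0.113.51",
                 statics={"192.168.1.60": "203.0.113.50"})
ATTEMPTED = PixNat(outside_if="203.0.113.51", global_addr="203.0.113.50",
                   statics={"192.168.1.60": "203.0.113.50"})

if __name__ == "__main__":
    # Under CURRENT the mail server already leaves as .50; other hosts leave as .51
    print(CURRENT.translate("192.168.1.60", "198.51.100.25"))  # 203.0.113.50
    print(CURRENT.translate("192.168.1.20", "198.51.100.25"))  # 203.0.113.51
    print(ATTEMPTED.lint())  # flags the non-unique global address
```

If the live show xlate disagrees with the model for 192.168.1.60, the static is not being hit and that, rather than the global address, is where to look.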

Cory,

To resolve your mail issues to AOL, what you need is RDNS (Reverse DNS) set up for your PAT address, i.e. if all your internal IPs are being translated to the outside interface IP of your PIX, then when you send mail to outside recipients the IP address that will show up as the sending IP is your PIX's outside interface IP. So to resolve this issue, get your ISP to set up RDNS for your domain to point to the IP address of your PIX outside interface.

You can check this yourself by going here - enter the IP address of your PIX's outside IP and see if AOL can resolve this IP to your domain name.

> http://postmaster.info.aol.com/tools/rdns.html

I hope this makes sense and helps, I have come across this a lot with my customers.

Jay
