Re: SMTP reverse dns failing on PIX

stafford.slater · ‎06-14-2005

Hi,

I have problems sending mail to certain domains such as AOL, the mails are bouncing back as the ISP is carrying out a reverse dns lookup, I have a reverse record setup correctly.

I have configurd a static transltion as shown below but when the mail is sent the reverse lookup comes back as 212.9.20.9 which is the PAT address.

static (DMZ,outside) tcp 212.9.20.10 smtp xx.xx.xx.10 smtp netmask 255.255.255.255 0 0

I removed the static and replace with a nat/global to a single ip address

global (outside) 2 212.9.20.10

nat (DMZ) 2 xx.xx.xx.10 255.255.255.255 0 0

ACL for both were: -

access-group OUTSIDE in interface outside

access-group DMZ in interface DMZ

access-list OUTSIDE permit tcp any host 212.9.20.10 eq smtp

access-list OUTSIDE permit udp any host 212.9.20.10 eq domain

access-list OUTSIDE permit udp any host 212.9.20.9 eq domain

access-list DMZ permit tcp host xx.xx.xx.10 any eq smtp

This resolved the reverse mail lookup but incoming mail stopped, I have a line from the logs as follows not sure if it's connected.

Deny inbound (No xlate) tcp src outside:212.179.225.160/3244 dst outside:212.9.20.10/135

Any help would be great.

Cheers

stafford

jmia · ‎06-14-2005

Stafford,

Have you checked with AOL for RDNS for your domain? If not check here:

http://postmaster.info.aol.com/tools/rdns.html

Jay

stafford.slater · ‎06-15-2005

Hi Jay,

Thanks for the reply thats a handy link, but the reverse is configured correctly,the ip address it comes back with is 212.9.20.10, there is a static set up to this ip address but the problem is that outgoing mail is being sent with the PAT ip address of 212.9.20.09

The static config looks correct to me but not workin.

Cheers

Stafford

ali-franks · ‎06-15-2005

Hi Staff,

You can forget the log entry:

Deny inbound (No xlate) tcp src outside:212.179.225.160/3244 dst outside:212.9.20.10/135

Someone having a fumble with a scanner probably! Any news on TAC or bug toolkit?

Ali