Static Port Forwarding Reverse-DNS Problem (using PAT ip not Mail)

mahirvrazalic
Level 1

If I use static port forwarding on my firewall for my exchange server, using smtp for emails and https for outlook web access, etc, when sending an email, the header shows the PAT public ip address. What happens then is that the RBLs kick in and it says mail returned because of reverse-DNS issue.

If I use the full-on static (inside,outside) email-external-ip email-internal-ip netmask 255.255.255.255

then the email headers show the proper external ip for the email server (which maps to the MX) and all is OK.

Can I basically use the port forwarding and get my email external IP shown in the header? If not, what do I do? I've been reading for the past 3 days and cannot find/understand why it does not work.

4 Replies

varrao
Level 10

Hi Mahir,

Can you post the two statements being used?

You can change the ip's if you want.

Thanks,

Varun


OK, so I can have only:

static (inside,outside) 95.95.95.95 10.10.10.10 netmask 255.255.255.255 and it all works

email header shows 95.95.95.95 so all is OK

OR

static (inside,outside) tcp 95.95.95.95 smtp 10.10.10.10 smtp netmask 255.255.255.255

static (inside,outside) tcp 95.95.95.95 https 10.10.10.10 https netmask 255.255.255.255

static (inside,outside) tcp 95.95.95.95 135 10.10.10.10 135 netmask 255.255.255.255 (for Microsoft RPC)

and I can keep going...

What happens next? Instead of showing 95.95.95.95 in the email header, it shows 95.95.95.94, which is the PAT external IP.

Why am I asking?

I've got a proxy machine in between the internal network and the firewall, and it has a feature to release spam at the click of a button. Internally it works fine, but externally it does not. So what I did was give the proxy a name (for instance proxy.domain.com), map it to another public IP, 95.95.95.99, and set up reverse DNS.

I then added another line to the 3 above (second scenario) as follows:

static (inside,outside) tcp 95.95.95.99 5600 10.10.10.10 5600 netmask 255.255.255.255

and it works like a charm! It releases emails as it should, BUT now I get that nasty message from the RBLs, etc., saying that the reverse DNS does not match, i.e. it is showing the PAT IP address... that's the issue here!

I hope I understand you correctly, and the following can help you a little.

static (inside,outside) tcp 95.95.95.95 smtp 10.10.10.10 smtp netmask 255.255.255.255

static (inside,outside) tcp 95.95.95.95 https 10.10.10.10 https netmask 255.255.255.255

=========

The above means only that when external clients connect to your mail server, your server will be port-mapped to IP 95.*.95; but if your server sends mail to external mail servers, it will use the IP address of whichever NAT group it belongs to.

So it will use another Internet IP, not 95.*.95, when it connects to the external mail server.

Then your proxy server will compare the header IP to the correct IP (95.*.95); if the header IP is not 95.*.95, the proxy will post a warning.

To solve this problem, add a new nat and global in the ASA, such as:

nat (inside) 10 10.10.10.10 255.255.255.255

global (outside) 10 95.95.95.95 netmask 255.255.255.255

good luck.
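To make the behaviour Kevin describes concrete, here is an added simulation (not from the thread or from Cisco) of how an ASA 8.2-style box chooses the outbound source address: static host NAT and static PAT are checked first, but a static PAT entry only matches when the real host's source port equals the mapped port, so an SMTP client connection from an ephemeral port falls through to the dynamic nat/global pool. The rule tables, the 10.0.0.0/8 catch-all pool and the PTR/A records are constructed for the example; the FCrDNS check shows why the RBLs complain.

```python
"""Simulated ASA outbound translation selection and an FCrDNS check.
Assumed model (not ASA source code): static host NAT, then static PAT
(port must match), then dynamic nat/global with longest real-prefix match."""
from ipaddress import ip_address, ip_network

# Constructed rules mirroring the thread's configuration
STATIC_PAT = [  # (real_ip, real_port, mapped_ip, mapped_port)
    ("10.10.10.10", 25, "95.95.95.95", 25),
    ("10.10.10.10", 443, "95.95.95.95", 443),
    ("10.10.10.10", 135, "95.95.95.95", 135),
    ("10.10.10.10", 5600, "95.95.95.99", 5600),
]
# nat (inside) <id> <real net>  ->  global (outside) <id> <mapped ip>
DEFAULT_NAT = [("10.0.0.0/8", "95.95.95.94")]                   # catch-all PAT pool
FIXED_NAT = [("10.10.10.10/32", "95.95.95.95")] + DEFAULT_NAT   # after adding nat/global 10

def outbound_source(real_ip, src_port, static_pat, dynamic_nat, static_host=()):
    """Return the public address an outbound flow from real_ip:src_port is given."""
    for real, mapped in static_host:            # static (inside,outside) A B
        if real == real_ip:
            return mapped
    for real, rport, mapped, _ in static_pat:   # static PAT: real port must match
        if real == real_ip and rport == src_port:
            return mapped
    best = None
    for net, mapped in dynamic_nat:             # nat/global: longest prefix wins
        n = ip_network(net)
        if ip_address(real_ip) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, mapped)
    return best[1] if best else None

def fcrdns_ok(ip, ptr, forward):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A record must round-trip."""
    name = ptr.get(ip)
    return name is not None and forward.get(name) == ip

# Constructed DNS data: only the MX address has matching PTR and A records
PTR = {"95.95.95.95": "mail.domain.com"}
A = {"mail.domain.com": "95.95.95.95"}

if __name__ == "__main__":
    for label, nat in (("port-forward only", DEFAULT_NAT), ("with nat/global 10", FIXED_NAT)):
        ip = outbound_source("10.10.10.10", 51234, STATIC_PAT, nat)
        print(f"{label}: outbound source {ip}, FCrDNS ok = {fcrdns_ok(ip, PTR, A)}")
```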

Thanks Kevin - was completely blind to this - very straight forward answer LOL...

Yes, I have done this, added all those static port forwarding rules, and now it's all showing up as the 95 IP that I wanted it to show instead of the global IP.

So let's see how things work. I added the port forwarding for http, https, www, 135, 993, 995, etc., and all the ports I need for my email server.

One hour after implementing it, it is working OK, so I will keep monitoring to see if the Cisco ASA becomes temperamental at any point!

I'll keep you posted! Cheers.
