Please Somebody Help me

harris-ross
Level 1

Please Please Please help. I am pulling my hair out!!!

My network configuration is as follows:

INTERNET – ROUTER – PIX FIREWALL – ISA SERVER – LAN

I want to route my SMTP traffic into my Exchange server inside my LAN. Please NOTE that all devices are configured to NAT. If you could show me how to stop using NAT on the Router and Pix firewall I would be very grateful, because every time I stop NATting on the Router or Pix I lose Internet connection. I do not need to NAT with the Router or Pix because I am already NATting with the ISA SERVER.

My main problem is how to route SMTP traffic into my Exchange server on my LAN. My ISP has configured my MX record as the Public IP of the WAN interface of the Router. I have checked incoming traffic on my Router and I can see SMTP traffic coming in but I am unable to forward it to my Exchange server.

Configuring the ISA server is no problem; all I need is to get the traffic to my ISA server.

All I need is help on configuring Router and Pix to allow and to forward smtp traffic to inside LAN.

Please help, I have been up all night for the last 2 days but no joy, I am going crazy. I spent whole weekend installing and configuring Exchange Server 2003 and it is working because I am able to send mail internally.

Please take me through the process of disabling NAT on Router and PIX if possible and then forwarding my SMTP to LAN

Thanks for your time.

Cheers

Tony

14 Replies

ehirsel
Level 6

On the pix, do this to disable NATing:

Create an acl whose source address is those of the internal network that you do not want to nat for example:

access-list nonat_01 permit ip n.n.n.n m.m.m.m any

where n.n.n.n is the subnet that the ISA server nats to (say 156.69.45.0) and m.m.m.m is the subnet mask.

Then code this statement on the PIX:

nat (inside) 0 access-list nonat_01

This will take care of connections that originate inside your network that get natted via the isa server - such as web client browsing. To handle the cases where the connection originates outside your network, such as smtp, then code a static on the pix like so:

static (inside,outside) s.s.s.s s.s.s.s netmask 255.255.255.255

and code an acl like this and apply it on the outside interface:

access-list outside_in permit tcp any gt 1023 host s.s.s.s eq 25 - this allows connections on the smtp port of the exchange server. The address on the static (s.s.s.s) is that of the server the way the isa expects to see it and note that on the static, the real and mapped address is the same - thus the pix will not nat.

What type of router are you using? Is it an ios-based device? I need to know that to handle the router end.

One note about the pix: static overrides nat and global, so if s.s.s.s falls within n.n.n.n/m.m.m.m that is okay; it will still work.

Thanks so much for your reply; you are a godsend, I have been having nightmares about this.

I am using an ios based router, I am using the Cisco 831 Router. My pix is the 501 series.

I need to let you know that the ISA server has been configured as smtp relay meaning it will listen for all smtp traffic and automatically forward that smtp traffic to the mail server in my LAN, so we can safely use the ip address of the outside interface of the ISA as the mail server, which in this case is 172.16.165.2.

I understand the first part about connections that originate from inside my LAN, but can you please clear things a bit on the connections originating outside my LAN such as smtp?

you have given the following example:

"access-list outside_in permit tcp any gt 1023 host s.s.s.s eq 25" what is the "gt 1023" ?

If you require further info please let me know as I am here waiting. It is 4AM here in the UK and I am still up trying to solve this so thank you for all your help.

cheers

Tony

The gt 1023 means that the client port is higher than 1023 (could be anywhere from 1024 to 65534 inclusive). The s.s.s.s in the static and acl example that I gave would be the outside interface of the isa server as seen by the outside users (in other words what the isp mx record contains for your mail server).

In order for the mail to reach your exchange it is first sent to the isa server which will then send it on in, so as far as smtp is concerned the isa server is the mx host that someone outside your org will use to send mail to someone inside your org. In order for that to happen the external mx host (say yahoo.com) will be the client and will send smtp commands to the isa server on port 25.

Thanks for that clarification; what about the router side of things? How do I configure the router to stop natting and also to send smtp traffic to the pix?

My router has a public IP address on the WAN and a private IP address on the inside.

cheers

Tony

Examine the router config and look for statements such as the following:

ip nat inside source list acl-name ip-address pool pool-name overload - or -

ip nat inside static ip1 ip2

There may be an interface reference on the ip nat statement. Whatever ip nat statement you find, remove it with the no ip nat rest-of-statement command, where rest-of-statement is whatever follows after the "ip nat" keywords.

If you have acls applied to the public interface, then add this statement:

ip access-list acl-name (or acl number) permit tcp any gt 1023 host isa-server-public-address eq 25

This assumes that you are using an extended acl.

Tony, it's about 12:40 am est here in the US. I am about to sign off for the day. Please review my last post, prior to this.

I was wondering if everything is working fine now. I assume that your isa server is actually configured to respond to the smtp packets whose dest. ip matches that of the isp mx record.

One item that I did not mention is routing. You need to tell the router and the pix that the routing to the public block of ip addresses is as follows:

The 831 router needs to use the pix outside interface as the gateway for the subnets that ISA nats to. The pix needs to use the ISA server as the gateway for those subnets. On the pix add this command if it is not already present:

route inside n.n.n.n m.m.m.m isa-public-interface-ip

On the 831 the route command would be this:

ip route n.n.n.n m.m.m.m pix-outside-interface-ip-address

Let me know if this helps.

Hi

Thanks, regarding the Router, I have the following nat command:

"ip nat inside source list 102 interface Ethernet1 overload"

But if I remove it I lose internet connection. Please advise.

Thanks

Tony

If that is the case, then the ISA server is not performing nat for internet connections such as web browsing for inside clients.

Examine access-list 102 and see what it contains. If it contains the any keyword as the source, such as permit ip any host x.x.x.x, then you must adjust the list to deny traffic to/from the isa server's public address.

So now your acl should look like this:

access-list 102 deny ip host isa-public any

access-list 102 deny ip host other-host-that_is_natted_already any

access-list 102 permit ..... (whatever permit lines are needed for internet access)

Try these adjustments and let me know what happens. You may need to contact your service provider to help you further, if you suspect that their routed environment is not forwarding the packets to your 831 router for the public subnets behind it (such as your isa server).

Hi

Thanks for helping me so much, really appreciate it, dude.

You have mentioned my ISA server public ip address so, I need to confirm to you that the ISA server IP address I am using is actually private. Yes, I know it is technically a public address, but because I was behind the PIX and the Router that is why I used it. But I can confirm that it is being used as a private address; does that ease things or complicate things?

I am sorry, I should have pointed that out.

cheers

Tony

I thought the same thing when you told me that removing the ip nat statement on the 831 router stopped inet access.

What is happening is that the isa server is natting from one set of private ips to another set, but those private ips are not routable on the public inet. So you will need to nat on the router and isa, but not the pix. Since we have taken nat off the pix, here's what to do next:

On the 831, you will need to use static nat statements for the isa server's public interface so that outside mx hosts can contact your mx host.

Let's say that the public mx record for your mail system is p.p.p.p. On the 831 you would code a nat like this:

ip nat inside source static i.i.i.i p.p.p.p, where i.i.i.i is the actual ip address of the isa server and p.p.p.p is the public ip address.

Let me know if this helps.

Hi

Thanks for getting back. I feel I am very close to nailing this baby.

I have done all the config you have said.

What about the inbound access-list? Would the following do:

"access-list 120 permit tcp any any smtp log"

cheers

Tony

Yes, that acl entry on the inbound acl of your router should suffice to allow smtp traffic in.

Ed
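A consolidated view of the end state the replies above describe, added here as a worked example and not taken from the thread itself. The only address from the thread is the ISA external interface 172.16.165.2; the public MX address 203.0.113.10, the 831-to-PIX link 192.168.1.0/24, and the PIX inside subnet being 172.16.165.0/24 are constructed assumptions.

```cisco
! ---- PIX 501 (PIX OS 6.x) ----
! 1. Identity NAT (nat 0) for the addresses the ISA already translated to,
!    so the PIX passes them untouched on outbound connections.
access-list nonat_01 permit ip 172.16.165.0 255.255.255.0 any
nat (inside) 0 access-list nonat_01
! 2. Identity static (real == mapped) so inbound connections reach the ISA
!    without translation; static overrides nat/global for this host.
static (inside,outside) 172.16.165.2 172.16.165.2 netmask 255.255.255.255
! 3. Admit only SMTP from ephemeral client ports, only to the ISA, and bind
!    the ACL to the outside interface (everything else is implicitly denied).
access-list outside_in permit tcp any gt 1023 host 172.16.165.2 eq 25
access-group outside_in in interface outside
! No "route inside" needed here: 172.16.165.0/24 is assumed directly
! connected. Add one (next hop = ISA) only for further subnets the ISA NATs to.

! ---- Cisco 831 (IOS) ----
interface Ethernet0
 description inside, towards PIX outside (constructed addresses)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet1
 description WAN, public address from the ISP
 ip nat outside
 ip access-group 120 in
! The PIX inside subnet is reached via the PIX outside interface.
ip route 172.16.165.0 255.255.255.0 192.168.1.2
! Dynamic PAT for browsing stays; the static entry for the ISA takes
! precedence over the overload rule for that one host.
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 172.16.165.2 203.0.113.10
! Inbound WAN ACL: matched on the public address, because an inbound ACL on
! the NAT outside interface is evaluated before the static translation.
! Keep whatever entries already allow return traffic for outbound sessions
! (e.g. "permit tcp any any established"); only the SMTP line is shown.
access-list 120 permit tcp any gt 1023 host 203.0.113.10 eq smtp log
```

Verify with "show xlate" on the PIX (the ISA entry should appear untranslated) and "show ip nat translations" on the 831 (the static 172.16.165.2 to 203.0.113.10 entry should be present) before testing from an external MX host.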

I am happy to let you know that all is working now; I would not have come this far without your generous and well articulated help.

I want to thank you for all your help and also for not abandoning me, you are a true professional, thanks pal.

Please let me have your e-mail address so I can keep in touch.

God bless

Tony

Glad to be of help.

You can email me at this address:

edward_a_hirsel@yahoo.com (note the underscore chars around my MI).