04-15-2009 04:49 AM - edited 03-04-2019 04:22 AM
Hi, hope you can help...
We are getting some emails bounced because the mail is going out on the outside i/f address of our PIX instead of the reverse lookup address of our mail server.
This is because the SMTP W2K server is clustered, so while the mail arrives on its internal address OK, outgoing mail is sent from the physical server's address, not the clustered secondary address of the SMTP server.
How do I get the mail to go out on the right external address?
Here are the config commands I currently have set on the PIX:
global (outside) 2 199.199.199.2
global (outside) 1 interface
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
static (inside,outside) 199.199.199.2 10.0.0.2 netmask 255.255.255.255 0 0
This has been bugging me for months! Any help appreciated. Regards, Peter
04-15-2009 06:03 AM
Since you have a static assigned to your mail server, I would remove the line:
nat (inside) 2 10.0.0.2 255.255.255.255
and replace with
nat (inside) 2
Your static translation will take care of the incoming mail, and your cluster will send out as 199.199.199.2. You can then have your reverse ptr point to 199.199.199.2 and everything should work.
HTH,
John
04-15-2009 06:18 AM
Hi John,
Thanks for the quick reply.
I was hoping it'd be that simple...
But I put the commands into the PIX:
no nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 2 10.0.0.1 255.255.255.255
and now I can't browse the internet or send mail from the server, even though I have:
access-list 110 permit ip host 10.0.0.1 any
included in the outbound acl.
What else needs "tweaking"?
Regards,
Peter
04-15-2009 06:32 AM
Try to run "clear xlate" and see if that will do it. Clear xlate will tear down all nat translations and rebuild, so there will be a small blip for people surfing the internet right now.
John
04-15-2009 06:35 AM
Still no SMTP or internet!
04-15-2009 06:38 AM
Okay. What are the addresses of the servers in the cluster, and the cluster address (or physical address) that you're working with? Your internet access *should* be natted to your interface address (global 1) because it would be caught by the nat 1 statement. What device is this? ASA or PIX?
04-15-2009 07:57 AM
The cisco web site just timed out after I'd written the whole reply!!!!!!
I've taken out:
nat (inside) 2 10.0.0.1
and email and internet are working again.
The physical server address is 10.0.0.1 (the hit count on this access-list rule increments when SMTP is initiated).
Yes I have:
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.0.0
It's a PIX.
Regards,
Peter
04-15-2009 08:03 AM
Try putting in nat (inside) 2 10.0.0.2 (keep your nat (inside) 2 10.0.0.1). That should allow both addresses to be natted to the same address.
HTH,
John
04-15-2009 08:40 AM
That didn't work.
I think the trouble is that the packets out on 10.0.0.1 are on the right external address, but the replies are natted back to 10.0.0.2 via the static nat. Even though both addresses are on the same server, the replies are not "seen"...
04-15-2009 08:11 AM
Peter,
Please correct me if I'm wrong.
Your mail server is using 10.0.0.1 as its source IP address and you want to NAT it to 199.199.199.2 before sending out on the outside.
The mail servers out there are connecting to your mail server via 199.199.199.2 but you do NAT it with 10.0.0.2.
Is that what you want?
Toshi
04-15-2009 08:58 AM
Peter,
What about these commands?
Inside --> outside
global (outside) 2 199.199.199.2
nat (inside) 2 10.0.0.1 255.255.255.255 0 0
access-list inside_access_in extended permit ip 10.0.0.0 255.255.0.0 any
Outside --> inside
static (inside,outside) tcp 199.199.199.2 25 10.0.0.2 25 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 199.199.199.2 eq 25
EDIT:
HTH,
Toshi
04-16-2009 03:12 AM
Excellent!
The static command needs port 25 added to it to allow other addresses to get replies to packets sent on 199.199.199.2.
Now inbound smtp goes to 10.0.0.2 and outbound goes on 10.0.0.1 without the receiving smtp server saying "may be forged".
Our smtp server is finally legit!
Thanks all who contributed for all your help, with a gold star to Toshi!
Regards, Peter
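To make the reasoning in this thread easier to follow, here is an added example (not from any post above, and not PIX code) that replays the three configurations in a small Python model of translation precedence. The model is a simplification and makes its own assumptions: the nat statement with the longest matching prefix wins, a single-address global does PAT, static statements are consulted before dynamic xlates in both directions, and a static without a port claims every port on its global address while a port static claims only that port. The outside interface address 199.199.199.1, the ephemeral port 40000 and the remote mail server addresses are made up for the example.

```python
# Added example: a simplified model of PIX-style translation selection, used to
# replay the configurations discussed in the thread. Not PIX code; the precedence
# rules below are assumptions of the model, not a description of PIX internals.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass(frozen=True)
class Static:
    global_ip: str
    local_ip: str
    port: Optional[int] = None  # None: whole-address static; int: port static


@dataclass(frozen=True)
class NatRule:
    nat_id: int
    local_net: str  # e.g. "10.0.0.0/16"


class PixNatModel:
    def __init__(self, statics, nat_rules, globals_):
        self.statics = list(statics)
        self.nat_rules = list(nat_rules)
        self.globals = dict(globals_)  # nat_id -> single global address (PAT)
        self.xlates = {}               # (global_ip, global_port) -> inside Endpoint
        self.next_pat_port = 1024      # made-up starting PAT port

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate an inside source; returns the outside source, or None if no rule."""
        # Statics are consulted first (model assumption).
        for s in self.statics:
            if s.local_ip == src.ip and (s.port is None or s.port == src.port):
                return Endpoint(s.global_ip, src.port)
        # Otherwise the most specific nat statement wins (model assumption).
        best = None
        for r in self.nat_rules:
            net = ip_network(r.local_net)
            if ip_address(src.ip) in net and (
                best is None or net.prefixlen > ip_network(best.local_net).prefixlen
            ):
                best = r
        if best is None:
            return None
        translated = Endpoint(self.globals[best.nat_id], self.next_pat_port)
        self.next_pat_port += 1
        self.xlates[(translated.ip, translated.port)] = src
        return translated

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Untranslate an outside destination; returns the inside host, or None (dropped)."""
        for s in self.statics:
            if s.global_ip == dst.ip and (s.port is None or s.port == dst.port):
                return Endpoint(s.local_ip, dst.port)
        return self.xlates.get((dst.ip, dst.port))


PHYSICAL, CLUSTER = "10.0.0.1", "10.0.0.2"          # from the thread
MAIL_IP, IFACE_IP = "199.199.199.2", "199.199.199.1"  # IFACE_IP is made up
GLOBALS = {2: MAIL_IP, 1: IFACE_IP}
NAT_ORIGINAL = [NatRule(2, "10.0.0.2/32"), NatRule(1, "10.0.0.0/16")]
NAT_MOVED = [NatRule(2, "10.0.0.1/32"), NatRule(1, "10.0.0.0/16")]


def original_config() -> str:
    """Peter's first config: 10.0.0.1 only matches nat 1, so mail leaves as the interface."""
    box = PixNatModel([Static(MAIL_IP, CLUSTER)], NAT_ORIGINAL, GLOBALS)
    return box.outbound(Endpoint(PHYSICAL, 40000)).ip


def full_static_config():
    """nat 2 moved to 10.0.0.1 but whole-address static kept: the reply lands on the wrong host."""
    box = PixNatModel([Static(MAIL_IP, CLUSTER)], NAT_MOVED, GLOBALS)
    out = box.outbound(Endpoint(PHYSICAL, 40000))
    reply = box.inbound(out)  # remote MTA answers to the translated source
    return out.ip, reply.ip


def port_static_config():
    """Toshi's fix: static for tcp/25 only, so other ports on 199.199.199.2 stay free for PAT."""
    box = PixNatModel([Static(MAIL_IP, CLUSTER, port=25)], NAT_MOVED, GLOBALS)
    out = box.outbound(Endpoint(PHYSICAL, 40000))
    reply = box.inbound(out)
    inbound_smtp = box.inbound(Endpoint(MAIL_IP, 25))
    return out.ip, reply.ip, inbound_smtp.ip


if __name__ == "__main__":
    print("original config, outbound source:", original_config())
    print("whole-address static (out, reply goes to):", full_static_config())
    print("port static (out, reply goes to, inbound smtp to):", port_static_config())
```

Run as a script, the first case leaves with the interface address (Peter's original complaint), the second case translates the physical node to 199.199.199.2 but delivers the reply to 10.0.0.2, which matches Peter's own diagnosis of why mail and browsing broke, and the third case returns the reply to 10.0.0.1 while inbound port 25 still reaches 10.0.0.2.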