address translation


PIX 6.3(4)

Have a seldom issue that I would like to resolve by way of address translation, if possible.

Mail Server is inside the private LAN and an Email Spam filter system in the DMZ. All incoming SMTP traffic is directed to the filter using a static command and then sent to the mail server. All outgoing smtp traffic is sent out from the mail server directly to the destination mail system.

My issue is when the mail server establishes an smtp connection with the remote system. To the receiving end, the mail server's IP address appears as our publicly NATed address, which is different than the registered public IP address in DNS for the same mail server. At times remote mail servers reject our mail because the reverse lookup does not match, ie my NATed address is different than the mail server public address. Some systems reject because it appears as relayed email.

I was looking at adding another translation (global and nat) rule for the internal mail server only so that all traffic looks like it is coming from the DNS registered IP address and not our current NATed address.

I am just not sure if the PIX will be happy with me using a global command with an address that will also be used in a static command. I need that static command for all incoming smtp traffic to be forwarded to the filter in the dmz, as mentioned earlier.

Has anyone come across this or can shed some light on a possible alternative?

TIA.

husycisco Tue, 04/08/2008 - 07:12

Hi Carlos,

What is the IP address that appears for the MX record of your mail server, and what is the IP address of your publicly NATed IP? Are they in the same subnet (I mean do you own that IP by your ISP)?

If not, the correct action is calling your ISP and asking them to change the IP that appears in the MX record to your public IP. This is the best practice.

Regards

The public MX record IP is different than my public NATed address, but both are in the same subnet block.

Issue is when my Internal Mail Server establishes an smtp connection to an external mail server, the source address appears as the NATed address (which is fine and makes sense), but for some reason some external mail systems perform a reverse lookup for my MX record IP and since the MX is different than what the server sees as the connection source, they assume that the message is being relayed and so it gets rejected.

"...change the IP appears in MX record to your public IP."

I have considered doing this, but will the PIX have an issue with me using the same public IP address in a global command for outbound NAT and in a static command for inbound smtp traffic translation.

Thoughts?

TIA

gecko2207 Tue, 04/08/2008 - 07:46

I think your best bet would be to relay your outgoing smtp traffic back out through your email filter device. I believe that you will get an error if you try to use the same IP in a static and global.

husycisco Tue, 04/08/2008 - 16:20

"The public MX record IP is different than my public NATed address, but both are in the same subnet block"

So that means we can create a static for the mail server and separate it from the PAT statement. We won't have to change the MX record.

" the same public IP address in a global command for outbound NAT and in a static command for inbound smtp traffic translation."

Hmm, we have some kind of problem here I think. You said that the IP stated in the MX record is in the same subnet with your current NATed public IP, correct? Here is an example.

Let's say that 66.213.26.18 255.255.255.248 is your NATed outside IP. The .248 mask means you own and control the 66.213.26.16-66.213.26.24 range. And let's assume that your MX record has an IP of 66.213.26.21. Then here is what you have to do:

static (inside,outside) 66.213.26.21 insidemailserverip netmask 255.255.255.255

access-list outside_access_in permit tcp any host 66.213.26.21 eq smtp

That's all. Feel free to post your IPs and running config.

Regards

"static (inside,outside) 66.213.26.21 insidemailserverip netmask 255.255.255.255

access-list outside_access_in permit tcp any host 66.213.26.21 eq smtp"

To use your example...

The above lines allow all inbound smtp traffic to my inside mail server. In my environment all inbound smtp traffic is sent to an email filter in the dmz then to my mail server in the inside.

So here is what I have (using your example ip range):

global (outside) 1 66.213.26.18 netmask 255.255.255.248

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) 66.213.26.21 dmzfilterip netmask 255.255.255.255

access-list inbound permit tcp any host 66.213.26.21 eq smtp

access-list outbound permit tcp host insidemailserverip any eq smtp

So my goal is to be able to translate (NAT) outbound smtp traffic from my insidemailserver with the public MX record ip address 66.213.26.21 instead of 66.213.26.18, that way the source ip address of all outbound smtp traffic matches that of my public MX record ip and I would not get any relay rejections.

Just not sure if the PIX would be happy with using an IP address on a global command and in a static command.

I will attempt. Will appreciate any more input.

TIA

husycisco Thu, 04/10/2008 - 13:16

Carlos,

"Just not sure if the PIX would be happy with using an IP address on a global command and in a static command"

You are not using the same IP in static and in global. Config looks fine.

"access-list outbound permit tcp host insidemailserverip any eq smtp "

If you are newly adding an ACL to the dmz interface just for this mail traffic, you don't have to. Traffic from a higher security level interface to a lower security level interface is permitted by default. But if you were filtering the traffic already with that ACL (it was already existing), then you can add the above specific ACE in your ACL.

Assuming that you have a public IP assigned to the outside interface, you can use the interface IP as global with the following command

global (outside) 1 interface

instead of

global (outside) 1 66.213.26.18 netmask 255.255.255.248

Do you have statics for communication between mail filter and mail server? Can they communicate atm?
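As an added example (not from any poster in the thread), a small Python model of the translation lookup the thread argues about: which outside address a host's outbound connection is sourced from under Carlos's config, under his proposed second nat/global pair, and under husycisco's static, plus a check for the static/global address overlap gecko2207 expects the PIX to reject. The private addresses 192.168.100.5 (DMZ filter) and 10.1.1.25 (inside mail server) are constructed placeholders; the lookup rules are a simplification, not the PIX parser.

```python
"""Toy model of how PIX 6.3 picks the outside source address for a host.
Constructed: a static covers both directions and wins over nat/global for
its host; otherwise the most specific nat statement selects the global."""
import ipaddress
import re

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)(?: netmask (\S+))?$")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")

# Carlos's config with constructed private addresses: 192.168.100.5 is the
# DMZ spam filter and 10.1.1.25 the inside mail server.
CARLOS = """
global (outside) 1 66.213.26.18 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 66.213.26.21 192.168.100.5 netmask 255.255.255.255
"""
# His idea: a second nat/global pair sourcing only the mail server from .21.
PROPOSED = CARLOS + """
global (outside) 2 66.213.26.21 netmask 255.255.255.255
nat (inside) 2 10.1.1.25 255.255.255.255
"""

def parse(config):
    """Return statics, {(mapped_if, nat_id): address}, and nat entries."""
    statics, globals_, nats = [], {}, []
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := STATIC_RE.match(line):
            statics.append(m.groups()[:4])  # (real_if, mapped_if, mapped, real)
        elif m := GLOBAL_RE.match(line):
            globals_[(m[1], int(m[2]))] = m[3]
        elif m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]),
                         ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
    return statics, globals_, nats

def outbound_source(config, real_if, real_ip, mapped_if="outside"):
    """Outside address a host's outbound connection is sourced from."""
    statics, globals_, nats = parse(config)
    for rif, mif, mapped, real in statics:  # statics win over nat/global
        if (rif, mif, real) == (real_if, mapped_if, real_ip):
            return mapped
    ip = ipaddress.ip_address(real_ip)
    hits = [(n.prefixlen, nid) for rif, nid, n in nats if rif == real_if and ip in n]
    return globals_.get((mapped_if, max(hits)[1])) if hits else None

def overlaps(config):
    """Outside addresses claimed by both a static and a global pool."""
    statics, globals_, _ = parse(config)
    return sorted({m for _, mif, m, _ in statics if mif == "outside"}
                  & set(globals_.values()))
```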
