Email going out on the wrong IP address

Answered Question
Apr 15th, 2009

Hi, hope you can help...

We are getting some emails bounced because the mail is going out on the outside i/f address of our PIX instead of the reverse lookup address of our mail server.

This is because the SMTP W2K server is clustered, so while the mail arrives on its internal address OK, outgoing mail is sent on the physical server's address, not the clustered secondary address of the SMTP server.

How do I get the mail to go out on the right external address?

Here are the config commands I currently have set on the PIX:

global (outside) 2 199.199.199.2

global (outside) 1 interface

nat (inside) 2 10.0.0.2 255.255.255.255 0 0

nat (inside) 1 10.0.0.0 255.255.0.0 0 0

static (inside,outside) 199.199.199.2 10.0.0.2 netmask 255.255.255.255 0 0

This has been bugging me for months! Any help appreciated. Regards, Peter

John Blakley Wed, 04/15/2009 - 06:03

Since you have a static assigned to your mail server, I would remove the line:

nat (inside) 2 10.0.0.2 255.255.255.255

and replace with

nat (inside) 2 255.255.255.255

Your static translation will take care of the incoming mail, and your cluster will send out as 199.199.199.2. You can then have your reverse ptr point to 199.199.199.2 and everything should work.

HTH,

John

1peter1xx Wed, 04/15/2009 - 06:18

Hi John,

Thanks for the quick reply.

I was hoping it'd be that simple...

But I put the commands into the PIX:

no nat (inside) 2 10.0.0.2 255.255.255.255 0 0

nat (inside) 2 10.0.0.1 255.255.255.255

and now I can't browse the internet or send mail from the server, even though I have:

access-list 110 permit ip host 10.0.0.1 any

included in the outbound acl.

What else needs "tweaking"?

Regards,

Peter

John Blakley Wed, 04/15/2009 - 06:32

Try to run "clear xlate" and see if that will do it. Clear xlate will tear down all nat translations and rebuild, so there will be a small blip for people surfing the internet right now.

John

John Blakley Wed, 04/15/2009 - 06:38

Okay. What are the addresses of the servers in the cluster, and the cluster address (or physical address) that you're working with? Your internet access *should* be natted to your interface address (global 1) because it would be caught by the nat 1 statement. What device is this? ASA or PIX?

1peter1xx Wed, 04/15/2009 - 07:57

The cisco web site just timed out after I'd written the whole reply!!!!!!

I've taken out:

nat (inside) 2 10.0.0.1

and email and internet are working again.

The physical server address is 10.0.0.1 (the access-list hit count increments this rule when SMTP is initiated).

Yes I have:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.0.0

It's a PIX.

Regards,

Peter

John Blakley Wed, 04/15/2009 - 08:03

Try putting in nat (inside) 2 10.0.0.2 (keep your nat (inside) 2 10.0.0.1). That should allow both addresses to be natted to the same address.

HTH,

John

1peter1xx Wed, 04/15/2009 - 08:40

That didn't work.

I think the trouble is that the packets out on 10.0.0.1 are on the right external address, but the replies are natted back to 10.0.0.2 via the static nat. Even though both addresses are on the same server, the replies are not "seen"...

thotsaphon Wed, 04/15/2009 - 08:11

Peter,

Please correct me if I'm wrong.

Your mail server is using 10.0.0.1 as its source IP address, and you want to NAT it to 199.199.199.2 before sending it out to the outside.

The mail servers out there are connecting to your mail server via 199.199.199.2, but you NAT it to 10.0.0.2.

Is that what you want?

Toshi

Correct Answer
thotsaphon Wed, 04/15/2009 - 08:58

Peter,

What about these commands?

Inside --> outside

global (outside) 2 199.199.199.2

nat (inside) 2 10.0.0.1 255.255.255.255 0 0

access-list inside_access_in extended permit ip 10.0.0.0 255.255.0.0 any

Outside --> inside

static (inside,outside) tcp 199.199.199.2 25 10.0.0.2 25 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 199.199.199.2 eq 25

EDIT:

HTH,

Toshi

1peter1xx Thu, 04/16/2009 - 03:12

Excellent!

The static command needs port 25 added to it to allow other addresses to get replies to packets sent on 199.199.199.2.

Now inbound smtp goes to 10.0.0.2 and outbound goes on 10.0.0.1 without the receiving smtp server saying "may be forged".

Our smtp server is finally legit!

Thanks all who contributed for all your help, with a gold star to Toshi!

Regards, Peter
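To make the thread's conclusion concrete, here is a small Python model (added here; not PIX code and not from the thread) of the three configurations discussed: Peter's original, John's interim change, and Toshi's port-scoped static. It assumes a simplified lookup order (a static is consulted before dynamic xlates, and a static without a port owns every port of the global address), a constructed outside interface address 199.199.199.1 and ephemeral port 40001, and does not model the access lists.

```python
from dataclasses import dataclass, field
from typing import Optional

CLUSTER_PHYS, CLUSTER_VIRT = "10.0.0.1", "10.0.0.2"  # physical node / cluster address
GLOBAL_IP = "199.199.199.2"     # global (outside) 2, the address the PTR points at
OUTSIDE_IF = "199.199.199.1"    # constructed stand-in for "global (outside) 1 interface"


@dataclass
class Pix:
    """Simplified model of the PIX translation rules from the thread."""
    nat2_hosts: frozenset            # inside hosts matched by "nat (inside) 2 ..."
    static_port: Optional[int]       # None = "static" with no port (owns all ports)
    xlates: dict = field(default_factory=dict)  # (global_ip, port) -> inside host

    def outbound(self, src_ip, src_port):
        """Source translation for a packet leaving the inside interface."""
        # nat 2 hosts are PATed to the global 2 address; everything else falls
        # into nat 1 and leaves on the outside interface address.
        global_ip = GLOBAL_IP if src_ip in self.nat2_hosts else OUTSIDE_IF
        self.xlates[(global_ip, src_port)] = src_ip
        return global_ip

    def inbound(self, dst_ip, dst_port):
        """Inside host that receives a packet arriving on the outside."""
        # Assumed order: static first. A port-less static claims every port of
        # 199.199.199.2, so replies to the physical node's sessions go astray.
        if dst_ip == GLOBAL_IP and self.static_port in (None, dst_port):
            return CLUSTER_VIRT
        return self.xlates.get((dst_ip, dst_port))  # None = no translation


def outbound_session(pix):
    """Outbound SMTP from the physical node: (source address the remote MTA
    sees, inside host that receives the remote MTA's reply)."""
    src_port = 40001                       # constructed ephemeral port
    seen_as = pix.outbound(CLUSTER_PHYS, src_port)
    return seen_as, pix.inbound(seen_as, src_port)


ORIGINAL = Pix(frozenset({CLUSTER_VIRT}), None)   # nat 2 on 10.0.0.2, full static
JOHN = Pix(frozenset({CLUSTER_PHYS}), None)       # nat 2 moved to 10.0.0.1, full static
TOSHI = Pix(frozenset({CLUSTER_PHYS}), 25)        # static limited to tcp/25

if __name__ == "__main__":
    for name, pix in (("original", ORIGINAL), ("john", JOHN), ("toshi", TOSHI)):
        print(name, outbound_session(pix), "unsolicited tcp/443 ->", pix.inbound(GLOBAL_IP, 443))
```

The model reproduces the thread: the original config sends mail from the interface address (PTR mismatch), John's change sends it from 199.199.199.2 but delivers the reply to 10.0.0.2, and Toshi's static leaves only tcp/25 pinned to the cluster address, so replies reach 10.0.0.1 and unsolicited traffic to other ports has no translation at all.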
