Email going out on the wrong IP address

1peter1xx
Level 1

Hi, hope you can help...

We are getting some emails bounced because the mail is going out on the outside i/f address of our PIX instead of the reverse lookup address of our mail server.

This is because the SMTP W2K server is clustered, so while the mail arrives on its internal address OK, outgoing mail is sent on the physical server's address, not the clustered secondary address of the SMTP server.

How do I get the mail to go out on the right external address?

Here's the config commands I currently have set on the PIX:

global (outside) 2 199.199.199.2

global (outside) 1 interface

nat (inside) 2 10.0.0.2 255.255.255.255 0 0

nat (inside) 1 10.0.0.0 255.255.0.0 0 0

static (inside,outside) 199.199.199.2 10.0.0.2 netmask 255.255.255.255 0 0

This has been bugging me for months! Any help appreciated. Regards, Peter


11 Replies

John Blakley
VIP Alumni

Since you have a static assigned to your mail server, I would remove the line:

nat (inside) 2 10.0.0.2 255.255.255.255

and replace with

nat (inside) 2 255.255.255.255

Your static translation will take care of the incoming mail, and your cluster will send out as 199.199.199.2. You can then have your reverse ptr point to 199.199.199.2 and everything should work.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Thanks for the quick reply.

I was hoping it'd be that simple...

But I put the commands into the PIX:

no nat (inside) 2 10.0.0.2 255.255.255.255 0 0

nat (inside) 2 10.0.0.1 255.255.255.255

and now I can't browse the internet or send mail from the server, even though I have:

access-list 110 permit ip host 10.0.0.1 any

included in the outbound acl.

What else needs "tweaking"?

Regards,

Peter

Try to run "clear xlate" and see if that will do it. Clear xlate will tear down all nat translations and rebuild, so there will be a small blip for people surfing the internet right now.

John

HTH, John *** Please rate all useful posts ***

Still no SMTP or internet!

Okay. What are the addresses of the servers in the cluster, and the cluster address (or physical address) that you're working with? Your internet access *should* be natted to your interface address (global 1) because it would be caught by the nat 1 statement. What device is this? ASA or PIX?

HTH, John *** Please rate all useful posts ***

The cisco web site just timed out after I'd written the whole reply!!!!!!

I've taken out:

nat (inside) 2 10.0.0.1

and email and internet are working again.

The physical server address is 10.0.0.1 (the access-list hit count increments this rule when SMTP is initiated).

Yes I have:

global (outside) 1 interface

nat (inside) 1 10.0.0.0 255.255.0.0

It's a PIX.

Regards,

Peter

Try putting in nat (inside) 2 10.0.0.2 (keep your nat (inside) 2 10.0.0.1). That should allow both addresses to be natted to the same address.

HTH,

John

HTH, John *** Please rate all useful posts ***

That didn't work.

I think the trouble is that the packets out on 10.0.0.1 are on the right external address, but the replies are natted back to 10.0.0.2 via the static nat. Even though both addresses are on the same server, the replies are not "seen"...

Peter,

Please correct me if I'm wrong.

Your mail server is using 10.0.0.1 as its source IP address and you want to NAT it to 199.199.199.2 before sending out to the outside.

The mail servers out there connect to your mail server via 199.199.199.2, but you NAT that to 10.0.0.2.

Is that what you want?

Toshi

Peter,

What about these commands?

Inside --> outside

global (outside) 2 199.199.199.2

nat (inside) 2 10.0.0.1 255.255.255.255 0 0

access-list inside_access_in extended permit ip 10.0.0.0 255.255.0.0 any

Outside --> inside

static (inside,outside) tcp 199.199.199.2 25 10.0.0.2 25 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 199.199.199.2 eq 25

EDIT:

HTH,

Toshi

Excellent!

The static command needs port 25 added to it to allow other addresses to get replies to packets sent on 199.199.199.2.

Now inbound SMTP goes to 10.0.0.2 and outbound goes out on 10.0.0.1 without the receiving SMTP server saying "may be forged".

Our smtp server is finally legit!

Thanks all who contributed for all your help, with a gold star to Toshi!

Regards, Peter
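An added example, not from the thread and not Cisco code: a small Python model of the pre-8.3 PIX translation lookup that reproduces the symptom Peter describes (replies to sessions opened by 10.0.0.1 being untranslated to 10.0.0.2 by the whole-IP static) and shows why Toshi's port-level static fixes it. The lookup order, the class and helper names, and the ephemeral port numbers are assumptions for illustration; the addresses are the ones used in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Pix:
    """Simplified pre-8.3 PIX translation model (constructed for illustration, not Cisco code)."""
    statics: list = field(default_factory=list)      # (proto, global_ip, global_port, local_ip, local_port); port None = whole IP
    nat_rules: list = field(default_factory=list)    # (nat_id, local_ip) from 'nat (inside) <id> <ip> 255.255.255.255'
    global_pool: dict = field(default_factory=dict)  # nat_id -> PAT address from 'global (outside) <id> <ip>'
    xlates: dict = field(default_factory=dict)       # (global_ip, global_port) -> (local_ip, local_port)
    next_port: int = 1024                            # assumed first PAT port

    def outbound(self, proto, lip, lport):
        """Inside -> outside: a static for the source wins, else the nat/global pool PATs it."""
        for sproto, gip, gport, slip, slport in self.statics:
            if slip == lip and (gport is None or (sproto == proto and slport == lport)):
                return gip, (lport if gport is None else gport)
        for nat_id, rule_ip in self.nat_rules:
            if rule_ip == lip:
                gip = self.global_pool[nat_id]
                gport, self.next_port = self.next_port, self.next_port + 1
                self.xlates[(gip, gport)] = (lip, lport)
                return gip, gport
        return None

    def inbound(self, proto, gip, gport):
        """Outside -> inside: port statics, then whole-IP statics, then dynamic xlates (the order the thread observed)."""
        for sproto, sgip, sgport, lip, lport in self.statics:
            if sgip == gip and sgport == gport and sproto == proto:
                return lip, lport
        for sproto, sgip, sgport, lip, lport in self.statics:
            if sgip == gip and sgport is None:
                return lip, gport  # whole-IP static claims every port on 199.199.199.2
        return self.xlates.get((gip, gport))

def original_config():
    """Peter's starting point: whole-IP static for the cluster address plus PAT for the physical node."""
    return Pix(statics=[("ip", "199.199.199.2", None, "10.0.0.2", None)],
               nat_rules=[(2, "10.0.0.1")], global_pool={2: "199.199.199.2"})

def fixed_config():
    """Toshi's fix: the static covers only TCP/25, so other ports fall through to the xlate table."""
    return Pix(statics=[("tcp", "199.199.199.2", 25, "10.0.0.2", 25)],
               nat_rules=[(2, "10.0.0.1")], global_pool={2: "199.199.199.2"})

def smtp_reply_lands_on(pix):
    """Node 10.0.0.1 opens an outbound SMTP session; return the inside host the peer's reply is untranslated to."""
    gip, gport = pix.outbound("tcp", "10.0.0.1", 4000)
    return pix.inbound("tcp", gip, gport)
```

With the original config the reply is handed to 10.0.0.2, which never opened the session, so the exchange fails; with the port static it returns to 10.0.0.1 while inbound TCP/25 still reaches 10.0.0.2.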
