mail to outside address

Apr 13th, 2004

I have two servers on the dmz interface, both with static NAT translations. One of the servers needs to send mail to the other's static address because of DNS lookups. Is it possible to allow this traffic in? Would this be done with the alias command?

jasobrown Tue, 04/13/2004 - 11:28

If you are running older code you would use the alias command, but if you are using newer code you would use the dns feature in the static.


static (dmz,outside) public private netmask 255.255.255.255 dns

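The `dns` keyword on the static above makes the PIX rewrite A records in DNS replies that cross the translation, so a host on the real side of the static gets the real address instead of the mapped one (and vice versa). The following is an added example, not code from the thread or from Cisco: a small Python simulation of that rewrite. It parses constructed PIX-style `static` lines, builds a constructed DNS reply, and doctors the A records according to which interfaces the reply crosses. All addresses, interface names and hostnames are made up for the example.

```python
"""Added example: simulate PIX 'static ... dns' A-record rewriting (DNS doctoring).
Config lines, addresses and hostnames below are constructed for illustration."""
import ipaddress
import re
import struct

# Constructed PIX 6.x style statics; only lines with the trailing "dns" keyword are doctored.
PIX_CONFIG = """
static (dmz,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 dns
static (dmz,outside) 203.0.113.11 10.1.1.11 netmask 255.255.255.255 dns
static (inside,outside) 203.0.113.20 192.168.1.20 netmask 255.255.255.255
"""

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<mapped_ip>\S+) (?P<real_ip>\S+)"
    r" netmask (?P<mask>\S+)(?P<dns> dns)?$")


def parse_statics(config):
    """Return the statics that carry the dns keyword as dicts."""
    statics = []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group("dns"):
            statics.append({"real_if": m.group("real"), "mapped_if": m.group("mapped"),
                            "real_ip": m.group("real_ip"), "mapped_ip": m.group("mapped_ip")})
    return statics


def rewrite_address(ip, reply_from_if, reply_to_if, statics):
    """Map one A-record address according to the direction the reply crosses the PIX."""
    for s in statics:
        # Reply from the mapped side (e.g. outside DNS server) to a host on the real side:
        # the client must see the real address, not the public one.
        if reply_from_if == s["mapped_if"] and reply_to_if == s["real_if"] and ip == s["mapped_ip"]:
            return s["real_ip"]
        # Reply from a DNS server on the real side going out the mapped side: real -> mapped.
        if reply_from_if == s["real_if"] and reply_to_if == s["mapped_if"] and ip == s["real_ip"]:
            return s["mapped_ip"]
    return ip


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Constructed DNS reply: one A question plus one A record per address in answers."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b""
    for ip in answers:
        rrs += (struct.pack("!H", 0xC00C)            # compression pointer to qname at offset 12
                + struct.pack("!HHIH", 1, 1, 300, 4)  # type A, class IN, TTL, RDLENGTH
                + ipaddress.IPv4Address(ip).packed)
    return hdr + question + rrs


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def _rr_iter(buf):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR after the question section."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", buf, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """List the A-record addresses in a DNS message, in order."""
    return [str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            for off, rtype, rclass, rdlen in _rr_iter(msg)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_reply(msg, reply_from_if, reply_to_if, statics):
    """Rewrite matching A records in place; return (new_message, [(old, new), ...])."""
    buf = bytearray(msg)
    rewrites = []
    for off, rtype, rclass, rdlen in _rr_iter(buf):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
            new = rewrite_address(old, reply_from_if, reply_to_if, statics)
            if new != old:
                buf[off:off + 4] = ipaddress.IPv4Address(new).packed
                rewrites.append((old, new))
    return bytes(buf), rewrites


if __name__ == "__main__":
    statics = parse_statics(PIX_CONFIG)
    # Public DNS server on the outside answers with the mapped address; the reply is
    # heading to the other mail server on the dmz, so the PIX hands it the real address.
    reply = build_response("mail.example.net.", ["203.0.113.11"])
    doctored, changes = doctor_reply(reply, "outside", "dmz", statics)
    print("before:", a_records(reply), "after:", a_records(doctored), "changes:", changes)
```

The simulation only models the A-record rewrite; the real PIX also needs the DNS reply to actually traverse the firewall between two different interfaces, which is the point raised later in the thread about a DNS server sitting on the same dmz segment as the clients.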
jasobrown Tue, 04/13/2004 - 13:27

I apologize. The alias command won't work for your situation, but the dns fixup would (and you don't have that in 5.2.4).


The only thing that I can suggest at this point would be to put an entry in your host file for the MX record.

ehirsel Wed, 04/14/2004 - 07:18

Are both servers off of the same pix interface? Can you diagram the topology? You cannot have the pix send traffic out the same interface on which it was received.




mjhagen Wed, 04/14/2004 - 08:41

Yes, both servers are on the same dmz interface.

I would like to only use the public DNS server to supply the public IPs of the servers. There lies the problem. Currently I am using an internal DNS server that I would like to eliminate.

Topology explanation:

1. 3 vlans behind DMZ

2. public DNS server on first vlan

3. CSS / Loadbalancer connects other 2 vlans to DMZ

4. 2 servers behind CSS.

ehirsel Wed, 04/14/2004 - 11:31

If I were to draw your topology off of the pix dmz interface it would look like this:


pix---css---servers


The pix and css have one vlan in common and the public dns server is on that vlan. The other vlans are behind the css where the two servers reside.


If I did not draw this correctly. let me know.


Assuming that I did, the pix will not see any server to server traffic. You need to employ NAT/PAT on the css. This is true unless you are running pix code 6.3.


The 6.3 code allows you to do logical interfaces; now we can create two vlans on the dmz physical interface to force the traffic to flow between the css and the pix to get to the public dns server. The public dns server should have the pix as the default route, and the pix should employ statics to hide the true ip address of the public dns server; otherwise the css will route traffic direct to it, bypassing the pix.



Before I go any further, let me know if I drew the topology correctly.

mjhagen Wed, 04/14/2004 - 12:45

This is correct. "The pix and css have one vlan in common and the public dns server is on that vlan. The other vlans are behind the css where the two servers reside."


ehirsel Thu, 04/15/2004 - 11:59

Is there a reason you want one server to see the other's static address? You should have them connect direct to each other. The pix should not see the traffic. You could set up logical interfaces on the pix if you use 6.3 code; however, the css also does stateful filtering, which could make everything complex. You would need to set up dest nat as well as source nat on the pix to get the flow mapping correct on the css.


Could you move the public dns server to another interface on the pix that connects to a switch other than the css?


mjhagen Thu, 04/15/2004 - 12:57

They do connect directly now, but the server admins are requesting that they be able to see the mail on their static public address because of dns lookups.

ehirsel Fri, 04/16/2004 - 07:54

Could the admins create local /etc/hosts file entries for the server names so that the lookup will use the proper internal address and not the public dns records? The issue you have is that the pix will not route traffic back on the same interface upon which it was received. Your only other choice, to keep things clean, is to move the dns server onto a different interface on the pix and use the no sysopt nodnsalias inbound/outbound command to force the pix to do the dns a/mx record xlate.


