
NAT question. Faking dynamic, but only allow incoming to 1 host

ksuchewie
Level 1

I have 1 external IP address that is used for incoming mail.  That address is pointed via static to my Barracuda web filter.  My Exchange server falls under the standard dynamic NAT policy.  On some domains I have been getting NDR bounce backs because the source IP address does not match my MX record address (reverse DNS).

I.e.:

123.123.123.123 is the external IP address for my internal host 172.16.1.1  (my barracuda)

123.123.123.223 is the external IP address for my internal dynamic NAT.  (So all other hosts appear under this address, which includes my Exchange server.)

Is it possible to mask / fake so that my Exchange server appears to have the same external address as my Barracuda to prevent these NDR reverse DNS issues?  However, I do not want anything that goes to 123.123.123.123 to go directly to the Exchange server.


astripat
Level 1

Hi,

I assume that we have the following configuration:

static (inside,outside) 123.123.123.123 172.16.1.1

global (outside) 1 123.123.123.223

nat (inside) 1 0 0

Try the following:

no static (inside,outside) 123.123.123.123 172.16.1.1

static (inside,outside) tcp 123.123.123.123 25 172.16.1.1 25

no global (outside) 1 123.123.123.223

global (outside) 1 123.123.123.123

clear xlate

clear local

Let me know if that resolves the issue.

HTH

Ashu.
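
A small model of the translation rules in the reply above, added here as an illustration and not part of the original posts: it shows which address the Exchange server presents outbound, and where unsolicited inbound connections to 123.123.123.123 land, before and after the suggested commands. The Exchange address 172.16.1.2 is an assumption, and only translation is modelled, not access-lists.

```python
# Added illustration: toy model of pre-8.3 PIX/ASA translation for this thread.
# It models address translation only; access-lists still decide what is permitted.
from dataclasses import dataclass, field

MAIL_IP = "123.123.123.123"   # from the thread: address in the MX / reverse DNS
BARRACUDA = "172.16.1.1"      # from the thread
EXCHANGE = "172.16.1.2"       # assumed; the thread does not give this address

@dataclass
class NatConfig:
    pat_global: str                                 # global (outside) 1 <ip>
    static_nat: dict = field(default_factory=dict)  # outside IP -> inside IP
    static_pat: dict = field(default_factory=dict)  # (outside IP, port) -> (inside IP, port)

# Configuration the reply assumes is in place today.
BEFORE = NatConfig("123.123.123.223", static_nat={MAIL_IP: BARRACUDA})
# Configuration after the suggested commands.
AFTER = NatConfig(MAIL_IP, static_pat={(MAIL_IP, 25): (BARRACUDA, 25)})

def outbound_source(cfg, inside_ip, src_port=40000):
    """Outside-visible source IP of a new TCP connection from inside_ip."""
    for out_ip, in_ip in cfg.static_nat.items():
        if in_ip == inside_ip:              # one-to-one static wins over dynamic
            return out_ip
    for (out_ip, _), real in cfg.static_pat.items():
        if real == (inside_ip, src_port):   # static PAT covers only that one port
            return out_ip
    return cfg.pat_global                   # everything else: nat (inside) 1 0 0

def inbound_target(cfg, outside_ip, dst_port):
    """Inside (host, port) for an unsolicited inbound TCP connection, or None."""
    if outside_ip in cfg.static_nat:
        return (cfg.static_nat[outside_ip], dst_port)
    return cfg.static_pat.get((outside_ip, dst_port))

def summarize(cfg):
    return {
        "exchange_seen_as": outbound_source(cfg, EXCHANGE),
        "barracuda_seen_as": outbound_source(cfg, BARRACUDA),
        "inbound_25": inbound_target(cfg, MAIL_IP, 25),
        "inbound_443": inbound_target(cfg, MAIL_IP, 443),
    }

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, summarize(cfg))
```

In the "after" case the only translation for unsolicited inbound traffic is TCP port 25 to the Barracuda, so nothing sent to 123.123.123.123 is translated to the Exchange server.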

bob.bartlett
Level 1

You should not do that, as if the Exchange server gets hit with a virus or mass-mailing bot, you will get on the SPAM list and could have issues with the server.  You should point your Exchange server at the Barracuda as an SMTP smarthost and have it scan outbound.
