Destination of my connections sees my firewall's IP instead of NAT'ed IP

twhite
Level 1

I sure hope someone can help with this. The problem is that some mail servers see my firewall's IP address as the address of the incoming SMTP connection when my mail server tries to send mail to them.

My mail server is behind my firewall with an internal IP. The firewall (a Cisco 1841) is performing static NAT for the internal IP to a valid public IP.

Under what circumstances would the destination of my connection see my mail server's IP as the firewall's IP?

10 Replies

a.kiprawih
Level 7

Hi,

Try to disable the router's proxy-arp feature on the interface hosting the mail server. On a router, proxy-arp is turned on by default. The router (here functioning as the firewall) will normally respond to the request on behalf of devices behind it (including your mail server).

Hope it helps.

Rgds,

AK

AK, thanks for your response. Can you elaborate by way of example on your comment - "The router (here functioned as firewall) normally will respond to the request on behalf of devices behind it (including your mail svr)"? And which interface are you referring to disabling proxyarp on? Do you mean the external interface, or the internal interface?

And here's a descriptive diagram (I hope) showing what is happening:

my mail server (A) -> my router (B) -> dest mail server (C)

Mail server "C" sees incoming connection from mail server "A" as my router "B" IP address instead of the NAT address. Why?

My bet is, since you're running NAT (static), and with proxy-arp enabled, the router could be the one that replies and is seen by the remote mail servers.

With static NAT, the internal mail server's address should be seen by external mail servers as the NATted IP (public IP) without being represented by 'other' address.

BTW, proxy-arp is normally disabled on the FastEthernet interface facing the servers.

The same goes for firewalls, like the PIX, where there are instances of the PIX replying on behalf of the clients when it was not needed to do so. This is where 'sysopt noproxyarp' comes in, which is more or less similar to the router's "no ip proxy-arp".

Rgds,

AK

Hmmm... AK, I just checked and I have 'no ip proxy-arp' on both interfaces. So I guess it's not an unintended proxy-arp problem. But that sure sounded good!

Any other ideas?

mmorris11
Level 4

Are you NATting the port (25) also?

Mmorris11: Thanks for the reply.

I'm not restricting the NAT, so yes, I'm NAT'ing port 25 and everything else for that static NAT. (I control access to the inside via ACLs.) Did you have some issue in mind? TIA

What does the NAT config look like?

Rgds,

AK

The relevant lines relating to my NAT are:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

ip nat inside source static 192.168.x.28 209.60.67.8 route-map No_NAT-to-VPNs

My inside interface has an 'ip nat inside' and my outside interface has an 'ip nat outside' statement.

The route maps are to prevent NAT'ing when a connection comes in from a sister office over a VPN. However, that VPN is no longer active... I just haven't gotten around to removing the route-map clauses yet.
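For readers following the NAT discussion, here is a complete IOS configuration in the shape the poster describes: a route-map-gated static translation for the mail server alongside an overload (PAT) rule on the outside interface. This is an added example, not the poster's running config; only the two "ip nat inside source" lines come from the post, and the interface addresses, ACL numbers, the 10.20.0.0/16 "VPN peer" network and the route-map contents are assumptions. What the example makes visible is how the two rules interact: a static entry that carries a route-map is used only for packets the route-map permits, and a packet it does not permit falls through to whatever other NAT rule matches, which here is the interface overload. Whether that is what is happening in the poster's case is not established by the thread; the "show" commands at the end are how you would check.

```ios
! Added example, not the poster's configuration. Addresses, ACL numbers,
! the 10.20.0.0/16 VPN peer LAN and the route-map bodies are assumptions.
!
interface FastEthernet0/0
 description inside LAN, mail server 192.168.1.28 lives here
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip proxy-arp
!
interface FastEthernet0/1
 description outside, ISP-facing
 ip address 209.60.67.2 255.255.255.248
 ip nat outside
 no ip proxy-arp
!
! Rule 1: dynamic PAT for the LAN, hiding behind the Fa0/1 address.
! ACL 101 exempts traffic to the (assumed) VPN peer LAN from translation.
access-list 101 remark NAT exemption for VPN traffic, then PAT everything else
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 10
 match ip address 101
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
! Rule 2: one-to-one static NAT for the mail server, gated by a route-map.
! The static entry is used only when No_NAT-to-VPNs permits the packet.
! A packet ACL 102 denies (here: mail server -> VPN peer) is not matched by
! the route-map, so the static entry does not apply to it and the packet is
! evaluated against the remaining rules, i.e. the overload rule above.
access-list 102 remark mail server: no NAT to VPN peer, static NAT to everything else
access-list 102 deny   ip host 192.168.1.28 10.20.0.0 0.0.255.255
access-list 102 permit ip host 192.168.1.28 any
!
route-map No_NAT-to-VPNs permit 10
 match ip address 102
!
ip nat inside source static 192.168.1.28 209.60.67.8 route-map No_NAT-to-VPNs
!
! Verification from enable mode (run while the mail server is delivering):
!   show ip nat translations | include 192.168.1.28
!   show route-map No_NAT-to-VPNs
!   show access-lists 102
! In the translation table, an entry for 192.168.1.28 whose "Inside global"
! column shows 209.60.67.2 (the Fa0/1 address) instead of 209.60.67.8 was
! created by the overload rule, not by the static entry, and the route-map
! and ACL 102 hit counters tell you why the static entry was skipped.
```

Two things to take from the example when reading the poster's lines: the "interface FastEthernet0/1 overload" rule is exactly what would stamp the router's own outside address onto a connection, and the only path by which the mail server's traffic reaches that rule is the static entry's route-map not permitting the packet. Reading "show ip nat translations" during an outbound delivery settles which rule the SMTP session actually used.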

So you are not specifying the port in your static translation for your mail server?

That's right - I'm not specifying a port. I control access to the machine via ACLs, and essentially only SMTP, SSL (port 443), and POP3 are allowed to the machine from external sources.
