07-31-2006 06:38 AM - edited 03-09-2019 03:45 PM
I sure hope someone can help with this. The problem is that some mail servers see my firewall's IP address as the address of the incoming SMTP connection when my mail server tries to send mail to them.
My mail server is behind my firewall with an internal IP. The firewall (a Cisco 1841) is performing static NAT for the internal IP to a valid public IP.
Under what circumstances would the destination of my connection see my mail server's IP as the firewall's IP?
07-31-2006 06:57 AM
Hi,
Try to disable the router's proxyarp feature on the interface hosting the mail server. In the router, proxyarp is turned on by default. The router (here functioning as the firewall) normally will respond to the request on behalf of devices behind it (including your mail svr).
Hope it helps.
Rgds,
AK
07-31-2006 09:21 AM
AK, thanks for your response. Can you elaborate by way of example on your comment - "The router (here functioned as firewall) normally will respond to the request on behalf of devices behind it (including your mail svr)"? And which interface are you referring to disabling proxyarp on? Do you mean the external interface, or the internal interface?
And here's a descriptive diagram (I hope) showing what is happening:
my mail server (A) -> my router (B) -> dest mail server (C)
Mail server "C" sees incoming connection from mail server "A" as my router "B" IP address instead of the NAT address. Why?
07-31-2006 10:40 AM
My bet is, since you're running NAT (static), and with proxy-arp enabled, the router could be the one who replies and is seen by the remote mail servers.
With static NAT, the internal mail server's address should be seen by external mail servers as the NATted IP (public IP) without being represented by 'other' address.
BTW, proxy-arp is normally disabled on the FastEthernet interface facing the servers.
The same goes for firewalls like the PIX, where there are instances where the PIX was replying on behalf of the clients when it was not needed to do so. This is where 'sysopt noproxyarp' comes in, which is more or less similar to the router's "no ip proxy-arp".
Rgds,
AK
07-31-2006 12:46 PM
Hmmm... AK, I just checked and I have 'no ip proxy-arp' on both interfaces. So I guess it's not an unintended proxy-arp problem. But that sure sounded good!
Any other ideas?
07-31-2006 10:06 AM
are you natting the port (25) also?
07-31-2006 12:47 PM
Mmorris11: Thanks for the reply.
I'm not restricting the NAT, so yes, I'm NAT'ing on port 25 and everything else for that static NAT. (I control access to the inside via ACL's.) Did you have some issue in mind? TIA
08-01-2006 12:23 PM
What does the NAT config look like?
Rgds,
AK
08-02-2006 06:24 AM
The relevant lines relating to my NAT are:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.x.28 209.60.67.8 route-map No_NAT-to-VPNs
My inside interface has an 'ip nat inside' and my outside interface has an 'ip nat outside' statement.
The route maps are to prevent NAT'ing when a connection comes in from a sister office over a VPN. However, that VPN is no longer active... I just haven't gotten around to removing the route-map clauses yet.
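To see which translation the mail server's outbound SMTP sessions are actually getting on the router, here is an added example (not from this thread) that parses constructed "show ip nat translations" output and flags sessions of the server whose inside-global address is not the static NAT address. 192.168.1.28 stands in for the masked 192.168.x.28, 209.60.67.8 is the static address from the config, and 198.51.100.1 is an assumed address for the outside interface FastEthernet0/1.

```python
from typing import Dict, List, Set

# Constructed sample of IOS "show ip nat translations" output (not captured
# from the thread's router). 198.51.100.1 is an assumed address for the
# FastEthernet0/1 outside interface; 203.0.113.x are constructed remote hosts.
SAMPLE_TRANSLATIONS = """\
Pro Inside global         Inside local          Outside local         Outside global
--- 209.60.67.8           192.168.1.28          ---                   ---
tcp 209.60.67.8:25        192.168.1.28:25       203.0.113.10:40211    203.0.113.10:40211
tcp 198.51.100.1:1025     192.168.1.28:49321    203.0.113.20:25       203.0.113.20:25
tcp 198.51.100.1:1026     192.168.1.40:52110    203.0.113.30:443      203.0.113.30:443
"""


def strip_port(addr: str) -> str:
    """Drop the :port suffix that dynamic/PAT entries carry; '---' passes through."""
    return addr.split(":", 1)[0]


def parse_translations(text: str) -> List[Dict[str, str]]:
    """Turn the five-column table into dicts keyed pro, ig, il, ol, og (IPs only)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The header has more than five words; every translation row has exactly five.
        if len(parts) != 5:
            continue
        rows.append({"pro": parts[0], "ig": strip_port(parts[1]), "il": strip_port(parts[2]),
                     "ol": strip_port(parts[3]), "og": strip_port(parts[4])})
    return rows


def globals_used_by(rows: List[Dict[str, str]], inside_local: str) -> Set[str]:
    """Every inside-global address the router has used for one inside host."""
    return {r["ig"] for r in rows if r["il"] == inside_local}


def unexpected_translations(rows: List[Dict[str, str]], inside_local: str,
                            expected_global: str) -> List[Dict[str, str]]:
    """Active sessions of the host that were NOT translated to its static address.
    The remote peer of each flagged row sees the inside-global address listed here."""
    return [r for r in rows
            if r["il"] == inside_local and r["ig"] != expected_global and r["og"] != "---"]


if __name__ == "__main__":
    rows = parse_translations(SAMPLE_TRANSLATIONS)
    for r in unexpected_translations(rows, "192.168.1.28", "209.60.67.8"):
        print(f"{r['pro']} to {r['og']} left the router as {r['ig']}, not 209.60.67.8")
```

A flagged row whose inside-global address is the FastEthernet0/1 address was built by the interface overload rule rather than the static entry, which is exactly what would make a remote mail server log the router's address instead of the NAT address.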
08-02-2006 06:53 AM
so you are not specifying the port in your static translation for your mail server?
08-02-2006 09:44 AM
That's right - I'm not specifying a port. I control access to the machine via ACL's and essentially only SMTP, SSL (port 443), and POP3 are allowed to the machine from external sources.