I sure hope someone can help with this. The problem is that some mail servers see my firewall's IP address as the address of the incoming SMTP connection when my mail server tries to send mail to them.
My mail server is behind my firewall with an internal IP. The firewall (a Cisco 1841) is performing static NAT for the internal IP to a valid public IP.
Under what circumstances would the destination of my connection see my mail server's IP as the firewall's IP?
Try disabling the router's proxy ARP feature on the interface hosting the mail server. On a router, proxy ARP is turned on by default. The router (here functioning as a firewall) will normally respond to requests on behalf of devices behind it (including your mail server).
Hope it helps.
AK, thanks for your response. Can you elaborate by way of example on your comment, "The router (here functioning as a firewall) will normally respond to requests on behalf of devices behind it (including your mail server)"? And which interface are you referring to disabling proxy ARP on? Do you mean the external interface or the internal interface?
And here's a descriptive diagram (I hope) showing what is happening:
my mail server (A) -> my router (B) -> dest mail server (C)
Mail server "C" sees incoming connection from mail server "A" as my router "B" IP address instead of the NAT address. Why?
My bet is, since you're running (static) NAT with proxy ARP enabled, the router could be the one that replies and is seen by the remote mail servers.
With static NAT, the internal mail server's address should be seen by external mail servers as the NATted (public) IP, without being represented by another address.
BTW, proxy ARP is normally disabled on the FastEthernet interface facing the servers.
The same goes for firewalls like the PIX, where there are instances of the PIX replying on behalf of clients when it did not need to. This is where 'sysopt noproxyarp' comes in, which is more or less similar to the router's "no ip proxy-arp".
Hmmm... AK, I just checked and I have 'no ip proxy-arp' on both interfaces. So I guess it's not an unintended proxy-arp problem. But that sure sounded good!
Any other ideas?
Mmorris11: Thanks for the reply.
I'm not restricting the NAT, so yes, I'm NATing port 25 and everything else for that static NAT. (I control access to the inside via ACLs.) Did you have some issue in mind? TIA
The relevant lines relating to my NAT are:
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.x.28 220.127.116.11 route-map No_NAT-to-VPNs
My inside interface has an 'ip nat inside' and my outside interface has an 'ip nat outside' statement.
The route maps are to prevent NATing when a connection comes in from a sister office over a VPN. However, that VPN is no longer active... I just haven't gotten around to removing the route-map clauses yet.
That's right, I'm not specifying a port. I control access to the machine via ACLs, and essentially only SMTP, SSL (port 443), and POP3 are allowed to the machine from external sources.
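The following is an added example, not part of the thread and not the poster's configuration. It models in Python how IOS evaluates the two NAT statements quoted above: the static entry is checked first and, because it carries a route-map, is applied only when that route-map permits the packet; otherwise the packet falls through to the dynamic interface-overload rule. All addresses are constructed (RFC 5737 documentation ranges), and the ACL behaviour of both route-maps is assumed from the poster's description. The model shows one way a packet from the mail server can leave with the router's interface address as its source; whether that is what happens on the poster's router is not established in the thread, and the place to confirm it on the real device is the NAT translation table rather than this script.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed addresses from the RFC 5737 documentation ranges; none are the poster's.
ROUTER_OUTSIDE_IP = "203.0.113.1"     # FastEthernet0/1 address in this model (assumed)
MAIL_INSIDE_IP = "192.168.1.28"       # the mail server's inside address (assumed)
MAIL_STATIC_IP = "203.0.113.28"       # public address the static entry should present (assumed)
INSIDE_NETWORK = ipaddress.ip_network("192.168.1.0/24")
VPN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # sister-office networks (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dst_is_vpn(pkt: Packet) -> bool:
    return any(ipaddress.ip_address(pkt.dst) in net for net in VPN_NETWORKS)


def no_nat_to_vpns(pkt: Packet) -> bool:
    """Model of route-map No_NAT-to-VPNs as the poster describes it (assumed ACL):
    permit, so the static entry applies, unless the destination is over the VPN."""
    return not dst_is_vpn(pkt)


def sdm_rmap_1(pkt: Packet) -> bool:
    """Model of SDM_RMAP_1 (assumed ACL): permit inside hosts going anywhere but the VPN."""
    return ipaddress.ip_address(pkt.src) in INSIDE_NETWORK and not dst_is_vpn(pkt)


def translate(pkt: Packet,
              static_route_map: Callable[[Packet], bool] = no_nat_to_vpns) -> Tuple[str, str]:
    """Return (source address the destination sees, rule that produced it).

    Evaluation order modelled on IOS: the static entry is consulted first and, since it
    carries a route-map, is used only when that route-map permits the packet; otherwise
    the packet falls through to the dynamic interface-overload rule, which rewrites the
    source to the outside interface address."""
    if pkt.src == MAIL_INSIDE_IP and static_route_map(pkt):
        return MAIL_STATIC_IP, "static"
    if sdm_rmap_1(pkt):
        return ROUTER_OUTSIDE_IP, "overload"
    return pkt.src, "untranslated"


def check_smtp_source(pkt: Packet,
                      static_route_map: Callable[[Packet], bool] = no_nat_to_vpns) -> str:
    """What the remote mail server ('C' in the thread's diagram) would log as its peer."""
    seen, rule = translate(pkt, static_route_map)
    if seen == MAIL_STATIC_IP:
        return f"ok: peer {seen} via {rule}"
    return f"problem: peer {seen} via {rule} (expected {MAIL_STATIC_IP})"


if __name__ == "__main__":
    # Outbound SMTP from the mail server to a hypothetical remote mail server.
    smtp = Packet(src=MAIL_INSIDE_IP, dst="198.51.100.25", dport=25)
    print(check_smtp_source(smtp))
    # Same packet, but with a route-map whose ACL does not permit it: the static entry
    # is skipped and the overload rule presents the router's own address instead.
    print(check_smtp_source(smtp, static_route_map=lambda p: False))
    # Traffic to the old VPN peer is exempted by both route-maps and left untranslated.
    print(translate(Packet(src=MAIL_INSIDE_IP, dst="10.20.5.5", dport=25)))
```

The second case is the one worth checking against the real router: if the static entry's route-map does not permit the outbound SMTP packet, the overload statement on FastEthernet0/1 is the next rule that matches, and the destination sees the interface address, which is the symptom described at the top of the thread.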