Cisco Support Community

New Member

Destination of my connections see my firewall's IP instead of NAT'ed IP

I sure hope someone can help with this. The problem is that some mail servers see my firewall's IP address as the address of the incoming SMTP connection when my mail server tries to send mail to them.

My mail server is behind my firewall with an internal IP. The firewall (a Cisco 1841) is performing static NAT for the internal IP to a valid public IP.

Under what circumstances would the destination of my connection see my mail server's IP as the firewall's IP?

10 REPLIES

Re: Destination of my connections see my firewall's IP instead o

Hi,

Try to disable the router's proxyarp feature on the interface hosting the mail server. On a router, proxyarp is turned on by default. The router (here functioned as firewall) normally will respond to the request on behalf of devices behind it (including your mail svr).

Hope it helps.

Rgds,

AK

New Member

Re: Destination of my connections see my firewall's IP instead o

AK, thanks for your response. Can you elaborate by way of example on your comment - "The router (here functioned as firewall) normally will respond to the request on behalf of devices behind it (including your mail svr)"? And which interface are you referring to disabling proxyarp on? Do you mean the external interface, or the internal interface?

And here's a descriptive diagram (I hope) showing what is happening:

my mail server (A) -> my router (B) -> dest mail server (C)

Mail server "C" sees incoming connection from mail server "A" as my router "B" IP address instead of the NAT address. Why?

Re: Destination of my connections see my firewall's IP instead o

My bet is, since you're running NAT (static), and with proxy-arp enabled, the router could be the one that replies and is seen by the remote mail servers.

With static NAT, the internal mail server's address should be seen by external mail servers as the NATted IP (public IP) without being represented by 'other' address.

BTW, proxy-arp is normally disabled on the FastEthernet interface facing the servers.

The same goes for firewalls, like the PIX, where there are instances where the PIX was replying on behalf of the clients when it was not needed to do so. This is where 'sysopt noproxyarp' comes in, which is more or less similar to the router's "no ip proxy-arp".

Rgds,

AK

New Member

Re: Destination of my connections see my firewall's IP instead o

Hmmm... AK, I just checked and I have 'no ip proxy-arp' on both interfaces. So I guess it's not an unintended proxy-arp problem. But that sure sounded good!

Any other ideas?

Silver

Re: Destination of my connections see my firewall's IP instead o

Are you NATting the port (25) also?

New Member

Re: Destination of my connections see my firewall's IP instead o

Mmorris11: Thanks for the reply.

I'm not restricting the NAT, so yes, I'm NAT'ing on port 25 and everything else for that static NAT. (I control access to the inside via ACLs.) Did you have some issue in mind? TIA

Re: Destination of my connections see my firewall's IP instead o

What does the NAT config look like?

Rgds,

AK

New Member

Re: Destination of my connections see my firewall's IP instead o

The relevant lines relating to my NAT are:

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

ip nat inside source static 192.168.x.28 209.60.67.8 route-map No_NAT-to-VPNs

My inside interface has an 'ip nat inside' and my outside interface has an 'ip nat outside' statement.

The route maps are to prevent NAT'ing when a connection comes in from a sister office over a VPN. However, that VPN is no longer active... I just haven't gotten around to removing the route-map clauses yet.

Silver

Re: Destination of my connections see my firewall's IP instead o

So you are not specifying the port in your static translation for your mail server?

New Member

Re: Destination of my connections see my firewall's IP instead o

That's right - I'm not specifying a port. I control access to the machine via ACLs, and essentially only SMTP, SSL (port 443), and POP3 are allowed to the machine from external sources.
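As an added illustration, not configuration from any post in this thread or from Cisco, the fragment below puts the two translation rules the original poster quoted beside an assumed shape for the route-map they depend on, a port-scoped variant of the static translation of the kind mmorris11 asks about, and the show commands that reveal which rule a flow actually took. The interface, route-map and address values come from the posts; the ACL name TO_VPN, its contents and the 10.20.0.0/16 subnet are placeholders.

```cisco
! Rules as posted in the thread ("x" is elided on the page; left as-is here)
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.x.28 209.60.67.8 route-map No_NAT-to-VPNs
!
! The static entry translates a packet only when route-map No_NAT-to-VPNs
! permits it. A packet the static entry does not translate can still match
! the overload entry, which rewrites the source to FastEthernet0/1's own
! address, i.e. exactly what mail server C reports seeing. So the route-map
! and the ACL it references are the first things to verify.
!
! Assumed (placeholder) shape of the route-map: deny the old VPN subnet so
! that traffic keeps its private address, permit everything else.
ip access-list extended TO_VPN
 permit ip 192.168.x.0 0.0.0.255 10.20.0.0 0.0.255.255
route-map No_NAT-to-VPNs deny 10
 match ip address TO_VPN
route-map No_NAT-to-VPNs permit 20
!
! Port-scoped alternative to the 1:1 static entry, matching the services the
! poster says are exposed (25 SMTP, 443 HTTPS, 110 POP3). Caveat: these entries
! match only the listed inside port, so an OUTBOUND connection the mail server
! opens from an ephemeral source port is not covered by them and falls through
! to the overload entry. Outbound SMTP would then leave as the FastEthernet0/1
! address, which is the symptom in this thread, not a fix for it.
ip nat inside source static tcp 192.168.x.28 25 209.60.67.8 25
ip nat inside source static tcp 192.168.x.28 443 209.60.67.8 443
ip nat inside source static tcp 192.168.x.28 110 209.60.67.8 110
!
! Verification on the 1841 while the mail server is delivering outbound mail:
! the verbose translation table shows the inside local, inside global and
! outside global addresses for each flow, so a 192.168.x.28 entry whose inside
! global is the FastEthernet0/1 address confirms the overload path was taken.
show ip nat translations verbose
show route-map No_NAT-to-VPNs
show ip access-lists TO_VPN
! After changing NAT rules, drop cached translations so new flows re-evaluate:
clear ip nat translation *
```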
