mail to outside address

mjhagen
Level 1

I have two servers on the dmz interface, both with static nat translations. One of the servers needs to send mail to the other's static address because of dns lookups. Is it possible to allow this traffic in? Would this be done with the alias command?


jasobrown
Level 1

If you are running older code you would use the alias command, but if you are using new code you would use the dns feature in the static.

static (dmz,outside) public private netmask 255.255.255.255 dns

I am using version 5.2(4)

I apologize. The alias command won't work for your situation, but the dns fixup would (and you don't have that in 5.2.4).

The only thing that I can suggest at this point would be to put an entry in your host file for the MX record.

Are both servers off of the same pix interface? Can you diagram the topology? You cannot have the pix send traffic out the same interface on which it was received.

ehirsel
Level 6

Yes both servers are on the same dmz interface.

Would like to only use the public DNS server to supply the public IP of the servers. There lies the problem. Currently using an internal DNS server that I would like to eliminate.

Topology explanation:

1. 3 vlans behind DMZ

2. public DNS server on first vlan

3. CSS / Loadbalancer connects other 2 vlans to DMZ

4. 2 servers behind CSS.

If I were to draw your topology off of the pix dmz interface it would look like this:

pix---css---servers

The pix and css have one vlan in common and the public dns server is on that vlan. The other vlans are behind the css where the two servers reside.

If I did not draw this correctly, let me know.

Assuming that I did, the pix will not see any server to server traffic. You need to employ NAT/PAT on the css. This is true unless you are running pix code 6.3.

The 6.3 code allows you to do logical interfaces; now we can create two vlans on the dmz phy interface to force the traffic to flow between the css and the pix to get to the public dns server. The public dns server should have the pix as the default route, and the pix should employ statics to hide the true ip address of the pub dns server; otherwise the css will route traffic direct to it, bypassing the pix.

Before I go any further, let me know if I drew the topology correctly.

This is correct. "The pix and css have one vlan in common and the public dns server is on that vlan. The other vlans are behind the css where the two servers reside."

Is there a reason you want one server to see the other's static address? You should have them connect direct to each other. The pix should not see the traffic. You could set up logical interfaces on the pix if you use 6.3 code; however, the css also does stateful filtering that could make everything complex. You would need to set up dest nat as well as source nat on the pix to get the flow mapping correct on the css.

Could you move the public dns server to another interface on the pix that connects to a switch other than the css?

They do connect directly now, but the server admins are requesting that they be able to see the mail on their static public address because of dns lookups.

Could the admins create local /etc/hosts file entries for the server names so that the lookup will use the proper internal address and not the public dns records? The issue you have is that the pix will not route traffic back on the same interface upon which it was received. Your only other choice, to keep things clean, is to move the dns server onto a different interface on the pix and use the no sysopt nodnsalias inbound/outbound command to force the pix to do the dns a/mx record xlate.
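Added example, not a post from this thread: a PIX 6.3-style configuration fragment showing the dns option on the static command that jasobrown mentions, laid out the way ehirsel suggests (public DNS server on its own PIX interface so that DNS replies cross the firewall). Interface names and every address are constructed placeholders. It assumes the DNS answers reach the dmz mail servers from a lower-security interface, which is the documented case for the dns keyword; the rewrite only happens on DNS replies that actually pass through the PIX, which is why it cannot help while the DNS server sits on the same dmz vlan as the servers.

```cisco
! Added example, not from the thread. All names and addresses are constructed.
! outside = Internet, dmz = the two mail servers, dnsnet = the public DNS server,
! moved off the css vlan so its replies to the dmz have to traverse the PIX.
nameif ethernet2 dmz security50
nameif ethernet3 dnsnet security40
ip address dmz 10.10.10.1 255.255.255.0
ip address dnsnet 10.10.20.1 255.255.255.0

! DNS inspection has to be on for the PIX to look inside DNS replies.
fixup protocol dns maximum-length 512

! Static translations for the two mail servers. Without the dns keyword a
! dmz host that resolves its peer's name gets the public address 203.0.113.11,
! sends SMTP to it, and the PIX drops the flow because it would have to go
! back out the dmz interface it came in on. With the dns keyword the PIX
! rewrites the A record in the reply to the real address 10.10.10.11, so the
! two servers talk directly on the dmz and the PIX never sees the mail traffic.
static (dmz,outside) 203.0.113.10 10.10.10.10 netmask 255.255.255.255 dns
static (dmz,outside) 203.0.113.11 10.10.10.11 netmask 255.255.255.255 dns

! The public DNS server keeps a static of its own so the rest of the world
! (and the css) reach it only through the PIX, as ehirsel notes.
static (dnsnet,outside) 203.0.113.53 10.10.20.53 netmask 255.255.255.255
```

To verify the behaviour, resolve the peer's name from one of the dmz servers and check that the answer is the 10.10.10.x address rather than the 203.0.113.x one; if the public address comes back, the reply did not pass through the PIX and the rewrite could not apply.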
