The SA520 I have is configured on one public IP address and an exchange server is behind it. THe exchange server is configured with an internal address and the SA520 is performing NAT translation to a unique public address for the email server itself which is independant of the SA520. It seems that the SA520 is sending email out the NAT address correctly at some time and at other times it seems to be sending the email traffic over the PAT address of the SA520 public address. When this happens the email gets blocked due to spam lists. Then the email will work again correctly.. and then go back. If I use a 3rd party website to test the IP address sometime I get the correct one and sometimes I get the wrong address.
Is there a way I can confirm that the SA520 NAT settings are correct to allow ALL outbound communications from the exchange server (which is behind the SA520)? I may have the SA520 configuration wrong and it is possible that the SA520 is only providing inbound PAT for port 25. How do I tell the SA520 to do a 1 to 1 NAT with the exchange server?
O.K update on this. It is a ONE to ONE NAT issue... it is not intermittent. has anyone had any issues
with the SA520 and trying to get a one to one NAT configured?
I have opened a case with small business support, they esculated to a TAC engineer in CA but no resolution. This is so simple... all I need is to have the SA device serve the internet and then create a ONE to ONE NAT with an internal mail server and the SA520 does not work. This is the most basic thing I can not beleive I am the only person (or the first person) in the world trying to create a one to one NAT with a mail server... Anyone have any ideas?
In order to establish a 1 to 1 NAT on the SA 500 series, as in your case, you must first you must first add an IP Alias for your 2nd WAN. Next, you create a Firewall rule to "force" all or selected traffic from your NATed server (LAN) to the WAN to go out thru the IP ALIAS address. Finally, we forward specific traffic from the WAN to your NATed Server (LAN) thru Firewall Rule(s). See sample wan2lan bitmaps attached. Do this for each of the services that you will allow to come in thru the SA 520 to your Server. As long as there are no other Firewall rules overlapping with the newly created rules, traffic to and from your NATed server will come/exit thru your ALIAS IP.
We can verify this by performing a WAN Packet Trace (Administration-->Diagnostics -->Packet Trace) After choosing Dedicated WAN as the Network to be captured, Click on Start to perform Packet Capture. Go to your NATed server, and perform the following, on a command prompt window Ping google.com, open a browser window and open google.com. On a remote machine, open a web page on your server (OWA?) to test incoming HTTP/HTTPS requests. Stop your capture, and save the packet capture file by pressing the Download button. Open file with Wireshark/Ethereal and observe the source and destination address of the packets. They should have the ALIAS address and not the WAN IP address.
If the above step is good, then we have to take a look as to if and why your SMTP or email services are not being routed out the ALIAS interface. Repeat capture steps as above, but this time send an outgoing email, and test an incoming email by emailing an internal account from an outside email acount (yahoo, gmail, hotmail).
If you still have failure, and you have IPS or ProtectLink enabled, can you run the steps that failed with IPS and/or ProtectLink both disabled?
If there are issues, you can post the captures as a personal message to me.
I hope the above will help narrow the issue a bit.
I have seen this issue before with a customer with a sa520 router. Your mail is getting blacklisted cause when they do a reverse dns it is pulling up your routers wan ip address and not the 1 to 1/ ip alias you have setup. The fix for my customer with this issue, he had to contact his internet service provider and have them setup an entry for reverse dns for his wan on his router. Once he did this him mail was not being blacklisted anymore.
davicarr - I will look into this... maybe it is the case.. Only issue is I have replaced an older PIX515 and it has been working for years..
Also - I do agree this is how you set up a proper 1to1 NAT with the SA520...
Very interesting.. seems because we are using an HTTP FILTER with the device (not just firewall and NAT for internet access)... the SA520 is PROXY'ing all traffic so the outbound traffic is showing from the GLOBAL (PAT) IP address of the firewall and not the 1to1 NAT settings (or a unique IP address for the mail server).. but a packet trace shows the correct 1to1 (NAT) address (going outbound) but all sites are seeing the PAT address (of the firewall).. Next step is I have to send some mail to a specific mail server (my own) and run a sniffer on the receiving end to prove that we are getting PAT address vs. NAT address at the receiving end... and show it to Cisco.. I was working with 2 developer Engineers on the product because they want to fix it, if this is the case..
All websites like www.whatismyipaddress.com and http://www.kloth.net/services/nslookup.php show that I am actually using the wrong IP (the IP address of the firewall) instead of the IP address of the 1to1 NAT settings I have in the SA520, to give the mail server a unique IP address. Again - all my mail is being blocked due to this because PC's in-house have spyware and it places the Global PAT address on blacklists with barracuda and others.
Thank you for the update ... your response, and reading through the previous posts makes me feel uneasy about this p
I have had no luck with the most basic Port Forwarding 101 setup ... see the next post.
Mike - should be easy... Just follow Julio's post pictures.... Do the first one and then the last two.. (wantolan). You need to make an alias first and then set up according to Julios last two pics..
Yeah ... I know it should be easy ... I have an old Linksys WRVS4400N that does it just fine.
My Firewall Rules match Julios'
I can telnet into port 25 fine on the local network - so I know it is listening
There is no firewall on the mail server - so I know its not blocked
The trace shows it times out.
Thanks for your help
I am going to call it quits for the night, give it fresh eyes in the morning