Have a seldom issue that I would like to resolve by way of address translation, if possible.
Mail Server is inside the private LAN and an Email Spam filter system is in the DMZ. All incoming SMTP traffic is directed to the filter using a static command and then sent to the mail server. All outgoing SMTP traffic is sent out from the mail server directly to the destination mail system.
My issue is when the mail server establishes an SMTP connection with the remote system. To the receiving end, the mail server's IP address appears as our publicly NATed address, which is different than the registered public IP address in DNS for the same mail server. At times remote mail servers reject our mail because the reverse lookup does not match, i.e. my NATed address is different than the mail server's public address. Some systems reject because it appears as relayed email.
I was looking at adding another translation (global and nat) rule for the internal mail server only so that all traffic looks like it is coming from the DNS registered IP address and not our current NATed address.
I am just not sure if the PIX will be happy with me using a global command with an address that will also be used in a static command. I need that static command for all incoming SMTP traffic to be forwarded to the filter in the DMZ, as mentioned earlier.
Has anyone come across this or can shed some light on a possible alternative?
The public MX record IP is different than my public NATed address, but both are in the same subnet block.
Issue is when my Internal Mail Server establishes an SMTP connection to an external mail server, the source address appears as the NATed address (which is fine and makes sense), but for some reason some external mail systems perform a reverse lookup for my MX record IP and since the MX is different than what the server sees as the connection source, they assume that the message is being relayed and so it gets rejected.
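An added check (not from the thread) that reproduces what the receiving server does to the connecting address: look up its PTR, confirm the name resolves back to the same address (forward-confirmed reverse DNS), and compare the address against the sending domain's MX hosts. The DNS data is constructed (documentation addresses) and the resolver is injected, so it runs offline; point `resolve` at a real resolver to test your own outbound address.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS data modelling the thread's situation: the MX record names
# mail.example.test at .10, but outbound SMTP leaves the firewall from the
# shared PAT address .12, whose PTR names a different host.
SAMPLE_DNS: Dict[tuple, List[str]] = {
    ("example.test", "MX"): ["mail.example.test."],
    ("mail.example.test", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.test."],
    ("12.113.0.203.in-addr.arpa", "PTR"): ["fw-nat.example.test."],
    ("fw-nat.example.test", "A"): ["203.0.113.12"],
}

Resolver = Callable[[str, str], List[str]]


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver; returns [] on NXDOMAIN/no data."""
    return SAMPLE_DNS.get((name, rtype), [])


def check_sender_ip(source_ip: str, sender_domain: str, resolve: Resolver) -> dict:
    """Evaluate the connecting address the way a picky receiving MTA would."""
    ip = ipaddress.ip_address(source_ip)
    # Reverse lookup of the connecting address (e.g. 12.113.0.203.in-addr.arpa).
    ptr_names = [n.rstrip(".") for n in resolve(ip.reverse_pointer, "PTR")]
    # FCrDNS: at least one PTR name must resolve back to the connecting address.
    fcrdns_ok = any(source_ip in resolve(n, "A") for n in ptr_names)
    # The stricter check described in the thread: source must be one of the
    # sender domain's MX addresses, otherwise it looks like a relay.
    mx_hosts = [h.rstrip(".") for h in resolve(sender_domain, "MX")]
    mx_ips = {a for h in mx_hosts for a in resolve(h, "A")}
    matches_mx = source_ip in mx_ips
    return {
        "ptr": ptr_names,
        "fcrdns_ok": fcrdns_ok,
        "matches_mx": matches_mx,
        "ok": fcrdns_ok and matches_mx,
    }


if __name__ == "__main__":
    for src in ("203.0.113.12", "203.0.113.10", "203.0.113.13"):
        print(src, check_sender_ip(src, "example.test", sample_resolver))
```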
"...change the IP appears in MX record to your public IP."
I have considered doing this, but will the PIX have an issue with me using the same public IP address in a global command for outbound NAT and in a static command for inbound SMTP traffic translation?
"The public MX record IP is different than my public NATed address, but both are in the same subnet block"
So that means we can create a static for the mail server and separate it from the PAT statement. We won't have to change the MX record.
" the same public IP address in a global command for outbound NAT and in a static command for inbound smtp traffic translation."
Hmm, we have some kind of problem here I think. You said that the IP stated in the MX record is in the same subnet as your current NATed public IP, correct? Here is an example:
Let's say that 188.8.131.52 255.255.255.248 is your NATed outside IP. The .248 mask means you own and control the 184.108.40.206-220.127.116.11 range. And let's assume that your MX record has an IP of 18.104.22.168. Then here is what you have to do:
access-list inbound permit tcp any host 22.214.171.124 eq smtp
access-list outbound permit tcp host insidemailserverip any eq smtp
So my goal is to be able to translate (NAT) outbound SMTP traffic from my inside mail server with the public MX record IP address 126.96.36.199 instead of 188.8.131.52; that way the source IP address of all outbound SMTP traffic matches that of my public MX record IP and I would not get any relay rejections.
Just not sure if the PIX would be happy with using an IP address on a global command and in a static command.
"Just not sure if the PIX would be happy with using an IP address on a global command and in a static command"
You are not using the same IP in static and in global. Config looks fine.
"access-list outbound permit tcp host insidemailserverip any eq smtp "
If you are newly adding an ACL to the DMZ interface just for this mail traffic, you don't have to. Traffic from a higher security level interface to a lower security level interface is permitted by default. But if you were already filtering the traffic with that ACL (it already existed), then you can add the above specific ACE to your ACL.
Assuming that you have a public IP assigned to the outside interface, you can use the interface IP as global with the following command:
global (outside) 1 interface
global (outside) 1 184.108.40.206 netmask 255.255.255.248
Do you have statics for communication between mail filter and mail server? Can they communicate atm?