Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Bounced emails - possible PAT issue?

Status
Not open for further replies.
w4nn4b1337

w4nn4b1337

IS-IT--Management
Apr 14, 2009
42
US
I posted this in the MS Exchange area as well because I am unable to isolate the problem.

We brought up a new site about a year ago. The purpose was to provide email services and nothing else. No Internet browsing, FTP, etc. is being used on this circuit. It is strictly SMTP. The problem is in the last month or so email is not being delivered to AOL or hotmail and maybe a few more.
This is a typical configuration of a T1 circuit, Cisco ASA firewall, with a public IP with a Static NAT to our inside private exchange server. Lets say the outside IP for the firewall is 1.1.1.14 and the exchange server is using 1.1.1.15.
The problem is the email notice we recieve is saying the source address doesn't match the reverse lookup.
The address it is reporting is from our firewall outside interface 1.1.1.14.
We have checked all DNS records with a popular DNS testing website and all DNS records show the FQDN is resolving to 1.1.1.15 as it should. The reverse lookup matches the SMTP banner.
Lets say the Exchange server is using private address 192.168.0.20/24. I have created a PAT rule for outside 1.1.1.15:25 to translate to inside 192.168.0.20:25 on the firewall. Email traffic flows but as previously mentioned email appears to be sent from 1.1.1.14.

The question is if DNS is correct, SNMP banner is correct how can AOL be recieving email from 1.1.1.14 (our firewall) and not 1.1.1.15 (our exchange server) ?



Network+ / Security+ / C|EH /CCNA
Working towards CCNP and CWNA.
 
Sort by date Sort by votes
I would try using policy NAT
Code: 
global (outside) 1 interface
[b]global (outside) 2 1.1.1.15 netmask 255.255.255.248[/b]
nat (inside) 1 192.168.0.0 255.255.255.0
[b]nat (inside) 2 access-list e-mail_out[/b]

[b]access-list e-mail_out extended permit tcp host 192.168.0.20 any eq smtp[/b]

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Post a config. You might be using pat instead of Nat.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
I am using PAT. Should it be a static NAT config?

Network+ / Security+ / C|EH /CCNA
Working towards CCNP and CWNA.
 
Upvote 0 Downvote
Your responses have helped isolate the problem.
It appears AOL is looking at the IP address of where the email came from. Our SMTP is registered to a seperate public address assigned to us. (1.1.1.15) Everything resolves fine and most email flowed ok. Problem is our outgoing SMTP traffic is orignating from 1.1.1.14. So AOL sees that incoming traffic from 1.1.1.14 but that addresss will not resolve to anything with a reverse DNS and it doesn't match SMTP banners, etc.

I guess my question is, is the outgoing mail being sent from the exchange front end (192.168.0.20) or back end (192.168.0.19)? (I'm not getting a straight answer from the exchange admin)

If I have a static, one-to-one NAT from the mail server that is sending email to 1.1.1.15 would it then show the originating address as 1.1.1.15 or would it still be the FW outsite interface IP 1.1.1.14? (This would solve the problem)

Otherwise it seems the solution appears to be 1to1 NAT the email server to 1.1.1.14 and re-register our MX/PTR/SPF/etc. records and domain to 1.1.1.14(FW outside IP) instead of 1.1.1.15(alternate public IP) with the ISP DNS hostmaster and with who we registered the domain with. This would obviously create a possible outage to a shop that runs 24/7. Considering the office is our surveilance and security department this could be painful.

Thanks for any suggestions.



Network+ / Security+ / C|EH /CCNA
Working towards CCNP and CWNA.
 
Upvote 0 Downvote
The Static NAT entry will work and any communications sourced from your mail server will be from the public IP of 1.1.1.15. The Policy NAT example I gave will source only SMTP traffic from your mail server from 1.1.1.15 and will still allow you to use PAT for the address. I would use the Policy NAT config if you are worried about conserving addresses and the Static NAT config if you are not concerned about conserving addresses. That is of course my opinion, you are free to choose whatever fits your environment.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
I really do appreciate the help. I have set a static 1-to-1 NAT with the front end exchange server 192.168.0.20 to 1.1.1.15. Conserving addresses is not an issue as the only service we are hosting is SMTP/HTTPS(OWA) on this circuit.

Thanks, it appears traffic is not being held up for AOL now.



Network+ / Security+ / C|EH /CCNA
Working towards CCNP and CWNA.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
247
nnaarrnn
nnaarrnn
Jimbo2015
  • Locked
  • Question
Avaya - Watch guard issue with keep alives
Replies
1
Views
90
hairlessupportmonkey
hairlessupportmonkey
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
102
kythri
kythri
chitownbrit
  • Locked
  • Question
Sonicwall Fiber Connection Issue
Replies
0
Views
60
chitownbrit
chitownbrit
nosebreaker
  • Locked
  • Question
8.4 PAT/NAT question
Replies
1
Views
56
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top