Exchange Cluster NAT translation on PIX fails 1

[kbunce]

I have an exchange 2K active/passive cluster cluster which has seperate IP's for each node and the cluster. My PIX has a static statement which between public and private for the cluster IP. This is fine for incoming mail but reverse DNS lookups fail for outbound SMTP traffic because the active host advertises itself as the global NAT'd IP address instead of the public IP for the mail cluster. Anyone got any ideas on how I fix this at the firewall?

Thanks in advance,

Ken

 

[netwalker1]

simply , you will not be able to solve this problem ..
the servers will work fine when some one call the cluster IP ..
but when it will work , it will talk with it's internal IP as a source !
unfortunatly no solution ..


Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]
CCNP,CCA,MCSE,MCSA

 

[kbunce]

Ouch.... the pain is being felt. Would a static map to each node help?

 

[netwalker1]

Yes.
But then , you will receive connection on the cluster natted IP , and send through another !

If this acceptable , do it ..

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]
CCNP,CCA,MCSE,MCSA

 

[BuckWeet]

Could you do this maybe?

Setup another NAT group just for those 2 or 3 internal IP's

like:
nat (dmz) 2 192.168.1.1 255.255.255.255
nat (dmz) 2 192.168.1.2 255.255.255.255
nat (dmz) 2 192.168.1.3 255.255.255.255

global (outside) 2 <external IP>

then for your incoming statics

just do like

static (dmz, outside) tcp x.x.x.x <port#> internal_ip <port#>


i'm sure that sytax is for the static (can't remember)

But that should work


BuckWeet

 

[netwalker1]

they all deal with the same port , so u can't use port redirection with this situation !!



Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]
CCNP,CCA,MCSE,MCSA

 

[BuckWeet]

I thought you just needed to direct it to the cluster IP or am I incorrect?? which is like a virtual IP that a master server assumes?

BuckWeet

 

[kbunce]

Inbound smtp is fine pointing at the virtual but telnet tests other systems on port 25 show that I am showing up at the remote systems as the global nat'd ip instead of my public ip for the mail cluster. The firewall is translating on the actual ip of the active cluster node instead of the virtual ip of the cluster.

 

[netwalker1]

And this is the problem which I mentioned it before :
- Clustering is used only for listening , it can't be used to Call ...

So if you listen , the virtual Cluster IP will answer ..

But when you telnet , then you are calling [green]( you are the one who initiate the connection )[/green] Then you will talk by your own IP [red]--> NO Soultion
[/red]





Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]
CCNP,CCA,MCSE,MCSA

 

[BuckWeet]

And this is the problem which I mentioned it before :
- Clustering is used only for listening , it can't be used to Call ...

So if you listen , the virtual Cluster IP will answer ..

But when you telnet , then you are calling ( you are the one who initiate the connection )


_____________________


That taken from netwalker1

If thats the case, then what i proposed should work.. If the virtual IP is the one answering then all you need to do is forward that TCP port for that global IP to the virtual IP. Then for all your outbound connections you setup the 2nd NAT group, which you have all of those same machines using the same global IP..

Is this the case?


BuckWeet

 

[netwalker1]

Thanks BuckWeet ..
I think this will solve a lot of problems in Clustering cases

Mohamed Farid
[green]Know Me No Pain , No Me Know Pain !!![/green]
CCNP,CCA,MCSE,MCSA