jimburris
MIS
- Dec 2, 2003
- 14
- 0
- 0
I have one server that I would like all traffic leaving the network natted to while all other servers and hosts use another address. Is this possible?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
NAT/PAT for email 2
- Thread starter jimburris
- Start date
- Status
-
1
- #2
- Thread starter
- #3
-
1
- #4
very much so. see example for static pat in this document
OK, then it should work with port translation:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp <filter_ip> smtp netmask 255.255.255.255 0 0
Anything coming in to port 25 will be redirected to the filter server. Anything going out, including from the filter server, will use the interface address. Substitute an actual address if needed.
If you have a special address set up for mail, then you could use the above lines plus "static (inside,outside) <outside_ip> <mailserver_ip> netmask 255.255.255.255 0 0". This would have all inbound traffic go to the mail server, except mail which would go to the filter server. Both servers would appear to be the same address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp <filter_ip> smtp netmask 255.255.255.255 0 0
Anything coming in to port 25 will be redirected to the filter server. Anything going out, including from the filter server, will use the interface address. Substitute an actual address if needed.
If you have a special address set up for mail, then you could use the above lines plus "static (inside,outside) <outside_ip> <mailserver_ip> netmask 255.255.255.255 0 0". This would have all inbound traffic go to the mail server, except mail which would go to the filter server. Both servers would appear to be the same address.
- Thread starter
- #6
jimburris
MIS
- Dec 2, 2003
- 14
- 0
- 0
OK, I must be dense or something. I have posted part of the config below. IP addresses have been changed. All traffic on port 25 is coming into the email-filter server. The external IP for the filter server is 10.0.0.3. I have an email server on the internal network that I want all traffic leaving this server to use the IP address 10.0.0.3. This is the address of the filter server on the outside. Can both of these servers use the same external IP address even though the filter server will be receiving all traffic on port 25 and the email server will be sending all traffic outbound on port 25?
access-list 101 permit tcp any host 10.0.0.3 eq smtp
access-list 101 permit tcp any host 10.0.0.4 eq ftp
access-list 101 permit tcp any host 10.0.0.5 eq www
access-list 101 permit tcp any host 10.0.0.5 eq ftp
ip address outside 10.0.0.1 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 10.0.0.2
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.4 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.5 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.3 192.168.1.11 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-list 101 permit tcp any host 10.0.0.3 eq smtp
access-list 101 permit tcp any host 10.0.0.4 eq ftp
access-list 101 permit tcp any host 10.0.0.5 eq www
access-list 101 permit tcp any host 10.0.0.5 eq ftp
ip address outside 10.0.0.1 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 10.0.0.2
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.0.0.4 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.5 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.3 192.168.1.11 netmask 255.255.255.255 0 0
access-group 101 in interface outside
Let the outside address for the filter be 10.0.0.2 with the following statement
static (inside,outside) tcp 10.0.0.2 25 192.168.1.11 25 netmask 255.255.255.255 0 0
This will only translate traffic on tcp port 25 to the internal address .1.11. You need to adjust access-list 101 to also reflect that smtp is at 10.0.0.2
static (inside,outside) tcp 10.0.0.2 25 192.168.1.11 25 netmask 255.255.255.255 0 0
This will only translate traffic on tcp port 25 to the internal address .1.11. You need to adjust access-list 101 to also reflect that smtp is at 10.0.0.2
- Thread starter
- #8
jimburris
MIS
- Dec 2, 2003
- 14
- 0
- 0
Below is the message I get because the email server is getting NAT/PAT'ed to a different address than what is used when email enters the firewall. I want both internal addresses NAT/PAT'ed to the same external address as if they were one server. Email going out does not pass through the filter server. Email coming in goes to the filter server and if it passes a rule check, the email is then passed to the mail server. Am I asking for the impossible?
smtp;554 5.7.1 The server sending your mail [x.x.x.x] does not have a reverse DNS entry. Connection Rejected. Please contact your Dial-Up/DSL/Network ISP Provider. Default Reject!>
smtp;554 5.7.1 The server sending your mail [x.x.x.x] does not have a reverse DNS entry. Connection Rejected. Please contact your Dial-Up/DSL/Network ISP Provider. Default Reject!>
Why not just get reverse DNS set up for the hide address? There is absolutely no reason that the inbound and outbound addresss have to be the same. As long as the outbound address has reverse DNS you should be fine.
Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
Chris.
**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
- Thread starter
- #10
No. Like iproute said you can set up RDNS for the PAT address you'll be fine. It won't bother any other services.
You could use the same address for your separate inbound and outbound mail servers. Following up on 308win's configuration, use these two lines:
static (inside,outside) tcp 10.0.0.2 25 192.168.1.11 25 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.2 192.168.1.12 netmask 255.255.255.255 0 0
Assume that 10.0.0.2 is your public mail address, 192.168.1.11 is your filter server and 192.1.1.12 is your outgoing mail server. Inbound traffic to port 25 goes to the filter. All other inbound traffic (which actually should be blocked anyway) would go to the outbound server. When either server talks to the Internet, it appears as 10.0.0.2. Assuming you already have RDNS set up for 10.0.0.2, then just adding the second line above should do the trick.
You could use the same address for your separate inbound and outbound mail servers. Following up on 308win's configuration, use these two lines:
static (inside,outside) tcp 10.0.0.2 25 192.168.1.11 25 netmask 255.255.255.255 0 0
static (inside,outside) 10.0.0.2 192.168.1.12 netmask 255.255.255.255 0 0
Assume that 10.0.0.2 is your public mail address, 192.168.1.11 is your filter server and 192.1.1.12 is your outgoing mail server. Inbound traffic to port 25 goes to the filter. All other inbound traffic (which actually should be blocked anyway) would go to the outbound server. When either server talks to the Internet, it appears as 10.0.0.2. Assuming you already have RDNS set up for 10.0.0.2, then just adding the second line above should do the trick.
- Thread starter
- #12
- Thread starter
- #14
jimburris
MIS
- Dec 2, 2003
- 14
- 0
- 0
I did use the correct address in the static statements. You are cooorect that 10.0.0.2 is not correct. I had to change the addresses to protect the company. Let's say that 10.0.0.2 is used for all NAT/PAT on the network (general web traffic). I want both servers to appear as 10.0.0.3
- Status
Similar threads
- Locked
- Question
- Locked
- Question