Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

NAT Question

Status
Not open for further replies.

Novelluser

Technical User
Feb 9, 2004
26
IE
Hello,

I have one external public IP and I have to allow mail in to my exchange server on port 25, I am using NAT/PAT. The only problem is that the ISP host's the mail on three servers. Can I create an access list to allow SMTP in for each of the servers IP address or if I just allow all smtp traffic in am I leaving myself vunreble to spammers etc.

Thanks
 
You would normally have an open smtp port and anti-spam spam server software(such as GFI MailEssentials) on the mail server or gateway because you can receive smpt traffic from any number of servers. i.e. joepublic@whatever.com sends you and email. A DNS server resolves the MX record to your external IP address and is sent. This is the normal protcol for this, but I dont understand why you would have your ISP host email, then send it to your exchange server. Now if your ISP does in fact HOST your email and pushes all email traffic to you exchange server and you receive no other email services by any other means or method(besides personal web mail), then yes you can open smtp to only those 3 servers and would be a good idea in that case.

I don't know sir...I guess its broke.
 
Hey thanks for the reply!

I should of been more clear in my statement. Our ISP does host all our email and pushes the traffic directly to our exchange server after it has been scanned for spam and viruses. But my main question is what acl will I use to allow smtp from those servers??

access-list out_in permit tcp any host xxx.xx.xx.1 eq smtp
access-list out_in permit tcp any host xxx.xx.xx.2 eq smtp
access-list out_in permit tcp any host xxx.xx.xx.3 eq smtp

access-group out_in in int outside
 
Reverse the IP entries. The acl that you posted would allow any remote host to send SMTP traffic to the three internal servers. You want the opposite: allow those three hosts to send SMTP to any internal host.
 
Sure,

10.10.0.2 represents your internal Exchange Server.

access-list out_in permit tcp host xxx.xx.xx.1 host 10.10.0.2 eq smtp
access-list out_in permit tcp host xxx.xx.xx.2 host 10.10.0.2 eq smtp
access-list out_in permit tcp host xxx.xx.xx.3 host 10.10.0.2 eq smtp

I don't know sir...I guess its broke.
 
You can also use the conduit permit command:

conduit permit tcp host 10.10.0.2 eq smtp host xxx.xx.xx.1
conduit permit tcp host 10.10.0.2 eq smtp host xxx.xx.xx.2
conduit permit tcp host 10.10.0.2 eq smtp host xxx.xx.xx.3

Check this page out for more info/commands

Scroll down to "Allowing Untrusted Hosts Access to Hosts on Your Trusted Network"

I don't know sir...I guess its broke.
 
Thanks so much for your reply. One more question... Since I only have one IP I will have to create NAT mapping for incoming traffic. Is the following command correct and would it apply??


static (inside,outside) tcp xxx.xxx.xx.1 smtp 10.10.0.2 smtp netmask 255.255.255.255 0 0

Thanks
 
Your config is for port re-direction. You can use it if the only service coming into your Exchange server is going to be smtp or you can use a standard static mapping like this:

static (inside,outside) xxx.xxx.xx.1 10.10.0.2 netmask 255.255.255.255 0 0



I don't know sir...I guess its broke.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top