
NAT Question

Status
Not open for further replies.

Novelluser

Technical User
Feb 9, 2004
Hello,

I have one external public IP and I have to allow mail in to my Exchange server on port 25; I am using NAT/PAT. The only problem is that the ISP hosts the mail on three servers. Can I create an access list to allow SMTP in for each of the servers' IP addresses, or if I just allow all SMTP traffic in, am I leaving myself vulnerable to spammers etc.?

Thanks
 
You would normally have an open SMTP port and anti-spam server software (such as GFI MailEssentials) on the mail server or gateway, because you can receive SMTP traffic from any number of servers, i.e. joepublic@whatever.com sends you an email, a DNS server resolves the MX record to your external IP address, and the mail is sent. This is the normal protocol for this, but I don't understand why you would have your ISP host email, then send it to your Exchange server. Now, if your ISP does in fact HOST your email and pushes all email traffic to your Exchange server, and you receive no other email services by any other means or method (besides personal web mail), then yes, you can open SMTP to only those 3 servers, and that would be a good idea in that case.

I don't know sir...I guess its broke.
 
Hey thanks for the reply!

I should have been more clear in my statement. Our ISP does host all our email and pushes the traffic directly to our Exchange server after it has been scanned for spam and viruses. But my main question is: what ACL will I use to allow SMTP from those servers?

access-list out_in permit tcp any host xxx.xx.xx.1 eq smtp
access-list out_in permit tcp any host xxx.xx.xx.2 eq smtp
access-list out_in permit tcp any host xxx.xx.xx.3 eq smtp

access-group out_in in int outside
 
Reverse the IP entries. The ACL that you posted would allow any remote host to send SMTP traffic to the three internal servers. You want the opposite: allow those three hosts to send SMTP to any internal host.
 
Can you post a sample of what you mean?

Thanks
 
Sure,

10.10.0.2 represents your internal Exchange Server.

access-list out_in permit tcp host xxx.xx.xx.1 host 10.10.0.2 eq smtp
access-list out_in permit tcp host xxx.xx.xx.2 host 10.10.0.2 eq smtp
access-list out_in permit tcp host xxx.xx.xx.3 host 10.10.0.2 eq smtp

I don't know sir...I guess its broke.
 
You can also use the conduit permit command:

conduit permit tcp host 10.10.0.2 eq smtp host xxx.xx.xx.1
conduit permit tcp host 10.10.0.2 eq smtp host xxx.xx.xx.2
conduit permit tcp host 10.10.0.2 eq smtp host xxx.xx.xx.3

Check this page out for more info/commands

Scroll down to "Allowing Untrusted Hosts Access to Hosts on Your Trusted Network"

I don't know sir...I guess its broke.
 
Thanks so much for your reply. One more question... Since I only have one IP, I will have to create a NAT mapping for incoming traffic. Is the following command correct, and would it apply?


static (inside,outside) tcp xxx.xxx.xx.1 smtp 10.10.0.2 smtp netmask 255.255.255.255 0 0

Thanks
 
Your config is for port redirection. You can use it if the only service coming into your Exchange server is going to be SMTP, or you can use a standard static mapping like this:

static (inside,outside) xxx.xxx.xx.1 10.10.0.2 netmask 255.255.255.255 0 0
I don't know sir...I guess its broke.
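As an added example written for this thread (not PIX code and not anything the posters wrote), the following Python models the two points discussed above: the access-list direction (the entries as first posted, with `any` as the source, versus the corrected entries that name the three ISP relays) and the two forms of `static` (port redirection for SMTP only versus the one-to-one mapping). The addresses 198.51.100.1, 203.0.113.1-3 and 192.0.2.50 are constructed placeholders from the documentation ranges, standing in for the thread's xxx.xx.xx.N values. The model translates the destination before evaluating the ACL so the entries can use 10.10.0.2 as written in the thread; which address a real PIX applies its outside ACL to depends on the software version and is deliberately not modelled.

```python
"""Simplified model of inbound SMTP through a static NAT and an access list.

Added illustration for the thread, not PIX/ASA code: matching is reduced to
source / destination / port comparisons so the ACL-direction point and the two
static forms can be checked on sample packets.
"""
from dataclasses import dataclass
from typing import List, Optional

ISP_MX = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]  # constructed: the ISP's three relays
PUBLIC_IP = "198.51.100.1"                                # constructed: the single external IP
EXCHANGE = "10.10.0.2"                                    # internal Exchange server, as in the thread
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    src: str               # "any" or a single host address
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class StaticNat:
    global_ip: str
    local_ip: str
    port: Optional[int]    # None = one-to-one static (all ports); otherwise port redirection


def _addr(tokens: List[str], i: int):
    """Parse 'any' or 'host <ip>' starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def _port(token: str) -> int:
    return SERVICE_PORTS.get(token) or int(token)


def parse_acl_line(line: str) -> AclEntry:
    """access-list NAME permit|deny tcp <src> <dst> [eq <service>]"""
    t = line.split()
    if t[0] != "access-list" or t[3] != "tcp":
        raise ValueError(f"not a tcp access-list entry: {line}")
    src, i = _addr(t, 4)
    dst, i = _addr(t, i)
    dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return AclEntry(t[2], src, dst, dport)


def parse_static(line: str) -> StaticNat:
    """static (inside,outside) tcp <global> <svc> <local> <svc> ...  |  static (inside,outside) <global> <local> ..."""
    t = line.split()
    if t[2] == "tcp":                       # port redirection form
        return StaticNat(t[3], t[5], _port(t[4]))
    return StaticNat(t[2], t[3], None)      # one-to-one form


def translate_inbound(static: StaticNat, pkt: Packet) -> Optional[Packet]:
    """Rewrite the destination to the inside address, or return None if nothing maps the packet."""
    if pkt.dst != static.global_ip:
        return None
    if static.port is not None and pkt.dport != static.port:
        return None
    return Packet(pkt.src, static.local_ip, pkt.dport)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; every access list ends in an implicit deny."""
    for e in acl:
        if (e.src == "any" or e.src == pkt.src) and (e.dst == "any" or e.dst == pkt.dst) \
                and (e.dport is None or e.dport == pkt.dport):
            return e.action == "permit"
    return False


def inbound_allowed(static_line: str, acl_lines: List[str], pkt: Packet) -> bool:
    """Translate first, then evaluate the ACL on the translated packet (simplified model)."""
    translated = translate_inbound(parse_static(static_line), pkt)
    if translated is None:
        return False
    return acl_permits([parse_acl_line(line) for line in acl_lines], translated)


# The ACL as first posted: source "any", destination the Exchange host.
ACL_AS_POSTED = [f"access-list out_in permit tcp any host {EXCHANGE} eq smtp"]
# The ACL as corrected in the thread: source restricted to the three ISP relays.
ACL_CORRECTED = [f"access-list out_in permit tcp host {mx} host {EXCHANGE} eq smtp" for mx in ISP_MX]
STATIC_ONE_TO_ONE = f"static (inside,outside) {PUBLIC_IP} {EXCHANGE} netmask 255.255.255.255 0 0"
STATIC_PORT_REDIRECT = f"static (inside,outside) tcp {PUBLIC_IP} smtp {EXCHANGE} smtp netmask 255.255.255.255 0 0"

if __name__ == "__main__":
    stranger = Packet("192.0.2.50", PUBLIC_IP, 25)   # constructed: an arbitrary internet host
    relay = Packet(ISP_MX[0], PUBLIC_IP, 25)
    print("posted ACL, stranger:", inbound_allowed(STATIC_ONE_TO_ONE, ACL_AS_POSTED, stranger))     # True
    print("corrected ACL, stranger:", inbound_allowed(STATIC_ONE_TO_ONE, ACL_CORRECTED, stranger))  # False
    print("corrected ACL, relay:", inbound_allowed(STATIC_ONE_TO_ONE, ACL_CORRECTED, relay))        # True
```

The two checks worth noting: with the ACL as first posted, an arbitrary host reaches port 25 because `any` is in the source position, while the corrected entries admit only the three relays; and with the port-redirection static, a packet to any port other than 25 is never translated at all, whereas the one-to-one static translates every port and relies on the ACL's implicit deny to drop them.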
 