PAT

Status
Not open for further replies.

jfwebber

MIS
May 7, 2002
277
US
Got a question on something I have never given any thought to before but the need may arise to implement this. Currently using PAT for our company access to the internet. Currently the public IP address used for PAT does not have a DNS entry. I cannot think of any reason that would cause any adverse effects should I give it one. Would rather not get into a discussion on why one may be needed.

Any advice would be appreciated. Thanks.

Jim W MCSE CCNA
Director of Network Services
 
so what are you asking? are you only looking for the 'cons'?
 
Yes...just looking for the 'cons'. Thanks.

Jim W MCSE CCNA
Director of Network Services
 
Here is the situation. Recently implemented a data loss prevention solution (DLP). The solution will examine SMTP transmissions. In order for the solution to examine SMTP traffic I need to forward all SMTP to the DLP appliance. The DLP appliance inspects the traffic and if it passes the rules I have established it will forward to the email recipient.

Once the email has been forwarded by the DLP appliance its source IP is our PAT address. Many ISPs check for reverse DNS records and if one does not exist the email is rejected. Hence, my reasoning for thinking about adding an A and PTR record.

I am asking this in this forum as I am using an ASA5520.

Thanks.

Jim W MCSE CCNA
Director of Network Services
 
I would not see a problem adding the reverse record. Anyone trying to exploit your domain could easily use the IP address instead. Not to mention if the ISP rejects the email, you may have unhappy clients not getting email. If you do not have a reverse record, what are the chances of becoming black listed when sending mail?
 
There is a chance of being black listed but I am more concerned with our customers, business partners, etc. not receiving emails that they are expecting.

One of the biggest ISPs that our customers use is Comcast. I know for a fact that Comcast will reject emails for lack of a reverse record.

Thanks for your reply.

Jim W MCSE CCNA
Director of Network Services
 
I'm sure that you had your own e-mail server set up before the DLP was in place?? Not only should you have your PTR created, but you should also create an SPF record.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, I have my own e-mail server set up before the DLP solution was in place and do have a PTR record created. However, the source IP of the email once it is inspected and forwarded by the DLP solution is that of our PAT IP address and not that of our mail server.

Thanks for the reply.

Jim W MCSE CCNA
Director of Network Services
 
It won't cause a problem. Do you need it to have an MX record as well??

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Supergrrover.. thanks for the reply. An MX record is not needed.

Jim W MCSE CCNA
Director of Network Services
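
The reverse-DNS test this thread is about, as an added example that is not part of any post above: a receiving mail server looks up the PTR for the connecting IP and, in the stricter forward-confirmed form, checks that the returned name has an A record pointing back at that IP, which is why the A and PTR records are added as a pair. The addresses, hostnames and the `sample_check` helper are constructed for illustration (192.0.2.0/24 is a documentation range), and the exact policy of any given receiver is an assumption.

```python
import socket

def reverse_lookup(ip):
    """PTR lookup through the system resolver; [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def forward_lookup(name):
    """A/AAAA lookup through the system resolver; [] on failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def check_fcrdns(ip, ptr=reverse_lookup, fwd=forward_lookup):
    """Judge a connecting IP the way a receiving MTA might.

    Returns (verdict, names): 'no_ptr' when there is no reverse record,
    'ptr_mismatch' when a PTR exists but no returned name resolves back
    to the IP, 'pass' when at least one name is forward-confirmed.
    """
    names = ptr(ip)
    if not names:
        return ("no_ptr", [])
    confirmed = [n for n in names if ip in fwd(n)]
    if confirmed:
        return ("pass", confirmed)
    return ("ptr_mismatch", names)

# Constructed zone data standing in for live DNS so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.com"],  # mail server: PTR and A agree
    "192.0.2.30": ["out.example.com"],   # PTR added, matching A forgotten
}  # 192.0.2.20 plays the PAT address with no DNS entry at all
SAMPLE_A = {
    "mail.example.com": ["192.0.2.10"],
    "out.example.com": ["192.0.2.99"],
}

def sample_check(ip):
    """Run check_fcrdns against the constructed records above."""
    return check_fcrdns(ip, ptr=lambda i: SAMPLE_PTR.get(i, []),
                        fwd=lambda n: SAMPLE_A.get(n, []))

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(addr, sample_check(addr))
```

Calling `check_fcrdns("<your PAT address>")` with the default resolvers runs the same test against live DNS after the records are published.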
 