
What the heck was that....MX help!


makemorebeer

Technical User
Jun 6, 2007
96
US
It has recently come to my attention that although my e-mail is working correctly, it seems to be sending from the wrong IP address. We have a block of five IP addresses; let's say they are 101, 102, etc. Well, the MX record uses address 101 for inbound e-mail. NAT rules are working smashingly. The default outbound route for internet is 102. Yes, we're keeping internet and e-mail separate. It appears that the outbound e-mail from my company is leaving with the 102 address as the originating IP even though the MX is the 101 address. I'd like to somehow make the port 25 traffic exit the router on the 101 address instead of the 102 address. We are using Exchange 2003, sunmicro's mailfoundry, and the router is a Cisco 1811. Tell me what you guys think.
 
I would assume that your static for your mail server is merely forwarding port 25 to said server. Merely remove the tcp port and make it a normal static.


For example

ip nat inside source static tcp 10.10.10.1 25 172.16.130.2 25

Change to

ip nat inside source static 10.10.10.1 172.16.130.2

Then

clear ip nat translations
 
I'm not sure I follow... Wouldn't that just open up all the ports on that address instead of restricting it to 25?
 
No, NAT statements such as that control the mapping of public IP addresses to private IP addresses. You use an access-list to restrict ports.
 
Starting to make a little more sense. How does that play into my OWA though? I've got a static on port 25 to our spam filter which then forwards to Exchange, and then I've got another static to the Exchange server on port 80 for OWA. If I do a straight static like that, wouldn't it break my OWA connection? Without specifying a port I couldn't send the same external IP to two different internal IPs, could I?
 
Post your nat and relevant access-lists ... be sure to mask public ip addresses.
 
ip nat inside source route-map SDM_RMAP_1 interface x.x.x.121 overload (nat rule to allow things like internet, and other inbound outbound services)
ip nat inside source static tcp 10.0.0.25 22 x.x.x.125 22 extendable (nat rule to allow only port 22 for maint. reasons)
ip nat inside source static tcp 10.0.0.25 25 x.x.x.125 25 extendable (to allow SMTP traffic)
ip nat inside source static tcp 10.1.254.3 80 x.x.x.125 80 extendable (to allow OWA)
ip nat inside source static tcp 10.0.0.25 110 x.x.x.125 110 extendable (To allow port 110 POP3, not used though)

inbound ACL's
permit tcp any eq x.x.x.121
permit tcp any host x.x.x.125 eq smtp
permit tcp any host x.x.x.125 eq www
deny ip any host x.x.x.125

Outbound ACL (DMZ)
permit tcp host 10.0.0.21 any eq is a proxy web filter)
permit tcp host 10.0.0.21 any eq 443
permit ip host 10.0.0.25 10.1.0.0 0.0.255.255
permit ip host 10.0.0.25 any (10.0.0.25 is a spam filter)
deny ip any any

Outbound ACL (Corp Network)
permit tcp 10.1.0.0 0.0.255.255 host 10.0.0.21 eq 80
permit tcp 10.1.0.0 0.0.255.255 10.0.0.0 0.0.255.255 eq www
deny tcp 10.1.0.0 0.0.255.255 any eq www
deny ip any any log

Acl's have been edited to contain only relevant information.
 
I had a similar problem where my mail was being sent via a different IP than what the MX record showed, and it was causing issues on some mail servers.
As you'll see below, I was using the same internal address for different services but using different external addresses. My static NATs and PATs were conflicting with each other, resulting in my mail coming from my WAN address which was supposed to be just for
I ended up fixing it by using static NATs with route-maps.

The below config isn't exactly what I was using, and the config has been changed, but this is basically what I remember using.

example
x.x.x = internal ip
y.y.y = public ip

! - SMTP nat statement
ip nat inside source static x.x.x.10 y.y.y.245 route-map SMTP extendable
! - WAN nat statement
ip nat inside source static x.x.x.10 y.y.y.253 route-map WAN extendable


route-map SMTP deny 10
match ip address WAN
!
route-map SMTP permit 20
match ip address SMTP

route-map WAN deny 10
match ip address SMTP
!
route-map WAN permit 20
match ip address WAN


ip access-list extended SMTP
permit tcp host x.x.x.10 any eq smtp
deny ip any any

ip access-list extended WAN
deny tcp host x.x.x.10 eq smtp any
permit ip x.x.x.0 0.0.0.255 any

let me know if that helps at all...
 
Sorry I didn't get a chance to try this out until now. Worked like a charm. Thanks for the help.
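
One way to confirm which public address outbound mail actually leaves from after a NAT change like the one in this thread: send a test message to an outside mailbox and read its Received chain. This is an added example, not code from any poster; the sample message, host names and 203.0.113.x addresses are constructed stand-ins for the masked "101" and "102" addresses.

```python
import ipaddress
import re
from email import message_from_string

# Constructed test message as saved from an outside mailbox. 203.0.113.101
# stands in for the MX address ("101"), 203.0.113.102 for the default
# outbound address ("102"); every name and address here is made up.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.102])
\tby mx.recipient.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from exchange.corp.example ([10.1.254.3])
\tby filter.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: tester@example.com
To: probe@recipient.example
Subject: NAT source check

test body
"""

INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def observed_source(raw_message):
    """Return the address the outside server saw the mail arrive from.

    Each hop prepends its Received header, so walking from the top, the first
    non-internal address in a "from" clause is the post-NAT source address.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        # Keep only the "from" clause; the "by" clause names the receiving host.
        from_clause = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        for text in BRACKETED_IP.findall(from_clause):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. [999.1.1.1]: not a real address
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

def check_outbound(raw_message, expected_ip):
    """Compare the observed source with the address the MX record points at."""
    seen = observed_source(raw_message)
    return {"observed": seen, "expected": expected_ip, "match": seen == expected_ip}

if __name__ == "__main__":
    print(check_outbound(SAMPLE, "203.0.113.101"))
```

On the constructed sample the check reports a mismatch, which is the symptom described in the first post; after the NAT change the same test message should show the MX address in the top-most Received header.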
 