10.15.2008 at 11:30AM PDT, ID: 23817793

Why does Exchange Server Send From Firewall External IP?

Asked by briant97 in Simple Mail Transfer Protocol (SMTP), SBS Small Business Server, Networking Hardware Firewalls

We set up an Exchange SBS server behind a Cisco Firewall.  The Exchange Server external IP is xxx.xxx.xxx.130 and the Cisco external IP is xxx.xxx.xxx.132.  We set up a reverse record for our domain as the Exchange server IP address and we were getting a large number of "bounces."  In the receiving messages our Exchange Server is reported as the firewall external IP address.  So we changed the reverse record to point to the firewall IP and now everything appears to be going out, but occasionally some users get bounces like this:

You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <mail.server.local #5.7.1 smtp;550 5.7.1 <joe@mailserver.com>... Relaying denied. IP name possibly forged [xxx.xxx.xxx.132]>

How can I change this setup to get the Exchange Server reported as the correct IP address?  Here is the config of my cisco.  Any help would be greatly appreciated.

Current configuration : 4790 bytes
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
memory-size iomem 25
aaa new-model
!
!
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip cef
ip inspect name Firewall cuseeme
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip inspect name Firewall http java-list 50
ip audit po max-events 100
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map secure 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set security-association lifetime seconds 28800
 set transform-set myset
 match address 110
!
!
!
interface Tunnel0
 description Connected to xxxx
 ip address 192.168.201.2 255.255.255.252
 tunnel source Ethernet0
 tunnel destination xxx.xxx.xxx.xxx
!
interface Ethernet0
 description Internet DSL
 ip address xxx.xxx.xxx.132 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Firewall out
 no ip route-cache cef
 no ip route-cache
 full-duplex
 no cdp enable
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 172.16.237.1 255.255.255.0
 ip access-group 100 in
 ip helper-address 192.168.1.2
 ip nat inside
 ip tcp adjust-mss 1300
 speed auto
 no cdp enable
!
ip nat pool natpool-1 xxx.xxx.xxx.130 xxx.xxx.xxx.134 netmask 255.255.255.248
ip nat inside source route-map mustnat interface Ethernet0 overload
ip nat inside source static tcp 172.16.237.14 3389 xxx.xxx.xxx.130 3389 extendable
ip nat inside source static tcp 172.16.237.14 1723 xxx.xxx.xxx.130 1723 extendable
ip nat inside source static tcp 172.16.237.14 25 xxx.xxx.xxx.130 25 extendable
ip nat inside source static tcp 172.16.237.14 443 xxx.xxx.xxx.130 443 extendable
ip nat inside source static tcp 172.16.237.14 80 xxx.xxx.xxx.130 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.129
ip route 192.168.1.0 255.255.255.0 192.168.201.1
ip http server
no ip http secure-server
!
!
access-list 1 permit 172.16.237.0 0.0.0.255
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit gre any any
access-list 101 permit gre host xxx.xxx.xxx.xxx any
access-list 101 permit udp host xxx.xxx.xxx.xxx any eq isakmp
access-list 101 permit esp host xxx.xxx.xxx.xxx any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host xxx.xxx.xxx.130 eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.130 eq 443
access-list 101 permit tcp any host xxx.xxx.xxx.130 eq 1723
access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.31 host xxx.xxx.xxx.130 eq smtp
access-list 101 permit tcp xxx.xxx.xxx.xxx 0.0.0.31 host xxx.xxx.xxx.130 eq smtp
access-list 101 permit tcp any host xxx.xxx.xxx.130 eq www
access-list 105 permit ip 172.16.237.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 172.16.237.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny   ip 172.16.237.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 172.16.237.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map mustnat permit 10
 match ip address 120
!
snmp-server enable traps tty
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 access-class 105 in
 exec-timeout 240 0
!
end
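The following is an added example, not part of the original question or of any expert's answer. It models how the posted NAT rules decide which public address a remote mail server sees: the `ip nat inside source static tcp ... extendable` entries cover only the listed inside ports, so an outbound SMTP connection from the Exchange host (random source port) falls through to the `overload` rule and leaves with the Ethernet0 address (.132), which no longer agrees with a PTR record on .130. The assumed IOS matching order (1:1 static, then port-static, then dynamic overload), the 203.0.113.x public prefix, the hypothetical full 1:1 mapping and the DNS records are constructed for the example.

```python
"""Model of how the posted IOS NAT rules choose the public source address.
Assumed IOS semantics: a static port entry ('extendable') matches only traffic on
that inside port; anything else from an 'ip nat inside' host falls through to the
dynamic overload rule, which PATs it to the 'ip nat outside' interface address.
Public addresses are constructed stand-ins for xxx.xxx.xxx.130/.132 in the post."""
from dataclasses import dataclass

PUBLIC_PREFIX = "203.0.113."              # constructed stand-in for xxx.xxx.xxx.
EXCHANGE_LAN = "172.16.237.14"            # inside host from the static NAT lines
EXCHANGE_PUBLIC = PUBLIC_PREFIX + "130"   # address the PTR record is meant to name
FIREWALL_IFACE = PUBLIC_PREFIX + "132"    # Ethernet0 address used by 'overload'

@dataclass(frozen=True)
class StaticPort:
    inside_ip: str
    inside_port: int
    global_ip: str

# The five 'ip nat inside source static tcp ... extendable' lines from the post.
POSTED_RULES = [StaticPort(EXCHANGE_LAN, p, EXCHANGE_PUBLIC) for p in (3389, 1723, 25, 443, 80)]
# Hypothetical alternative: one full 1:1 static mapping that covers every port.
FULL_STATIC = {EXCHANGE_LAN: EXCHANGE_PUBLIC}

def outbound_source(src_ip, src_port, static_ports, full_static=None):
    """Public address a remote MTA sees for a connection from src_ip:src_port."""
    full_static = full_static or {}
    if src_ip in full_static:                     # 1:1 static wins for every port
        return full_static[src_ip]
    for rule in static_ports:                     # port-specific static entries
        if rule.inside_ip == src_ip and rule.inside_port == src_port:
            return rule.global_ip
    return FIREWALL_IFACE                         # dynamic overload on Ethernet0

def rdns_consistent(observed_ip, ptr_records, a_records):
    """Forward-confirmed reverse DNS: the PTR name of observed_ip must resolve back to it."""
    name = ptr_records.get(observed_ip)
    return name is not None and observed_ip in a_records.get(name, ())

if __name__ == "__main__":
    # Constructed DNS data: PTR and A records both name the intended .130 address.
    ptr = {EXCHANGE_PUBLIC: "mail.example.com."}
    a = {"mail.example.com.": (EXCHANGE_PUBLIC,)}
    for label, extra in (("posted config", None), ("full static", FULL_STATIC)):
        seen = outbound_source(EXCHANGE_LAN, 51234, POSTED_RULES, extra)  # ephemeral port
        print(f"{label}: SMTP appears from {seen}, rDNS consistent={rdns_consistent(seen, ptr, a)}")
```

With the posted rules the check fails for the ephemeral-port case, which is the same mismatch a receiving MTA reports as "IP name possibly forged"; with a full 1:1 mapping the observed address and the PTR record agree.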
[+][-]10.15.2008 at 11:33AM PDT, ID: 22724119

About this solution

Zones: Simple Mail Transfer Protocol (SMTP), SBS Small Business Server, Networking Hardware Firewalls
Tags: Microsoft, Windows 2003 SBS Exchange, SP2, Cisco, 1710 series Security Router
Solution Provided By: Mikealcl
Participating Experts: 2
Solution Grade: A
[+][-]10.15.2008 at 11:43AM PDT, ID: 22724216