Issues w/ Exchange and NAT on a Cisco PIX 501
Posted on 2006-03-21
I recently deployed an Exchange server, and am getting some messages kicked back from large ISPs like AOL and Comcast. Whenever the message gets kicked back, I get a message from the System Administrator that includes the following:
<xxxx01.x.CORP #5.5.0 smtp;521-EHLO/HELO from sender xxx.xxx.xxx.122 does not map to xxxx01.x.corp in DNS>
I am assuming this means that AOL is doing a reverse DNS lookup of the originating IP address and finding that it does not match the reverse DNS entry, and is classifying it as spam. That is easy enough, but the problem is that my mail should be originating from .123, which matches the reverse DNS entry.
My network is configured with my Exchange server on the inside of the PIX with a static translation from 10.0.1.11 to the .123 address. I think the problem resides with another entry on my PIX:
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
As far as I can tell, this entry is translating all of my private addresses to the interface address of .122, which conflicts with the static translation referenced above, but is consistent with my problem. My two servers reside at .10 and .11, and my workstations use the range .100 - .255. I think I need to remove the NAT entry above, and replace it with one that specifies translation of the workstation range to a few public IPs, .125 and .126, but I don't know how to write that command. Any help?
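The following is an added configuration example of the static / nat / global pattern the post is asking about; it is not the poster's configuration. It assumes PIX OS 6.x syntax and uses the TEST-NET range 203.0.113.x in place of the elided public /29 (.122 outside interface, .123 for Exchange); the .124 mapping for the second server and the /29 outside mask are assumptions. Comment lines use the PIX's own `:` marker. One point worth knowing before changing anything: on the PIX, a full host static takes precedence over any nat/global pair, so a correctly entered static for 10.0.1.11 should already win over the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0`. If the server is still leaving as .122, check with `show xlate` whether the static is really a host static rather than a port-level (tcp/smtp) static, which only covers inbound connections.

```cisco
: Added example, not the original post's configuration.
: 203.0.113.x stands in for the poster's elided public /29.
:
: 1. One-to-one statics for the servers. A host static overrides dynamic
:    nat/global, so 10.0.1.11 leaves as .123 regardless of the nat rules.
static (inside,outside) 203.0.113.123 10.0.1.11 netmask 255.255.255.255 0 0
: Assumed mapping for the second server at .10 (not stated in the post).
static (inside,outside) 203.0.113.124 10.0.1.10 netmask 255.255.255.255 0 0
:
: 2. Replace the catch-all rule with one that covers only the workstations.
:    nat takes a network and a mask, so .100-.255 becomes two blocks
:    (10.0.1.96/27 also includes the unused .96-.99).
no nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 10.0.1.96 255.255.255.224 0 0
nat (inside) 1 10.0.1.128 255.255.255.128 0 0
:
: 3. Bind NAT ID 1 to the public address the workstations should share.
:    A single address in a global is a PAT address; a range (a-b) is a
:    one-to-one pool and would be exhausted by ~150 workstations unless a
:    PAT address is also defined, so .125 is used as PAT and .126 is left free.
global (outside) 1 203.0.113.125 netmask 255.255.255.248
:
: 4. Existing translations built under the old rule persist until cleared.
clear xlate
```

After `clear xlate`, `show xlate` should list 10.0.1.11 mapped to .123 and workstations mapped to .125 with per-connection ports. Note that the bounce quoted in the post also complains that the EHLO/HELO name `xxxx01.x.corp` does not resolve in public DNS; fixing the NAT only fixes the source address, and the announced name is set on the Exchange SMTP virtual server (Delivery > Advanced > Fully-qualified domain name) and should match the reverse DNS record for .123.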