Solved

Separate IP Address for outgoing SMTP traffic.

Posted on 2007-08-08
Last Modified: 2012-05-05
I would like to set up my Cisco PIX-515E to use a different IP address for outgoing SMTP traffic than for all other outgoing traffic. Is this possible? Currently all traffic is using the same external IP address. This is fine except for the fact that my MX record with my ISP is different from the actual IP address it is using. I am currently set up to receive SMTP traffic for that MX record. I would like to have my outgoing SMTP traffic use the address of my MX record, with all other traffic using the current IP address that everything is using now.
Question by:w33mhz
16 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 19658463
Is your mail server on its own machine behind the firewall, so that a single fixed static entry in and out for that machine will work, and does the public MX IP belong to the assigned IPs transiting through the PIX?
 
LVL 19

Expert Comment

by:nodisco
ID: 19658482
Hi

For SMTP to have its own exclusive IP address, it would need to have a separate static from the rest of the NATed traffic, i.e. you may see lines in your PIX config NATing traffic and using PAT to translate your SMTP server,
e.g.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp interface 25 [smtp server] 25 netmask 255.255.255.255

In this example the whole internal network is NATed to the interface (which is the outside interface IP), as is the SMTP server.

You would need to change your smtp translation to a different ip by removing the static above and entering:
static (inside,outside) [public ip] [smtp server] netmask 255.255.255.255

And changing any related access-lists for this new address.  Do you have a free ip address to do this with?
hth
 

Expert Comment

by:andrewmcgrath_au
ID: 19659356
Does it matter where mail leaves from? That's not a responsibility of MX records, is it? MX is for incoming mail and telling the world where to send it...

Just send it out via another net connection through another firewall / router? What's the drama :S?

Or you can just pass on mail to another SMTP server and have it deal with it, therefore not releasing your IP to the public (which I assume is why you are doing this?). They could though see the header info and where it originated from, but most likely that'd be an internal IP anyway, and in that case who cares.
 
LVL 5

Expert Comment

by:kmotaweh
ID: 19660754
I will try to talk to you from the server side, not from the PIX side: you can add an extra IP to the server and add a NAT command to the PIX to resolve the IP address that you added to the server.
 
LVL 4

Author Comment

by:w33mhz
ID: 19661468
OK, to answer all the questions:

Yes, it is on its own box. Yes, I have an external IP I can give it. The external IP address of the outgoing mail does NOT have to be the same as the MX record, but these days with all the spam firewalls and blacklisting, if your sending IP address doesn't match your MX you can (not saying definitely will) get classified as SPAM because the two aren't the same. That is my "drama": we got blacklisted a week or so ago and I am still trying to clean up the residuals from that mess. Now that we did get off the blacklist we still aren't free and clear.
Yes, I could try to pass the mail on to my ISP's mail server, but quite frankly I don't trust them, in the respect that my mail would get delivered in a timely manner. I just had an incident the other day where I had to use other DNS servers for my forwarder instead of my ISP's because they were having issues with them, not an uncommon thing for them, but this is all beside the point.
I don't believe there are any lines in my config that state:
nat (inside) x.x.x.x 0.0.0.0  or
global (outside) 1 interface
but I will check again; I do miss things now and then. I do think you are on to something with that though, I just really don't know the syntax for it very well.
 
LVL 29

Expert Comment

by:Jan Springer
ID: 19662017
If your MX server is not the same as your outbound relay server, you will not get blacklisted.  There are just too many companies and providers that split these functions with different [sets] of servers.

If you truly want to minimize spam:

1) Force all company traffic to use the relay mail server by blocking port 25 except to your own relay server
2) Use SPF records
3) Quickly follow up on complaints and respond with a description of how you handled the offender
4) Make sure forward and inverse DNS for your outbound mail server match
5) If you're using a *nix mail relay server, optionally install MailScanner+Spamassassin+Clamav
 
LVL 4

Author Comment

by:w33mhz
ID: 19663410
OK, like I said before, I do miss things now and then, but here we go.
I have the following listed:
global (outside) 2 x.x.x.x
global (outside) 3 InetServices
global (outside) 5 SMTPAccess
global (DMZ) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 DSM_LAN 255.255.0.0 0 0
nat (inside) 2 WAN_Networks 255.255.0.0 0 0

The "SMTPAccess" is the address of my MX record, so I think I am half way there already, but I need to do like jesper suggested and block all SMTP traffic outbound except for my mail server. But how do I force that allowed traffic to use a different IP address? Would the following command be correct to limit my SMTP traffic?

access-list mail permit ip host SMTPOut any

SMTPOut is the internal IP address of my mail server
 
LVL 29

Expert Comment

by:Jan Springer
ID: 19664442
Are you asking how to create an ACL to limit outbound port 25 connections?
 
LVL 4

Author Comment

by:w33mhz
ID: 19664660
Yes that is what I am asking.
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 2000 total points
ID: 19665256
If the internal IP address of your mail server is 192.168.1.11:

access-list in_inbound permit tcp host 192.168.1.11 any eq 25
access-list in_inbound deny tcp any any eq 25
access-list in_inbound permit ip any any

access-group in_inbound in interface inside
 
LVL 4

Author Comment

by:w33mhz
ID: 19665360
Awesome, now how do I have all traffic on port 25 use a certain IP address?
 
LVL 29

Expert Comment

by:Jan Springer
ID: 19665807
Is port 25 traffic going to originate from more than one machine and is the IP that you want to use part of the public network block on the firewall?
 
LVL 4

Author Comment

by:w33mhz
ID: 19666137
It is currently one machine. I will have another later down the road. I believe I can just use an object-group for that, can't I?
 
LVL 29

Accepted Solution

by:Jan Springer
Jan Springer earned 2000 total points
ID: 19666329
You can use objects, but I wouldn't if it is simpler to add a single line to the access for one machine.

192.168.1.11 == private IP
172.16.1.1   == public IP

! translate all inside packets from this private IP to this public IP, and
! translate all outside packets for this public IP to this private IP
! (the second direction is only used when the outside needs to establish a session with this public IP)
static (inside,outside) 172.16.1.1 192.168.1.11 netmask 255.255.255.255

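As an added example (not code from this thread or from Cisco), a small Python model of the two pieces of the answer above: the static for the mail server from the accepted solution and the inside-interface ACL from the assisted solution. The PIX fragment is constructed from the thread's lines, with 203.0.113.5 standing in for the question's x.x.x.x PAT address.

```python
import ipaddress
# Constructed PIX fragment modelled on this thread's static, nat/global and in_inbound lines
# (203.0.113.5 stands in for the x.x.x.x PAT address in the question).
PIX_CONFIG = """
global (outside) 2 203.0.113.5
nat (inside) 2 192.168.0.0 255.255.0.0 0 0
static (inside,outside) 172.16.1.1 192.168.1.11 netmask 255.255.255.255
access-list in_inbound permit tcp host 192.168.1.11 any eq 25
access-list in_inbound deny tcp any any eq 25
access-list in_inbound permit ip any any
access-group in_inbound in interface inside
"""
def parse(config):
    """Collect static NATs (real -> mapped), ACL entries, dynamic nat pools and globals."""
    statics, acl, nats, globals_ = {}, [], [], {}
    for f in (line.split() for line in config.strip().splitlines()):
        if f[0] == "static":          # static (real,mapped) mapped_ip real_ip netmask mask
            statics[f[3]] = f[2]
        elif f[0] == "access-list":   # access-list name action proto src dst [eq port]
            acl.append(f)
        elif f[0] == "nat" and f[2] != "0":   # nat (ifc) id network mask ...
            nats.append((f[2], ipaddress.ip_network(f"{f[3]}/{f[4]}")))
        elif f[0] == "global":        # global (ifc) id mapped_ip
            globals_[f[2]] = f[3]
    return statics, acl, nats, globals_

def _acl_match(fields, src, dport):
    """Does one entry (proto src dst [eq port]) match a TCP flow from src to port dport?"""
    proto, toks, addrs = fields[3], fields[4:], []
    while len(addrs) < 2:             # src and dst are each "any" or "host X"
        addrs.append(None if toks[0] == "any" else toks[1])
        toks = toks[1:] if toks[0] == "any" else toks[2:]
    port = int(toks[1]) if toks[:1] == ["eq"] else None
    return addrs[0] in (None, src) and (port is None or (proto == "tcp" and port == dport))

def outbound_permitted(acl, src, dport):
    """First-match evaluation of the inside ACL; a PIX ACL ends with an implicit deny."""
    for f in acl:
        if _acl_match(f, src, dport):
            return f[2] == "permit"
    return False

def outbound_source(statics, nats, globals_, src):
    """Public address the PIX presents for src: a static wins over the dynamic nat/global PAT."""
    if src in statics:
        return statics[src]
    hit = next((gid for gid, net in nats if ipaddress.ip_address(src) in net), None)
    return globals_.get(hit)
STATICS, ACL, NATS, GLOBALS = parse(PIX_CONFIG)
```

With this config only the mail server may open outbound port 25, and it leaves the PIX as 172.16.1.1 while every other inside host is PATed to 203.0.113.5.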
 
LVL 4

Author Comment

by:w33mhz
ID: 19666364
Thank You, I will try that out.