Control which public IP exchange 2k3 uses to deliver mail?

Posted on 2007-09-27
Last Modified: 2012-08-14
I have recently been getting reports from users that email messages are getting bounced back to us from some of our clients.  The most recent error says: "Your IP xxx.xxx.xxx.130 does not have a reverse DNS entry"

The way our network is set up currently is basically like this: T1 > Cisco > Watchguard Firebox (doing the NAT) >  and our handful of public IPs are assigned on its interface: .130 - .136.  A few months ago, we moved our mail server (and accompanying DNS & reverse DNS) from .130 to .132 because we set up a dedicated exchange 2k3 server.  But, apparently, when our server connects to another to deliver mail, the .130 address is showing up, which doesn't match our DNS or rDNS.

Any ideas on how I can fix this?  The MX, in case anyone wants to do some checking, is mail.wrightengineers.com
Question by:David Williamson

25 Comments
LVL 13

Expert Comment

by:bluetab
ID: 19975689
It doesn't look like you have rDNS setup for 204.118.126.232.  When I do a reverse lookup I get
Pinging host-204-118-126-232.hemonc1.com [204.118.126.232].  
I also looked up the IP on arin.net and it showed it belonging to Sprintlink rather than pointing to your company.
 
LVL 13

Expert Comment

by:bluetab
ID: 19975701
I also did a rDNS lookup at dnsstuff.com and got the following result (see link).  I would recommend contacting your ISP and having them set this up again.
http://www.dnsstuff.com/tools/ptr.ch?ip=204.118.126.232
 
LVL 2

Author Comment

by:David Williamson
ID: 19975705
you've got the wrong IP: it's 204.118.126.132
 
LVL 2

Author Comment

by:David Williamson
ID: 19975713
where did you look that up, btw?  If you looked up mail.wrightengineers.com, you wouldn't have gotten a .232 address...
 
LVL 13

Assisted Solution

by:bluetab
bluetab earned 400 total points
ID: 19976340
Sorry about that.  I hate that fat finger of mine.  I went to www.dnsstuff.com.  Now that I type in the correct IP address it does show a correct rDNS.  I would recommend setting up a reverse entry for your .130 address.  The problem is that your Watchguard Firebox is masking the actual IP address of your mail server.  What model of Firebox do you have?  It may be possible to configure it to pass on the public IP address of the mail server rather than its own IP.
 
LVL 2

Author Comment

by:David Williamson
ID: 19979644
It's the Firebox Core X500.  I was thinking the same thing.  I may have to pony up for the LiveSecurity subscription to even find out if that is possible.
 
LVL 13

Expert Comment

by:bluetab
ID: 19979952
I can't find anything telling me how to configure that firewall and I'm not familiar with that brand.  I would recommend setting up a rDNS record for .130 first.  Point that to mail.wrightengineers.com and that should take care of your problem.
 
LVL 2

Author Comment

by:David Williamson
ID: 19980015
will it matter that there are two rDNS entries that have two different public IPs pointing to the same domain name?
 
LVL 13

Expert Comment

by:bluetab
ID: 19980133
No, it doesn't.  Actually, it doesn't matter what the rDNS entry is.  When servers look up the rDNS entry they are just trying to see if the IP is "owned" by someone and doesn't have the default entry.  This would be the case for companies who host their mail somewhere and thus share the same public IP with several others.
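The checks the thread walks through by hand (does the sending IP have a PTR, and does that PTR point back at the MX host?) can be scripted as a forward-confirmed reverse DNS check. This is an added example, not code from the thread; the host name and the RFC 5737 addresses in the sample data are constructed to mirror the .130/.132 situation described above, and the `outbound_ip` argument is whatever address the firewall actually sends from (the value the later whatismyip check reveals).

```python
import socket


def _system_a(name):
    """IPv4 addresses for a name via the system resolver ([] if it does not resolve)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def _system_ptr(ip):
    """PTR name for an address via the system resolver, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def fcrdns_check(mail_host, outbound_ip, resolve_a=_system_a, resolve_ptr=_system_ptr):
    """Check forward-confirmed reverse DNS for a mail host and for its real egress IP.

    An address is 'confirmed' when its PTR name resolves back to that same address.
    resolve_a/resolve_ptr can be swapped for offline fakes, as demo() does.
    """
    def confirm(ip):
        ptr = resolve_ptr(ip)
        back = resolve_a(ptr) if ptr else []
        return {"ptr": ptr, "confirmed": ip in back}

    advertised = {ip: confirm(ip) for ip in resolve_a(mail_host)}
    egress = confirm(outbound_ip)
    egress["ip"] = outbound_ip
    # Good records on the advertised A addresses do not help if NAT sends from another IP.
    egress["is_advertised"] = outbound_ip in advertised
    return {"advertised": advertised, "egress": egress, "ok": egress["confirmed"]}


# Constructed sample data (hypothetical host, RFC 5737 addresses): the MX and its
# PTR live on .132, but the firewall NATs outbound mail from .130, which has no PTR.
SAMPLE_A = {"mail.example.com": ["203.0.113.132"]}
SAMPLE_PTR = {"203.0.113.132": "mail.example.com"}


def demo():
    """Run the check offline for egress .130 (broken) and egress .132 (fixed by 1-1 NAT)."""
    before = fcrdns_check("mail.example.com", "203.0.113.130", SAMPLE_A.get, SAMPLE_PTR.get)
    after = fcrdns_check("mail.example.com", "203.0.113.132", SAMPLE_A.get, SAMPLE_PTR.get)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("egress .130 ok:", before["ok"], "| egress .132 ok:", after["ok"])
```

`SAMPLE_A.get(name)` returns None for an unknown name, which `confirm` treats the same as an empty list, so the fakes behave like the resolver wrappers.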
 
LVL 32

Expert Comment

by:dpk_wal
ID: 19982963
As you wish to have reverse DNS working please use 1-1 NAT instead of having static NAT; let me explain:

By default WG would NAT anything going out using the external IP address; if you wish to have the FB send traffic out using specific IP address, then you can either configure 1-1 NAT or if you have WSM 9.0 in the policy itself you have the option to do that.

What is the version of WSM you have, the actual steps would depend on the version of the software.

Please look at this article from WG website about 1-1 NAT, please note you would need to have username/password for WG site to login and view the article:
https://www.watchguard.com/support/faqs/fireware/91/set_up_1to1nat.htm

Also, note if you have WG software version 8.3.1 or higher; you might not configure 1-1 NAT but choose under Policy Properties->Advanced->NAT; Dynamic NAT, All traffic in this policy option and specify the public IP there.

Please implement and update.

Thank you.
 
LVL 2

Author Comment

by:David Williamson
ID: 19991578
The version I am running currently is 7.4.1 build 2550.  Your idea sounds like exactly what I want to do.
 
LVL 2

Author Comment

by:David Williamson
ID: 19991755
I went ahead and added a 1 to 1 NAT entry for the mail server.  How can I test it to verify that it's now using the correct public IP for mail traffic?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20004857
On the mail server go to any website which shows the IP address, e.g., http://www.whatismyip.com/

You should see the IP address listed as the 1-1 NAT IP and not the external IP of the FB.

Please check and update.

Thank you.
 
LVL 2

Author Comment

by:David Williamson
ID: 20008223
I did that check from the mail server, and still got the .130 address.  I was hoping to see the .132.  Here is a screenshot of the setting in the firebox:

http://www.wrightengineers.com/screenshots/1to1nat.gif

That seems right, doesn't it?
 
LVL 2

Author Comment

by:David Williamson
ID: 20008230
Although, hold on; that site shows the IP for port 80.  Does that make a difference?  I suppose the 1 to 1 NAT should NAT all traffic to and from that IP...
 
LVL 32

Accepted Solution

by:
dpk_wal earned 1600 total points
ID: 20011025
To verify the configuration, I am listing the steps again:

1. Create 1-1 NAT: in Policy Manager, go to Setup->NAT->Advanced->1-1 NAT Setup -> Entry exists [per screenshot the configuration is correct]
2. Now click Dynamic NAT Exceptions; if no entry click Add; configure as below:
From: 192.168.33.210; To: external [from drop-down menu]; click OK all the way back to Policy Manager window; save settings to firebox.

This should do the trick.

You are right, 1-1 NAT is applicable for the entire traffic communication and not just one specific traffic type.

Please check and update.

Thank you.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20011191
Please also make sure that the .132 IP is not listed in the alias under external; in Policy Manager go to Network->Configuration; under External Interface click Aliases button; if .132 is listed here you would need to remove it.

Please note one single IP can either be used in 1-1 NAT or in alias not both; if you have any dependency then that would need to be taken care of.

Thank you.
 
LVL 2

Author Comment

by:David Williamson
ID: 20019001
yes!  Whatismyip worked; it now shows the right public IP.  I was missing that last step, the dynamic NAT exceptions.  That being the case, I think this issue is solved.  Thx dpk_wal!
 
LVL 2

Author Comment

by:David Williamson
ID: 20019111
I seem to have run into another issue with this...

Upon doing those settings above, the correct public IP was showing up, but with .132 set in 1 to 1 NAT, the Exchange server can't SMTP to any other.  Could it have something to do with the dynamic NAT exception setting?  If I take the 1 to 1 NAT setting out, as well as the dynamic NAT exception, a telnet to another mail server works.  Any ideas?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20019358
This should not be the case because we are configuring 1-1 NAT; please advise how you have configured the outgoing SMTP service; you can configure it as:
Outgoing Enabled and Allowed
From Any [if you wish any host on the internal network to be able to connect to outside SMTP servers] OR
         192.168.33.210 [if you wish to allow only your Exchange server to make outbound connections]
To Any

I tried MX/NS/A record lookups on your domain and everything looks good; also telnet on port 25 is going through and giving the banner; just for reference I tried from IP 122.167.1.200. The settings appear fine.

I would like to know what happens when you do telnet to another mail server; do you get a blank screen or a connection timeout?

Have you made sure that there is no alias under external for the .132 IP address?  When we do 1-1 NAT we are telling the FB that all incoming traffic on .132 should be forwarded to the .210 IP, if allowed; and we need NAT exceptions, otherwise the packets would continue going out using the .130 IP address.  So, we need both the settings for the job.
Also, what are the results if you do nslookup, traceroute and pathping for those mail servers?

Please check and advise.
 
LVL 2

Author Comment

by:David Williamson
ID: 20019533
I missed the alias part, and I removed .132 from the external.  The outgoing SMTP is Any Any.  The incoming is .132 > .210; is that correct?

Telnetting gives me a connection timeout, but I am about to try it after removing the alias...will advise.
 
LVL 2

Author Comment

by:David Williamson
ID: 20019561
well, that must have been it, because now the telnet works, the public IP still shows up as .132 to the outside world, and mail is flowing in and out.  Thanks again!  Strange how the alias setting is what was preventing all that...
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20019825
As you have removed the alias, there is no way you can set up incoming as .132->.210; I think you should now have configured incoming as:
Enabled and Allowed; From Any; to .132

Good to know that the emails are flowing in and out! :)
 
LVL 2

Author Comment

by:David Williamson
ID: 20022549
This setting seems to be working, though: http://www.wrightengineers.com/screenshots/firebox_smtp.gif

Again, thank you for all your help!  I would have had to throw down a big chunk of money to renew my Live Security subscription for Watchguard tech support.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 20023232
As you have removed the alias and have not modified the SMTP service, the settings remain the way they are; if you were to delete the entry from the To box you would not be able to add it again this way [due to the absence of the alias]; after this the only option left to you would be to click Add, Add Other, and then add the public IP .132.

If fine with you, keep the settings the way they are.

Regards,
Deepak