Static NAT with ISA 2004

Hello Everyone,

I need to do a static NAT for our mailserver. Right now it's going outbound with our general external NAT address, so it's failing on reverse lookups. I need to Static map it so that it goes out with a specific External IP all the time.
LVL 1
Methodman85Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

davorinCommented:
Can you explain your problem a little bit further? What reverse lookup you are talking about?
0
leonov_alexCommented:
ISA can't Static NAT. Only Publish Rule.

On your mail server you need set up, that SMTP service tell ISA's host name.
0
Methodman85Author Commented:
Some recipients SPAM filters perform a reverse lookup on the source address that they recieve for our exchange server. So our exchange server (10.0.0.24) leaves the network with a general NAT external address (208.113.63.70), same as all other hosts on our network that access the internet.
When the end users spam filter does a reverse lookup on 208.113.63.70, they of course do not find the appropriate record.

Would adding a PRT record that points to our mailserver work? Does it make sense to have a PRT record for a general NAT address?
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Methodman85Author Commented:
Hi Leonov,

Can you explain in more detail, or point me to an article, i'm not sure what you mean

thanks
0
leonov_alexCommented:
There is my case:
1) My firewall xx.xx.xx.xx has FDQN and revers name aaaa.com
2) My Exchange 2007 behind fw has 192.168.0.5 and FDQN exch.my.firm

I go "Server Configuration" - "Hub transport" - "Receive coonectors" - "Default" - "Properties"
and set "Specify FDQN for EHLO and HELO" to aaaa.com

When Exchange connects to external SMTP throw NAT it gets xx.xx.xx.xx address, and say "EHLO aaaa.com"
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
davorinCommented:
Hi,
you are right, you have to add PTR or rDNS record that is using your external IP address, your external FQDN mail server address (noramlly same as MX record) and you soulh have the same FQDN address in yout SMTP banner. rDNS record normally sets your ISP provider.
0
Methodman85Author Commented:
The problem is that I can't set the same address as the MX record. The MX record points to .60, but the server goes out at .70 when it's natted. So a reverse PRT needs to point to .70, but that's the general NAT address of every host that leaves the firewall, won't this cause problems?

Leonov: I'm trying to understand what you mean. You're saying that you're getting your exchange server to use your firewalls DNS name and external IP address? So you're tricking the reverse lookup?
0
davorinCommented:
MX records are pointed to FQDNs, not to IP addresses. If IP addresses are not the same it will not cause you troubles. To check if anything is configured correctly you can use www.mxtoolbox.com site - SMTP test option.
The only thing that really needs to be the same is FQDN on rDNS and FQDN on SMTP banner.
0
leonov_alexCommented:
No, I change External FDQN for mail server for SMTP purposes.

RDNS must say xx.xx.xx.xx PTR aaaa.com, before all operations starts. When I bought IP address xx.xx.xx.xx I said to ISP that it must resolve to aaaa.com.
0
Keith AlabasterEnterprise ArchitectCommented:
It cannot be done - ISA does not support what you are trying to do.
Traffic will leave ISA with the main ip address set on the ISA external nic. Sorry.

Keith
ISA Forefront MVP
0
Methodman85Author Commented:
Hi Keith,
So if I set a PRT record for that external nic address pointing to the FQDN of my exchange server, should that work on reverse lookups? and would it cause any issues with anything else?
0
leonov_alexCommented:
Yes. But if your Exchange use external FDQN in HELO/EHLO commands will be better.
0
Keith AlabasterEnterprise ArchitectCommented:
Yes - it should but bear in mind that the MX record also needs to be associated with the same fqdn. They all have to tie up.
No it will not cause any conflicts with anything else.
0
Methodman85Author Commented:
Thanks Everyone, I will give this a try on Saturday.
Since the PRT is the easier fix, I'll try that first, if I'm still getting connection refused errors based on failed reverse lookups, I will try leonov's method.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.