Static NAT with ISA 2004

Hello Everyone,

I need to do a static NAT for our mailserver. Right now it's going outbound with our general external NAT address, so it's failing on reverse lookups. I need to Static map it so that it goes out with a specific External IP all the time.
Methodman85 asked:
 
leonov_alex commented:
Here is my case:
1) My firewall xx.xx.xx.xx has an FQDN and reverse name aaaa.com
2) My Exchange 2007 behind the fw has 192.168.0.5 and FQDN exch.my.firm

I go "Server Configuration" - "Hub Transport" - "Receive Connectors" - "Default" - "Properties"
and set "Specify FQDN for EHLO and HELO" to aaaa.com

When Exchange connects to an external SMTP through NAT it gets the xx.xx.xx.xx address and says "EHLO aaaa.com"
0
 
davorin commented:
Can you explain your problem a little bit further? What reverse lookup are you talking about?
0
 
leonov_alex commented:
ISA can't do static NAT, only publishing rules.

On your mail server you need to set up the SMTP service so that it tells ISA's host name.
0
 
Methodman85 (author) commented:
Some recipients' spam filters perform a reverse lookup on the source address that they receive for our Exchange server. So our Exchange server (10.0.0.24) leaves the network with a general NAT external address (208.113.63.70), the same as all other hosts on our network that access the internet.
When the end user's spam filter does a reverse lookup on 208.113.63.70, they of course do not find the appropriate record.

Would adding a PTR record that points to our mail server work? Does it make sense to have a PTR record for a general NAT address?
0
 
Methodman85 (author) commented:
Hi Leonov,

Can you explain in more detail, or point me to an article? I'm not sure what you mean.

thanks
0
 
davorin commented:
Hi,
you are right, you have to add a PTR or rDNS record that uses your external IP address and your external FQDN mail server address (normally the same as the MX record), and you should have the same FQDN address in your SMTP banner. The rDNS record is normally set by your ISP.
0
 
Methodman85 (author) commented:
The problem is that I can't set the same address as the MX record. The MX record points to .60, but the server goes out at .70 when it's NATted. So a reverse PTR needs to point to .70, but that's the general NAT address of every host that leaves the firewall; won't this cause problems?

Leonov: I'm trying to understand what you mean. You're saying that you're getting your Exchange server to use your firewall's DNS name and external IP address? So you're tricking the reverse lookup?
0
 
davorin commented:
MX records point to FQDNs, not to IP addresses. If the IP addresses are not the same it will not cause you trouble. To check whether everything is configured correctly you can use the www.mxtoolbox.com site - SMTP test option.
The only thing that really needs to be the same is the FQDN on the rDNS and the FQDN on the SMTP banner.
0
 
leonov_alex commented:
No, I change the external FQDN for the mail server for SMTP purposes.

rDNS must say xx.xx.xx.xx PTR aaaa.com before all operations start. When I bought IP address xx.xx.xx.xx I told the ISP that it must resolve to aaaa.com.
0
 
Keith Alabaster (Enterprise Architect) commented:
It cannot be done - ISA does not support what you are trying to do.
Traffic will leave ISA with the main IP address set on the ISA external NIC. Sorry.

Keith
ISA Forefront MVP
0
 
Methodman85 (author) commented:
Hi Keith,
So if I set a PTR record for that external NIC address pointing to the FQDN of my Exchange server, should that work on reverse lookups? And would it cause any issues with anything else?
0
 
leonov_alex commented:
Yes. But it will be better if your Exchange uses the external FQDN in HELO/EHLO commands.
0
 
Keith Alabaster (Enterprise Architect) commented:
Yes - it should, but bear in mind that the MX record also needs to be associated with the same FQDN. They all have to tie up.
No it will not cause any conflicts with anything else.
0
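The checks davorin and Keith describe (PTR exists for the sending IP, the PTR name matches the SMTP banner/HELO name, and the MX host name ties up with it) are what a recipient's spam filter runs against an inbound connection. The following is an added example, not code from the thread or from ISA/Exchange, that models those checks offline against a constructed stub DNS table. The names `mail.example.com` / `example.com`, the stub records, and the functions `resolve`, `check_sender` are assumptions for illustration; in practice `resolve()` would be replaced by real DNS queries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) consistency check.

Added example (not from the original thread). It models what a recipient's
spam filter does: take the connecting IP, look up its PTR, resolve that name
back to an address, and compare the PTR name with the HELO/EHLO name and the
sender domain's MX host. DNS data comes from a constructed stub table.
"""
import ipaddress

# Constructed stub zone. The names are placeholders; the .70 address is the
# general NAT address from the thread, paired here with a made-up mail host.
STUB_DNS = {
    ("70.63.113.208.in-addr.arpa.", "PTR"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["208.113.63.70"],
    ("example.com.", "MX"): ["mail.example.com."],
}


def resolve(name, rtype):
    """Look up (name, rtype) in the stub table; empty list means no data."""
    return STUB_DNS.get((name.lower(), rtype), [])


def reverse_name(ip):
    """Build the in-addr.arpa name for an IPv4 address (1.2.3.4 -> 4.3.2.1.in-addr.arpa.)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_sender(ip, helo_name, sender_domain):
    """Return a dict of individual checks (True/False) plus an 'ok' summary.

    rdns_exists  : the IP has a PTR record at all
    fcrdns       : the PTR name resolves (A) back to the same IP
    helo_matches : HELO/EHLO name equals the PTR name
    mx_matches   : the PTR name is one of the sender domain's MX hosts
    """
    ptrs = resolve(reverse_name(ip), "PTR")
    ptr = ptrs[0].lower() if ptrs else None
    helo = helo_name.rstrip(".").lower() + "."
    mx_hosts = [h.lower() for h in resolve(sender_domain.rstrip(".") + ".", "MX")]

    results = {
        "rdns_exists": ptr is not None,
        "fcrdns": ptr is not None and ip in resolve(ptr, "A"),
        "helo_matches": ptr is not None and helo == ptr,
        "mx_matches": ptr is not None and ptr in mx_hosts,
    }
    # Filters typically hard-fail on missing or unconfirmed rDNS and only
    # score HELO/MX mismatches, so 'ok' reflects the hard checks alone.
    results["ok"] = results["rdns_exists"] and results["fcrdns"]
    return results


if __name__ == "__main__":
    print(check_sender("208.113.63.70", "mail.example.com", "example.com"))
    print(check_sender("208.113.63.60", "mail.example.com", "example.com"))
```

Running it with the general NAT address and a matching HELO name passes every check; the .60 address, which has no PTR in the stub, fails `rdns_exists` and therefore `ok`. One caveat when applying this to the thread's situation: the forward-confirmation step requires the PTR name to resolve back to the sending IP, so the name placed in the PTR for the NAT address must itself have an A record for that address, not only for the MX host's published address.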
 
Methodman85 (author) commented:
Thanks everyone, I will give this a try on Saturday.
Since the PTR is the easier fix, I'll try that first; if I'm still getting connection refused errors based on failed reverse lookups, I will try Leonov's method.
0