Methodman85

asked on

Static NAT with ISA 2004

Hello Everyone,

I need to do a static NAT for our mailserver. Right now it's going outbound with our general external NAT address, so it's failing on reverse lookups. I need to Static map it so that it goes out with a specific External IP all the time.
davorin

Can you explain your problem a little bit further? What reverse lookup you are talking about?
SOLUTION
leonov_alex

This solution is only available to members.
Methodman85

ASKER

Some recipients' SPAM filters perform a reverse lookup on the source address that they receive for our Exchange server. So our Exchange server (10.0.0.24) leaves the network with a general NAT external address (208.113.63.70), same as all other hosts on our network that access the internet.
When the end user's spam filter does a reverse lookup on 208.113.63.70, they of course do not find the appropriate record.

Would adding a PTR record that points to our mailserver work? Does it make sense to have a PTR record for a general NAT address?

Hi Leonov,

Can you explain in more detail, or point me to an article? I'm not sure what you mean.

thanks
The problem is that I can't set the same address as the MX record. The MX record points to .60, but the server goes out at .70 when it's NATed. So a reverse PTR needs to point to .70, but that's the general NAT address of every host that leaves the firewall. Won't this cause problems?

Leonov: I'm trying to understand what you mean. You're saying that you're getting your Exchange server to use your firewall's DNS name and external IP address? So you're tricking the reverse lookup?

MX records are pointed to FQDNs, not to IP addresses. If IP addresses are not the same it will not cause you troubles. To check if anything is configured correctly you can use the www.mxtoolbox.com site - SMTP test option.
The only thing that really needs to be the same is the FQDN on rDNS and the FQDN on the SMTP banner.

No, I change the External FQDN for the mail server for SMTP purposes.

RDNS must say xx.xx.xx.xx PTR aaaa.com, before all operations start. When I bought IP address xx.xx.xx.xx I said to the ISP that it must resolve to aaaa.com.
Hi Keith,
So if I set a PTR record for that external NIC address pointing to the FQDN of my Exchange server, should that work on reverse lookups? And would it cause any issues with anything else?

Yes. But it will be better if your Exchange uses the external FQDN in HELO/EHLO commands.
Thanks Everyone, I will give this a try on Saturday.
Since the PTR is the easier fix, I'll try that first. If I'm still getting connection refused errors based on failed reverse lookups, I will try leonov's method.
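
The condition discussed in this thread (the PTR name of the outbound NAT address should match the FQDN the mail server announces in its SMTP banner/HELO) can be checked with a short script. This is an added example, not code from any poster; it goes one step further than the thread by also confirming that the PTR name resolves back to the same IP, which many receiving filters require. The host names and zone data are constructed, only 208.113.63.70 comes from the question, and the function names are hypothetical.

```python
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_a(name):
    """IPv4 addresses for name via the system resolver (empty list on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def check_outbound(egress_ip, helo_name, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return the list of problems a receiving filter could object to."""
    ptr_names = [norm(n) for n in ptr_lookup(egress_ip)]
    if not ptr_names:
        return [f"no PTR record for {egress_ip}"]
    problems = []
    # Forward confirmation: at least one PTR name must resolve back to the IP.
    if not any(egress_ip in a_lookup(n) for n in ptr_names):
        problems.append(f"PTR {ptr_names} does not resolve back to {egress_ip}")
    # The name announced in HELO/EHLO should be one of the PTR names.
    if norm(helo_name) not in ptr_names:
        problems.append(f"HELO name {helo_name} does not match PTR {ptr_names}")
    return problems

# Constructed sample records so the check runs offline.
SAMPLE_PTR = {"208.113.63.70": ["mail.example.com."]}
SAMPLE_A = {"mail.example.com": ["208.113.63.70"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(name):
    return SAMPLE_A.get(norm(name), [])

if __name__ == "__main__":
    for helo in ("mail.example.com", "exch01.corp.local"):
        result = check_outbound("208.113.63.70", helo, sample_ptr, sample_a)
        print(helo, result or "OK")
```

Called without the last two arguments, `check_outbound` uses the system resolver, so it can be run against the real egress address and banner name after the PTR record has been created.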