jskfan

ASKER

how to route the request to Exchange server

Let's say at the registrar (GoDaddy.com) we have the following records:


Host record (A) = mail.company.com  64.64.64.64
MX record=  mail.company.com
PTR = 64.64.64.64 points to mail.company.com

When external users send us an email, in order to route their emails from our public interface to the Exchange server mailbox, how is the Cisco router or the firewall configured?
Can someone write the commands here? I believe all it requires is NAT commands, if I am not wrong.

Thanks
Ernie Beek

Well, it differs if you have a router or firewall.

For a router, look at: http://www.techrepublic.com/blog/networking/configure-static-nat-for-inbound-connections/264

For a firewall:

static (inside,outside) tcp outside_ip 25 inside_ip 25 netmask 255.255.255.255
access-list outside permit tcp any host outside_ip eq 25
access-group outside in interface outside


OR from ASA version > 8.3:

object network obj-inside_ip
host inside_ip
nat (inside,outside) static outside_ip service tcp 25

access-list outside_in extended permit tcp any host inside_ip eq 25
access-group outside_in in interface outside
jskfan

ASKER

I need an example of a router.
The example on the TechRepublic website is not clear.
ASKER CERTIFIED SOLUTION
Ernie Beek
jskfan

ASKER

Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

The above command will route the SMTP traffic from inside to outside.
What about from outside to inside?

This will nat from the outside to the inside.

As per the Cisco command reference:

Port Static NAT

ip nat inside source static {{tcp | udp} {local-ip local-port global-ip global-port [extendable] [forced] [mapping-id map-id] [no-alias] [no-payload] [redundancy group-name] [route-map name [reversible]] [vrf name [match-in-vrf]] | interface global-port}}
jskfan

ASKER

Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

Are you saying that the single above command can route the SMTP traffic from the Exchange server to the outside world and vice versa?

I thought for outside to inside you would have to type:
ip nat outside source static tcp  64.64.64.64 192.168.1.2 25
No, this command forwards incoming traffic on port 25 (on IP 64.64.64.64) to port 25 on internal IP 192.168.1.2.
If you want the server to have a dedicated public address, you need to set up:

Router(config)# interface ethernet 0/1
Router(config-if )# ip address 192.168.1.1 255.255.255.0
Router(config-if )# ip nat inside


Router(config)# interface ethernet 0/0
Router(config-if )# ip address 64.64.64.65 255.255.255.0
Router(config-if )# ip nat outside

Router(config)# ip nat inside source static 192.168.1.2 64.64.64.64


Here the public address used is of course a different one than the address on the outside interface. Now the server is NATted one-to-one to a public IP, so outside-in and vice versa. You can now allow incoming ports by means of an access-list.
jskfan

ASKER

If I understood your statements, both incoming email to the Exchange server and outgoing emails from Exchange will work with this config:
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

Assuming 192.168.1.2 is the internal address of your mail server.

Correct, but......
I see you use a PTR record for the mail server. That means that if the mail server (when connecting to the internet) is NATted to another public IP, the PTR check will fail, resulting in NDRs if the receiving mail servers check for that PTR.
If you use ip nat inside source static 192.168.1.2 64.64.64.64, all the traffic is NATted from 192.168.1.2 to 64.64.64.64 and vice versa, so then it shouldn't be a problem.
Because I have no insight into the config of your router I'm trying to give as much info as possible (you understand of course :)
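To make the PTR point concrete, here is an added example (not from the thread, not a Cisco tool) that models how the two IOS static NAT forms discussed above translate an outbound connection from the mail server, and then runs a forward-confirmed reverse DNS check against the registrar records from the question. The overload address 64.64.64.65 for untranslated traffic and the DNS tables are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copies of the registrar records from the question (A and PTR).
A_RECORDS = {"mail.company.com": "64.64.64.64"}
PTR_RECORDS = {"64.64.64.64": "mail.company.com"}

# Matches the two forms seen in the thread:
#   ip nat inside source static tcp LOCAL LPORT GLOBAL GPORT   (port static)
#   ip nat inside source static LOCAL GLOBAL                   (one-to-one)
STATIC_RE = re.compile(
    r"^ip nat inside source static(?: (tcp|udp) (\S+) (\d+) (\S+) (\d+)| (\S+) (\S+))$"
)

@dataclass
class StaticNat:
    local_ip: str
    global_ip: str
    proto: Optional[str] = None      # None = one-to-one, any protocol/port
    local_port: Optional[int] = None
    global_port: Optional[int] = None

def parse_static_nat(config: str) -> List[StaticNat]:
    """Parse static NAT lines; a leading 'Router(config)# ' prompt is tolerated."""
    entries = []
    for raw in config.splitlines():
        line = re.sub(r"^Router\(config\)#\s*", "", raw.strip())
        m = STATIC_RE.match(line)
        if not m:
            continue
        if m.group(1):
            entries.append(StaticNat(m.group(2), m.group(4), m.group(1),
                                     int(m.group(3)), int(m.group(5))))
        else:
            entries.append(StaticNat(m.group(6), m.group(7)))
    return entries

def outbound_source(entries, local_ip, proto, src_port, overload_ip=None):
    """Public IP an outbound flow from local_ip:src_port is translated to.
    A port-static entry matches only its configured local port; a one-to-one
    entry matches everything. Anything else falls through to the (assumed)
    interface overload address, or stays untranslated if there is none."""
    for e in entries:
        if e.local_ip != local_ip:
            continue
        if e.proto is None or (e.proto == proto and e.local_port == src_port):
            return e.global_ip
    return overload_ip

def fcrdns_ok(src_ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS: PTR(src_ip) -> name and A(name) -> src_ip."""
    name = ptr.get(src_ip)
    return name is not None and a.get(name) == src_ip
```

An outbound SMTP session from Exchange uses an ephemeral source port, so only the one-to-one form guarantees it leaves as 64.64.64.64 and passes the PTR check.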
SOLUTION
jskfan

ASKER

azeempatel:

If you write an example, it would make more sense.
Thanks
Public IP: 192.168.1.1
Front End Device : IronPort / Exchange Edge /  Symantec Bright mail, etc or Router / Firewall
domain : yourdomain.com

When you open DNS console > Click on yourdomain.com

Under MX add your public IP, and the hostname will be your frontend device, so <ironport.yourdomain.com>

The attached image should help you.

Your frontend will be NATted with the public IP.
Your DNS console will have an entry for the frontend device.

yourdomain.JPG
jskfan

ASKER

thanks