jskfan
how to route the request to Exchange server
Let's say at the Registrar (GoDaddy.com) we have the following records:
Host record (A) = mail.company.com 64.64.64.64
MX record= mail.company.com
PTR = 64.64.64.64 points to mail.company.com
When external users send us an email, in order to route their emails from our public interface to the exchange server mailbox, how is the CISCO router or the firewall configured?
Can someone write the commands here? I believe all it requires is NAT commands, if I am not wrong.
Thanks
ASKER
I need an example of a router.
The example on the TechRepublic website is not clear.
ASKER CERTIFIED SOLUTION
ASKER
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25
The above command will route the SMTP traffic from inside to outside.
What about from outside to inside?
This will nat from the outside to the inside.
As per cisco command reference:
Port Static NAT
ip nat inside source static {{tcp | udp} {local-ip local-port global-ip global-port [extendable] [forced] [mapping-id map-id] [no-alias] [no-payload] [redundancy group-name] [route-map name [reversible]] [vrf name [match-in-vrf]] | interface global-port}}
ASKER
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25
Are you saying that the single above command can route the SMTP traffic from the Exchange server to the outside world and vice versa?
I thought for outside to inside you would have to type:
ip nat outside source static tcp 64.64.64.64 192.168.1.2 25
No, this command forwards incoming traffic on port 25 (on IP 64.64.64.64) to port 25 on internal IP 192.168.1.2.
If you want to have the server having a dedicated public address, you need to set up:
Router(config)# interface ethernet 0/1
Router(config-if )# ip address 192.168.1.1 255.255.255.0
Router(config-if )# ip nat inside
Router(config)# interface ethernet 0/0
Router(config-if )# ip address 64.64.64.65 255.255.255.0
Router(config-if )# ip nat outside
Router(config)# ip nat inside source static 192.168.1.2 64.64.64.64
Here the public address used is a different one than the address on the outside interface, of course. Now the server is NATted 1:1 to a public IP, so outside-in and vice versa. You can now allow incoming ports by means of an access-list.
ASKER
If I understood your statements... both incoming email to Exchange server and outgoing emails from exchange will work with this config:
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25
Assuming 192.168.1.2 is the internal address of your mailserver.
Correct, but......
I see you use a PTR record for the mailserver. That means that if the mailserver (when connecting to the internet) is NATted to another public IP, the PTR check will fail, resulting in NDRs if the receiving mailservers check for that PTR.
If you use ip nat inside source static 192.168.1.2 64.64.64.64, all the traffic is NATted from 192.168.1.2 to 64.64.64.64 and vice versa, so then it shouldn't be a problem.
Because I have no insight into the config of your router, I'm trying to give as much info as possible (you understand of course :)
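The point made above is that port-static NAT only handles inbound port 25, while the mailserver's own outbound connections leave with whatever address the dynamic translation gives them, which then has to match the PTR record. The following is an added example, not from the thread or from Cisco: it parses the two IOS NAT statements discussed here against constructed DNS records and reports the inbound target, the outbound source address and whether the forward-confirmed reverse DNS check would pass. The overload address 64.64.64.65 and the zone name company.com are assumptions.

```python
import re

# Constructed DNS records mirroring the thread (no live lookups are made).
DNS = {
    "A": {"mail.company.com": "64.64.64.64"},
    "MX": {"company.com": "mail.company.com"},
    "PTR": {"64.64.64.64": "mail.company.com"},
}

# Assumed outside-interface address used for the dynamic/overload translation.
OUTSIDE_IF_IP = "64.64.64.65"

STATIC_1TO1 = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
STATIC_PORT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")

def inbound_target(nat_lines, public_ip, port):
    """Inside endpoint that a connection to public_ip:port is translated to."""
    for line in nat_lines:
        s = line.strip()
        m = STATIC_PORT.match(s)
        if m and m.group(4) == public_ip and int(m.group(5)) == port:
            return m.group(2), int(m.group(3))
        m = STATIC_1TO1.match(s)
        if m and m.group(2) == public_ip:
            return m.group(1), port
    return None

def outbound_source(nat_lines, inside_ip, overload_ip=OUTSIDE_IF_IP):
    """Public IP the mailserver's own outbound SMTP sessions will carry."""
    for line in nat_lines:
        m = STATIC_1TO1.match(line.strip())
        if m and m.group(1) == inside_ip:
            return m.group(2)
    # A port-static entry only matches source port 25; outbound SMTP client
    # sessions use ephemeral source ports, so they fall back to overload NAT.
    return overload_ip

def fcrdns_ok(public_ip, dns=DNS):
    """Forward-confirmed reverse DNS: PTR -> name -> A must return public_ip."""
    name = dns["PTR"].get(public_ip)
    return name is not None and dns["A"].get(name) == public_ip

PORT_ONLY = ["ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25"]
ONE_TO_ONE = ["ip nat inside source static 192.168.1.2 64.64.64.64"]

if __name__ == "__main__":
    for label, cfg in (("port-static", PORT_ONLY), ("1:1 static", ONE_TO_ONE)):
        src = outbound_source(cfg, "192.168.1.2")
        print(label, "inbound ->", inbound_target(cfg, "64.64.64.64", 25),
              "| outbound from", src, "| PTR check passes:", fcrdns_ok(src))
```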
SOLUTION
ASKER
azeempatel:
If you write an example, it would make more sense.
thanks
Public IP: 192.168.1.1
Front End Device : IronPort / Exchange Edge / Symantec Bright mail, etc or Router / Firewall
domain : yourdomain.com
When you open DNS console > Click on yourdomain.com
Under MX add your public IP, and the hostname will be your frontend device, so <ironport.yourdomain.com>
The attached image should help you.
Your frontend will be NATted with the public IP.
Your DNS console will have an entry for the frontend device.
ASKER
thanks
For a router, look at: http://www.techrepublic.com/blog/networking/configure-static-nat-for-inbound-connections/264
For a firewall:
static (inside,outside) tcp outside_ip 25 inside_ip 25 netmask 255.255.255.255
access-list outside permit tcp any host outside_ip eq 25
access-group outside in interface outside
OR from ASA version > 8.3:
object network obj-inside_ip
host inside_ip
nat (inside,outside) static outside_ip service tcp 25 25
access-list outside_in extended permit tcp any host inside_ip eq 25
access-group outside_in in interface outside