how to route the request to Exchange server

Let's say at the registrar (GoDaddy.com) we have the following records:

Host record (A) = mail.company.com  64.64.64.64
MX record=  mail.company.com
PTR = 64.64.64.64 points to mail.company.com

When external users send us an email, in order to route their emails from our public interface to the Exchange server mailbox, how is the Cisco router or the firewall configured?
Can someone write the commands here? I believe all it requires is NAT commands, if I am not wrong.

Thanks
0
jskfan
Asked:
2 Solutions
 
Ernie BeekCommented:
Well, it differs if you have a router or firewall.

For a router, look at: http://www.techrepublic.com/blog/networking/configure-static-nat-for-inbound-connections/264

For a firewall:

static (inside,outside) tcp outside_ip 25 inside_ip 25 netmask 255.255.255.255
access-list outside permit tcp any host outside_ip eq 25
access-group outside in interface outside


OR from ASA version > 8.3 (the service keyword takes the real and the mapped port, and the access-group must reference the ACL name used):

object network obj-inside_ip
host inside_ip
nat (inside,outside) static outside_ip service tcp 25 25

access-list outside_in extended permit tcp any host inside_ip eq 25
access-group outside_in in interface outside
0
 
jskfanAuthor Commented:
I need an example of a router.
The example on the TechRepublic website is not clear.
0
 
Ernie BeekCommented:
Ok,

So let's assume your router has an inside (ethernet 0/1) and an outside (ethernet 0/0) interface. Then it would be something like:

Router(config)# interface ethernet 0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside

Router(config)# interface ethernet 0/0
Router(config-if)# ip address 64.64.64.64 255.255.255.0
Router(config-if)# ip nat outside

Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

Assuming 192.168.1.2 is the internal address of your mailserver.

Let me know if this is clear enough ;)
0
 
jskfanAuthor Commented:
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

The above command will route the SMTP traffic from inside to outside.
What about from outside to inside?

0
 
Ernie BeekCommented:
This will nat from the outside to the inside.

As per cisco command reference:

Port Static NAT

ip nat inside source static {{tcp | udp} {local-ip local-port global-ip global-port [extendable] [forced] [mapping-id map-id] [no-alias] [no-payload] [redundancy group-name] [route-map name [reversible]] [vrf name [match-in-vrf]] | interface global-port}}
0
 
jskfanAuthor Commented:
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

Are you saying that the single command above can route the SMTP traffic from the Exchange server to the outside world and vice versa?

I thought for outside-to-inside you would have to type:
ip nat outside source static tcp  64.64.64.64 192.168.1.2 25
0
 
Ernie BeekCommented:
No, this command forwards incoming traffic on port 25 (on IP 64.64.64.64) to port 25 on internal IP 192.168.1.2.
If you want the server to have a dedicated public address, you need to set up:

Router(config)# interface ethernet 0/1
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside

Router(config)# interface ethernet 0/0
Router(config-if)# ip address 64.64.64.65 255.255.255.0
Router(config-if)# ip nat outside

Router(config)# ip nat inside source static 192.168.1.2 64.64.64.64

Here the public address used is a different one than the address on the outside interface, of course. Now the server is NATted 1:1 to a public IP, so outside-in and vice versa. You can now allow incoming ports by means of an access-list.
0
 
jskfanAuthor Commented:
If I understood your statements, both incoming email to the Exchange server and outgoing email from Exchange will work with this config:
Router(config)# ip nat inside source static tcp 192.168.1.2 25 64.64.64.64 25

Assuming 192.168.1.2 is the internal address of your mailserver.

0
 
Ernie BeekCommented:
Correct, but...
I see you use a PTR record for the mailserver. That means that if the mailserver (when connecting to the internet) is NATted to another public IP, the PTR check will fail, resulting in NDRs if the receiving mailservers check for that PTR.
If you use ip nat inside source static 192.168.1.2 64.64.64.64, all the traffic is NATted from 192.168.1.2 to 64.64.64.64 and vice versa, so then it shouldn't be a problem.
Because I have no insight into the config of your router, I'm trying to give as much info as possible (you understand, of course :)
0
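The two points argued over in this thread (which inside host an outside-in packet reaches, and why the outbound source address must match the PTR record) can be checked against a small model. This is an added example, not code from the thread: the NAT entries, the DNS records and the interface overload (PAT) address are constructed to mirror the addresses used above, and no router or resolver is contacted.

```python
"""Model of the two router NAT designs discussed above, with the PTR check."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed DNS data mirroring the question; no live lookups are made.
DNS_A = {"mail.company.com": "64.64.64.64"}
DNS_PTR = {"64.64.64.64": "mail.company.com"}
MAIL_SERVER = "192.168.1.2"   # internal Exchange address used in the thread


@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static' entry; port=None models a 1:1 mapping."""
    inside_ip: str
    outside_ip: str
    port: Optional[int] = None


def inbound_target(rules: List[StaticNat], dst_ip: str, dst_port: int) -> Optional[str]:
    """Inside host an outside->inside packet is translated to (None = no match).
    A 1:1 entry matches every port, which is why the 1:1 design needs an ACL."""
    for r in rules:
        if r.outside_ip == dst_ip and (r.port is None or r.port == dst_port):
            return r.inside_ip
    return None


def outbound_source(rules: List[StaticNat], overload_ip: str, inside_ip: str, src_port: int) -> str:
    """Public source address of an inside->outside flow. A port-static entry only
    matches its own local port; an outbound SMTP connection uses an ephemeral
    source port, so it falls through to the interface overload (PAT) address,
    which this model assumes is configured for general internet access."""
    for r in rules:
        if r.inside_ip == inside_ip and (r.port is None or r.port == src_port):
            return r.outside_ip
    return overload_ip


def fcrdns_ok(public_ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    name = DNS_PTR.get(public_ip)
    return name is not None and DNS_A.get(name) == public_ip


def outbound_mail_check(rules: List[StaticNat], overload_ip: str):
    """Source IP receiving MTAs see for our outbound mail, and whether its PTR holds."""
    src = outbound_source(rules, overload_ip, MAIL_SERVER, 51000)  # ephemeral client port
    return src, fcrdns_ok(src)
```

With the port-static entry alone, the result depends entirely on which address the router uses for the server's other outbound traffic; with the 1:1 entry the server always leaves as 64.64.64.64 and the PTR check holds.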
 
azeempatelCommented:
1. You will have to NAT a public IP on your front end device.
2. On yourdomain.com's MX, enter this NATted IP address.

You do not have to enter an MX record on mail.yourdomain.com.
0
 
jskfanAuthor Commented:
azeempatel:

If you write an example, it would make more sense.
Thanks
0
 
azeempatelCommented:
Public IP: 192.168.1.1
Front End Device: IronPort / Exchange Edge / Symantec Brightmail, etc., or Router / Firewall
Domain: yourdomain.com

When you open the DNS console > click on yourdomain.com

Under MX, add your public IP; the hostname will be your frontend device, so <ironport.yourdomain.com>

0
 
azeempatelCommented:
The attached image should help you.

Your frontend will be NATted with a public IP.
Your DNS console will have an entry for the frontend device.

yourdomain.JPG
0
 
jskfanAuthor Commented:
thanks
0
