Velocity Reviews > Newsgroups > Computing > Cisco > SMTP Port Forwarding


SMTP Port Forwarding

 
 
Robert Jacobs
04-28-2009
Experts (thank you in advance),

Our company recently purchased a new stand-alone spam filter. This
device sits on the network, like any other system or server, receives
incoming smtp traffic, filters the messages, and forwards any
legitimate e-mails to the mail server for processing to the clients.

There are two ways to set this feature up. The first is MX Records
(which we really don't want to do). The second, and preferred method
is via Port Forwarding.

My question:

The external IP address for our mail server is NAT translated to our
internal server (which happens to also be our web server). Therefore,
we need to set it up so when an e-mail comes into this external IP
address, it is NAT translated to the new spam filter's IP address, but
all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
NAT translated to the web/e-mail server directly, without being
forwarded through the spam filter. How can I set this up?

Any help is greatly appreciated. I have included the part of my
router config that I THINK I need to be looking at, please let me know
if you need anything I'm not thinking of, or if I'm just completely
off base with what I'm attempting to do. Thank you so much!



ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload
ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1 (I don't wish to enter my actual external IP)

route-map rmap_1 permit 1
match ip address NAT_ACL_1

ip access-list extended NAT_ACL_1
permit ip host 10.10.10.100 any
 
Chino
04-28-2009
>
> The external IP address for our mail server is NAT translated to our
> internal server (which happens to also be our web server). Therefore,
> we need to set it up so when an e-mail comes into this external IP
> address, it is NAT translated to the new spam filter's IP address, but
> all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
> NAT translated to the web/e-mail server directly, without being
> forwarded through the spam filter. How can I set this up?
>


You have to do port translation instead of address translation.
This means you have to specify every single port you need to be accessed from
the Internet.
Something like

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z 80 216.x.x.x 80
ip nat inside source static tcp 10.10.10.z 443 216.x.x.x 443


 
Robert Jacobs
04-28-2009
On Apr 28, 10:04 am, "Chino" <(E-Mail Removed)> wrote:
>
> You have to do Port translation instead of address translation.
> This means you have to specify every single port you need to be accessed from
> the Internet.
> Something like
>
> ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> ip nat inside source static tcp 10.10.10.z 80 216.x.x.x 80
> ip nat inside source static tcp 10.10.10.z 443 216.x.x.x 443


Oh, OK. That sounds good. Question, though. If I want to only
transfer port 25 to 10.10.10.y, and all others to 10.10.10.z, can I
not do this?:

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z 216.x.x.x

Or would I have to specify every single port going to 10.10.10.z? I
ask, because I'm not 100 percent sure if I know every port used to
communicate with 10.10.10.z. Or would this be better?

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range 1 24
ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x range 26 10000

I'm not even sure that is the right syntax... I'm hoping my first
example would suffice. Thanks again!
 
Thrill5
04-28-2009
The best, easiest, and standard way to do this is using MX records. The
easiest way to do this without any downtime is to create another MX record
that points to the new address of the SPAM filter with a lower priority of
the existing server. The existing server will be used because it has a
higher priority. After waiting the TTL time of the original MX record (so
that the DNS record is expired by any DNS server that may be caching it),
swap the priorities of the two MX records. Traffic will now go into the
SPAM filter. After waiting another TTL interval, remove the original MX
record. Very easy and simple.




 
Robert Jacobs
04-28-2009
On Apr 28, 1:13 pm, "Thrill5" <(E-Mail Removed)> wrote:
> The best, easiest, and standard way to do this is using MX records. The
> easiest way to do this without any downtime is to create another MX record
> that points to the new address of the SPAM filter with a lower priority of
> the existing server. The existing server will be used because it has a
> higher priority. After waiting the TTL time of the original MX record (so
> that the DNS record is expired by any DNS server that may be caching it),
> swap the priorities of the two MX records. Traffic will now go into the
> SPAM filter. After waiting another TTL interval, remove the original MX
> record. Very easy and simple.

That does make sense, however, this existing server will still need to
be the primary server for all http, ftp, and all other traffic, aside
from SMTP. It is an enterprise iSeries server, and it is the main
server for our company website, our ordering system, our mail server,
and many other services.

If I'm understanding it correctly, the only way the MX record would
help, would be if we had another external IP address to forward only
SMTP traffic coming to our domain name, but I'm not even sure that is
a possibility. For these reasons, I think the port translations
within NAT are really the best/only way to really accomplish what I'm
looking to accomplish.

Thank you very much for your insight, though, it is greatly
appreciated. Do you by chance know whether the NAT entry I put
above would work?

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z 216.x.x.x

If I am understanding this correctly, it will take the first entry
first, so if any SMTP traffic is coming to this IP address, translate
it to the SPAM filter, else (if anything else), send it to our
enterprise server.

Thanks again everybody for your speedy response. This is, hopefully,
the last answer I will need to complete this project!
 
bod43
04-28-2009
On 28 Apr, 19:29, Robert Jacobs <(E-Mail Removed)> wrote:
> ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> ip nat inside source static tcp 10.10.10.z 216.x.x.x
>
> If I am understanding this correctly, it will take the first entry
> first, so if any SMTP traffic is coming to this IP address, translate
> it to the SPAM filter, else (if anything else), send it to our
> enterprise server.

For sure you can accomplish what you want. No problem at all.

My guess is that your syntax will work however the best
thing to do is to try it out.

If you don't have a lab then you can test with dynamips

telnet ....... 25
telnet ....... other-ports

sh ip nat tr

Not everyone makes these exact changes every day
and I for one forget precise details quite quickly

 
Chino
04-29-2009

> ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> ip nat inside source static tcp 10.10.10.z 216.x.x.x
>
> ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range 1 24
> ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x range 26 10000
>
> I'm not even sure that is the right syntax... I'm hoping my first
> example would suffice. Thanks again!



I just don't know, never tried it out.
If you're going to do some test, please let us know the results.


 
Robert Jacobs
04-29-2009
On Apr 29, 4:37 am, "Chino" <(E-Mail Removed)> wrote:
> > ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> > ip nat inside source static tcp 10.10.10.z 216.x.x.x
> > ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> > ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range 1 24
> > ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x range 26 10000
> >
> > I'm not even sure that is the right syntax... I'm hoping my first
> > example would suffice. Thanks again!
>
> I just don't know, never tried it out.
> If you're going to do some test, please let us know the results.


I don't have the equipment to do any tests, and I don't know what
dynamips is (and I wouldn't know how to re-create my scenario even if
I did). We are planning on doing this change tomorrow night
(4/30/09 - EOM), and I will make sure to come out here and let you
know what happens. Thanks again for your help, and if anybody sees
this post before then, who knows for sure that my syntax will or will
not work, please let me know. Thank you.
 
Robert Jacobs
04-29-2009
On Apr 29, 4:37 am, "Chino" <(E-Mail Removed)> wrote:
> > ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> > ip nat inside source static tcp 10.10.10.z 216.x.x.x
> > ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
> > ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range 1 24
> > ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x range 26 10000
> >
> > I'm not even sure that is the right syntax... I'm hoping my first
> > example would suffice. Thanks again!
>
> I just don't know, never tried it out.
> If you're going to do some test, please let us know the result


I replied to this earlier, but it didn't show up. I don't have the
equipment or lines to test this with, and I don't know what dynamips
is (and wouldn't know how to recreate my exact scenario, even if I
did). I plan on making this change tomorrow night (04/30/09 - EOM),
and I will make sure to re-post with my conclusion.

Also, if anybody does happen to come across the correct syntax before
then, please let me know. And, just to verify, in my original post, I
wrote that my config looked like this:

ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1

But all posts afterwards have left out the 'route-map rmap_1'. Is it
still okay to include that at the end of the nat translation when
specifying the port to translate as well? I'm assuming so, but you
know what they say about people that assume.

Thanks again, you guys have been awesome.
 
Robert Jacobs
05-01-2009
Alright everybody, I was able to get this working. Here's what I had
to do:

1. I had to remove ip nat inside/outside on interfaces then clear the
ip nat translations:

i.e.
interface Ethernet0
no ip nat inside
exit
interface Ethernet1
no ip nat outside
exit
do clear ip nat translation forced

2. I removed my NAT_ACL_1 and route-map rmap_1 just as a precaution
(I didn't know if I needed to, so I did it to be safe).

3. Add the ip nat inside source - to specify the port, I had to put
'tcp' before the ip address, but I didn't want it when specifying
everything other than smtp traffic:

i.e.
ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25 route-map rmap_1
ip nat inside source static 10.10.10.z 216.x.x.x route-map rmap_1

4. Re-added the NAT_ACL_1 and route-map rmap_1.

5. Re-apply ip nat inside and ip nat outside to respective
interfaces.

Done. Thanks again for your help everybody.
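The split the final post arrives at (TCP/25 to the spam filter, every other port to the iSeries server) can be sanity-checked before touching the router. The following is an added example, not code from the thread: a small Python model that parses the two 'ip nat inside source static' forms used above and resolves where an inbound connection lands, assuming, as the final post reports, that the port-specific entry is matched ahead of the whole-address entry for the same inside-global address. The addresses 10.10.10.20, 10.10.10.100 and 203.0.113.10 are constructed placeholders standing in for 10.10.10.y, 10.10.10.z and 216.x.x.x.

```python
"""Model of the static NAT precedence the thread ends up relying on.
Added example, not code from the posts; assumes (as the final post reports)
that a port-specific static entry beats the whole-address entry for the
same inside-global address. All addresses are constructed placeholders."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the final working config: .20 plays the spam
# filter (the thread's 10.10.10.y), .100 the iSeries server (10.10.10.z).
CONFIG = """
ip nat inside source static tcp 10.10.10.20 25 203.0.113.10 25 route-map rmap_1
ip nat inside source static 10.10.10.100 203.0.113.10 route-map rmap_1
"""

_STATIC = re.compile(r"^ip nat inside source static"
                     r"(?: (tcp|udp) (\S+) (\d+) (\S+) (\d+)| (\S+) (\S+))"
                     r"(?: route-map \S+)?$")


@dataclass(frozen=True)
class StaticNat:
    inside_local: str
    inside_global: str
    proto: Optional[str] = None       # None => whole-address translation
    local_port: Optional[int] = None
    global_port: Optional[int] = None


def parse_static_nat(config: str) -> list:
    """Parse the two static forms the thread uses; reject anything else."""
    rules = []
    for line in filter(None, (ln.strip() for ln in config.splitlines())):
        m = _STATIC.match(line)
        if not m:
            raise ValueError(f"unrecognised static NAT line: {line!r}")
        proto, local, lport, glob, gport, local2, glob2 = m.groups()
        rule = (StaticNat(local, glob, proto, int(lport), int(gport)) if proto
                else StaticNat(local2, glob2))
        ipaddress.ip_address(rule.inside_local)    # rejects placeholders
        ipaddress.ip_address(rule.inside_global)   # such as 216.x.x.x
        rules.append(rule)
    return rules


def resolve_inbound(rules, inside_global, proto, dst_port):
    """(inside_local, inside_port) that an inbound flow to
    inside_global:dst_port is sent to, or None if no entry translates it."""
    for r in rules:                  # most specific first: matching port entry
        if (r.proto, r.inside_global, r.global_port) == (proto, inside_global, dst_port):
            return r.inside_local, r.local_port
    for r in rules:                  # fallback: whole-address entry
        if r.proto is None and r.inside_global == inside_global:
            return r.inside_local, dst_port
    return None


def smtp_split_ok(rules, inside_global, filter_ip, server_ip):
    """Pre-change check: TCP/25 must land on the filter, HTTP(S) on the server."""
    return (resolve_inbound(rules, inside_global, "tcp", 25) == (filter_ip, 25)
            and all(resolve_inbound(rules, inside_global, "tcp", p) == (server_ip, p)
                    for p in (80, 443)))
```

Because the model resolves by specificity rather than by line order, swapping the two config lines gives the same answer, which is the point of the poster's "first entry first" question.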
 