How to move server from behind NAT to DMZ

Discussion in 'Cisco' started by Paul, Aug 9, 2005.

  1. Paul

    Paul Guest

    We have a block of IP addresses and have assigned various
    internet-facing servers public addresses using the following (on a
    1760):

    ip nat inside source static tcp i.i.i.i port e.e.e.e port extendable

    Incoming and outgoing mail works just fine until the mail server
    reports its name as mail.domain.com but with the public ip of the
    FastEthernet (NAT) interface. There are reverse dns issues and mail
    will occasionally be bounced:

    Received: from mail.domain.com (unknown [x.x.x.x])
    by mail.domain2.com

    (where x.x.x.x is the internet-facing interface of the 1760)

    I'd like this to happen:

    Received: from mail.domain.com (unknown [x.x.x.y])
    by mail.domain2.com

    (where x.x.x.y is the public ip assigned to the mail server)

    From what I've read, the mail server should sit in a dmz with its own
    public ip address but I'm not too sure exactly how to make the change.

    Presumably I pick an unused FastEthernet interface, enter "no shutdown"
    and hang a switch off that... but do I give it an ip address? Do I give
    the mail server a public ip, does it keep its private ip, does it need
    a new private ip for the dmz, or both? How does the routing work?

    I think I know what to do but am stuck on how to go about it. A prod
    in the right direction would be very much appreciated.
     
    Paul, Aug 9, 2005
    #1

  2. Paul wrote:
    > We have a block of IP addresses and have assigned various
    > internet-facing servers public addresses using the following (on a
    > 1760):
    >
    > ip nat inside source static tcp i.i.i.i port e.e.e.e port extendable
    >
    > Incoming and outgoing mail works just fine until the mail server
    > reports its name as mail.domain.com but with the public ip of the
    > FastEthernet (NAT) interface. There are reverse dns issues and mail
    > will occasionally be bounced:
    >
    > Received: from mail.domain.com (unknown [x.x.x.x])
    > by mail.domain2.com
    >
    > (where x.x.x.x is the internet-facing interface of the 1760)
    >
    > I'd like this to happen:
    >
    > Received: from mail.domain.com (unknown [x.x.x.y])
    > by mail.domain2.com
    >
    > (where x.x.x.y is the public ip assigned to the mail server)
    >
    > From what I've read, the mail server should sit in a dmz with its own
    > public ip address but I'm not too sure exactly how to make the change.
    >
    > Presumably I pick an unused FastEthernet interface, enter "no shutdown"
    > and hang a switch off that... but do I give it an ip address? Do I give
    > the mail server a public ip, does it keep its private ip, does it need
    > a new private ip for the dmz, or both? How does the routing work?
    >
    > I think I know what to do but am stuck on how to go about it. A prod
    > in the right direction would be very much appreciated.
    >

    This should solve your problem:
    http://www.cisco.com/en/US/products...s_configuration_example09186a008015efa9.shtml
    Be sure that you have the smtp fixup enabled.

    Andre
     
    Andre Janssen, Aug 10, 2005
    #2

  3. Paul

    Rod Dorman Guest

    In article <dddrvf$nkn$>, Andre Janssen <> wrote:
    >Paul wrote:
    > ...
    >Be sure that you have the smtp fixup enabled.


    Has that feature improved any or does it still clobber the 220
    response and refuse to accept EHLO?

    --
    -- Rod --
    rodd(at)polylogics(dot)com
     
    Rod Dorman, Aug 11, 2005
    #3
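The symptom in the first post (outbound mail arriving from x.x.x.x rather than x.x.x.y) can be reproduced with a small model of how static NAT entries are matched. This is an added example, not code or configuration from the thread. It assumes the router also has a dynamic overload (PAT) rule on the outside interface, which the post does not show; the addresses are constructed, and the one-to-one entry is included only for comparison and is not a suggestion made in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static' entry; proto=None means one-to-one."""
    local_ip: str
    global_ip: str
    proto: Optional[str] = None
    local_port: Optional[int] = None
    global_port: Optional[int] = None

def translate_outbound(src_ip: str, src_port: int, proto: str,
                       statics: List[StaticNat], overload_ip: str) -> Tuple[str, int]:
    """Source (ip, port) the remote host sees for an inside-to-outside packet."""
    for s in statics:
        if s.local_ip != src_ip:
            continue
        if s.proto is None:                      # one-to-one: matches every packet
            return s.global_ip, src_port
        if s.proto == proto and s.local_port == src_port:
            return s.global_ip, s.global_port    # port entry: exact port only
    # No static match: assumed dynamic overload (PAT) on the outside interface.
    # Simplification: the source port is kept unchanged.
    return overload_ip, src_port

# Constructed sample addresses (documentation ranges), standing in for the
# post's placeholders i.i.i.i, x.x.x.x and x.x.x.y.
MAIL_LOCAL = "10.0.0.25"
ROUTER_OUTSIDE = "192.0.2.1"
MAIL_PUBLIC = "192.0.2.25"

PORT_STATIC = [StaticNat(MAIL_LOCAL, MAIL_PUBLIC, "tcp", 25, 25)]
ONE_TO_ONE = [StaticNat(MAIL_LOCAL, MAIL_PUBLIC)]

def outbound_smtp_source(statics: List[StaticNat]) -> str:
    """IP a remote MX logs when the server connects from an ephemeral port."""
    ip, _ = translate_outbound(MAIL_LOCAL, 40000, "tcp", statics, ROUTER_OUTSIDE)
    return ip

if __name__ == "__main__":
    print("port static :", outbound_smtp_source(PORT_STATIC))
    print("one-to-one  :", outbound_smtp_source(ONE_TO_ONE))
    print("reply :25   :", translate_outbound(MAIL_LOCAL, 25, "tcp",
                                              PORT_STATIC, ROUTER_OUTSIDE))
```

The port-based entry only matches packets whose source port is 25, so replies on inbound sessions use the server's public address while sessions the server opens itself fall through to the interface address.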