Same external IP Address for two devices

Discussion in 'Cisco' started by theitman, Mar 1, 2007.

  1. theitman

    theitman Guest

    Hello all,
    I have a situation where our IT department has two Cisco 515e PIX
    (set up for fail-over) and now an internal server running GFI all
    resolving to the SAME external IP address (e.g. only the IP 216.95.95.66),
    seeing as our VPN clients connect to our PIX 515e Firewall
    Named: ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66
    and we now have an Email server
    Named: MAILourcompany.MYcompany.com at IP 216.95.95.66

    I need to know what problems we can expect or if we should change
    MAILourcompany.MYcompany.com to its own external IP address. I'm
    sure this needs to be changed, I just cannot explain why.
    Any help will be appreciated, Terry
     
    theitman, Mar 1, 2007
    #1

  2. theitman

    Trendkill Guest

    On Mar 1, 12:32 pm, "theitman" <> wrote:
    > Hello all,
    > I have a situation where our IT department has two Cisco 515e PIX
    > (set up for fail-over) and now an internal server running GFI all
    > resolving to the SAME external IP address (e.g. only the IP 216.95.95.66),
    > seeing as our VPN clients connect to our PIX 515e Firewall
    > Named: ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66
    > and we now have an Email server
    > Named: MAILourcompany.MYcompany.com at IP 216.95.95.66
    >
    > I need to know what problems we can expect or if we should change
    > MAILourcompany.MYcompany.com to its own external IP address. I'm
    > sure this needs to be changed, I just cannot explain why.
    > Any help will be appreciated, Terry


    I am assuming that the IP address you are using is an external address
    and these other boxes are internal and the address is being NATed. If
    this is the case, there is nothing wrong with running all of
    these services via the same IP provided the functions they provide do
    not have overlapping ports. In other words, you can run a web site
    (port 80 & 443), a VPN (UDP 500/10000), mail (25/110), all on the same
    NATed IP provided the rules are set up correctly to forward to an
    internal address based on port. However, you will have issues if you
    need to run, say, two mail servers, as you can't NAT to different
    internal IPs.

    Once you cross the threshold of being a small office, it is a good
    idea to separate the addresses logically, but it's all up to you.

    Lastly, I'm assuming the PIXs are set up for redundancy and are where
    the REAL IP address is sitting. This is a fine configuration as one
    is backing up the other in case of failure.
     
    Trendkill, Mar 1, 2007
    #2
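The port-based forwarding Trendkill describes, as an added example (editor's code, not from any poster and not PIX configuration): a small model of static PAT on one outside address. Each (protocol, port) key maps to exactly one inside host, so web, VPN and mail coexist on 216.95.95.66, a second mail server on tcp/25 is refused, and an inbound packet for a port with no rule translates to nothing, which is what the firewall does with it. The 10.0.0.x inside hosts are assumed for illustration.

```python
"""Model of port-based static PAT on a single outside address.

Editor's added example for this thread, not code from any poster or the PIX.
The outside address is the thread's placeholder; the 10.0.0.x inside hosts
are assumed for illustration.
"""


class PortForwardTable:
    """Inbound translations for one outside address, keyed by (proto, port)."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self._rules = {}  # (proto, outside_port) -> (inside_ip, inside_port)

    def forward(self, proto, outside_port, inside_ip, inside_port=None):
        """Add one static PAT entry. A (proto, port) pair can go to only one
        inside host: that is why two SMTP servers cannot share this address."""
        key = (proto.lower(), int(outside_port))
        if key in self._rules:
            taken = self._rules[key][0]
            raise ValueError(
                f"{proto}/{outside_port} on {self.outside_ip} already forwards to {taken}"
            )
        self._rules[key] = (inside_ip, int(inside_port or outside_port))

    def translate(self, proto, dst_ip, dst_port):
        """Inbound packet -> (inside_ip, inside_port), or None when no rule
        matches (the firewall drops it; nothing inside ever sees the SYN)."""
        if dst_ip != self.outside_ip:
            return None
        return self._rules.get((proto.lower(), int(dst_port)))

    def rules(self):
        return dict(self._rules)


def build_example():
    """Trendkill's example services on one NATed address (inside hosts assumed)."""
    t = PortForwardTable("216.95.95.66")
    t.forward("tcp", 80, "10.0.0.20")      # web
    t.forward("tcp", 443, "10.0.0.20")
    t.forward("udp", 500, "10.0.0.30")     # IKE
    t.forward("udp", 10000, "10.0.0.30")   # IPsec over UDP, the port Trendkill quotes
    t.forward("tcp", 25, "10.0.0.10")      # SMTP
    t.forward("tcp", 110, "10.0.0.10")     # POP3
    return t


def second_mail_server_conflicts(table):
    """True if adding another SMTP host on the same outside address is refused."""
    try:
        table.forward("tcp", 25, "10.0.0.11")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t = build_example()
    print(t.translate("tcp", "216.95.95.66", 25))     # ('10.0.0.10', 25)
    print(t.translate("tcp", "216.95.95.66", 3389))   # None: no rule, dropped
    print(second_mail_server_conflicts(t))            # True
```

The `translate` returning `None` is the case that matters later in this thread: publishing a DNS name for the outside address does not create a listener behind it; only a forwarding rule does.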

  3. theitman

    theitman Guest

    On Mar 1, 1:10 pm, "Trendkill" <> wrote:
    > On Mar 1, 12:32 pm, "theitman" <> wrote:
    >
    > > Hello all,
    > > I have a situation where our IT department has two Cisco 515e PIX
    > > (setup for fail-over) and now an internal server running GFI all
    > > resolving to the SAME external IP address (eg IP only 216.95.95.66 )
    > > seeing as our VPN clients connect to our PIX 515e Firewall
    > > Named: ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66
    > > and we now have an Email server
    > > Named: MAILourcompany.MYcompany.com at IP 216.95.95.66

    >
    > > I need to know what problems we can expect or of we should change the
    > > MAILourcompany.MYcompany.com to it's own external IP address. I'm
    > > sure this needs to be changed I just cannot explain why.
    > > Any help will be appreciated, Terry

    >
    > I am assuming that the IP address you are using is an external address
    > and these other boxes are internal and the address is being NATed. If
    > this is the case, there is nothing wrong with running all of
    > these services via the same IP provided the functions they provide do
    > not have overlapping ports. In other words, you can run a web site
    > (port 80 & 443), a VPN (UDP 500/10000), mail (25/110), all on the same
    > NATed IP provided the rules are set up correctly to forward to an
    > internal address based on port. However, you will have issues if you
    > need to run, say, two mail servers, as you can't NAT to different
    > internal IPs.
    >
    > Once you cross the threshold of being a small office, it is a good
    > idea to separate the addresses logically, but it's all up to you.
    >
    > Lastly, I'm assuming the PIXs are set up for redundancy and are where
    > the REAL IP address is sitting. This is a fine configuration as one
    > is backing up the other in case of failure.


    -
    Hello

    In my example the IP 216.95.95.66 is the external IP for the PIX
    The server named: MAILourcompany.MYcompany.com resolves to IP
    216.95.95.66
    (and our IT Guru created an MX record and rDNS record for this server
    name at this IP)

    The PIX DOES NOT have any Rules directing Mail (or any ports) for or
    to this server at all.

    The new MX record for this server MAILourcompany.MYcompany.com is
    preference 20
    however our Mail Server named: OurMailSrv.Mycompany.com is preference
    10 and has an external IP address and has NAT on the PIX

    They did all this because our email header reports from the (AntiSpam
    server running GFI) MAILourcompany.MYcompany.com at IP 216.95.95.66
    but the email cannot be rDNS-verified because the Exchange server has had
    the rDNS set up on its external IP.

    Any more suggestions? I can provide you with the real names and IP in
    email if that will help you help me : )
    Thanks, Terry
     
    theitman, Mar 1, 2007
    #3
  4. theitman

    Trendkill Guest

    On Mar 1, 1:37 pm, "theitman" <> wrote:
    > On Mar 1, 1:10 pm, "Trendkill" <> wrote:
    >
    >
    >
    > > On Mar 1, 12:32 pm, "theitman" <> wrote:

    >
    > > > Hello all,
    > > > I have a situation where our IT department has two Cisco 515e PIX
    > > > (setup for fail-over) and now an internal server running GFI all
    > > > resolving to the SAME external IP address (eg IP only 216.95.95.66 )
    > > > seeing as our VPN clients connect to our PIX 515e Firewall
    > > > Named: ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66
    > > > and we now have an Email server
    > > > Named: MAILourcompany.MYcompany.com at IP 216.95.95.66

    >
    > > > I need to know what problems we can expect or of we should change the
    > > > MAILourcompany.MYcompany.com to it's own external IP address. I'm
    > > > sure this needs to be changed I just cannot explain why.
    > > > Any help will be appreciated, Terry

    >
    > > I am assuming that the IP address you are using is an external address
    > > and these other boxes are internal and the address is being NATed. If
    > > this is the case, there is nothing wrong with running all of
    > > these services via the same IP provided the functions they provide do
    > > not have overlapping ports. In other words, you can run a web site
    > > (port 80 & 443), a VPN (UDP 500/10000), mail (25/110), all on the same
    > > NATed IP provided the rules are set up correctly to forward to an
    > > internal address based on port. However, you will have issues if you
    > > need to run, say, two mail servers, as you can't NAT to different
    > > internal IPs.
    > >
    > > Once you cross the threshold of being a small office, it is a good
    > > idea to separate the addresses logically, but it's all up to you.
    > >
    > > Lastly, I'm assuming the PIXs are set up for redundancy and are where
    > > the REAL IP address is sitting. This is a fine configuration as one
    > > is backing up the other in case of failure.

    >
    > -
    > Hello
    >
    > In my example the IP 216.95.95.66 is the external IP for the PIX
    > The server named: MAILourcompany.MYcompany.com resolves to IP
    > 216.95.95.66
    > (and our IT Guru created an MX record and rDNS record for this server
    > name at this IP)
    >
    > The PIX DOES NOT have any Rules directing Mail (or any ports) for or
    > to this server at all.
    >
    > The new MX record for this server MAILourcompany.MYcompany.com is
    > preference 20
    > however our Mail Server named: OurMailSrv.Mycompany.com is preference
    > 10 and has an external IP address and has NAT on the PIX
    >
    > They did all this because our email header reports from the (AntiSpam
    > server running GFI) MAILourcompany.MYcompany.com at IP 216.95.95.66
    > but the email cannot be rDNS-verified because the Exchange server has had
    > the rDNS set up on its external IP.
    >
    > Any more suggestions? I can provide you with the real names and IP in
    > email if that will help you help me : )
    > Thanks, Terry


    I am missing something. It is impossible to have two servers with the
    same IP on the same network. Well, I take that back, it is possible,
    but one will not work. I do not understand how you have a PIX and an
    external mail server interface with the same IP address. From a
    fundamental networking level, the ISP's router (or your own if this is
    a DMZ) is going to ARP for the IP address of the mail server. The
    mail server will respond, which will then establish an ARP entry in
    the router with the MAC of the mail server. At this time, the ARP
    table will have the shared IP, but only the MAC of the mail server,
    which will then break any traffic that needs to go to the PIX. What
    am I missing here? A small drawing would help, including routers/
    firewalls/subnets and the pertinent servers.
     
    Trendkill, Mar 1, 2007
    #4
  5. theitman

    chris Guest

    "theitman" <> wrote in message
    news:...
    > On Mar 1, 1:10 pm, "Trendkill" <> wrote:
    >> On Mar 1, 12:32 pm, "theitman" <> wrote:
    >>
    >> > Hello all,
    >> > I have a situation where our IT department has two Cisco 515e PIX
    >> > (setup for fail-over) and now an internal server running GFI all
    >> > resolving to the SAME external IP address (eg IP only 216.95.95.66 )
    >> > seeing as our VPN clients connect to our PIX 515e Firewall
    >> > Named: ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66
    >> > and we now have an Email server
    >> > Named: MAILourcompany.MYcompany.com at IP 216.95.95.66

    >>
    >> > I need to know what problems we can expect or of we should change the
    >> > MAILourcompany.MYcompany.com to it's own external IP address. I'm
    >> > sure this needs to be changed I just cannot explain why.
    >> > Any help will be appreciated, Terry

    >>
    >> I am assuming that the IP address you are using is an external address
    >> and these other boxes are internal and the address is being NATed. If
    >> this is the case, there is nothing wrong with running all of
    >> these services via the same IP provided the functions they provide do
    >> not have overlapping ports. In other words, you can run a web site
    >> (port 80 & 443), a VPN (UDP 500/10000), mail (25/110), all on the same
    >> NATed IP provided the rules are set up correctly to forward to an
    >> internal address based on port. However, you will have issues if you
    >> need to run, say, two mail servers, as you can't NAT to different
    >> internal IPs.
    >>
    >> Once you cross the threshold of being a small office, it is a good
    >> idea to separate the addresses logically, but it's all up to you.
    >>
    >> Lastly, I'm assuming the PIXs are set up for redundancy and are where
    >> the REAL IP address is sitting. This is a fine configuration as one
    >> is backing up the other in case of failure.

    >
    > -
    > Hello
    >
    > In my example the IP 216.95.95.66 is the external IP for the PIX
    > The server named: MAILourcompany.MYcompany.com resolves to IP
    > 216.95.95.66
    > (and our IT Guru created an MX record and rDNS record for this server
    > name at this IP)
    >
    > The PIX DOES NOT have any Rules directing Mail (or any ports) for or
    > to this server at all.
    >
    > The new MX record for this server MAILourcompany.MYcompany.com is
    > preference 20
    > however our Mail Server named: OurMailSrv.Mycompany.com is preference
    > 10 and has an external IP address and has NAT on the PIX
    >
    > They did all this because our email header reports from the (AntiSpam
    > server running GFI) MAILourcompany.MYcompany.com at IP 216.95.95.66
    > but the email cannot be rDNS-verified because the Exchange server has had
    > the rDNS set up on its external IP.
    >
    > Any more suggestions? I can provide you with the real names and IP in
    > email if that will help you help me : )
    > Thanks, Terry
    >


    This is kinda hard to understand without the actual details of what's what.
    So you have a PIX with an external IP address and you have a mail server
    that resolves to the same IP address and an antispam box that is also NATed
    to the same IP address (so that forward and reverse DNS match).

    There's no reason that the rDNS for your outgoing mail has to resolve to the
    same IP address that your MX record does (if the outbound server isn't the
    same as the inbound). As long as it has a valid 'A record' then it will be
    fine.

    You can run any number of servers behind that PIX and have them all resolve
    to the same IP address if you are port forwarding. This isn't an issue.

    Chris.
     
    chris, Mar 1, 2007
    #5
  6. theitman

    theitman Guest

    On Mar 1, 1:57 pm, "chris" <> wrote:
    > "theitman" <> wrote in message
    >
    > news:...
    >
    >
    >
    >
    >
    > > On Mar 1, 1:10 pm, "Trendkill" <> wrote:
    > >> On Mar 1, 12:32 pm, "theitman" <> wrote:

    >
    > >> > Hello all,
    > >> > I have a situation where our IT department has two Cisco 515e PIX
    > >> > (setup for fail-over) and now an internal server running GFI all
    > >> > resolving to the SAME external IP address (eg IP only 216.95.95.66 )
    > >> > seeing as our VPN clients connect to our PIX 515e Firewall
    > >> > Named: ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66
    > >> > and we now have an Email server
    > >> > Named: MAILourcompany.MYcompany.com at IP 216.95.95.66

    >
    > >> > I need to know what problems we can expect or of we should change the
    > >> > MAILourcompany.MYcompany.com to it's own external IP address. I'm
    > >> > sure this needs to be changed I just cannot explain why.
    > >> > Any help will be appreciated, Terry

    >
    > >> I am assuming that the IP address you are using is an external address
    > >> and these other boxes are internal and the address is being NATed. If
    > >> this is the case, there is nothing wrong with running all of
    > >> these services via the same IP provided the functions they provide do
    > >> not have overlapping ports. In other words, you can run a web site
    > >> (port 80 & 443), a VPN (UDP 500/10000), mail (25/110), all on the same
    > >> NATed IP provided the rules are set up correctly to forward to an
    > >> internal address based on port. However, you will have issues if you
    > >> need to run, say, two mail servers, as you can't NAT to different
    > >> internal IPs.
    > >>
    > >> Once you cross the threshold of being a small office, it is a good
    > >> idea to separate the addresses logically, but it's all up to you.
    > >>
    > >> Lastly, I'm assuming the PIXs are set up for redundancy and are where
    > >> the REAL IP address is sitting. This is a fine configuration as one
    > >> is backing up the other in case of failure.

    >
    > > -
    > > Hello
    > >
    > > In my example the IP 216.95.95.66 is the external IP for the PIX
    > > The server named: MAILourcompany.MYcompany.com resolves to IP
    > > 216.95.95.66
    > > (and our IT Guru created an MX record and rDNS record for this server
    > > name at this IP)
    > >
    > > The PIX DOES NOT have any Rules directing Mail (or any ports) for or
    > > to this server at all.
    > >
    > > The new MX record for this server MAILourcompany.MYcompany.com is
    > > preference 20
    > > however our Mail Server named: OurMailSrv.Mycompany.com is preference
    > > 10 and has an external IP address and has NAT on the PIX
    > >
    > > They did all this because our email header reports from the (AntiSpam
    > > server running GFI) MAILourcompany.MYcompany.com at IP 216.95.95.66
    > > but the email cannot be rDNS-verified because the Exchange server has had
    > > the rDNS set up on its external IP.
    > >
    > > Any more suggestions? I can provide you with the real names and IP in
    > > email if that will help you help me : )
    > > Thanks, Terry

    >
    > This is kinda hard to understand without the actual details of what's what.
    > So you have a PIX with an external IP address and you have a mail server
    > that resolves to the same IP address and an antispam box that is also NATed
    > to the same IP address (so that forward and reverse DNS match).
    >
    > There's no reason that the rDNS for your outgoing mail has to resolve to the
    > same IP address that your MX record does (if the outbound server isn't the
    > same as the inbound). As long as it has a valid 'A record' then it will be
    > fine.
    >
    > You can run any number of servers behind that PIX and have them all resolve
    > to the same IP address if you are port forwarding. This isn't an issue.
    >
    > Chris.


    -
    Hello,
    Here is what we have
    (Note: The IPs are NOT our real IPs)

    PIX 515e (two of them for fail-over) PIX external IP is 216.95.95.66

    Real Mail server is ExchangeMailServer.Mycompany.com 216.95.95.70
    note: ExchangeMailServer.Mycompany.com 216.95.95.70 is NAT and has
    rules on the PIX for mail

    AntiSpam-GFI-Server.Mycompany.com has NO External IP address, NO Rules
    in the PIX for any ports
    however, it reports the PIX IP address as its IP in the mail header
    as 216.95.95.66
    Our IT guy created an MX Record for the server
    AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66
    Our IT guy created an rDNS PTR Record for the server
    AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66

    http://www.dnsstuff.com/tools/lookup.ch?name=armlink.com&type=ALL

    I need to know if this will cause problems and why so I can insist on
    the Rule in the PIX (I know we need the rules, I just can't make them
    understand why)


    Thanks for helping, Terry
     
    theitman, Mar 1, 2007
    #6
  7. theitman

    Smokey Guest

    theitman wrote:
    > On Mar 1, 1:57 pm, "chris" <> wrote:
    >> "theitman" <> wrote in message

    > Hello,
    > Here is what we have
    > (Note: The IPs are NOT our real IPs)
    >
    > PIX 515e (two of them for fail-over) PIX external IP is 216.95.95.66
    >
    > Real Mail server is ExchangeMailServer.Mycompany.com 216.95.95.70
    > note: ExchangeMailServer.Mycompany.com 216.95.95.70 is NAT and has
    > rules on the PIX for mail
    >
    > AntiSpam-GFI-Server.Mycompany.com has NO External IP address, NO Rules
    > in the PIX for any ports
    > however, it reports the PIX IP address as its IP in the mail header
    > as 216.95.95.66
    > Our IT guy created an MX Record for the server
    > AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66
    > Our IT guy created an rDNS PTR Record for the server
    > AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66
    >


    So you are saying that your anti-spam server has no inbound rules set
    for it, then what good is the anti-spam product? Email should come
    in to the GFI server before it reaches the Exchange mail server, and your
    MX records do not show that that is what is happening. So in essence your
    anti-spam device is doing nothing for you at this point. If this is what
    is intended then I cannot see any problem with your current setup.
     
    Smokey, Mar 1, 2007
    #7
  8. theitman

    chris Guest

    "Smokey" <> wrote in message
    news:...
    > theitman wrote:
    >> On Mar 1, 1:57 pm, "chris" <> wrote:
    >>> "theitman" <> wrote in message

    >> Hello,
    >> Here is what we have
    >> (Note: The IPs are NOT our real IPs)
    >>
    >> PIX 515e (two of them for fail-over) PIX external IP is 216.95.95.66
    >>
    >> Real Mail server is ExchangeMailServer.Mycompany.com 216.95.95.70
    >> note: ExchangeMailServer.Mycompany.com 216.95.95.70 is NAT and has
    >> rules on the PIX for mail
    >>
    >> AntiSpam-GFI-Server.Mycompany.com has NO External IP address, NO Rules
    >> in the PIX for any ports
    >> however, it reports the PIX IP address as its IP in the mail header
    >> as 216.95.95.66
    >> Our IT guy created an MX Record for the server
    >> AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66
    >> Our IT guy created an rDNS PTR Record for the server
    >> AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66
    >>

    >
    > So you are saying that your anti-spam server has no inbound rules set for
    > it, then what good is the anti-spam product? Email should come in to
    > the GFI server before it reaches the Exchange mail server, and your MX
    > records do not show that that is what is happening. So in essence your
    > anti-spam device is doing nothing for you at this point. If this is what
    > is intended then I cannot see any problem with your current setup.


    I agree with Smokey on this one. Your inbound mail is delivered to
    saamail.armlink.com, which I presume is your Exchange server (NATed on the
    PIX to 216.95.169.70), and you are not filtering? However, if I connect to
    that host I get ..

    220 SPAMFILTER.armlink.com Microsoft ESMTP MAIL Service

    So now I'm more confused.

    Anyway, your primary MX is working fine. If your outbound mail server is
    spamfilter.armlink.com and this is just PATed to the external address of the
    PIX, this is fine for outbound, as long as you have rDNS, which you seem to
    have.

    66.169.95.216.in-addr.arpa. 1H IN PTR spamfilter.armlink.com

    So, I don't see that you have any issues here. Your mail comes into
    216.95.169.70, which is configured as a static on the PIX with the
    appropriate ACL, and your outbound mail server is just PATed out to the
    firewall's external address of 216.95.169.69.

    What was the question again?

    Chris.
     
    chris, Mar 1, 2007
    #8
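Putting Terry's description in post #6 together with Chris's answers in #5 and #8 and Smokey's point in #7, as an added example (editor's code, not from any poster): the DNS records and firewall rules below are constructed to mirror the thread's placeholder names and addresses, and the two checks are the ones sending and receiving mail servers actually perform. `fcrdns()` is the forward-confirmed reverse DNS test a receiver runs on the connecting address, which is why outbound mail PATed out of 216.95.95.66 is fine once the PTR and A records agree and why it need not match the MX. `check_mx()` walks the published MX list the way a sender does and reports the one real defect in the setup: the preference-20 MX points at an address with no tcp/25 forwarding, so a sender that falls back to it while the primary is down reaches nothing. The 10.0.0.x inside host is assumed.

```python
"""Check mail DNS against what the firewall actually forwards.

Editor's added example for this thread, not code from any poster. The records
and rules below are constructed to mirror Terry's description; names and
addresses are the thread's placeholders, and the inside host is assumed.
"""

# --- constructed DNS data ---------------------------------------------------
A_RECORDS = {
    "exchangemailserver.mycompany.com": "216.95.95.70",
    "antispam-gfi-server.mycompany.com": "216.95.95.66",  # the PIX's outside address
    "ourcompanypixfw.mycompany.com": "216.95.95.66",
}
MX_RECORDS = [  # (preference, target) for mycompany.com; lower is tried first
    (10, "exchangemailserver.mycompany.com"),
    (20, "antispam-gfi-server.mycompany.com"),
]
PTR_RECORDS = {
    "216.95.95.70": "exchangemailserver.mycompany.com",
    "216.95.95.66": "antispam-gfi-server.mycompany.com",
}

# --- constructed inbound forwarding on the PIX ------------------------------
# (outside_ip, proto, port) -> inside host (assumed). Only the Exchange static
# exists; there is no SMTP rule on the PIX's own address, exactly as Terry says.
INBOUND_RULES = {
    ("216.95.95.70", "tcp", 25): "10.0.0.10",
}


def fcrdns(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed reverse DNS on a *connecting* address.

    This is what a receiving MTA checks on outbound mail: PTR(ip) must name a
    host whose A record points back at ip. It says nothing about MX records,
    which is Chris's point that outbound rDNS and inbound MX need not agree.
    """
    name = ptr.get(ip)
    if name is None:
        return False, f"{ip}: no PTR record"
    forward = a.get(name.lower())
    if forward != ip:
        return False, f"{ip}: PTR names {name}, but A({name}) = {forward}"
    return True, f"{ip}: PTR {name} confirmed by its A record"


def check_mx(mx=MX_RECORDS, a=A_RECORDS, rules=INBOUND_RULES):
    """For every published MX, is there actually an SMTP listener behind it?

    Returns (preference, target, ip, status) in the order senders try them.
    A sender that cannot reach the primary moves to the next preference; an
    MX whose address drops tcp/25 is a dead end, not a backup.
    """
    findings = []
    for pref, target in sorted(mx):
        ip = a.get(target.lower())
        if ip is None:
            findings.append((pref, target, None, "no A record"))
        elif (ip, "tcp", 25) in rules:
            findings.append((pref, target, ip, "ok"))
        else:
            findings.append((pref, target, ip, "no inbound rule for tcp/25"))
    return findings


def dead_mx_targets(mx=MX_RECORDS, a=A_RECORDS, rules=INBOUND_RULES):
    """Names of MX hosts that will never accept a connection as configured."""
    return [t for _, t, _, status in check_mx(mx, a, rules) if status != "ok"]


if __name__ == "__main__":
    print(fcrdns("216.95.95.66"))   # outbound via PAT: (True, ...)
    for row in check_mx():
        print(row)
    print(dead_mx_targets())        # ['antispam-gfi-server.mycompany.com']
```

The fix Terry wants to argue for is the missing rule, not a new address: on a PIX 6.x the interface-address form is roughly `static (inside,outside) tcp interface smtp <gfi-inside-ip> smtp netmask 255.255.255.255` plus an access-list entry permitting tcp from any to the outside address on port 25, applied inbound on the outside interface (inside address assumed; check the exact syntax against the running PIX version). With that entry present in `INBOUND_RULES`, `dead_mx_targets()` returns an empty list, and the GFI box is then in the inbound path as Smokey expects rather than only stamping outbound headers.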
