SMTP Port Forwarding

Discussion in 'Cisco' started by Robert Jacobs, Apr 28, 2009.

  1. Experts (thank you in advance),

    Our company recently purchased a new stand-alone spam filter. This
    device sits on the network, like any other system or server, receives
    incoming smtp traffic, filters the messages, and forwards any
    legitimate e-mails to the mail server for processing to the clients.

    There are two ways to set this feature up. The first is MX Records
    (which we really don't want to do). The second, and preferred method
    is via Port Forwarding.

    My question:

    The external IP address for our mail server is NAT translated to our
    internal server (which happens to also be our web server). Therefore,
    we need to set it up so when an e-mail comes into this external IP
    address, it is NAT translated to the new spam filter's IP address, but
    all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
    NAT translated to the web/e-mail server directly, without being
    forwarded through the spam filter. How can I set this up?

    Any help is greatly appreciated. I have included the part of my
    router config that I THINK I need to be looking at, please let me know
    if you need anything I'm not thinking of, or if I'm just completely
    off base with what I'm attempting to do. Thank you so much!



    ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload
    ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1 (I
    don't wish to enter my actual external IP)

    route-map rmap_1 permit 1
    match ip address NAT_ACL_1

    ip access-list extended NAT_ACL_1
    permit ip host 10.10.10.100 any
    Robert Jacobs, Apr 28, 2009
    #1

  2. Robert Jacobs

    Chino Guest

    >
    > The external IP address for our mail server is NAT translated to our
    > internal server (which happens to also be our web server). Therefore,
    > we need to set it up so when an e-mail comes into this external IP
    > address, it is NAT translated to the new spam filter's IP address, but
    > all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
    > NAT translated to the web/e-mail server directly, without being
    > forwarded through the spam filter. How can I set this up?
    >


    You have to do Port translation instead of address translation.
    This mean you have to specify every single port you need to be accessed from
    the Internet.
    Something like

    ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    ip nat inside source static tcp 10.10.10.z 80 216.x.x.x 80
    ip nat inside source static tcp 10.10.10.z 443 216.x.x.x 443
    Chino, Apr 28, 2009
    #2

  3. On Apr 28, 10:04 am, "Chino" <> wrote:
    > > The external IP address for our mail server is NAT translated to our
    > > internal server (which happens to also be our web server).  Therefore,
    > > we need to set it up so when an e-mail comes into this external IP
    > > address, it is NAT translated to the new spam filter's IP address, but
    > > all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
    > > NAT translated to the web/e-mail server directly, without being
    > > forwarded through the spam filter.  How can I set this up?

    >
    > You have to do Port translation instead of address translation.
    > This mean you have to specify every single port you need to be accessed from
    > the Internet.
    > Something like
    >
    > ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    > ip nat inside source static tcp 10.10.10.z 80 216.x.x.x 80
    > ip nat inside source static tcp 10.10.10.z 443 216.x.x.x 443


    Oh, OK. That sounds good. Question, though. If I want to only
    transfer port 25 to 10.10.10.y, and all others to 10.10.10.z, can I
    not do this?:

    ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    ip nat inside source static tcp 10.10.10.z 216.x.x.x

    Or would I have to specify every single port going to 10.10.10.z? I
    ask, because I'm not 100 percent sure if I know every port used to
    communicate with 10.10.10.z. Or would this be better?

    ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range
    1 24
    ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x
    range 26 10000

    I'm not even sure that is the right syntax... I'm hoping my first
    example would suffice. Thanks again!
    Robert Jacobs, Apr 28, 2009
    #3
  4. Robert Jacobs

    Thrill5 Guest

    The best, easiest, and standard way to do this is using MX records. The
    easiest way to do this without any downtime is to create another MX record
    that points to the new address of the SPAM filter with a lower priority of
    the existing server. The existing server will be used because it has a
    higher priority. After waiting the TTL time of the original MX record (so
    that the DNS record is expired by any DNS server that may be caching it),
    swap the priorities of the two MX records. Traffic will now go into the
    SPAM filter. After waiting another TTL interval, remove the original MX
    record. Very easy and simple.




    "Robert Jacobs" <> wrote in message
    news:...
    > Experts (thank you in advance),
    >
    > Our company recently purchased a new stand-alone spam filter. This
    > device sits on the network, like any other system or server, receives
    > incoming smtp traffic, filters the messages, and forwards any
    > legitimate e-mails to the mail server for processing to the clients.
    >
    > There are two ways to set this feature up. The first is MX Records
    > (which we really don't want to do). The second, and preferred method
    > is via Port Forwarding.
    >
    > My question:
    >
    > The external IP address for our mail server is NAT translated to our
    > internal server (which happens to also be our web server). Therefore,
    > we need to set it up so when an e-mail comes into this external IP
    > address, it is NAT translated to the new spam filter's IP address, but
    > all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
    > NAT translated to the web/e-mail server directly, without being
    > forwarded through the spam filter. How can I set this up?
    >
    > Any help is greatly appreciated. I have included the part of my
    > router config that I THINK I need to be looking at, please let me know
    > if you need anything I'm not thinking of, or if I'm just completely
    > off base with what I'm attempting to do. Thank you so much!
    >
    >
    >
    > ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload
    > ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1 (I
    > don't wish to enter my actual external IP)
    >
    > route-map rmap_1 permit 1
    > match ip address NAT_ACL_1
    >
    > ip access-list extended NAT_ACL_1
    > permit ip host 10.10.10.100 any
    Thrill5, Apr 28, 2009
    #4
  5. On Apr 28, 1:13 pm, "Thrill5" <> wrote:
    > The best, easiest, and standard way to do this is using MX records.  The
    > easiest way to do this without any downtime is to create another MX record
    > that points to the new address of the SPAM filter with a lower priority of
    > the existing server.   The existing server will be used because it has a
    > higher priority.  After waiting the TTL time of the original MX record (so
    > that the DNS record is expired by any DNS server that may be caching it),
    > swap the priorities of the two MX records.  Traffic will now go into the
    > SPAM filter.  After waiting another TTL interval, remove the original MX
    > record.  Very easy and simple.
    >
    > "Robert Jacobs" <> wrote in message
    >
    > news:...
    >
    >
    >
    > > Experts (thank you in advance),

    >
    > > Our company recently purchased a new stand-alone spam filter.  This
    > > device sits on the network, like any other system or server, receives
    > > incoming smtp traffic, filters the messages, and forwards any
    > > legitimate e-mails to the mail server for processing to the clients.

    >
    > > There are two ways to set this feature up.  The first is MX Records
    > > (which we really don't want to do).  The second, and preferred method
    > > is via Port Forwarding.

    >
    > > My question:

    >
    > > The external IP address for our mail server is NAT translated to our
    > > internal server (which happens to also be our web server).  Therefore,
    > > we need to set it up so when an e-mail comes into this external IP
    > > address, it is NAT translated to the new spam filter's IP address, but
    > > all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
    > > NAT translated to the web/e-mail server directly, without being
    > > forwarded through the spam filter.  How can I set this up?

    >
    > > Any help is greatly appreciated.  I have included the part of my
    > > router config that I THINK I need to be looking at, please let me know
    > > if you need anything I'm not thinking of, or if I'm just completely
    > > off base with what I'm attempting to do.  Thank you so much!

    >
    > > ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload
    > > ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1 (I
    > > don't wish to enter my actual external IP)

    >
    > > route-map rmap_1 permit 1
    > > match ip address NAT_ACL_1

    >
    > > ip access-list extended NAT_ACL_1
    > > permit ip host 10.10.10.100 any


    That does make sense, however, this existing server will still need to
    be the primary server for all http, ftp, and all other traffic, aside
    from SMTP. It is an enterprise iSeries server, and it is the main
    server for our company website, our ordering system, our mail server,
    and many other services.

    If I'm understanding it correctly, the only way the MX record would
    help, would be if we had another external IP address to forward only
    SMTP traffic coming to our domain name, but I'm not even sure that is
    a possibility. For these reasons, I think the port translations
    within NAT are really the best/only way to really accomplish what I'm
    looking to accomplish.

    Thank you very much for your insight, though, it is greatly
    appreciated. Do you by chance know how to do the NAT entry I put
    above would work?

    ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    ip nat inside source static tcp 10.10.10.z 216.x.x.x

    If I am understanding this correctly, it will take the first entry
    first, so if any SMTP traffic is coming to this IP address, translate
    it to the SPAM filter, else (if anything else), send it to our
    enterprise server.

    Thanks again everybody for your speedy response. This is, hopefully,
    the last answer I will need to complete this project!
    Robert Jacobs, Apr 28, 2009
    #5
  6. Robert Jacobs

    bod43 Guest

    On 28 Apr, 19:29, Robert Jacobs <> wrote:
    > On Apr 28, 1:13 pm, "Thrill5" <> wrote:
    >
    >
    >
    > > The best, easiest, and standard way to do this is using MX records.  The
    > > easiest way to do this without any downtime is to create another MX record
    > > that points to the new address of the SPAM filter with a lower priority of
    > > the existing server.   The existing server will be used because it has a
    > > higher priority.  After waiting the TTL time of the original MX record (so
    > > that the DNS record is expired by any DNS server that may be caching it),
    > > swap the priorities of the two MX records.  Traffic will now go into the
    > > SPAM filter.  After waiting another TTL interval, remove the original MX
    > > record.  Very easy and simple.

    >
    > > "Robert Jacobs" <> wrote in message

    >
    > >news:...

    >
    > > > Experts (thank you in advance),

    >
    > > > Our company recently purchased a new stand-alone spam filter.  This
    > > > device sits on the network, like any other system or server, receives
    > > > incoming smtp traffic, filters the messages, and forwards any
    > > > legitimate e-mails to the mail server for processing to the clients.

    >
    > > > There are two ways to set this feature up.  The first is MX Records
    > > > (which we really don't want to do).  The second, and preferred method
    > > > is via Port Forwarding.

    >
    > > > My question:

    >
    > > > The external IP address for our mail server is NAT translated to our
    > > > internal server (which happens to also be our web server).  Therefore,
    > > > we need to set it up so when an e-mail comes into this external IP
    > > > address, it is NAT translated to the new spam filter's IP address, but
    > > > all other traffic coming in (FTP, HTTP, etc.), needs to continue to be
    > > > NAT translated to the web/e-mail server directly, without being
    > > > forwarded through the spam filter.  How can I set this up?

    >
    > > > Any help is greatly appreciated.  I have included the part of my
    > > > router config that I THINK I need to be looking at, please let me know
    > > > if you need anything I'm not thinking of, or if I'm just completely
    > > > off base with what I'm attempting to do.  Thank you so much!

    >
    > > > ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload
    > > > ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1 (I
    > > > don't wish to enter my actual external IP)

    >
    > > > route-map rmap_1 permit 1
    > > > match ip address NAT_ACL_1

    >
    > > > ip access-list extended NAT_ACL_1
    > > > permit ip host 10.10.10.100 any

    >
    > That does make sense, however, this existing server will still need to
    > be the primary server for all http, ftp, and all other traffic, aside
    > from SMTP.  It is an enterprise iSeries server, and it is the main
    > server for our company website, our ordering system, our mail server,
    > and many other services.
    >
    > If I'm understanding it correctly, the only way the MX record would
    > help, would be if we had another external IP address to forward only
    > SMTP traffic coming to our domain name, but I'm not even sure that is
    > a possibility.  For these reasons, I think the port translations
    > within NAT are really the best/only way to really accomplish what I'm
    > looking to accomplish.
    >
    > Thank you very much for your insight, though, it is greatly
    > appreciated.  Do you by chance know how to do the NAT entry I put
    > above would work?
    >
    > ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    > ip nat inside source static tcp 10.10.10.z 216.x.x.x
    >
    > If I am understanding this correctly, it will take the first entry
    > first, so if any SMTP traffic is coming to this IP address, translate
    > it to the SPAM filter, else (if anything else), send it to our
    > enterprise server.
    >
    > Thanks again everybody for your speedy response.  This is, hopefully,
    > the last answer I will need to complete this project!


    For sure you can accomplish what you want. No problem at all.

    My guess is that your syntax will work however the best
    thing to do is to try it out.

    If you don't have a lab then you can test with dynamips

    telnet ....... 25
    telnet ....... other-ports

    sh ip nat tr

    Not everyone makes these exact changes every day
    and I for one forget precise details quite quickly:(
    bod43, Apr 29, 2009
    #6
  7. Robert Jacobs

    Chino Guest


    >ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    >ip nat inside source static tcp 10.10.10.z 216.x.x.x

    >ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    >ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range
    >1 24
    >ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x
    >range 26 10000

    >I'm not even sure that is the right syntax... I'm hoping my first
    >example would suffice. Thanks again!



    I just don't know, never tried it out.
    If you're going to do some test, please let us know the results.
    Chino, Apr 29, 2009
    #7
  8. On Apr 29, 4:37 am, "Chino" <> wrote:
    > >ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    > >ip nat inside source static tcp 10.10.10.z 216.x.x.x
    > >ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    > >ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range
    > >1 24
    > >ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x
    > >range 26 10000
    >
    > >I'm not even sure that is the right syntax...  I'm hoping my first
    > >example would suffice.  Thanks again!

    >
    > I just don't know, never tried it out.
    > If you're going to do some test, please let us know the results.


    I don't have the equipment to do any tests, and I don't have the know
    what dynamips is (and I wouldn't know how to re-create my scenario
    even if I did). We are planning on doing this change tomorrow night
    (4/30/09 - EOM), and I will make sure to come out here and let you
    know what happens. Thanks again for your help, and if anybody sees
    this post before then, who knows for sure that my syntax will or will
    not work, please let me know. Thank you.
    Robert Jacobs, Apr 29, 2009
    #8
  9. On Apr 29, 4:37 am, "Chino" <> wrote:
    > >ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    > >ip nat inside source static tcp 10.10.10.z 216.x.x.x
    > >ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
    > >ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range
    > >1 24
    > >ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x
    > >range 26 10000
    >
    > >I'm not even sure that is the right syntax...  I'm hoping my first
    > >example would suffice.  Thanks again!

    >
    > I just don't know, never tried it out.
    > If you're going to do some test, please let us know the result


    I replied to this earlier, but it didn't show up. I don't have the
    equipment or lines to test this with, and I don't know what dynamips
    is (and wouldn't know how to recreate my exact scenario, even if I
    did. I plan on making this change tomorrow night (04/30/09 - EOM),
    and I will make sure to re-post with my conclusion.

    Also, if anybody does happen to come across the correct syntax before
    then, please let me know. And, just to verify, in my original post, I
    wrote that my config looked like this:

    ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1

    But all posts afterwards have left out the 'route-map rmap_1'. Is it
    still okay to include that at the end of the nat translation when
    specifying the port to translate as well? I'm assuming so, but you
    know what they say about people that assume.

    Thanks again, you guys have been awesome.
    Robert Jacobs, Apr 29, 2009
    #9
  10. Alright everybody, I was able to get this working. Here's what I had
    to do:

    1. I had to remove ip nat inside/outside on interfaces then clear the
    ip nat translations:

    i.e.
    interface Ethernet0
    no ip nat inside
    exit
    interface Ethernet1
    no ip nat outside
    exit
    do clear ip nat translation forced

    2. I removed my NAT_ACL_1 and route-map rmap_1 just as a precaution
    (I didn't know if I needed to, so I did it to be safe).

    3. Add the ip nat inside source - to specify the port, I had to put
    'tcp' before the ip address, but I didn't want it when specifying
    everything other than smtp traffic:

    i.e.
    ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25 route-map
    rmap_1
    ip nat inside source static 10.10.10.z 216.x.x.x route-map rmap_1

    4. Re-added the NAT_ACL_1 and route-map rmap_1.

    5. Re-apply ip nat inside and ip nat outside to respective
    interfaces.

    Done :) Thanks again for your help everybody.
    Robert Jacobs, May 1, 2009
    #10
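    As an added illustration (my own Python model, not IOS code and not from the thread): it parses the two static-NAT forms from post #10, rejects the bare `static tcp A B` form tried in post #3 (the protocol keyword requires both ports), and resolves inbound connections the way the working configuration steers them, with the port-specific entry taking precedence over the address-wide one. The poster's placeholder addresses are kept as literal strings, and `exposure_map` makes visible that every port not carved out still lands on 10.10.10.z.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class StaticNat:
    """One 'ip nat inside source static' entry (model, not IOS internals)."""
    inside_local: str
    inside_global: str
    proto: Optional[str] = None      # "tcp"/"udp" for port entries, None for address-wide
    local_port: Optional[int] = None
    global_port: Optional[int] = None

def parse_static_nat(line: str) -> StaticNat:
    """Parse the two forms used in the thread; a trailing 'route-map NAME'
    only conditions inside->outside translation, so it is stripped here."""
    words = line.split()
    if words[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError(f"not a static NAT entry: {line!r}")
    rest = words[5:]
    if "route-map" in rest:
        rest = rest[:rest.index("route-map")]
    if rest and rest[0] in ("tcp", "udp"):
        if len(rest) != 5:
            # Shape of the poster's first attempt ('static tcp A B'): the
            # protocol keyword requires <lport> and <gport>, hence it failed.
            raise ValueError(f"{rest[0]} entry needs <local> <lport> <global> <gport>: {line!r}")
        proto, local, lport, glob, gport = rest
        return StaticNat(local, glob, proto, int(lport), int(gport))
    if len(rest) != 2:
        raise ValueError(f"address-wide entry needs <local> <global>: {line!r}")
    return StaticNat(rest[0], rest[1])

def is_valid_entry(line: str) -> bool:
    try:
        parse_static_nat(line)
        return True
    except ValueError:
        return False

def resolve_inbound(entries: List[StaticNat], proto: str, dst_ip: str,
                    dst_port: int) -> Optional[Tuple[str, int]]:
    """Inside host for a packet from the Internet to dst_ip:dst_port.
    A port-specific entry for the global address beats the address-wide one
    whatever the configuration order; the address-wide entry catches all else
    (including UDP to port 25, which the tcp-only entry does not match)."""
    for e in entries:
        if e.proto == proto and e.inside_global == dst_ip and e.global_port == dst_port:
            return e.inside_local, e.local_port
    for e in entries:
        if e.proto is None and e.inside_global == dst_ip:
            return e.inside_local, dst_port
    return None

def exposure_map(entries: List[StaticNat], proto: str, dst_ip: str,
                 ports: List[int]) -> Dict[int, Optional[str]]:
    """Which inside host answers each port: everything not carved out goes to
    the address-wide host, so an outside-interface ACL should still limit it."""
    return {p: (resolve_inbound(entries, proto, dst_ip, p) or (None, None))[0] for p in ports}

# Constructed from post #10, placeholders kept exactly as the poster wrote them.
WORKING_CONFIG = [
    "ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25 route-map rmap_1",
    "ip nat inside source static 10.10.10.z 216.x.x.x route-map rmap_1",
]
ENTRIES = [parse_static_nat(l) for l in WORKING_CONFIG]
```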