Same external IP Address for two devices

Hello all, I have a situation where our IT department has two Cisco 515e PIX (set up for fail-over) and now an internal server running GFI all resolving to the SAME external IP address (e.g. 216.95.95.66), seeing as our VPN clients connect to our PIX 515e firewall named ourcompanyPIXFW.MYcompany.com at IP 216.95.95.66, and we now have an email server named MAILourcompany.MYcompany.com at IP 216.95.95.66.

I need to know what problems we can expect, or if we should change MAILourcompany.MYcompany.com to its own external IP address. I'm sure this needs to be changed, I just cannot explain why. Any help will be appreciated, Terry

Reply to
theitman

I am assuming that the IP address you are using is an external address and these other boxes are internal and the address is being NATed. If this is the case, there is nothing wrong with running all of these services via the same IP provided the functions they provide do not have overlapping ports. In other words, you can run a web site (ports 80 & 443), a VPN (UDP 500/10000), mail (25/110), all on the same NATed IP provided the rules are set up correctly to forward to an internal address based on port. However, you will have issues if you need to run, say, two mail servers, as you can't NAT the same port to different internal IPs.

Once you cross the threshold of being a small office, it is a good idea to separate the addresses logically, but it's all up to you.

Lastly, I'm assuming the PIXs are set up for redundancy and are where the REAL IP address is sitting. This is a fine configuration, as one is backing up the other in case of failure.

Reply to
Trendkill

Hello,

In my example the IP 216.95.95.66 is the external IP for the PIX. The server named MAILourcompany.MYcompany.com resolves to IP 216.95.95.66 (and our IT guru created an MX record and rDNS record for this server name at this IP).

The PIX DOES NOT have any rules directing mail (or any ports) to this server at all.

The new MX record for this server, MAILourcompany.MYcompany.com, is preference 20; however, our mail server named OurMailSrv.Mycompany.com is preference 10 and has its own external IP address and NAT on the PIX.

They did all this because our email headers report the sender as the anti-spam server running GFI, MAILourcompany.MYcompany.com at IP 216.95.95.66, but the email cannot pass rDNS because the Exchange server has had the rDNS set up on its own external IP.

Any more suggestions? I can provide you with the real names and IPs in email if that will help you help me :) Thanks, Terry

Reply to
theitman

I am missing something. It is impossible to have two servers with the same IP on the same network. Well, I take that back, it is possible, but one will not work. I do not understand how you have a PIX and an external mail server interface with the same IP address. From a fundamental networking level, the ISP's router (or your own if this is a DMZ) is going to ARP for the IP address of the mail server. The mail server will respond, which will then establish an ARP entry in the router with the MAC of the mail server. At this time, the ARP table will have the shared IP, but only the MAC of the mail server, which will then break any traffic that needs to go to the PIX. What am I missing here? A small drawing would help, including routers/firewalls/subnets and the pertinent servers.

Reply to
Trendkill

This is kinda hard to understand without the actual details of what's what. So you have a Pix with an external IP address, and you have a mail server that resolves to the same IP address, and an anti-spam box that is also NATed to the same IP address (so that forward and reverse DNS match).

There's no reason that the rDNS for your outgoing mail has to resolve to the same IP address that your MX record does (if the outbound server isn't the same as the inbound). As long as it has a valid A record, it will be fine.

You can run any number of servers behind that Pix and have them all resolve to the same IP address if you are port forwarding. This isn't an issue.

Chris.

Reply to
chris

Hello, here is what we have (note: the IPs are NOT our real IPs).

PIX 515e (two of them for fail-over). PIX external IP is 216.95.95.66.

Real mail server is ExchangeMailServer.Mycompany.com, 216.95.95.70. Note: ExchangeMailServer.Mycompany.com 216.95.95.70 is NATed and has rules on the PIX for mail.

AntiSpam-GFI-Server.Mycompany.com has NO external IP address and NO rules in the PIX for any ports; however, it reports the PIX IP address as its IP in the mail header, as 216.95.95.66. Our IT guy created an MX record for the server AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66. Our IT guy created an rDNS PTR record for the server AntiSpam-GFI-Server.Mycompany.com at 216.95.95.66.

I need to know if this will cause problems and why, so I can insist on the rule in the PIX (I know we need the rules, I just can't make them understand why).

Thanks for helping, Terry

Reply to
theitman

So you are saying that your anti-spam server has no inbound rules set for it; then what good is the anti-spam product? Email should come in to the GFI server before it reaches the Exchange mail server, and your MX records do not show that this is what is happening. So in essence your anti-spam device is doing nothing for you at this point. If this is what is intended, then I cannot see any problem with your current setup.

Reply to
Smokey

I agree with Smokey on this one. Your inbound mail is delivered to saamail.armlink.com, which I presume is your Exchange server (NATed on the Pix to 216.95.169.70), and you are not filtering? However, if I connect to that host I get:

220 SPAMFILTER.armlink.com Microsoft ESMTP MAIL Service

So now I'm more confused.

Anyway, your primary MX is working fine. If your outbound mail server is spamfilter.armlink.com and this is just PATed to the external address of the Pix, this is fine for outbound, as long as you have rDNS, which you seem to have:

66.169.95.216.in-addr.arpa. 1H IN PTR spamfilter.armlink.com

So, I don't see that you have any issues here. Your mail comes into 216.95.169.70, which is configured as a static on the Pix with the appropriate ACL, and your outbound mail server is just PATed out to the firewall's external address of 216.95.169.69.

What was the question again?

Chris.

Reply to
chris
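The two points the replies keep returning to (that an MX host is only reachable if the firewall actually forwards tcp/25 for the IP it resolves to, and that outbound mail only needs the PIX's external address to have a PTR record that resolves back to the same IP) can be checked offline against a model of the DNS zone and the NAT rules. This is an added example, not code from the thread; the names, addresses and rules in it are constructed (RFC 5737 documentation ranges), not the poster's real ones.

```python
import ipaddress

# Constructed DNS tables and PIX-style forwards; names and addresses are made up
# and stand in for the thread's layout: an inbound Exchange host with its own
# static NAT, and a spam filter that is only PATed out to the firewall address.
A_RECORDS = {
    "mail.example.test":   "198.51.100.70",   # inbound Exchange, static NAT on the PIX
    "filter.example.test": "198.51.100.66",   # spam filter, PATed to the PIX outside address
    "fw.example.test":     "198.51.100.66",   # the PIX itself
}
MX_RECORDS = [(10, "mail.example.test"), (20, "filter.example.test")]
PTR_RECORDS = {
    "70.100.51.198.in-addr.arpa": "mail.example.test",
    "66.100.51.198.in-addr.arpa": "filter.example.test",
}
# (external_ip, proto, port) -> internal host the firewall forwards to.
# There is deliberately no tcp/25 forward on the PIX address itself.
NAT_FORWARDS = {("198.51.100.70", "tcp", 25): "10.0.0.5"}


def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address, e.g. 66.100.51.198.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns(ip, a=A_RECORDS, ptr=PTR_RECORDS):
    """Forward-confirmed rDNS: return the PTR name for ip only if that name's A record
    points back to ip (what a receiving MTA checks on outbound mail); otherwise None."""
    name = ptr.get(ptr_name(ip))
    if name is None or a.get(name) != ip:
        return None
    return name


def audit_mx(mx=MX_RECORDS, a=A_RECORDS, forwards=NAT_FORWARDS):
    """For each MX host (lowest preference first) report its IP and whether tcp/25 to
    that IP is forwarded by any rule; an MX with no forward can never receive mail."""
    report = []
    for pref, host in sorted(mx):
        ip = a.get(host)
        deliverable = ip is not None and (ip, "tcp", 25) in forwards
        report.append({"pref": pref, "host": host, "ip": ip, "deliverable": deliverable})
    return report


if __name__ == "__main__":
    for row in audit_mx():
        print(row)
    print("outbound PTR for PIX address:", fcrdns("198.51.100.66"))
```

In the constructed zone the preference-20 MX resolves to the firewall address, which has no tcp/25 forward, so the audit flags it as undeliverable while the PTR check for that same address still passes.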
