SMTP Port Forwarding

Experts (thank you in advance),

Our company recently purchased a new stand-alone spam filter. This device sits on the network, like any other system or server, receives incoming smtp traffic, filters the messages, and forwards any legitimate e-mails to the mail server for processing to the clients.

There are two ways to set this feature up. The first is MX Records (which we really don't want to do). The second, and preferred method is via Port Forwarding.

My question:

The external IP address for our mail server is NAT translated to our internal server (which happens to also be our web server). Therefore, we need to set it up so when an e-mail comes into this external IP address, it is NAT translated to the new spam filter's IP address, but all other traffic coming in (FTP, HTTP, etc.) needs to continue to be NAT translated to the web/e-mail server directly, without being forwarded through the spam filter. How can I set this up?

Any help is greatly appreciated. I have included the part of my router config that I THINK I need to be looking at, please let me know if you need anything I'm not thinking of, or if I'm just completely off base with what I'm attempting to do. Thank you so much!

ip nat inside source route-map SDM_RMAP_1 pool NAT_Pool overload
ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1

(I don't wish to enter my actual external IP)

route-map rmap_1 permit 1
 match ip address NAT_ACL_1

ip access-list extended NAT_ACL_1
 permit ip host 10.10.10.100 any

Reply to
Robert Jacobs

You have to do Port translation instead of address translation. This mean you have to specify every single port you need to be accessed from the Internet. Something like

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z 80 216.x.x.x 80
ip nat inside source static tcp 10.10.10.z 443 216.x.x.x 443

Reply to
Chino

Oh, OK. That sounds good. Question, though. If I want to only transfer port 25 to 10.10.10.y, and all others to 10.10.10.z, can I not do this?:

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z 216.x.x.x

Or would I have to specify every single port going to 10.10.10.z? I ask, because I'm not 100 percent sure if I know every port used to communicate with 10.10.10.z. Or would this be better?

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static tcp 10.10.10.z range 1 24 216.x.x.x range 1 24
ip nat inside source static tcp 10.10.10.z range 26 10000 216.x.x.x range 26 10000

I'm not even sure that is the right syntax... I'm hoping my first example would suffice. Thanks again!

Reply to
Robert Jacobs

The best, easiest, and standard way to do this is using MX records. The easiest way to do this without any downtime is to create another MX record that points to the new address of the SPAM filter with a lower priority than the existing server. The existing server will be used because it has a higher priority. After waiting the TTL time of the original MX record (so that the DNS record is expired by any DNS server that may be caching it), swap the priorities of the two MX records. Traffic will now go into the SPAM filter. After waiting another TTL interval, remove the original MX record. Very easy and simple.

Reply to
Thrill5

That does make sense, however, this existing server will still need to be the primary server for all http, ftp, and all other traffic, aside from SMTP. It is an enterprise iSeries server, and it is the main server for our company website, our ordering system, our mail server, and many other services.

If I'm understanding it correctly, the only way the MX record would help, would be if we had another external IP address to forward only SMTP traffic coming to our domain name, but I'm not even sure that is a possibility. For these reasons, I think the port translations within NAT are really the best/only way to really accomplish what I'm looking to accomplish.

Thank you very much for your insight, though, it is greatly appreciated. Do you by chance know whether the NAT entry I put above would work?

ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25
ip nat inside source static 10.10.10.z 216.x.x.x

If I am understanding this correctly, it will take the first entry first, so if any SMTP traffic is coming to this IP address, translate it to the SPAM filter, else (if anything else), send it to our enterprise server.

Thanks again everybody for your speedy response. This is, hopefully, the last answer I will need to complete this project!

Reply to
Robert Jacobs

For sure you can accomplish what you want. No problem at all.

My guess is that your syntax will work however the best thing to do is to try it out.

If you don't have a lab then you can test with dynamips

telnet ....... 25
telnet ....... other-ports

sh ip nat tr

Not everyone makes these exact changes every day and I for one forget precise details quite quickly:(

Reply to
bod43

I just don't know, never tried it out. If you're going to do some test, please let us know the results.

Reply to
Chino

I don't have the equipment to do any tests, and I don't know what dynamips is (and I wouldn't know how to re-create my scenario even if I did). We are planning on doing this change tomorrow night (4/30/09 - EOM), and I will make sure to come out here and let you know what happens. Thanks again for your help, and if anybody sees this post before then, who knows for sure that my syntax will or will not work, please let me know. Thank you.

Reply to
Robert Jacobs

I replied to this earlier, but it didn't show up. I don't have the equipment or lines to test this with, and I don't know what dynamips is (and wouldn't know how to recreate my exact scenario, even if I did). I plan on making this change tomorrow night (04/30/09 - EOM), and I will make sure to re-post with my conclusion.

Also, if anybody does happen to come across the correct syntax before then, please let me know. And, just to verify, in my original post, I wrote that my config looked like this:

ip nat inside source static 10.10.10.100 216.x.x.x route-map rmap_1

But all posts afterwards have left out the 'route-map rmap_1'. Is it still okay to include that at the end of the nat translation when specifying the port to translate as well? I'm assuming so, but you know what they say about people that assume.

Thanks again, you guys have been awesome.

Reply to
Robert Jacobs

Alright everybody, I was able to get this working. Here's what I had to do:

  1. I had to remove ip nat inside/outside on the interfaces, then clear the ip nat translations:

     interface Ethernet0
      no ip nat inside
      exit
     interface Ethernet1
      no ip nat outside
      exit
     do clear ip nat translation forced

  2. I removed my NAT_ACL_1 and route-map rmap_1 just as a precaution (I didn't know if I needed to, so I did it to be safe).

  3. Add the ip nat inside source entries - to specify the port, I had to put 'tcp' before the ip address, but I didn't want it when specifying everything other than smtp traffic:

     ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25 route-map rmap_1
     ip nat inside source static 10.10.10.z 216.x.x.x route-map rmap_1

  4. Re-added the NAT_ACL_1 and route-map rmap_1.

  5. Re-apply ip nat inside and ip nat outside to the respective interfaces.

Done :) Thanks again for your help everybody.

Reply to
Robert Jacobs
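The working configuration above has one security consequence worth spelling out: the address-level static entry for 10.10.10.z makes every TCP and UDP port of the iSeries reachable from the Internet through 216.x.x.x, not just the services that were meant to be public. The following is an added example (editor's illustration, not a config posted in this thread) that puts the thread's final NAT pair together with an inbound access list on the outside interface and the show commands suggested earlier for verification. It assumes Ethernet0 is the inside and Ethernet1 the outside interface as in the last post, that 10.10.10.z is the host the original NAT_ACL_1 called 10.10.10.100, and that the publicly needed services are SMTP, HTTP, HTTPS and FTP control; the access-list names, the port list and the comments are assumptions for illustration.

```cisco
! Added example, not from the thread. Final NAT pair from the last post:
! the port-level static for TCP/25 is more specific than the address-level
! static for the same public address, so SMTP reaches the spam filter
! (10.10.10.y) and every other port reaches the iSeries (10.10.10.z).
ip nat inside source static tcp 10.10.10.y 25 216.x.x.x 25 route-map rmap_1
ip nat inside source static 10.10.10.z 216.x.x.x route-map rmap_1
!
route-map rmap_1 permit 1
 match ip address NAT_ACL_1
!
! The thread's ACL names 10.10.10.100; this example assumes that is 10.10.10.z.
ip access-list extended NAT_ACL_1
 permit ip host 10.10.10.z any
!
! Inbound filter on the outside interface (assumed name OUTSIDE_IN).
! Inbound ACLs are evaluated before outside-to-inside NAT, so they match
! the public address 216.x.x.x, not the inside addresses.
! The address-level static alone would expose every port of 10.10.10.z;
! this list restricts exposure to the assumed public services.
ip access-list extended OUTSIDE_IN
 permit tcp any host 216.x.x.x eq 25
 permit tcp any host 216.x.x.x eq 80
 permit tcp any host 216.x.x.x eq 443
 permit tcp any host 216.x.x.x eq 21
 ! Return traffic for sessions opened from the inside through the overload
 ! pool. TCP only; UDP replies (DNS, NTP) for the pool addresses would need
 ! their own entries or a stateful inspection feature, which is outside
 ! what this thread shows.
 permit tcp any any established
 deny   ip any any log
!
interface Ethernet0
 ip nat inside
!
interface Ethernet1
 ip nat outside
 ip access-group OUTSIDE_IN in
!
! Verification after connecting to port 25 and to a web port from outside:
!   show ip nat translations    - expect tcp 216.x.x.x:25 mapped to 10.10.10.y:25
!                                 and the other ports mapped to 10.10.10.z
!   show ip nat statistics      - hit counts on the two static entries
!   show access-lists OUTSIDE_IN - hit counts on the permit lines and on
!                                 the logging deny for everything else
```

Two cautions when adapting this: adding or removing `ip nat inside`/`ip nat outside` on the interfaces and running `clear ip nat translation forced`, as the last post did, drops every active translation, so do it in a maintenance window; and the `deny ip any any log` line will generate a log message for every blocked packet, which is useful while validating the change but should be rate-limited or reviewed before being left on a busy Internet-facing interface.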

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.