I sure hope someone can help with this. The problem is that some mail servers see my firewall's IP address as the address of the incoming SMTP connection when my mail server tries to send mail to them.
My mail server is behind my firewall with an internal IP. The firewall (a Cisco 1841) is performing static NAT for the internal IP to a valid public IP.
Under what circumstances would the destination of my connection see my mail server's IP as the firewall's IP?
comp.dcom.sys.cisco would be a better place for Cisco-specific messages.
The destination would see the firewall's IP instead of the mail server's IP if the NAT (network address translation) for outgoing SMTP connections is not configured to use the mail server's IP.
For example, the Cisco PIX equivalent of this situation would be:
255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
In this configuration, the static translation between SERVERPUBLICIP and SERVERPRIVATEIP would only apply when a TCP packet arrived at the outside interface addressed to SERVERPUBLICIP tcp 25, or when a TCP packet arrives at the inside interface with its source address being SERVERPRIVATEIP and the source port tcp 25. Outgoing smtp requests, however, would have some random high-numbered port as the source port, and so would not match the static rule, and so would get translated under the nat/global rule that says to use the firewall's outside IP address ("interface") as the source IP address for the packet.
In the PIX example above, the PIX mechanism to indicate that all outgoing connections from SERVERPRIVATEIP should use SERVERPUBLICIP as the source, would be
notice the lack of port or protocol specification.
The Cisco 1841 has similar concepts, but with a noticeably different syntax. I can't quote the rule syntaxes at the moment for the way that IOS does it (which has varied). Look for "ip nat" statements that either name an access list or else have an access list in-line; you will likely find one that applies to incoming smtp connections but which does not apply to outgoing smtp connections.
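The check suggested in the reply above, as an added example that is not part of the original thread: a short Python script that reads `ip nat inside source static` lines in the IOS form and reports which source address a new outbound SMTP connection from the mail server would get. Both config fragments and all addresses are constructed, and the script assumes the dynamic overload rule covers the host without evaluating its access list.

```python
# Added example: audits IOS-style static NAT lines for the mismatch described above.
# Both config fragments and all addresses (RFC 1918 / RFC 5737) are constructed.
BROKEN = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.10 25 203.0.113.10 25
access-list 1 permit 192.168.1.0 0.0.0.255
"""
FIXED = """\
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.10 203.0.113.10
access-list 1 permit 192.168.1.0 0.0.0.255
"""
OVERLOAD = "interface address (overload)"  # label, not a real address


def parse_statics(config):
    """Return (proto, local_ip, local_port, global_ip); proto None means whole host."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"] or len(tok) < 7:
            continue
        rest = tok[5:]
        if rest[0] in ("tcp", "udp") and len(rest) >= 5:
            rules.append((rest[0], rest[1], int(rest[2]), rest[3]))
        elif rest[0] not in ("tcp", "udp"):
            rules.append((None, rest[0], None, rest[1]))
    return rules


def outbound_source(rules, host, src_port, proto="tcp"):
    """Source address the far end sees for a packet leaving `host`."""
    for r_proto, local, lport, glob in rules:
        if local != host:
            continue
        if r_proto is None or (r_proto == proto and lport == src_port):
            return glob
    return OVERLOAD  # assumption: the dynamic rule's access list covers the host


def audit(config, host, service_port=25, client_port=49152):
    """Compare replies from the service port with a new outbound connection."""
    rules = parse_statics(config)
    return {
        "reply_from_service": outbound_source(rules, host, service_port),
        "new_outbound": outbound_source(rules, host, client_port),
    }


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg, "192.168.1.10"))
```

When `new_outbound` differs from `reply_from_service`, remote mail servers see the router's interface address on connections the mail server initiates, which is the symptom described in the question.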