Need some DNS help

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
We have an IP block of x.x.x.0 - x.x.x.15

PIX is set up with the x.x.x.14 address. Mail server set up as x.x.x.8 address. We have OWA, and the line in the PIX that allows this is

access-list acl_out permit tcp any host x.x.x.8 eq https

This also allows for our PocketPC phones to connect to Exchange ActiveSync.

The globals are set up as
global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14

We get errors when sending emails to servers that do not allow emails to be sent without a reverse DNS entry. When I look up the mail server, I get:

Answer:
x.x.x.8 PTR record: mail.company.com.

However, in the SMTP logs of people we can't send to we see this:

3264 00:03:33.748 Got: <EHLO mail.company.com>
3264 00:03:33.779 Event - No PTR record for <x.x.x.14>, rejecting
3264 00:03:33.779 message <554 No SMTP service here>

Now, my question is, do I need to fix something in our router, PIX, or ISP DNS server?
 

tweekah

Senior member
Oct 23, 1999
990
0
76
I ran an nslookup and your PTR record is fine. However there is no reverse DNS on your x.x.x.14.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
That's the problem. For some reason the reverse lookup for our mail server is showing as x.x.x.14 in other companies' SMTP logs instead of x.x.x.8
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The PIX is natting everything to .14.

If you don't want .8 to be natted then you need to tell the pix not to nat it with nat (0)
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: spidey07
The PIX is natting everything to .14.

If you don't want .8 to be natted then you need to tell the pix not to nat it with nat (0)

Sounds good, could you run me through the commands, or tell me some existing settings I would need to cut and paste? I know very little about how to configure the PIX, but here is what I get with "show nat"

nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

And I also don't get why when I go to ipchicken.com my IP is x.x.x.12 when I don't see any setting for that in the PIX either
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I'd need a full diagram to do any config.

Here's some good info.

Without knowing the config of the PIX I can't say why your IP is .12.

You could post the nat and global and static statements.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Nat:

nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Global:

global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14


Static:

static (inside,outside) x.x.x.5 192.168.1.237 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.6 192.168.1.127 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.7 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.4 192.168.1.21 netmask 255.255.255.255 0 0


Also, dunno if this matters, but:

ip address outside x.x.x.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
 

bgroff

Member
Jun 18, 2003
198
0
0
Okay party people.

I'm making some assumptions here since you didn't post your access-groups for the outside interface. But...

You need to use a STATIC for the mail server. You tie the .8 address to the inside IP. You do still want it natted, otherwise the pix will just pass the private address out to the internet.

The reason you are showing your IP as .12 is because of this:
global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14

The first 5 people to connect out to the internet are getting 1 to 1 NAT. You happened to be one of them. After those 5 connections are done, everything else is PAT translated. There's no real reason to configure a pix like that. You can safely remove the "global (outside) 1 x.x.x.9-x.x.x.13" and let everything get PATted when browsing/whatever. Then define statics for inside servers (unless <shudder> you still have conduits, in which case you have to jack with conduits...)

 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: bgroff
Okay party people.

I'm making some assumptions here since you didn't post your access-groups for the outside interface. But...

You need to use a STATIC for the mail server. You tie the .8 address to the inside IP. You do still want it natted, otherwise the pix will just pass the private address out to the internet.

The reason you are showing your IP as .12 is because of this:
global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14

The first 5 people to connect out to the internet are getting 1 to 1 NAT. You happened to be one of them. After those 5 connections are done, everything else is PAT translated. There's no real reason to configure a pix like that. You can safely remove the "global (outside) 1 x.x.x.9-x.x.x.13" and let everything get PATted when browsing/whatever. Then define statics for inside servers (unless <shudder> you still have conduits, in which case you have to jack with conduits...)

I did not set up this PIX, and I'm sure there is some cleanup that needs to be done.

However, in my previous post, I posted the static and the mail server is in there:

static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0

The show access-list is freaking huge, but I'll post it up if it will help
 

bgroff

Member
Jun 18, 2003
198
0
0
Originally posted by: Joemonkey

I did not set up this PIX, and I'm sure there is some cleanup that needs to be done.

However, in my previous post, I posted the static and the mail server is in there:

static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0

The show access-list is freaking huge, but I'll post it up if it will help

Not the access-list, the access-group. But you're obviously getting mail in... Does your mailserver have more than 1 IP on it? The reason you're getting the error "No PTR record for <x.x.x.14>, rejecting" is because the pix isn't catching the internal mailserver IP and tying it to .8 outbound. Instead it's getting PATted on .14. Something has to be causing that... If you have more than 1 IP on your mailserver, that could be it. Maybe you have something that is overlapping with the statics. Your nat 0 can't be doing it, because then there would never be mail delivered...
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
No, the mail server has 1 IP only

and the "something has to be causing that" is what I'm having trouble figuring out

show access-group gets me this, which doesn't seem to mean much

access-group acl_out in interface outside
access-group acl_in in interface inside
 

bgroff

Member
Jun 18, 2003
198
0
0
The access group is what applies the access list to an interface. Do you see the word "conduit" in your config anywhere, and are you running a recent version of pix code? I'm assuming this is a two interface pix...
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
There is no conduit anything anywhere in my config.

PIX is a 506, software is 6.3... screw it here is the entire config!

PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 10baset
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxx encrypted
passwd xxxxx encrypted
hostname xxx-pix
domain-name company.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out deny ip 0.0.0.0 255.0.0.0 any
access-list acl_out deny ip 10.0.0.0 255.0.0.0 any
access-list acl_out deny ip 127.0.0.0 255.0.0.0 any
access-list acl_out deny ip 169.254.0.0 255.255.0.0 any
access-list acl_out deny ip 172.16.0.0 255.240.0.0 any
access-list acl_out deny ip 192.0.2.0 255.255.255.0 any
access-list acl_out deny ip 224.0.0.0 240.0.0.0 any
access-list acl_out deny ip 240.0.0.0 248.0.0.0 any
access-list acl_out deny ip 248.0.0.0 248.0.0.0 any
access-list acl_out deny ip host 255.255.255.255 any
access-list acl_out permit tcp any host x.x.x.5 eq www
access-list acl_out permit tcp any host x.x.x.5 eq citrix-ica
access-list acl_out deny ip host 207.218.200.172 any
access-list acl_out deny ip host 64.83.112.3 any
access-list acl_out permit tcp host 213.35.101.4 any range ftp-data ftp
access-list acl_out deny udp any any eq netbios-ns
access-list acl_out deny tcp any any eq 137
access-list acl_out deny udp any any eq netbios-dgm
access-list acl_out deny tcp any any eq 138
access-list acl_out deny udp any any eq 139
access-list acl_out deny tcp any any eq netbios-ssn
access-list acl_out permit tcp any host x.x.x.5 eq https
access-list acl_out permit tcp any host x.x.x.7 eq smtp
access-list acl_out permit tcp any host x.x.x.8 eq https
access-list acl_out permit tcp any host x.x.x.4 eq www
access-list acl_in deny tcp any any range 137 netbios-ssn
access-list acl_in deny udp any any range netbios-ns 139
access-list acl_in deny icmp any any
access-list acl_in permit ip any any
access-list acl_vpn-asi permit ip 192.168.1.128 255.255.255.128 192.168.11.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list acl_vpn-client permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list acl_in2 permit ip host 192.168.1.127 any
access-list acl_in2 deny tcp any any range 137 netbios-ssn
access-list acl_in2 deny udp any any range netbios-ns 139
access-list acl_in2 deny icmp any any
access-list acl_in2 permit ip any any
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.1.240
logging host inside 192.168.1.248
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclient 192.168.2.1-192.168.2.10
ip local pool fmbclient 192.168.200.1-192.168.200.10
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.9-x.x.x.13
global (outside) 1 x.x.x.14
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.5 192.168.1.237 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.6 192.168.1.127 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.7 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.4 192.168.1.21 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
rip inside passive version 1
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor websense host 192.168.1.22 timeout 5 protocol TCP version 1
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0
http server enable
snmp-server host outside 12.154.98.144 poll
snmp-server host inside 12.154.98.144
snmp-server location xxxxxxxx
no snmp-server contact
snmp-server community xxx-300
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNDialin address-pool xxxclient
vpngroup VPNDialin dns-server 192.168.1.20
vpngroup VPNDialin wins-server 192.168.1.20
vpngroup VPNDialin default-domain company.com
vpngroup VPNDialin split-tunnel acl_vpn-client
vpngroup VPNDialin idle-time 1800
vpngroup VPNDialin password ********
telnet 192.168.1.224 255.255.255.240 outside
telnet 10.1.120.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.224 255.255.255.240 inside
telnet timeout 5
ssh 12.30.175.0 255.255.255.0 outside
ssh timeout 60
console timeout 0
url-block url-mempool 1500
url-block url-size 4
terminal width 80
 

bgroff

Member
Jun 18, 2003
198
0
0
What's interesting is that mail can't be delivered from the internet to .8... It's not allowed. It has to be delivered to .7. The access list says so. The way it works is that the access group ties an access list to an interface and filters traffic from an inbound perspective. The statics point the public IP to an internal IP.

access-group acl_out in interface outside

access-list acl_out permit tcp any host x.x.x.7 eq smtp
access-list acl_out permit tcp any host x.x.x.8 eq https

static (inside,outside) x.x.x.7 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0

At this point you should dig in with "show xlate" and "clear xlate" commands. They show you how the pix perceives NAT translations. Also, play with your external IP checker to see what IP is getting used by those boxes. If windows is configured with more than 1 IP, sometimes it chooses the wrong one... Which will screw up the statics on the NAT, since it matches by internal source address.
 
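A small model of the PIX 6.3 translation order that spidey07 and bgroff describe above (nat 0 exemption first, then static, then the global pool one-to-one until its five addresses are used, then PAT on .14). This is an added example, not code from the thread or from Cisco; it replays the posted nat/global/static statements with 203.0.113.0/28 as a constructed stand-in for the redacted x.x.x.0/28 block.

```python
import ipaddress

# Constructed stand-in for the thread's x.x.x.0/28 block (documentation range, not a real one).
PUB = "203.0.113."

# nat (inside) 0 access-list 100: traffic to 192.168.200.0/24 (the VPN pool) is exempt from NAT
NAT0_EXEMPT_DST = [ipaddress.ip_network("192.168.200.0/24")]

# static (inside,outside) statements from the posted config (inside -> outside)
STATICS = {
    "192.168.1.237": PUB + "5",
    "192.168.1.127": PUB + "6",
    "192.168.1.20": PUB + "7",
    "192.168.1.35": PUB + "8",   # the mail server
    "192.168.1.21": PUB + "4",
}
# global (outside) 1 x.x.x.9-x.x.x.13 is a 1:1 pool; global (outside) 1 x.x.x.14 is the PAT address
POOL = [PUB + str(i) for i in range(9, 14)]
PAT_ADDR = PUB + "14"


class PixNat:
    """Outbound address selection in the order the thread describes: nat 0 -> static -> pool -> PAT."""

    def __init__(self):
        self.pool_free = list(POOL)
        self.xlate = {}   # inside host -> outside address, roughly what "show xlate" lists

    def translate(self, src: str, dst: str) -> str:
        """Return the source address the outside world sees for a flow src -> dst."""
        if any(ipaddress.ip_address(dst) in n for n in NAT0_EXEMPT_DST):
            return src                  # nat 0: no translation, private address goes out as-is
        if src in STATICS:
            return STATICS[src]         # a static always wins over dynamic nat/global
        if src not in self.xlate:
            # nat (inside) 1 0.0.0.0 0.0.0.0 matches every other host: pool first, PAT when empty
            self.xlate[src] = self.pool_free.pop(0) if self.pool_free else PAT_ADDR
        return self.xlate[src]

    def clear_xlate(self):
        """Equivalent of "clear xlate": drop all dynamic translations and refill the pool."""
        self.pool_free = list(POOL)
        self.xlate.clear()


def demo():
    """Six workstations browse out, then the mail server relays to an internet MX."""
    pix = PixNat()
    seen = {}
    for i in range(100, 106):
        seen[f"192.168.1.{i}"] = pix.translate(f"192.168.1.{i}", "198.51.100.25")
    seen["192.168.1.35"] = pix.translate("192.168.1.35", "198.51.100.25")
    return seen
```

In this model the first five workstations take .9 through .13, the sixth lands on the PAT address .14, and the mail server keeps .8 because its static is consulted before the pool; whatever produced the .14 in the thread's SMTP logs has to be something the posted statements do not show.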

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
Originally posted by: bgroff
What's interesting is that mail can't be delivered from the internet to .8... It's not allowed. It has to be delivered to .7. The access list says so. The way it works is that the access group ties an access list to an interface and filters traffic from an inbound perspective. The statics point the public IP to an internal IP.

access-group acl_out in interface outside

access-list acl_out permit tcp any host x.x.x.7 eq smtp
access-list acl_out permit tcp any host x.x.x.8 eq https

static (inside,outside) x.x.x.7 192.168.1.20 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.8 192.168.1.35 netmask 255.255.255.255 0 0

At this point you should dig in with "show xlate" and "clear xlate" commands. They show you how the pix perceives NAT translations. Also, play with your external IP checker to see what IP is getting used by those boxes. If windows is configured with more than 1 IP, sometimes it chooses the wrong one... Which will screw up the statics on the NAT, since it matches by internal source address.

I see I left out a very important part of the equation. We run Mailfrontier on the x.x.x.7 machine, which is a spam/fraud filtering software. Incoming mail goes to x.x.x.7 then to the mail server on x.x.x.8 after it has been filtered.
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Basically I helped him narrow it down to two issues:

1) The ISP has some configuration issues that are causing PTR errors

x.x.x.69 says that 14.x.x.x.in-addr.arpa. is a CNAME pointing to 14.0/28.x.x.x.in-addr.arpa.

No one seems to know why the CIDR notation is in there other than it might be defining his block of public IPs. Either way, AOL and others are checking x.x.x.14 PTR and getting an error.
I would assume (not sure if this is correct) that there would have to be a specific entry for 14.x.x.x.in-addr.arpa and not just a CNAME for the entire block of IPs.

2) There are indeed clearly stated static routes that should allow the .8 server to be visible, and do indeed make it visible to OWA. For some reason though when mail is sent from x.x.x.8 the recipients see x.x.x.14, as if the traffic is being natted. Since the PTR for x.x.x.14 is broken as per problem 1, it still fails.

I would think that although problem 2 is confusing, it might not have to be resolved immediately if the PTR records for x.x.x.14 can simply be fixed. Although, I would suggest the routing issue, or ACL issue if that is the case, be fixed.
 
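The "14.0/28" name Goosemaster found is the RFC 2317 classless reverse delegation pattern: the ISP's parent zone CNAMEs each address into a sub-zone for the /28, and the actual PTR has to exist under that sub-zone. The resolver below follows that chain and then applies the receiving MTA's check from the SMTP log in the first post; it is an added example with a constructed zone snapshot, not anything from the thread, and uses 203.0.113.0/28 as a placeholder for the redacted x.x.x.0/28.

```python
import ipaddress

# Constructed zone snapshot modelled on the thread: .8 has a PTR under the "0/28" label,
# .14 was delegated with a CNAME but never given a PTR, so its chain dead-ends.
ZONE = {
    "8.113.0.203.in-addr.arpa":       ("CNAME", "8.0/28.113.0.203.in-addr.arpa"),
    "8.0/28.113.0.203.in-addr.arpa":  ("PTR",   "mail.company.com"),
    "14.113.0.203.in-addr.arpa":      ("CNAME", "14.0/28.113.0.203.in-addr.arpa"),
    "mail.company.com":               ("A",     "203.0.113.8"),
}


def lookup(name, rtype, zone=ZONE, max_cname=8):
    """Resolve name for rtype, following CNAMEs like a recursive resolver.
    Returns (value_or_None, list_of_names_visited)."""
    chain = [name]
    for _ in range(max_cname):
        rec = zone.get(name)
        if rec is None:
            return None, chain          # NXDOMAIN somewhere along the chain
        kind, value = rec
        if kind == rtype:
            return value, chain
        if kind == "CNAME":
            name = value                # RFC 2317: hop into the classless sub-zone
            chain.append(name)
            continue
        return None, chain              # record exists but is the wrong type
    return None, chain                  # CNAME loop or chain too long


def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address, e.g. 203.0.113.14 -> 14.113.0.203.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def mta_verdict(client_ip, zone=ZONE):
    """Mimic the remote MTA from the thread's SMTP log: reject a connecting host with no PTR.
    When a PTR exists, also report whether it is forward-confirmed (PTR name's A == client IP)."""
    ptr, chain = lookup(reverse_name(client_ip), "PTR", zone)
    if ptr is None:
        return {"accept": False, "ptr": None, "chain": chain,
                "reason": f"No PTR record for <{client_ip}>, rejecting"}
    a, _ = lookup(ptr, "A", zone)
    return {"accept": True, "ptr": ptr, "chain": chain,
            "fcrdns": a == client_ip, "reason": "ok"}
```

Adding a PTR under the "14.0/28" label makes the rejection go away, but the forward lookup of mail.company.com still points at .8, so stricter receivers that insist on forward-confirmed reverse DNS would still complain until the NAT puts outbound mail on .8 as intended.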