ISA as a gateway behind a gateway? (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure





Chadwick24 -> ISA as a gateway behind a gateway? (27.Jun.2008 4:44:19 PM)

Hi,

I am having trouble implementing ISA as a backend firewall. I have a Cisco PIX that uses NAT to translate our external IPs to the internal DMZ between the ISA external interface and the PIX internal interface. However, until the web server is rebuilt, all websites are on a server behind the ISA. They are not working well. We have 3 external IPs that need to translate or map to the websites behind the ISA, each with its own internal IP address. The problem is that the PIX is routing from external to three addresses in the DMZ between the PIX and ISA. Now, how would I reroute them from the ISA's external interface to its internal interface?

The idea is this. External IPs => PIX => translated to 192.168.3.178, 192.168.3.174, 192.168.3.172 => ISA => translated to 192.168.1.178 etc. I have it working... somewhat. I can send and receive e-mail, but all the sent email is leaving the PIX as the wrong IP. It is leaving as the website's IP. In fact, everything leaves as the website's IP.

I set up published servers on ISA and gave the proper IP addresses. I think the problem is that when things are leaving they are not translating back to their proper 192.168.3.0 address. They must all be going back to the same IP in the DMZ and then out to the same external IP on the PIX.

I'm at a loss with how to configure the ISA as a gateway. What do I set in Routing and Remote Access?

Thanks




pwindell -> RE: ISA as a gateway behind a gateway? (30.Jun.2008 9:50:02 AM)

Publishing is for inbound traffic.
Publishing has no effect on outbound traffic.

Outbound Mail Traffic will always come from the Primary IP# of the ISA if it is using the ISA to get to the Internet. This probably happens a second time when it leaves the PIX,...it is not "wrong",...it is the way it works.

Outbound mail does not have to match the IP resolved from the MX Record. MX Records are for incoming mail, not outgoing. DNS SPF Records are for the IP#s used for outbound Mail.




Chadwick24 -> RE: ISA as a gateway behind a gateway? (30.Jun.2008 11:09:06 AM)

If that's the case then I will have to change our DNS settings with the ISP for the websites and email servers from the 5 we have to just one. The fact that our email's domain address and the websites' addresses are different is causing failed delivery of email. AOL and other providers are blacklisting our email and bouncing it back as spam due to the sending IP not matching the external DNS IP of the mail server. Their spam servers think our email is being spoofed. This used to work fine with just the PIX, as we could create an almost endless amount of NATs between the many external IPs the company uses and all the internal IPs for the 5 separate websites and email servers.




pwindell -> RE: ISA as a gateway behind a gateway? (30.Jun.2008 11:49:34 AM)

1. It is a dumb way to "test" for SPAM on the part of the people who are blocking your mail because of this. It does no more to prove that the messages are SPAM than it proves I am from the planet Mars. But I realize that doesn't stop them from doing it anyway.

2. The right way to fix this is to have your ISP configure your SPF record.  This should contain all possible IP#s from you that could become involved.  An SPF record is basically a "list" of approved IP#s that are allowed to send mail for your mail domain.

However, it is still best practice to make sure your Mail is published from the Primary IP# of the Device that Publishes it (no matter if ISA or something else).
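As an added illustration of point 2 above (this is not code from the thread or from either poster), the following Python evaluates a v=spf1 record the way a receiving mail server would, for the simple case of static ip4/ip6 mechanisms. The IP addresses and records are constructed for the example (RFC 5737/3849 documentation ranges): a record that lists only the MX host's address produces "fail" when mail actually leaves from the firewall's primary address, while a record that lists every possible egress address produces "pass". Mechanisms that need DNS lookups (include:, a, mx) are deliberately not implemented.

```python
import ipaddress

# Constructed example addresses (not from the original thread).
MAIL_IP = "198.51.100.10"      # the address the MX record points at
WEB_IP = "198.51.100.20"       # a website's address
EGRESS_IP = "198.51.100.30"    # primary IP the ISA/PIX actually sends from

# Policy that lists only the MX host: outbound mail leaving from any other
# address of the company gets a hard fail at receivers that enforce SPF.
SPF_MX_ONLY = "v=spf1 ip4:198.51.100.10 -all"

# Policy the post recommends: every IP that could carry the company's mail.
SPF_ALL_EGRESS = ("v=spf1 ip4:198.51.100.10 ip4:198.51.100.20 "
                  "ip4:198.51.100.30 -all")

# Qualifier prefixes defined by RFC 7208; a bare mechanism means "+".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) tuples.

    Only ip4, ip6 and all are supported; those are all a static-address
    deployment like the one in the thread needs.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise ValueError("unsupported mechanism: %s" % name)
        parsed.append((qualifier, name, arg))
    return parsed


def check_host(record, sender_ip):
    """Return pass/fail/softfail/neutral for the connecting IP.

    The first matching mechanism decides; if nothing matches (no trailing
    'all'), the result is neutral, as RFC 7208 specifies.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # Skip ip4 terms for IPv6 senders and vice versa.
        if (mech == "ip4") != (ip.version == 4):
            continue
        # A bare address is a /32 (or /128); strict=False tolerates host bits.
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    for label, record in (("MX-only", SPF_MX_ONLY), ("all egress", SPF_ALL_EGRESS)):
        for sender in (MAIL_IP, WEB_IP, EGRESS_IP):
            print("%-10s sender %-15s -> %s" % (label, sender, check_host(record, sender)))
```

Running it shows the asymmetry the thread is about: under the MX-only record the mail that really leaves from EGRESS_IP or WEB_IP fails, whereas the broader record passes all three while still hard-failing any address outside the list.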




Chadwick24 -> RE: ISA as a gateway behind a gateway? (1.Jul.2008 9:32:06 AM)

Well, you were absolutely right. Not that I doubted you. But for anyone else who stumbles upon this post, I have this article that gives a little more detail.

http://blogs.isaserver.org/shinder/2006/09/05/a-solution-to-the-static-nat-and-the-smtp-reverse-lookup-problem/

Thanks again Phillip.





pwindell -> RE: ISA as a gateway behind a gateway? (1.Jul.2008 9:40:36 AM)

No problem.
Good luck with it.

Personally, I would go with the SPF method. That is going to be the way of the future. With today's complex networks it is not always going to be possible to publish the mail servers in a way that always shows the correct IP# to keep SPAM Filters happy.

This is a very common issue that is asked about. It should be in an FAQ if it isn't already.



