
Juniper Firewall & NAT issue

Locust76 Registered User regular
edited May 2011 in Help / Advice Forum
Hello Juniper/fellow Network nerds,

I manage a Juniper firewall for a customer of ours. Their network is pretty big and they have many servers in their DMZ that are associated with Virtual IPs. For example, two VIPs have ports that are forwarded to their mail server, web server, VPN server, etc... Their public IP range is made up entirely of VIPs (save for the Firewall's external interface)

The problem is this: Along with the firewall, we also manage their domain. That means, we have a DNS entry for their two mail servers as mail.company.com and the firewall is fw-company.isp.com. The problem is that their mailservers register themselves with other mail servers with mail.company.com, but the traffic is actually being NATted through the firewall's gateway IP. So, when they connect with another mail server and say "hey, I'm mail.company.com, let's talk," the other mail server says "no, you're fw-company.isp.com, fuck you *click*"

I found out that Dynamic IP is where it's at, but I can't assign a DIP that's already a VIP, and I can't very well unassign the two VIPs because they manage a butt-ton of other services to other servers.

TL;DR: Is there any way I can make it seem as though a server's traffic from behind a NATting firewall is being NATted through a Virtual IP instead of the static IP assigned to the firewall's untrust egress interface?

Locust76 on

Posts

  • Sheep Registered User regular
    edited May 2011
    Dunno how it is with Juniper, but chances are the problem you're having is during the handshake: your mail server is identifying itself as mail.company.com, but other mail servers are doing NS lookups on the NAT'd IP and seeing that it's actually an IP associated with the firewall. There should be some settings in DNS that will help resolve that IP address with your mail server.

    Sheep on
  • NeitherHereNorThere Registered User regular
    edited May 2011
    The best practice with mail servers is to have their DNS reverse zone PTR record tied to the domain's A record. It is probably the reason some mail servers are rejecting you.

    The server resolves mail.company.com to NAT'd IP (let's say 1.2.3.4), but when it resolves the PTR of your NAT'd IP (1.2.3.4) they get somename.company.com. It doesn't match.

    Now, I don't know Juniper specifically, but if you have multiple public IP addresses it shouldn't be a problem, granted you have DNS authority over the reverse zone. Assign a specific public IP address to the mail server to be used for NAT'ing. Then simply add or correct the PTR record to the reverse zone (3.2.1.in-addr.arpa if using Bind) of that IP.

    If you only have 1 public IP, there isn't much you can do about it honestly. You can still change the PTR record of that single public IP address, but then it is global and maybe not desirable for the company.

    NeitherHereNorThere on
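The forward/reverse mismatch described in the answer above can be checked offline before touching the firewall. The following Python is an added example, not code from the thread or from Juniper; the hostnames and the 1.2.3.x addresses are the constructed sample values from the discussion, and the FORWARD/REVERSE tables stand in for real DNS lookups so the check runs without network access. It performs the forward-confirmed reverse DNS (FCrDNS) test a receiving mail server does, showing the "before" case (mail NATted through the firewall's egress address, whose PTR is fw-company.isp.com) beside the "after" case (a dedicated public address with a corrected PTR), and it prints the BIND-style PTR record that would fix the reverse zone.

```python
import ipaddress

# Constructed sample zone data (illustration only, not real records).
# Forward lookups: hostname -> A records.
FORWARD = {
    "mail.company.com": ["1.2.3.4"],    # "before": mail leaves via the firewall's IP
    "fw-company.isp.com": ["1.2.3.4"],  # the firewall's untrust egress address
    "mail2.company.com": ["1.2.3.5"],   # "after": dedicated NAT address for mail
}
# Reverse lookups: in-addr.arpa owner name -> published PTR target.
REVERSE = {
    "4.3.2.1.in-addr.arpa": "fw-company.isp.com",  # PTR belongs to the firewall
    "5.3.2.1.in-addr.arpa": "mail2.company.com",   # PTR corrected for the mail IP
}


def ptr_name(ip):
    """Return the in-addr.arpa owner name for an IPv4 address (octets reversed)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def check_fcrdns(helo_name, source_ip, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS check, as a receiving MTA would perform it.

    Returns a dict describing what the remote side sees: the PTR for the
    connecting IP, whether it matches the HELO name, whether that PTR name
    resolves back to the connecting IP, and whether the HELO name itself
    resolves to the connecting IP.
    """
    ptr = reverse.get(ptr_name(source_ip))
    return {
        "ptr": ptr,
        "ptr_matches_helo": ptr is not None and ptr.lower() == helo_name.lower(),
        "ptr_round_trips": ptr is not None and source_ip in forward.get(ptr, []),
        "helo_resolves_to_ip": source_ip in forward.get(helo_name, []),
    }


def verdict(result):
    """Reduce a check_fcrdns() result to 'ok' or a short reason for rejection."""
    if result["ptr"] is None:
        return "reject: no PTR record for the connecting IP"
    if not result["ptr_round_trips"]:
        return "reject: PTR name does not resolve back to the connecting IP"
    if not result["ptr_matches_helo"]:
        return "reject: PTR name (%s) differs from HELO name" % result["ptr"]
    return "ok"


def bind_ptr_record(ip, hostname):
    """Return (zone, record) for the PTR that makes `ip` reverse to `hostname`.

    The zone is the /24 reverse zone (e.g. 3.2.1.in-addr.arpa) and the record
    is written relative to that zone, BIND style.
    """
    octets = str(ipaddress.ip_address(ip)).split(".")
    zone = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    record = "%s\tIN\tPTR\t%s." % (octets[3], hostname)
    return zone, record


if __name__ == "__main__":
    # Before: mail.company.com connects from the firewall's egress IP.
    before = check_fcrdns("mail.company.com", "1.2.3.4")
    print("before:", verdict(before))
    # After: mail2.company.com connects from its own public IP with a fixed PTR.
    after = check_fcrdns("mail2.company.com", "1.2.3.5")
    print("after: ", verdict(after))
    zone, rec = bind_ptr_record("1.2.3.5", "mail2.company.com")
    print("PTR to publish in zone %s:\n%s" % (zone, rec))
```

The "before" case passes the round-trip test (the PTR fw-company.isp.com does resolve to 1.2.3.4), so a strict FCrDNS check alone would not reject it; what fails is the HELO/PTR name comparison, which is exactly the mismatch the thread describes. Fixing it means a source NAT address dedicated to the mail server plus a PTR in the reverse zone that points at the name the server announces.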