Hello Juniper/fellow Network nerds,
I manage a Juniper firewall for a customer of ours. Their network is pretty big and they have many servers in their DMZ that are associated with Virtual IPs. For example, two VIPs have ports that are forwarded to their mail server, web server, VPN server, etc... Their public IP range is made up entirely of VIPs (save for the Firewall's external interface)
The problem is this: Along with the firewall, we also manage their domain. That means, we have a DNS entry for their two mail servers as mail.company.com and the firewall is fw-company.isp.com. The problem is that their mail servers register themselves with other mail servers with mail.company.com, but the traffic is actually being NATted through the firewall's gateway IP. So, when they connect with another mail server and say "hey, I'm mail.company.com, let's talk," the other mail server says "no, you're fw-company.isp.com, fuck you *click*"
I found out that Dynamic IP is where it's at, but I can't assign a DIP that's already a VIP, and I can't very well unassign the two VIPs because they manage a butt-ton of other services to other servers.
TL;DR: Is there any way I can make it seem as though a server's traffic from behind a NATting firewall is being NATted through a Virtual IP instead of the static IP assigned to the firewall's untrust egress interface?
The server resolves mail.company.com to NAT'd IP (let's say 1.2.3.4), but when it resolves the PTR of your NAT'd IP (1.2.3.4) they get somename.company.com. It doesn't match.
Now, I don't know Juniper specifically, but if you have multiple public IP addresses it shouldn't be a problem, granted you have DNS authority over the reverse zone. Assign a specific public IP address to the mail server to be used for NAT'ing. Then simply add or correct the PTR record to the reverse zone (3.2.1.in-addr.arpa if using Bind) of that IP.
If you only have 1 public IP, there isn't much you can do about it honestly. You can still change the PTR record of that single public IP address, but then it is global and maybe not desirable for the company.
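As an added example (not part of the original thread and not Juniper code), the following Python models what the receiving mail server sees in the reply above: the announced name's forward record versus the connecting address, the PTR of that address, and whether the PTR resolves forward to the same address. All addresses and names are constructed: mail.company.com at 1.2.3.4 (the VIP), the firewall's untrust interface assumed to be 1.2.3.1, and PTR data as the reply describes. The two dictionaries stand in for live DNS so the script runs offline; swap them for real lookups (socket.gethostbyname / socket.gethostbyaddr) to check a production host.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail source.

Added example, not code from the original thread. It reproduces the mismatch
the reply describes: the mail server announces mail.company.com, but its
connections leave through the firewall's egress IP, whose PTR record names
fw-company.isp.com. All addresses and names are constructed sample data.
"""
import ipaddress
from typing import Dict, List

# Constructed forward (A) records, keyed by FQDN with trailing dot.
FORWARD_ZONE: Dict[str, List[str]] = {
    "mail.company.com.": ["1.2.3.4"],    # VIP that port-forwards to the mail server
    "fw-company.isp.com.": ["1.2.3.1"],  # firewall untrust interface (assumed address)
}

# Constructed PTR records in the 3.2.1.in-addr.arpa zone.
REVERSE_ZONE: Dict[str, List[str]] = {
    "4.3.2.1.in-addr.arpa.": ["somename.company.com."],  # wrong PTR, as in the reply
    "1.3.2.1.in-addr.arpa.": ["fw-company.isp.com."],
}


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4/IPv6 address, e.g. 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fqdn(name: str) -> str:
    """Normalise a hostname to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def check_mail_source(helo_name: str, source_ip: str,
                      forward: Dict[str, List[str]] = FORWARD_ZONE,
                      reverse: Dict[str, List[str]] = REVERSE_ZONE) -> List[str]:
    """Return the problems a strict receiving MTA would see (empty list = consistent).

    Four checks, in order: the announced name must resolve to the connecting IP;
    the connecting IP must have a PTR; that PTR must resolve forward to the same
    IP (forward-confirmed); and the PTR must match the announced name.
    """
    helo = fqdn(helo_name)
    problems: List[str] = []

    forward_ips = forward.get(helo, [])
    if source_ip not in forward_ips:
        problems.append(f"{helo} resolves to {forward_ips or 'nothing'}, "
                        f"but traffic comes from {source_ip}")

    ptrs = reverse.get(ptr_name(source_ip), [])
    if not ptrs:
        problems.append(f"{source_ip} has no PTR record")
        return problems  # nothing further to confirm

    confirmed = [p for p in ptrs if source_ip in forward.get(fqdn(p), [])]
    if not confirmed:
        problems.append(f"PTR of {source_ip} names {ptrs}, "
                        f"which do not resolve back to {source_ip}")

    if helo not in [fqdn(p) for p in ptrs]:
        problems.append(f"PTR of {source_ip} is {ptrs}, not the announced {helo}")
    return problems


def after_fix() -> List[str]:
    """Scenario the reply recommends: source-NAT the mail server to its own
    public IP (the VIP) and correct that IP's PTR in the reverse zone."""
    fixed_reverse = dict(REVERSE_ZONE)
    fixed_reverse["4.3.2.1.in-addr.arpa."] = ["mail.company.com."]
    return check_mail_source("mail.company.com", "1.2.3.4", FORWARD_ZONE, fixed_reverse)


if __name__ == "__main__":
    # As described in the thread: announced as mail.company.com, seen from the firewall IP.
    for problem in check_mail_source("mail.company.com", "1.2.3.1"):
        print("before fix:", problem)
    print("after fix:", after_fix() or "consistent")
```

Running it shows two findings for the situation in the thread (the announced name does not resolve to the source address, and the source address's PTR is the firewall's name), and none once the mail server egresses from its own public IP with a matching PTR. Note that simply NATing to the VIP is not enough on its own: with the PTR still pointing at somename.company.com the check still fails, which is why the reply pairs the NAT change with a reverse-zone correction.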