[isalist] Re: SMTP - internal to localhost issue..

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 3 Dec 2009 10:59:50 -0600

:)

 

I agree with Tim -- if it was already there and doesn't break anything,
nothing wrong with having it there.

 

I often have NAT devices in front of the ISA firewall, and sometimes
other devices in front of the ISA/TMG firewall add functionality without
breaking ISA/TMG functionality.

 

As long as the motivation isn't the "But hardware firewalls are more
secure" mindset, it's all good.

 

____________________________________________

TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx


5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM <http://www.prowesscorp.com/> 

____________________________________________

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, December 03, 2009 10:43 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

 

He says the same thing about my Netgear FVX538 in front of my ISA ;)  If
you like it, leave it there, as long as having them in-line doesn't make
you do things the "wrong" way from a security standpoint.  I like my
Netgear where it is, and it allows me some interesting configuration
options.

 

I'll get to your other email once I have some coffee ;)

 

t

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul T. Laudenslager
Sent: Wednesday, December 02, 2009 9:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

 

Well, to be honest, I didn't really have to put one there.

 

However, I'm studying for my next Cisco exam and wanted one up there
with some production traffic to play with...  

 

I guess it's stupid since I'm not really using it and with your
reaction, I'll probably now take it out.  Are there any disadvantages
that I should have considered?

 

See, your list has influenced me more than you realize... :)

-paul

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, December 03, 2009 12:09 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

 

What's sad is that pathetic Syphco box in front of the real firewall?

 

What's up with that?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul T. Laudenslager
Sent: Wednesday, December 02, 2009 10:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

 

Hi Thor!

 

You are too damn funny!

 

Brief History: I just moved most of my equipment into a rack in AOL's
old datacenter up in Northern VA.  I've been spoiled by having all of
my equipment in my house with multiple T's.  Of course, I really won't
mind saving $500/m on my electric bill!  <big cheesy grin>

 

I built a new ISA box that I put behind a Cisco firewall.  All of the
internal servers use a private IP address range (172.16.x.x) that point
to the IP on the internal ISA nic (172.16.88.1).  All of the public IP's
(two class C's) are assigned to the outside ISA nic.

 

From the outside, I can telnet to the public IP's smtp port just fine
(publishing works great).   I can telnet to port 25 from one private IP
to another just fine.  I can also telnet from a private IP to an outside
smtp port on the Internet just fine.  I just can't telnet to one of my
"public" ips on the firewall and have it go back internally to the
private network.

 

This part is embarrassing... I know how to go to Monitoring/Logging and
create the queries I'm looking for... -= Please don't laugh here =-
...but I've never been into the firewall logs.  In fact, I'm not even
sure where they are located.  I've always done my troubleshooting from the
logging page.

 

Here's what the logging page is showing me...  (I'm telnetting from the
172.16.88.35 box to the 74.220.152.40 public ip).  The 74.220.88.40 is
the public ip for the published 172.16.88.40 server.

[PNG image of the logging page: attached to the original message, not reproduced here]

I can telnet to ANYWHERE from the .35 box EXCEPT to my published, public
IPs.

 

Something I learned here on the list was to create an "Open All" rule
(for troubleshooting purposes) which allows all ports on all networks.
Even with this rule enabled, I still receive a Denied connection.

 

<head hanging down to you great almightys>  Where do I go to view the
logs?

 

Your friend,

Paul

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, December 02, 2009 7:47 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

 

Don't listen to Steve.  He's on crack.   I'm assuming your servers are
SNAT clients (int ISA nic is their default gateway) since you are
publishing...  you should be able to telnet to 25 on your server's
external published address just fine as long as your rules allow that.
I just telnet'ed from my Exchange box itself to its externally published
address and it worked just fine.   What do your ISA logs say?

 

t

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul T. Laudenslager
Sent: Wednesday, December 02, 2009 4:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

 

Okay... Hmm...

 

Let's say I have a bunch of customers on ServerA and a different bunch
on ServerB.

 

If customers on ServerA send customers on ServerB an email, the ServerA
server resolves the IP address to the "external" or "public" IP, not the
internal/local IP.

 

I don't want to have to maintain an entire DNS to resolve hundreds
of domain names internally.  I thought I had this configuration working
several times before... maybe I'm wrong.

 

One way that does work is to implement a mail relay server outside the
firewall.  However, that means all internal smtp traffic from one mail
server to another has to go outside the firewall.  

 

There just seems something wrong with that.

 

Me wanna worky! :)

-paul 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat [Steve@xxxxxxxxxx]
Sent: Wednesday, December 02, 2009 7:14 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SMTP - internal to localhost issue..

Don't try to do that through ISA...no worky....

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Paul T. Laudenslager
Sent: Wednesday, December 02, 2009 8:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] SMTP - internal to localhost issue..

 

Okay, I'm missing something simple here but have yet to figure it out.

 

1.  I published (2) internal SMTP boxes to outside "live" IP addresses.
I can access these internal servers on port 25 just fine on their
'public' ips.

 

2.  I can telnet to the SMTP port of each other's private IP address.
(ie. 172.16.x.x to 172.16.x.x)

 

Problem

======

 

When I try and telnet from one SMTP server to the published "public" IP
of the other SMTP server, the connection is denied.

 

I've created a rule to allow internal network to localhost network for
port 25 but it is still failing.

 

Any suggestions on what to look for next? 

 

Thanks in advance for your kind suggestions! :)

-paul

 

 

 

________________________________

This email is confidential and should only be read by the intended
recipient.
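As an added example (not code from any message in this thread), below is a small Python probe that does what Paul is doing by hand with telnet: connect to port 25 of the same mail server via its private address and via its published public address, read the 220 greeting, send QUIT, and report for each path whether it answered, was refused (RST came back), or timed out (silently dropped, which is what a deny rule or missing route looks like). The 172.16.88.40 / 74.220.152.40 pair in the main block is taken from Paul's message; the fake SMTP listener, the `mail.example.test` banner and the `free_loopback_port` helper are constructed so the probe can be exercised offline and are not part of the original discussion.

```python
import socket
import socketserver
import threading


# Constructed stand-in for an SMTP server: sends a 220 greeting and answers QUIT.
# It exists only so the probe below can be exercised offline.
class _FakeSmtpHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(b"220 mail.example.test ESMTP constructed test banner\r\n")
        try:
            self.request.recv(64)              # wait for the client's QUIT (or its close)
            self.request.sendall(b"221 bye\r\n")
        except OSError:
            pass


def start_fake_smtp():
    """Bind the fake SMTP listener on an ephemeral loopback port; returns the server."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def free_loopback_port():
    """Bind and immediately release a loopback port, so a connect to it is refused."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def probe_smtp(host, port=25, timeout=3.0):
    """Open a TCP connection, read the SMTP greeting, send QUIT.

    Returns a dict with 'status' in {'ok', 'unexpected-greeting', 'refused',
    'timeout', 'error'} plus the raw banner when one was received.
    """
    result = {"target": f"{host}:{port}", "status": "error", "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(512).decode("ascii", "replace").strip()
            result["banner"] = banner
            result["status"] = "ok" if banner.startswith("220") else "unexpected-greeting"
            sock.sendall(b"QUIT\r\n")
    except ConnectionRefusedError:
        result["status"] = "refused"   # RST: host reachable, nothing listening or explicit reject
    except socket.timeout:
        result["status"] = "timeout"   # silent drop: typical of a deny rule or a missing route
    except OSError as exc:
        result["status"] = "error"
        result["banner"] = str(exc)
    return result


def compare_paths(paths, port=25, timeout=3.0):
    """Probe the same mail server over several paths and flag the ones that differ.

    `paths` maps a label ('private', 'published', ...) to the address to connect to.
    Returns (results, failing_labels) so a caller can act on the outcome.
    """
    results = {label: probe_smtp(addr, port, timeout) for label, addr in paths.items()}
    failing = sorted(label for label, r in results.items() if r["status"] != "ok")
    return results, failing


if __name__ == "__main__":
    # Addresses from Paul's message: the server's private IP and its published public IP.
    paths = {"private": "172.16.88.40", "published": "74.220.152.40"}
    results, failing = compare_paths(paths)
    for label, r in results.items():
        print(f"{label:>9} {r['target']:<22} {r['status']:<20} {r['banner'] or ''}")
    if failing:
        print("paths that do not reach the server:", ", ".join(failing))
```

Run it from the internal box (the .35 machine in Paul's case). A "timeout" on the published path together with an "ok" on the private path is the pattern to take to the firewall log: the packet reached the firewall and was dropped rather than forwarded back in.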