|
Posted by News Reader on April 30, 2008, 3:46 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> wrote:
>
>> Bob Simon wrote:
>>> I have an access list applied inbound on the outside interface of a
>>> 2600 connected to the edge router. I found that I needed smtp ACEs
>>> for both the source port and for the destination port to our exchange
>>> server.
>>> 50 permit tcp any eq smtp host 192.168.0.20 (99012 matches)
>>> 60 permit tcp any host 192.168.0.20 eq smtp log (880 matches)
>>>
>>> Why is this? I thought inbound traffic to the server would be on
>>> random destination ports allocated by PAT on the edge router; no?
>> You have static NAT setup for the SMTP server don't you?
>>
>> e.g.: ip nat inside source static tcp 192.168.0.20 25 interface
>> <external-interface> 25
>
> Yes, but NAT is handled by the edge router, which is managed by the
> ISP, so I can't see exactly what is going on in that box.
The information you provided lead me to believe that you were
successfully connecting to your internal SMTP server from outside
clients and servers. Correct me if I am wrong.
Has the ISP provided you with a pool of IP addresses, and are they
performing static one-to-one translation with your internal hosts? If
so, you would want to take steps to minimize the ports available on the
SMTP server from outside hosts. A one-to-one mapping would expose all
ports on the SMTP server.
With an edge router managed by the ISP, I would assume that Port Address
Translation (PAT) is not being used. PAT (NAT overload) translates all
(or a subset of) internal addresses to a single external IP address. In
such a scenario, you would need to establish a port specific translation
such as the one above, which would forward inbound connections to TCP
port 25, to the internal SMTP server.
PAT can be used along side static and dynamic NAT pools as well, but it
is doubtful that this scenario would exist without your
knowledge/involvement).
>
>> That port is being committed for that purpose.
>>
>> Any inbound connection setup would be directed at port 25.
>>
>> Outbound SMTP connections from your server to an Internet-residing
>> server would be from source port 25 with returning traffic coming to
>> destination port 25.
>>
>>
>> With regard to random PAT ports, consider the following:
>>
>> An internal client initiates a connection with source port 1200 to a
>> server on the web. The packet is forwarded by the NAT router with source
>> port 1200.
>>
>> A second client initiates a connection with source port 1200
>> (coincidence) to any resource on the web. The NAT router will forward
>> the packet with a "random unused source port" NOT involved in a
>> pre-existing translation.
>>
>> A random port is used when the desired source port is already being
>> translated.
>>
>> The random source ports (destination ports on the return path) aid PAT
>> in associating returning packets with the correct internal host.
>>
> Thank you. This was helpful, but I still have a bit of confusion
> about source and destination well-known ports that I mentioned in the
> previous reply. Can you help me clear this up?
Please see my reply to the other post.
Best Regards,
News Reader
| 
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map