Mail server
alx, 2021-01-28 11:50:31

How to properly configure NAT on a Mikrotik with external IP substitution for the mail server?

Good day, experts.
The company has its own internal Zimbra mail server with the internal IP 10.100.100.100.
The provider's external IP, through which all users go out to the Internet via ISP1, is 94.86.49.XXX. In
addition, a pool of white (public) addresses was purchased for publishing corporate services, one of which is for the mail server: 187.29.30.MMM.
On the provider's routers, incoming traffic to all of the additional white address pool (including 187.29.30.MMM) is forwarded to the main IP 94.86.49.XXX.
Naturally, all DNS records are registered and configured; SPF and PTR too.
Everything worked for 4 years until the new Mikrotik RB1100AHx4 was recently delivered. The old router was taken away, and there is no access to its config.

So for now, for reasons I do not understand, it is not possible to get NAT working correctly so that all incoming traffic from outside on 187.29.30.MMM
The NAT config is currently as follows:

NAT

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
!SERVICES_OUT
add action=netmap chain=dstnat comment=MAIL dst-address=187.29.30.MMM \
to-addresses=10.100.100.100
add action=netmap chain=srcnat out-interface=eth11-wan1-bee src-address=\
10.100.100.100 to-addresses=187.29.30.MMM

The SERVICES_OUT list contains the mail server address 10.100.100.100.


Any online service (online ping, etc.) resolves the name mail.company.ru to the correct IP 187.29.30.MMM.
But now outgoing letters from the mail server have started to receive rejections for an incorrect SPF, and letters have started landing in spam, which is natural:
<[email protected]>: host mx1.spaceweb.ru[77.222.41.43] said: 550 SPF check:
94.86.49.XXX is not allowed to send mail as company.ru (in reply to RCPT
TO command)


I sent myself a test message to Gmail; it landed in spam with the content:
SPF: FAIL with IP address 94.86.49.XXX.

It turns out that what I have now implemented is this:
Incoming packets from outside to mail.company.ru = 187.29.30.MMM are forwarded to the internal mail server IP 10.100.100.100.
Any online pinger will confirm this, and the SSL certificate issued to mail.company.ru does not complain either, because the A record in DNS is correct.
But the return direction does not work. Outgoing packets from the mail server 10.100.100.100 should go outside with the IP 187.29.30.MMM instead of 94.86.49.XXX, through which users go out to the Internet.

I am attaching one of the working versions of the old router config:
router.cfg

: Saved
:
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
!
ASA Version 9.1(7)
!
hostname net-gw
names
ip local pool CVPN_POOL 10.0.130.10-10.0.130.254 mask 255.255.255.0
!
interface Ethernet0/0
description inet-backup
nameif ISP2
security-level 0
ip address 217.5.46.YYY 255.255.255.0
!
interface Ethernet0/1
description inet
nameif ISP1
security-level 0
ip address 94.86.49.XXX 255.255.255.252
!
interface Ethernet0/2
description lan-work
nameif LAN
security-level 100
ip address 10.100.100.254 255.255.255.0
!
interface Port-channel2
no nameif
no security-level
no ip address
!
dns domain-lookup ISP2
dns server-group DefaultDNS
name-server 94.86.49.104
name-server 94.86.48.104
name-server 8.8.8.8
name-server 8.8.4.4
domain-name company.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network CVPN
subnet 10.0.130.0 255.255.255.0
object network OBJ-10.100.100.0-BACKUP
subnet 10.100.100.0 255.255.255.0
object network OBJ-10.100.100.0-ISP2
subnet 10.100.100.0 255.255.255.0
object network OBJ-192.168.11.0
subnet 192.168.11.0 255.255.255.0
object service http
service tcp source eq www destination eq www
object service https
service tcp source eq https destination eq https
object network MAIL
host 10.100.100.100
description MailServer
object network net-gw
host 10.100.100.254
object-group service ldap udp
port-object eq 389
object-group service ldap-gc tcp
description global catalog
port-object range 3268 3269
object-group service CorpMail tcp
description All ports for Mail Server
group-object ldap-gc
port-object eq 465
port-object eq 8008
port-object eq 993
port-object eq 995
port-object eq www
port-object eq https
port-object eq imap4
port-object eq ldap
port-object eq ldaps
port-object eq smtp
object-group network DM_INLINE_NETWORK_2
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_3
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_6
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_9
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_11
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_14
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_10
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_15
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_16
network-object object CVPN
network-object object LAN-SRV
object-group network DM_INLINE_NETWORK_17
network-object object CVPN
network-object object LAN-SRV
access-list VPN_SPLIT standard permit 10.100.100.0 255.255.255.0
access-list VPN_SPLIT remark CVPN
access-list VPN_SPLIT standard permit 10.0.130.0 255.255.255.0
access-list INSIDE_IN extended permit ip any4 any4
access-list BACKUP_IN extended permit ip any4 any4
access-list OUTSIDE_IN extended permit ip any4 any4
access-list CVPN_FILTER extended permit ip object CVPN any4
mtu ISP2 1500
mtu ISP1 1500
mtu LAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any ISP2
icmp permit any ISP1
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static CVPN CVPN destination static LAN-SRV LAN-SRV no-proxy-arp
!
object network OBJ-10.100.100.0-BACKUP
nat (LAN,ISP1) dynamic interface
object network OBJ-10.100.100.0-ISP2
nat (LAN,ISP2) dynamic interface
object network MAIL
nat (LAN,ISP1) static 187.29.30.MMM
access-group OUTSIDE_IN in interface ISP2
access-group BACKUP_IN in interface ISP1
access-group INSIDE_IN in interface LAN
route ISP1 0.0.0.0 0.0.0.0 94.86.49.1 1 track 1
route ISP2 0.0.0.0 0.0.0.0 217.5.46.1 5
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (LAN) host 10.100.100.4
key 3456789
user-identity default-domain LOCAL
nac-policy cvpn nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 10.100.100.154 255.255.255.255 LAN
http 10.100.100.249 255.255.255.255 LAN
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
timeout 7000
threshold 10000
frequency 15
sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 10.100.100.154 255.255.255.255 LAN
ssh timeout 60
ssh version 1
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access LAN
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy cvpn internal
group-policy cvpn attributes
dns-server value 10.100.100.4
vpn-simultaneous-logins 1
vpn-filter value CVPN_FILTER
group-lock value cvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SPLIT
default-domain value company.local
address-pools value CVPN_POOL
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class class-default
set connection decrement-ttl
!
service-policy global_policy global
smtp-server 10.100.100.100
prompt hostname context
no call-home reporting anonymous
: end

1 answer(s)
Fenrir89, 2021-01-28
@snatch-88

The src-nat rule must be above the masquerade rule, otherwise the traffic falls into the masquerade first; or do it through packet marking.
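
The rule ordering the answer refers to, written out as an added example (this is not the poster's config and not the answer's own text). On the old ASA a single static object NAT (`nat (LAN,ISP1) static 187.29.30.MMM`) is bidirectional, so one line covered both directions; on RouterOS the two directions are separate srcnat and dstnat rules, and srcnat is evaluated top-down with the first matching rule winning, so a masquerade rule placed above the mail rule takes the connection before the mail rule is ever consulted. The interface names and addresses below are the ones from the question; the published port list is an assumption chosen so that a 1:1 netmap does not expose every service on the host, and the `move` and `connection print` commands are the checks a practitioner would run after applying it.

```routeros
# Added example: not the original poster's config. Assumes the interface list
# WAN, the ISP1 interface eth11-wan1-bee, the mail host 10.100.100.100 and its
# public address 187.29.30.MMM, all as in the question above.

/ip firewall nat
# 1. Outbound: the mail server leaves ISP1 as 187.29.30.MMM. This rule must sit
#    ABOVE the masquerade rule; srcnat stops at the first matching rule.
add chain=srcnat action=src-nat comment="MAIL out" \
    src-address=10.100.100.100 out-interface=eth11-wan1-bee \
    to-addresses=187.29.30.MMM

# 2. Everyone else is masqueraded to the interface address (94.86.49.XXX).
#    No address-list exclusion is needed once rule 1 is above it.
add chain=srcnat action=masquerade comment="LAN out" out-interface-list=WAN

# 3. Inbound: traffic arriving on WAN for the public mail address goes to the
#    mail host. Port list is an assumption (SMTP, submission, IMAPS, POP3S,
#    HTTPS); a netmap with no port list would publish every port on the host.
add chain=dstnat action=dst-nat comment="MAIL in" in-interface-list=WAN \
    dst-address=187.29.30.MMM protocol=tcp dst-port=25,465,587,993,995,443 \
    to-addresses=10.100.100.100

# If the rules already existed in the wrong order, move the mail rule to the
# top instead of re-adding it:
/ip firewall nat print
/ip firewall nat move [find comment="MAIL out"] destination=0

# Check: while the mailer has an outbound SMTP session open, the tracked
# connection must show reply-dst-address=187.29.30.MMM:25..., not 94.86.49.XXX.
/ip firewall connection print where src-address~"^10.100.100.100:" protocol=tcp
```

Existing connections keep the translation they were created with, so after reordering, drop the mailer's tracked outbound connections (`/ip firewall connection remove [find src-address~"^10.100.100.100:"]`) or wait for them to expire before re-testing; then send a message to an external mailbox and confirm that the first Received header and the SPF result name 187.29.30.MMM. If the original `src-address-list=!SERVICES_OUT` exclusion is kept instead of reordering, the thing to verify is `/ip firewall address-list print where list=SERVICES_OUT`: an entry that is disabled, has a typo, or has timed out makes masquerade silently apply to the mail host, which matches the symptom in the question.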
