To start, I'd just like to admit my lack of knowledge in setting up/maintaining critical hardware like firewalls and Exchange servers. I am the Technology Coordinator for a small charter school and came into this position about 6 months ago, where, at the time, there had not been any sort of technical support for the past 4 to 5 years. Needless to say, I've been reverse engineering the layout of our network and its numerous issues for quite some time. My knowledge base is really oriented toward basic hardware/software troubleshooting with a significant deficit in my knowledge of network infrastructure, but I'm really the only one who is even remotely capable of correcting our network issues.

Yesterday, the network engineer for our new fiber-optic ISP and I replaced an aging PIX515 firewall with a new ASA5510 firewall and plugged in the newly laid fiber-optic connection. The network engineer mirrored the config in the ASA5510 for port and IP forwarding exactly as it had been set up in the PIX515.

Following the replacement, internet worked perfectly with the expected monumental increase in bandwidth (upgraded from 2 x 1.5mb T-1 connections to a 20mb fiber-optic connection).

We noticed the next day that we were unable to receive any inbound emails to our Exchange server that were originating from external domains. After doing some frantic Google research, I think I can safely say that our primary issue here is the need to change the public IP address of our DNS record to accurately reflect the change in IP address that came along with our changing of ISPs.

My question is really kind of multifaceted as I think I know what the problem is, but I haven't got a clue as to which first step to take in attempting to resolve it.

I would be infinitely appreciative of anyone who could give me some professional insight into how I should proceed. I want to reiterate the fact that I am likely to be missing some pertinent information (like the public IP address of our mail server) because I don't know the specific history and configuration of our network, nor do I know how to go about finding that information.

Brady

2 Answers

Seems like you've already found your answer:

    After doing some frantic google research, I think I can safely say that our primary issue here is the need to change the public ip address of our DNS record to accurately reflect the change in ip address that came along with our changing of ISPs.

In other words, this has nothing to do with the ASA or the Exchange server(s). You switched ISPs and got a different public IP.

You need to update the DNS entry/entries for your domain. It's impossible to tell you where to go, as you'll need to check your domain (use a whois tool) and contact the people/company responsible for hosting your domain. Then, replace any A-record that points towards your old IP and insert the new one.

pauska

As pauska said, you should check your existing domain registry info. That's where you'd need to go to update it anyway. However, you could also find the info other ways. Using cmd.exe on a Windows box, run:

  1. nslookup
  2. set type=mx
  3. example.domainname.com DNSserverIP

This will give you the DNS A record of your public mail server. Then do an nslookup against this server name - that's your public mail server IP. Note, you may get different results running this internally (against your own DNS), vs. externally (against public DNS). The DNSserverIP above will let you target a public DNS server (such as what your ISP provides - ask whomever maintains your DNS, they can give you the right value.) If you don't use it, you'll get your internal DNS. If all this is too confusing, just run the 3 commands above from home, without the DNSserverIP value. You'll get a public DNS value.

Or you can look through your old PIX configs. There is probably an entry in the outside ACL, and a NONAT statement for it. If you need help with that, let me know.

Even once you get your DNS pointer fixed, you'll still need to get your firewall rules updated. Let me know when you get there. Your old PIX configs would have had entries for the old IPs not the new ones. You'll need ACL and NAT changes, likely.

sjw