Firewall, NAT and DNS, reverse DNS entries do not match Error

If you host your own email behind a NAT device or firewall, you’ve probably seen this issue come up at least once in your enterprise. Recently, I’ve received some complaints about Exchange 2007 bouncing email messages with error messages like this:

mxi5p.craigslist.org #554 5.7.1 <unknown[12.12.12.2]>: Client host rejected: rDNS/DNS_validation_failed._Please_setup_matching_DNS_and_rDNS_records:
_http://www.craigslist.org/about/help/rdns_failure xabd-4 ##

or its other variations which point to a DNS or rDNS problem:

smtp #550 Your reverse and forwared DNS entries do not match (#5.7.1) ##

Clearly, that is a DNS/rDNS issue, and you should make sure the forward and reverse DNS entries for your email domain are pointing to the correct IP address.

If you’ve checked your DNS and made sure the DNS/rDNS entries are correct, and email had been working fine until you started seeing this error, then something has changed on your NAT/firewall device that is causing the email server to produce these errors. We recently cleaned up our NAT settings and firewall, and as a result one of the key one-to-one NAT entries was deleted. If the forward and reverse DNS (rDNS) hostname and IP address do not match, you will most likely see <unknown [ip address]>: in the error message as well as the DNS/rDNS validation failing.
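To see what the receiving mail server is actually testing when it emits these bounces, here is a small added script (not part of the original post) that performs the forward-confirmed reverse DNS check against the addresses used in the post; the hostname mail.example.com and the zone data are constructed placeholders, and the live_* resolvers are only used when no lookup functions are passed in.

```python
import socket
from typing import Callable, Dict, List, Optional

# The receiving MTA's check, as described by the bounce messages above:
#   1. reverse-resolve the connecting IP to a PTR hostname,
#   2. forward-resolve that hostname,
#   3. require the original IP to be among the forward answers.
PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def live_ptr(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_a(host: str) -> List[str]:
    """Forward (A) lookup via the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def fcrdns_check(ip: str, ptr_lookup: PtrLookup = live_ptr,
                 a_lookup: ALookup = live_a) -> Dict[str, object]:
    """Forward-confirmed reverse DNS: the IP's PTR name must resolve back to the IP."""
    ptr = ptr_lookup(ip)
    if ptr is None:
        return {"ip": ip, "ptr": None, "forward": [], "ok": False,
                "reason": f"no PTR record for {ip} (receivers log it as <unknown[{ip}]>)"}
    forward = a_lookup(ptr)
    if ip not in forward:
        return {"ip": ip, "ptr": ptr, "forward": forward, "ok": False,
                "reason": f"{ptr} resolves to {forward or 'nothing'}, not back to {ip}"}
    return {"ip": ip, "ptr": ptr, "forward": forward, "ok": True,
            "reason": "forward and reverse DNS match"}


# Constructed zone data mirroring the post's addresses (example.com is a placeholder domain):
# 12.12.12.4 is the correctly NATed mail server, 12.12.12.5 has a stale PTR, 12.12.12.2 has none.
FAKE_PTR = {"12.12.12.4": "mail.example.com", "12.12.12.5": "mail.example.com"}
FAKE_A = {"mail.example.com": ["12.12.12.4"]}

if __name__ == "__main__":
    for addr in ("12.12.12.4", "12.12.12.5", "12.12.12.2"):
        print(fcrdns_check(addr, FAKE_PTR.get, lambda h: FAKE_A.get(h, [])))
```

Run it with no lookup arguments on the mail server's public address to test against real DNS; the 12.12.12.2 case reproduces the <unknown[...]> condition that appears after a one-to-one NAT entry goes missing and traffic leaves via a different public IP.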

How to add one-to-one NAT on a Cisco IOS router, PIX or ASA firewall device?

Log on to the router and, in global configuration mode, enter this command:

ip nat inside source static <InsideIPAddress> <OutsideIPAddress> extendable

Example command:

ip nat inside source static 192.168.1.100 12.12.12.4 extendable

If you are using a Cisco ASA 5500 or PIX device for NAT, you can use this command to perform one-to-one translations:

static (Inside,Outside) 12.12.12.4 192.168.1.100 netmask 255.255.255.255

You may have to clear existing NAT translations/entries on the device. To do that, enter this command on a Cisco router:

clear ip nat translation *

For a Cisco ASA 5500 or PIX firewall device, use this command:

clear xlate

I hope this solution was helpful to you. Please make sure you back up your router/firewall configuration before making any configuration changes on live production network equipment. As always, thanks for reading, and if you have any questions or suggestions please feel free to post them in our forums!

Enjoy!