topic No problems receving mails, in Network Security

ASA 5525: Mailserver behind firewall Problem (rDNS)

kvt000001 — Tue, 12 Mar 2019 08:51:17 GMT

Hi All

We are using ASA Version 9.4(3) and having an Outbound SMTP problem with our mailserver.

When we send mails the firewall IP is used as sender, not the mailserver IP, and that bounce mails to other mailservers.
What we want is the mailserver IP to be shown when sending mail, not the firewall IP.

Can someone tell us what we are missing and guide us in the right direction?

Similar problem but with "older" ASA version
https://supportforums.cisco.com/discussion/11905686/asa-5505-outbound-smtp-route-problem-rdns

The current configuration

External IP Firewall: xx.xxx.xx.34
External IP Mailserver: xx.xxx.xx.35

Interfaces:

interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 192.168.0.1 255.255.240.0

interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 172.16.30.1 255.255.255.0
dhcprelay server 192.168.0.254

interface GigabitEthernet0/6

nameif OUTSIDE
security-level 0
ip address xx.xxx.xx.34 255.255.255.224

Mailserver
object network host 172.16.30.11
object network host xx.xxx.xx.35

NAT-Rules
object network 172.16.30.11
nat (DMZ,OUTSIDE) static xx.xxx.xx.35

Access-List
access-list DMZ_in extended permit tcp object 172.16.30.11 any eq smtp

Thanks for suggestions

Have you perhaps got a

Philip D'Ath — Mon, 30 Jan 2017 23:06:16 GMT

Have you perhaps got a dynamic NAT rule for outbound access before this NAT rule?

We have those dynamic NAT

kvt000001 — Tue, 31 Jan 2017 13:46:51 GMT

We have those dynamic NAT rule before the static ones

nat (DMZ,OUTSIDE) source dynamic 172.16.30.11 interface service 25 25
nat INSIDE,OUTSIDE) source dynamic any interface
nat (DMZ,OUTSIDE) source dynamic any interface

You need to create a full 1

Collin Clark — Tue, 31 Jan 2017 16:01:09 GMT

You need to create a full 1-to-1 NAT to the email server.

nat (DMZ,OUTSIDE) source static 172.16.30.11 interface

I have now following NAT

kvt000001 — Fri, 03 Feb 2017 21:13:08 GMT

I have now following NAT-Rules

nat (DMZ,OUTSIDE) source dynamic 172.16.30.11 interface service 25 25
nat INSIDE,OUTSIDE) source dynamic any interface
nat (DMZ,OUTSIDE) source dynamic any interface
nat (DMZ,OUTSIDE) source static 172.16.30.11 interface

NAT-Rules
object network 172.16.30.11
nat (DMZ,OUTSIDE) static xx.xxx.xx.35

Is this sufficient configuration for the firewall so I can start debugging elsewhere because some is still not right.

and are some of the rules overkill/dublets and can be removed?

You shouldn't need these.

Philip D'Ath — Fri, 03 Feb 2017 21:44:57 GMT

You shouldn't need these. The object NAT should be enough on its own.

nat (DMZ,OUTSIDE) source dynamic 172.16.30.11 interface service 25 25
nat (DMZ,OUTSIDE) source static 172.16.30.11 interface

You will also need to access-list rule to allow traffic to the object 172.16.30.11 from the outside interface (assuming you want to receive email).

No problems receving mails,

kvt000001 — Wed, 08 Feb 2017 21:04:47 GMT

No problems receving mails, only sending mails (they are rejected by other servers)

Did some test with MX-Tools and the header shows the problem.

Subject: test
Received: from fw.domain.dk (HELO fc.domain.dk) ([xx.xx.xx.34]) by mx1.tools.mxtoolbox.com with ESMTP; 06 Feb 2017 09:13:30 -0600
Message-id: <fc.00870c7d011bf26700870c7d011bf267.11bf268@domain.dk>
X-FC-Thread-ID: 00870c7d-011bf267
Date: Mon, 06 Feb 2017 16:13:43 +0100
X-Mailer: FirstClass 12.1 (build 12.109)
X-FC-SERVER-TZ: 30147588
To: ping@tools.mxtoolbox.com
From: "xxx" <kvt@domain.dk>

The HELO is tjecking fc.domain.dk (IP xx.xx.xx.35) and compair it with the fw.domain.dk IP (xx.xx.xx.34) and because the differ in the IP's, mails get rejected.