topic Mail server NAT translation with smtp redirect in Network Security

Mail server NAT translation with smtp redirect

mhobart — Mon, 11 Mar 2019 23:33:04 GMT

HI,

We are setting up a GWAVA smtp filter (IP address: 10.10.10.1) appliance that needs incoming smtp traffic redirected to it. I still need the mail server (IP address 10.10.10.2) to have a 1 to 1 nat translation to an outside IP address (IP address 2.2.2.2).

The way I have it setup now, smtp traffic is being redirected to our GWAVA filter , and outside users can still connect their email clients to the internal mail server. However, outbound mail being generating by our email server is being sent out a different external IP (2.2.2.1) causing some emails to get returned because they don't match the mx records.

It seems simple enough, but when I create a static NAT rule mapping 10.10.10.2 to the outside IP 2.2.2.2, it seems to overule the smtp redirect rule.

Could someone give me a set of simple commands to add these rules?

Mail server NAT translation with smtp redirect

Ramraj Sivagnanam Sivajanam — Fri, 20 Jul 2012 18:28:15 GMT

Hi Bro

Your setup isn't unique. There are many clients out there that has this similar setup running. Hence, this should be easy to resolve. Are you able to paste your latest show running-config here, so that I can advice you accordingly what needs to be added/remove etc.?

Mail server NAT translation with smtp redirect

nkarthikeyan — Sun, 22 Jul 2012 07:36:27 GMT

Hi Matt,

I din't really understand your scenario. Please correct me if am wrong.

Your incoming smtp requests alone needs to be pointed to the GWAVA smtp filter Appliance (10.10.10.1 which is translated from 2.2.2.1). But your outbound smtp request has to be pointed to your smtp server (10.10.10.2 which is translated to 2.2.2.2). But now your SMTP request which is going out also getting translated to 2.2.2.1 and getting bounced right?????

Please let me know i will suggest you some ideas????

Mail server NAT translation with smtp redirect

mhobart — Sun, 22 Jul 2012 15:32:27 GMT

Sorry for the delay, I got the smtp redirect working along with the outgoing mail being mapped correctly. However, I have a new issue now, I posted parts of my sh run output below.

I believe the issue I need to figure out is called "Hairpinning" but I"m not sure. I'm running ASA 8.3 by the way.

The issue is, the GWAVA filter sends out digests where users can click on a link to release any quarantined mail. The link can be edited, but right now it uses the internal ip address of the GWAVA filter (10.10.10.1) so interally the link works perfectly. However, on the public side the link doesn't work obviously because it it can't see 10.10.10.1. So I wanted to put in the public IP of the mail server 2.2.2.2 and just have the ASA redirect the port 49285 to the internal GWAVA appliance (10.10.10.1) Now this works perfectly on the outside and the redirect for port 49285 is working, but it doesn't work on the inside because users can't see the external IP of the GWSRV mail server 2.2.2.2.

Everything I've read seems to point to hairpinning, but I can't seem to get the right configuration. I just need internal requests for 2.2.2.2 on port 49285 to be directed to the GWAVA internal IP 10.10.10.1 so the "Release" link in those emails will works both on the public and private side of the firewall.

I also have a cisco 3560 l3 swith in place on the network that all hosts use as their default gateway. The default gateway of that switch is the ASA device. So I'm not sure if that's interfering either. We have an internal dns server 10.10.10.4 that resolves the mail server domain name to its internal ip 10.10.10.2

Any help would be greatly appreciated!!

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.10.3 255.0.0.0
!
interface GigabitEthernet0/3
speed 100
duplex full
nameif outside
security-level 100
ip address 2.2.2.1 255.255.255.224

dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.10.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object service GWClient
service tcp destination eq 1677
object network GWAVA
host 10.10.10.1
object network GWSRV
host 10.10.10.2
object service GWWEB
service tcp destination eq www
object service QMS
service tcp destination eq 49285
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj_any
service-object object GWClient
service-object object GWWEB
service-object object QMS
service-object object SMTP

access-list outside_in extended permit object-group DM_INLINE_SERVICE_2 any host
10.10.10.1
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host
10.10.10.2
access-list outside_in extended deny ip any any

access-list inside_access_in extended permit ip object 10.0.0.0 any
access-list inside_access_in extended deny ip any any

nat (outside,inside) source static any any destination static A_2.2.2.2 GWAVA service SMTP SMTP unidirectional
nat (outside,inside) source static any any destination static A_2.2.2.2 GWAVA service QMS QMS unidirectional
nat (outside,any) source static any any destination static A_2.2.2.2 GWSRV service GWClient GWClient unidirectional
nat (outside,any) source static any any destination static A_2.2.2.2 GWSRV service GWWEB GWWEB unidirectional
nat (inside,outside) source static GWSRV A_2.2.2.2 unidirectional
!
object network 10.0.0.0
nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.3 1

Mail server NAT translation with smtp redirect

nkarthikeyan — Sun, 22 Jul 2012 16:40:38 GMT

Hi Matt,

I understand your concern. So you need to do NAT from outside to inside using general NAT. And NAT hairpinning concept to use when it is in local from the LAN. It should take the local address instead of public. So that it will go through.

Yes.If the you should have the follwing command enabled for this reverse turn for local requests.

same-security-traffic permit intra-interface. This will make the traffic to in and out on the same interface.

static (inside,outside) 2.2.2.2 10.10.10.1

static (inside,inside) 2.2.2.2 10.10.10.1

Make some alterations as per your 8.3 version commands. Still i have not used to that one. . But this is the concept. When the request comes for LAN network of the inside network it translates to 10.10.10.1 and goes locally using intra interface. When it comes from outside it will go through the static nat from public to private.

Please do rate if the given information helps.

Karthik

Mail server NAT translation with smtp redirect

Ramraj Sivagnanam Sivajanam — Sun, 22 Jul 2012 16:53:34 GMT

Hi Bro

In order to allow your INSIDE users to see the external IP of the GWSRV mail server, you'll need to configure DNS Doctoring, to resolve this issue.

object network obj-10.10.10.1

host 10.10.10.1

nat (inside,outside) static 2.2.2.2 dns

For further details, you could refer to https://supportforums.cisco.com/thread/2035927

P/S: If you think this comment is useful, please do rate them nicely 🙂