Welcome to Cisco Firewalls Community
Having routing issues with mail routing through firewall

I have an ASA 5506 and am trying to troubleshoot an issue with mail since moving to Office 365 Exchange Online. I still have an on-premises server which sends mail from our application. Since migrating to O365, mail from this server either gets rejected by or dumped to spam on the target server. I have created the proper DNS records based on the O365 documentation and all appear to be correct. While evaluating the Internet header of email from a target server which deposits it into spam, I see the IP address in the sender appears to be my firewall IP, which I don't have an MX or SPF record for. I have the following configuration in place. The public IP is 50.123.50.204. I'm not well versed in CLI capture, but I believe I have the correct parts of the configuration. Any suggestions on how to resolve this issue?

Internet Header

Received: from CY4PR11MB1415.namprd11.prod.outlook.com (10.173.17.17) by
 DM5PR11MB1418.namprd11.prod.outlook.com (10.168.104.20) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1101.14 via Mailbox Transport; Tue, 23 May 2017 15:13:55 +0000
Received: from CY4PR1101CA0006.namprd11.prod.outlook.com (10.172.74.144) by
 CY4PR11MB1415.namprd11.prod.outlook.com (10.173.17.17) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1101.14; Tue, 23 May 2017 15:13:49 +0000
Received: from BY2NAM03FT035.eop-NAM03.prod.protection.outlook.com
 (2a01:111:f400:7e4a::207) by CY4PR1101CA0006.outlook.office365.com
 (2603:10b6:910:15::16) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.9 via
 Frontend Transport; Tue, 23 May 2017 15:13:49 +0000
Authentication-Results: spf=fail (sender IP is 50.123.50.201)
 smtp.mailfrom=CDE.COM; cde.com; dkim=none
 (message not signed) header.d=none;cde.com; dmarc=none
 action=none header.from=CDE.COM;
Received-SPF: Fail (protection.outlook.com: domain of CDE.COM
 does not designate 50.246.78.201 as permitted sender)
 receiver=protection.outlook.com; client-ip=50.123.50.201;
 helo=MAR.CDE.COM;
Received: from MAR.CDE.COM (50.123.50.201) by
 BY2NAM03FT035.mail.protection.outlook.com (10.152.84.223) with Microsoft SMTP

Cisco ASA config

object network 50.123.50.204
 host 50.123.50.204
 description SMTP
object network SMTPServer
 host 172.16.1.32
 description SMTP Server for A+
object service SMTP
 service tcp source eq smtp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object Private_MailServer
access-list outside_access_in extended permit tcp any object Midsrvr02_Private object-group DM_INLINE_TCP_1
access-list users standard permit 172.16.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit object-group DM_INLINE_SERVICE_2 any object Private_MailServer inactive
access-list OUTSIDE-IN extended permit tcp any host 172.16.1.42 eq 3389
access-list OUTSIDE-IN extended permit object SMTP any host 172.16.1.32
access-list inside_access_in extended permit tcp host 172.16.1.32 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
access-list ICMP extended permit icmp any any

nat (inside,outside) source static Inside_private Inside_private destination static Inside_private Inside_private no-proxy-arp route-lookup
nat (inside,outside) source static Private_MailServer h_50.123.50.202 inactive
nat (inside,outside) source static any 50.123.50.204 destination static NETWORK_OBJ_172.16.1.160_27 NETWORK_OBJ_172.16.1.160_27 inactive
nat (inside,outside) source static SMTPServer 50.123.50.204 service SMTP SMTP
!             
object network Inside_private
 nat (any,outside) dynamic interface
object network Outside_to_Inside_RDP
 nat (inside,outside) static 50.123.50.203 service tcp 3389 3389
!             
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
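A corrected NAT configuration plus the checks that confirm which NAT rule the server's outbound SMTP sessions actually hit, added here as an example; it is not part of the original post. It assumes the object names from the posted config, that 50.123.50.201 is the ASA's outside interface address (the headers show it as the client IP, and the interface PAT is the only rule in the posted config that would stamp it), and that the domain's SPF record lists 50.123.50.204. The reasoning is ASA twice-NAT semantics: in `nat (inside,outside) source static SMTPServer 50.123.50.204 service SMTP SMTP`, the service object's `source eq smtp` constrains the port of the real source host, so the rule matches inbound connections to the server's port 25 but not sessions the server itself opens from an ephemeral source port. Those sessions fall through to the section 3 `after-auto source dynamic any interface` rule and leave as the interface address, which is why SPF fails.

```cisco
! Posted rules, kept for reference. The static rule only matches when 172.16.1.32's
! own port is 25 (inbound mail). Outbound mail from the server uses an ephemeral
! source port, misses this rule and falls through to the interface PAT.
!   object service SMTP
!    service tcp source eq smtp
!   nat (inside,outside) source static SMTPServer 50.123.50.204 service SMTP SMTP
!   nat (inside,outside) after-auto source dynamic any interface
!
! Corrected: a plain 1:1 static for the server, so everything it originates
! (including SMTP to remote MTAs) egresses as 50.123.50.204, the SPF address.
! The port-restricted rule is removed first so the two do not overlap.
no nat (inside,outside) source static SMTPServer 50.123.50.204 service SMTP SMTP
nat (inside,outside) source static SMTPServer 50.123.50.204
!
! Inbound exposure stays limited by the interface ACL (real/inside address, ASA 8.3+).
! The posted OUTSIDE-IN line reuses object SMTP, whose "source eq smtp" matches the
! remote MTA's source port rather than the destination port, so inbound SMTP from a
! normal MTA (ephemeral source port) would not match it. Match the destination instead.
no access-list OUTSIDE-IN extended permit object SMTP any host 172.16.1.32
access-list OUTSIDE-IN extended permit tcp any object SMTPServer eq smtp
!
! Verification. 203.0.113.25 is an assumed placeholder for a remote MTA and
! 40000 an arbitrary ephemeral source port; substitute a real destination.
! The NAT phase of the packet-tracer output should name the static rule and show a
! "Static translate 172.16.1.32/40000 to 50.123.50.204/40000" line; if it instead
! shows the interface address, the dynamic PAT rule is still winning.
packet-tracer input inside tcp 172.16.1.32 40000 203.0.113.25 25
show nat detail
show xlate | include 172.16.1.32
```

Existing translations built under the old rule persist until they time out, so re-run the packet-tracer and re-send a test message from the server after the change, then check the `Received-SPF` header on the receiving side shows `client-ip=50.123.50.204`.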
