
Welcome to Cisco Firewalls Community


Having routing issues with mail routing through firewall

I have an ASA 5506 and am trying to troubleshoot an issue with mail since moving to Office 365 Exchange Online. I still have an on-premise server which sends mail from our application. Since migrating to O365, mail from this server either gets rejected by or dumped to spam on the target server. I have created the proper DNS records based on the O365 documentation and all appear to be correct. While evaluating the Internet header of email from a target server which deposits into spam, I see the IP address in the sender appears to be my firewall IP, which I don't have an MX or SPF record for. I have the following configuration in place. The public IP is  I'm not well versed in CLI capture but I believe I have the correct parts of the configuration. Any suggestions on how to resolve this issue?

Internet Header

Received: from ( by ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1101.14 via Mailbox Transport; Tue, 23 May 2017 15:13:55 +0000
Received: from ( by ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1101.14; Tue, 23 May 2017 15:13:49 +0000
Received: from
 (2a01:111:f400:7e4a::207) by
 (2603:10b6:910:15::16) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.9 via
 Frontend Transport; Tue, 23 May 2017 15:13:49 +0000
Authentication-Results: spf=fail (sender IP is
 smtp.mailfrom=CDE.COM;; dkim=none
 (message not signed) header.d=none;; dmarc=none
 action=none header.from=CDE.COM;
Received-SPF: Fail ( domain of CDE.COM
 does not designate as permitted sender); client-ip=;
Received: from MAR.CDE.COM ( by ( with Microsoft SMTP

Cisco ASA config

object network
 description SMTP
object network SMTPServer
 description SMTP Server for A+
object service SMTP
 service tcp source eq smtp

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object Private_MailServer
access-list outside_access_in extended permit tcp any object Midsrvr02_Private object-group DM_INLINE_TCP_1
access-list users standard permit
access-list OUTSIDE-IN extended permit object-group DM_INLINE_SERVICE_2 any object Private_MailServer inactive
access-list OUTSIDE-IN extended permit tcp any host eq 3389
access-list OUTSIDE-IN extended permit object SMTP any host
access-list inside_access_in extended permit tcp host any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 any any
access-list ICMP extended permit icmp any any

nat (inside,outside) source static Inside_private Inside_private destination static Inside_private Inside_private no-proxy-arp route-lookup
nat (inside,outside) source static Private_MailServer h_50.123.50.202 inactive
nat (inside,outside) source static any destination static NETWORK_OBJ_172.16.1.160_27 NETWORK_OBJ_172.16.1.160_27 inactive
nat (inside,outside) source static SMTPServer service SMTP SMTP
object network Inside_private
 nat (any,outside) dynamic interface
object network Outside_to_Inside_RDP
 nat (inside,outside) static service tcp 3389 3389
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE-IN in interface outside
access-group inside_access_in in interface inside
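
Added example, not part of the original post: a short offline check that pulls the SPF verdict and client IP out of a header like the one above and tests that IP against an SPF record's literal ip4/ip6 terms. The addresses, the host mx.example.net and both SPF records are constructed stand-ins, since the post's real values are redacted.

```python
import ipaddress
import re

# Constructed sample: the post's addresses are redacted, so 203.0.113.10
# (documentation range) and mx.example.net are stand-ins.
SAMPLE_HEADERS = """\
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=CDE.COM; dkim=none (message not signed) header.d=none;
Received-SPF: Fail (mx.example.net: domain of CDE.COM
 does not designate 203.0.113.10 as permitted sender); client-ip=203.0.113.10;
"""
# Constructed SPF records (assumptions, not the poster's real DNS data).
SPF_O365_ONLY = "v=spf1 include:spf.protection.outlook.com -all"
SPF_WITH_EGRESS = "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.com -all"


def spf_verdict(raw):
    """Return (result, client_ip) from the Received-SPF header, else None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join folded header lines
    for line in unfolded.splitlines():
        m = re.match(r"Received-SPF:\s*(\w+)", line, re.I)
        if m:
            ip = re.search(r"client-ip=([0-9A-Fa-f:.]+)", line)
            return m.group(1).lower(), (ip.group(1) if ip else None)
    return None


def ip_authorized(spf_record, ip):
    """Match ip against literal ip4:/ip6: terms only; returns (matched, unresolved)."""
    # unresolved lists include:/a/mx terms that need DNS lookups, so a False
    # result is not a final verdict while that list is non-empty.
    addr = ipaddress.ip_address(ip)
    unresolved = []
    for term in spf_record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        name, _, value = mech.partition(":")
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if qualifier == "+" and addr.version == net.version and addr in net:
                return True, unresolved
        elif name.lower() != "all":
            unresolved.append(mech)
    return False, unresolved


if __name__ == "__main__":
    result, client_ip = spf_verdict(SAMPLE_HEADERS)
    for record in (SPF_O365_ONLY, SPF_WITH_EGRESS):
        print(result, client_ip, record, ip_authorized(record, client_ip))
```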
