12-11-2013 06:58 PM - edited 03-11-2019 08:16 PM
Hi there
I have multiple Mail servers behind an ASA 5505 (v rel 8.2.5). All inbound smtp 25 traffic is natted to a mail gateway server placed in the LAN, for example
172.16.40.1 netmask 255.255.0.0. This server is receiving mail for several domains and forwards them to multiple dedicated customer mail servers. A static NAT rule has been created to make this gateway server visible to the outside world, for example
static (inside,outside) 209.x.x.1 172.16.40.1 netmask 255.255.255.255
with the proper access-list
So far so good. All outbound smtp mail traffic, generated by the customer mail servers, goes out over public ip address 209.x.x.2, with nat (inside) and global (outside). However, for some outgoing mail traffic it is necessary that the mail flows right back into the mail gateway server with public ip 209.x.x.1.
Is this possible? Do I need some extra access-list and or permit same security traffic maybe?
Any help is greatly appreciated
Edwin
12-11-2013 09:14 PM
Hello Edwin,
What do you mean by some???
You could use policy-based NAT, but first let's hear a detailed explanation of the request.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-12-2013 06:55 AM
Hi Julio,
Thanks for helping me out
I'll try and explain a little better
I have multiple customers, each with a separate mail server on my corporate LAN
Customer A with email domain companya.com , Customer B with companyb.com, Customer ETC with companyetc.com
All these servers go outbound by using public ip 209.x.x.2
Now, here is my problem
When Customer A sends an email to Customer B, the mail server for Customer A does an MX lookup for companyb.com domain and tries to deliver the mail to the smtp gateway with public ip 209.x.x.1. However the package is dropped.
So the mail flow goes like this: customer A outbound smtp traffic through 209.x.x.2 to public ip 209.x.x.1 which is the smtp gateway server.
Forget about the "some access list". There are no access-lists for outbound traffic yet. I first want to make sure that the mail traffic is allowed back in on my Eth0 wan interface. I don't know where to start on this
If you need any info regarding my current running config let me know
Edwin
12-12-2013 04:39 PM
Hello Edwin,
What is the log the ASA shows when the problem happens??
So basically you have multiple servers on the inside, and when they try to communicate with each other they use the public IP address, so the traffic must go out the outside interface and come back? Is that right?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-13-2013 05:25 AM
Julio
Your understanding is correct. This is exactly what I want to achieve
Here's the logging from the ASA
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67
%ASA-6-305011: Built dynamic TCP translation from inside:172.16.50.3/47054 to outside:209.x.x.2/36857
%ASA-7-609001: Built local-host outside:209.x.x.1
%ASA-7-609001: Built local-host inside:172.16.50.3
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67
%ASA-7-609002: Teardown local-host outside:134.121.64.220 duration 0:02:01
%ASA-7-609002: Teardown local-host outside:198.60.22.240 duration 0:02:02
%ASA-7-609002: Teardown local-host inside:172.16.50.3 duration 1:05:10
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33841 to outside:209.x.x.2/24897 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33840 to outside:209.x.x.2/11062 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33839 to outside:209.x.x.2/6669 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33838 to outside:209.x.x.2/41365 duration 0:00:30
From a postfix standpoint (172.16.50.3) it just times out
Dec 13 09:20:35 elpis postfix/error[7941]: 2890A3A1A19: to=, relay=none, delay=4690, delays=4690/0.03/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mailhost[209.x.x.1]:25: Connection timed out)
Regards
Edwin
12-13-2013 05:38 AM
Hello Edwin,
I do not see any logs related to SMTP traffic nor issues.
I know it's hard, but do you think you could try to explain the issue to us again, and maybe share a diagram of the network?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-13-2013 06:53 AM
Julio
See attached pdf for network diagram.
Thanks for notifying me about the log. I will have to look into that. I monitored the logging for a while, but there's no logging of smtp traffic at all.
How can I rate the replies? Cannot find it
Never mind....figured it out
Edwin
Message was edited by: Edwin Kok
12-13-2013 12:56 PM
Okay I think I got it working
I came across some articles that talked about hairpinning
I added the following lines to my config
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 209.x.x.1 172.16.40.1 netmask 255.255.255.255
I tested it and it looks good. The articles can be found at:
http://www.802consult.com/?p=206
http://www.ciscohacks.com/home/security/hairpinning-with-static-nat
Can somebody confirm this is the right way to set it up? After any possible replies I will close this discussion
Regards
Edwin
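The three lines above are the complete hairpin (U-turn) recipe for ASA 8.2: the intra-interface permit allows a flow to enter and leave the inside interface, the static (inside,inside) translates the public address back to the gateway when the packet arrives from the inside, and the global (inside) entry PATs the sending mail server behind the inside interface address so the gateway's replies come back through the ASA instead of going directly to the sender. Since the thread never shows a way to verify that all three are present and consistent, here is a small checker written for this post (added example, not code from the thread or from Cisco). It parses 8.2-style config text and reports which of the pieces is missing, including a global (inside) whose NAT id has no matching nat (inside) line. The IP addresses 203.0.113.1 and 203.0.113.2 are constructed stand-ins for the redacted 209.x.x.1 and 209.x.x.2; the two config snippets are constructed from the lines quoted in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the thread's redacted 209.x.x.1 / 209.x.x.2
# (RFC 5737 documentation prefix); 172.16.40.1 is the gateway from the thread.
PUBLIC_IP = "203.0.113.1"
GATEWAY_IP = "172.16.40.1"

# Constructed: the relevant lines of the original config, i.e. outbound PAT to
# .2 and an inbound static to the gateway, before hairpinning was added.
BEFORE = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.2
static (inside,outside) 203.0.113.1 172.16.40.1 netmask 255.255.255.255
"""

# Constructed: the same config with the three lines from the final post added.
AFTER = BEFORE + """\
same-security-traffic permit intra-interface
global (inside) 1 interface
static (inside,inside) 203.0.113.1 172.16.40.1 netmask 255.255.255.255
"""

# ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static\s+\((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)\s+netmask\s+(?P<mask>\S+)")
GLOBAL_RE = re.compile(r"^global\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+")
NAT_RE = re.compile(r"^nat\s+\((?P<iface>[\w-]+)\)\s+(?P<id>\d+)\s+")


@dataclass
class HairpinReport:
    intra_interface: bool = False          # same-security-traffic permit intra-interface seen
    static_ok: bool = False                # static (inside,inside) public -> gateway, host mask
    global_ids: set = field(default_factory=set)   # ids of global (inside) entries
    nat_ids: set = field(default_factory=set)      # ids of nat (inside) entries
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def check_hairpin(config: str, public_ip: str, private_ip: str,
                  iface: str = "inside") -> HairpinReport:
    """Report whether config contains a consistent hairpin NAT for public_ip -> private_ip."""
    rep = HairpinReport()
    static_seen = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            rep.intra_interface = True
            continue
        m = STATIC_RE.match(line)
        if m:
            if (m["real"] == iface and m["mapped"] == iface
                    and m["mapped_ip"] == public_ip and m["real_ip"] == private_ip):
                static_seen = True
                if m["mask"] == "255.255.255.255":
                    rep.static_ok = True
                else:
                    rep.problems.append(
                        f"static ({iface},{iface}) uses netmask {m['mask']}, expected a host mask")
            continue
        m = GLOBAL_RE.match(line)
        if m and m["iface"] == iface:
            rep.global_ids.add(int(m["id"]))
            continue
        m = NAT_RE.match(line)
        if m and m["iface"] == iface:
            rep.nat_ids.add(int(m["id"]))

    if not rep.intra_interface:
        rep.problems.append("missing: same-security-traffic permit intra-interface")
    if not static_seen:
        rep.problems.append(
            f"missing: static ({iface},{iface}) {public_ip} {private_ip} netmask 255.255.255.255")
    if not rep.global_ids:
        rep.problems.append(f"missing: global ({iface}) <id> interface")
    elif not (rep.global_ids & rep.nat_ids):
        # A global with no nat of the same id never gets used, so replies from the
        # gateway would bypass the ASA and the connection would time out.
        rep.problems.append(
            f"global ({iface}) id(s) {sorted(rep.global_ids)} have no matching nat ({iface}) line")
    return rep


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        rep = check_hairpin(cfg, PUBLIC_IP, GATEWAY_IP)
        print(name, "OK" if rep.ok else rep.problems)
```

Running the block prints three problems for the "before" config and OK for the "after" config. The global/nat pairing check is the part worth keeping: the thread's `global (inside) 1 interface` only works because a `nat (inside) 1 ...` statement already existed for the outbound mail flow.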
12-14-2013 04:28 AM
Hello Edwin,
Well, as long as you are dealing with traffic that gets to the ASA inside interface and then needs to be turned back in, then this is the way to go bud.
I do not see that from the diagram you posted, but you said it is working, so I would say the diagram is not explaining what you are trying to accomplish.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com