Allow Outbound traffic back into ASA

ciscoitzupport
Level 1

Hi there

I have multiple mail servers behind an ASA 5505 (release 8.2.5). All inbound SMTP (port 25) traffic is NATted to a mail gateway server placed in the LAN, for example

172.16.40.1 netmask 255.255.0.0. This server receives mail for several domains and forwards it to multiple dedicated customer mail servers. A static NAT rule has been created to make this gateway server visible to the outside world, for example

static (inside,outside) 209.x.x.1 172.16.40.1 netmask 255.255.255.255

with the proper access-list

So far so good. All outbound SMTP mail traffic, generated by the customer mail servers, goes out over public IP address 209.x.x.2 with nat (inside) and global (outside). However, for some outgoing mail traffic it is necessary that the mail flows right back into the mail gateway server with public IP 209.x.x.1.

Is this possible? Do I need some extra access-list and/or same-security-traffic permit maybe?

Any help is greatly appreciated

Edwin

8 Replies

Julio Carvajal
VIP Alumni

Hello Edwin,

What do you mean by some???

You could use policy-based NAT, but first let's hear a detailed explanation of the request.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for helping me out.

I'll try to explain a little better.

I have multiple customers, each with a separate mail server on my corporate LAN.

Customer A with email domain companya.com, Customer B with companyb.com, Customer ETC with companyetc.com.

All these servers go outbound by using public ip 209.x.x.2

Now, here is my problem

When Customer A sends an email to Customer B, the mail server for Customer A does an MX lookup for the companyb.com domain and tries to deliver the mail to the SMTP gateway with public IP 209.x.x.1. However, the packet is dropped.

So the mail flow goes like this: Customer A outbound SMTP traffic through 209.x.x.2 to public IP 209.x.x.1, which is the SMTP gateway server.

Forget about the "some access list". There are no access-lists for outbound traffic yet. I first want to make sure that the mail traffic is allowed back in on my Eth0 WAN interface. I don't know where to start on this.

If you need any info regarding my current running config let me know

Edwin

Hello Edwin,

What is the log the ASA shows when the problem happens??

So basically you have multiple servers on the inside; when they try to communicate with each other they use the public IP address, so the traffic must go out the outside interface and come back? Is that right?

Regards,

Jcarvaja

Julio

Your understanding is correct. This is exactly what I want to achieve

Here's the logging from the ASA

%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67

%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67

%ASA-6-305011: Built dynamic TCP translation from inside:172.16.50.3/47054 to outside:209.x.x.2/36857

%ASA-7-609001: Built local-host outside:209.x.x.1 %ASA-7-609001: Built local-host inside:172.16.50.3

%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67

%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to outside:255.255.255.255/67

%ASA-7-609002: Teardown local-host outside:134.121.64.220 duration 0:02:01

%ASA-7-609002: Teardown local-host outside:198.60.22.240 duration 0:02:02

%ASA-7-609002: Teardown local-host inside:172.16.50.3 duration 1:05:10

%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33841 to outside:209.x.x.2/24897 duration 0:00:30

%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33840 to outside:209.x.x.2/11062 duration 0:00:30

%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33839 to outside:209.x.x.2/6669 duration 0:00:30

%ASA-6-305012: Teardown dynamic TCP translation from inside:172.16.50.3/33838 to outside:209.x.x.2/41365 duration 0:00:30

From a Postfix standpoint (172.16.50.3) it just times out:

Dec 13 09:20:35 elpis postfix/error[7941]: 2890A3A1A19: to=, relay=none, delay=4690, delays=4690/0.03/0/0.03, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mailhost[209.x.x.1]:25: Connection timed out)

Regards

Edwin

Hello Edwin,

I do not see any logs related to SMTP traffic nor issues.

I know it's hard, but do you think you could try to explain the issue to us again, and maybe share a diagram of the network?

Regards,

Jcarvaja

Julio

See attached pdf for network diagram.

Thanks for notifying me about the log. I will have to look into that. I monitored the logging for a while, but there's no logging of SMTP traffic at all.

How can I rate the replies? I cannot find it.

Never mind... figured it out.

Edwin

Message was edited by: Edwin Kok

Okay, I think I got it working.

I came across some articles that talked about hairpinning.

I added the following lines to my config:

same-security-traffic permit intra-interface

global (inside) 1 interface

static (inside,inside) 209.x.x.1 172.16.40.1 netmask 255.255.255.255

I tested it and it looks good. The articles can be found at:

http://www.802consult.com/?p=206

http://www.ciscohacks.com/home/security/hairpinning-with-static-nat

Can somebody confirm this is the right way to set it up? After any possible replies I will close this discussion.

Regards

Edwin
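As an added example (not configuration or code from this thread), here is a small Python check that reads an ASA 8.2-style running-config and reports which of the three hairpin prerequisites Edwin added (intra-interface permit, static (inside,inside), and a global on the inside interface matching the nat (inside) id) are missing for a given public/real address pair. The sample config is constructed, and 203.0.113.1 / 203.0.113.2 stand in for the thread's 209.x.x.1 / 209.x.x.2.

```python
import re

# Constructed ASA 8.2-style config excerpt, not Edwin's real running-config.
# 203.0.113.1 / 203.0.113.2 stand in for the thread's 209.x.x.1 / 209.x.x.2.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
nat (inside) 1 172.16.0.0 255.255.0.0
global (outside) 1 203.0.113.2
global (inside) 1 interface
static (inside,outside) 203.0.113.1 172.16.40.1 netmask 255.255.255.255
static (inside,inside) 203.0.113.1 172.16.40.1 netmask 255.255.255.255
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) ")


def hairpin_gaps(config: str, public_ip: str, real_ip: str) -> list[str]:
    """Return the hairpin prerequisites missing for public_ip -> real_ip.

    An empty list means an inside host that resolves the MX to public_ip
    can reach real_ip by leaving and re-entering the inside interface.
    """
    lines = [ln.strip() for ln in config.splitlines()]
    gaps: list[str] = []

    # 1. The ASA must be allowed to send a flow back out the interface it arrived on.
    if "same-security-traffic permit intra-interface" not in lines:
        gaps.append("missing: same-security-traffic permit intra-interface")

    # 2. Destination translation on the inside interface itself.
    statics = [m.groups() for ln in lines if (m := STATIC_RE.match(ln))]
    if ("inside", "inside", public_ip, real_ip) not in statics:
        gaps.append(f"missing: static (inside,inside) {public_ip} {real_ip}")

    # 3. The sender's dynamic NAT id needs a global pool on the inside interface,
    #    otherwise the source side of the hairpinned flow has no translation.
    nat_ids = {m.group(2) for ln in lines
               if (m := NAT_RE.match(ln)) and m.group(1) == "inside"}
    global_ids = {m.group(2) for ln in lines
                  if (m := GLOBAL_RE.match(ln)) and m.group(1) == "inside"}
    if not nat_ids & global_ids:
        gaps.append("missing: global (inside) <id> interface for nat (inside) <id>")

    return gaps
```

Running hairpin_gaps(SAMPLE_CONFIG, "203.0.113.1", "172.16.40.1") on the sample returns an empty list; drop any of the three lines and the corresponding gap is reported.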

Hello Edwin,

Well, as long as you are dealing with traffic that gets to the ASA inside interface and then needs to be turned back in, then this is the way to go, bud.

I do not see that from the diagram you posted, but you said it is working, so I would say the diagram is not explaining what you are trying to accomplish.

Regards,

Jcarvaja