Solved: Re: ASA 5505 port forward smtp

jima · ‎02-08-2011

I have an SBS 2008 server with exchange server and I am trying to route my mail to my internal server. My config and domain info is attached. Thanks for your assistance,

ISP has given me xx.xx.xx.120 as public IP Block, xx.xx.xx.121 as Gateway and xx.xx.xx.122 as First Usable IP.

Jim

Jennifer Halim · ‎02-08-2011

Your static PAT statement for mail is correct, assuming that you will be using IP Address of xx.xx.xx.122 for your mail traffic.

However, access-list 100 applied to the outside interface is incorrect.

You will have to remove the following:

access-list 100 extended permit tcp xx.xx.xx.120 255.255.255.248 host 192.168.1.20 eq smtp

Then add the following:

access-list 100 extended permit tcp any interface outside eq smtp

Further to that, I assume that you haven't changed your MX record to reflect the new public IP Address of xx.xx.xx.122?

Hope that helps.

View solution in original post

Jennifer Halim · ‎02-08-2011

Your static PAT statement for mail is correct, assuming that you will be using IP Address of xx.xx.xx.122 for your mail traffic.

However, access-list 100 applied to the outside interface is incorrect.

You will have to remove the following:

access-list 100 extended permit tcp xx.xx.xx.120 255.255.255.248 host 192.168.1.20 eq smtp

Then add the following:

access-list 100 extended permit tcp any interface outside eq smtp

Further to that, I assume that you haven't changed your MX record to reflect the new public IP Address of xx.xx.xx.122?

Hope that helps.

jima · ‎02-08-2011

I have added a new MX (replacing my original external SMTP) for remote.mydomain.com. I will make the access list changes you recommend.

Thanks and I will let you know how it goes.

Jim

jima · ‎02-08-2011

removed the offending access-list and added the new. My MX has been changed and I don't see any change as of yet. Would it take some time to propagate thru the net?

Thanks,

Jennifer Halim · ‎02-08-2011

MX record I know that might take a while to propagate.

To quickly test from the Internet, see if you can telnet to the public ip address xx.xx.xx.122 on port 25.

Then check the hitcount on the access-list: show access-list 100

If you are seeing hitcount increase after your test for tcp/25 to the public ip, that means as far as connectivity is concern towards the internal SMTP server, it works just fine.

jima · ‎02-09-2011

tested using telnet xx.xx.xx.122 25 and recieved "connect failed" several times. I will check to hit count and verify the command structure but do you have any other ideas?

I have 2 MX records with 10 bring the old and 0 being the one that I want to work.

do I need to "clear" or "flush" anything?

Thanks for your help.

Jennifer Halim · ‎02-09-2011

Can you share the latest configuration from the ASA again with the changes, and also output of "show access-list".

Thanks.

jima · ‎02-09-2011

The changes that you recommended along with a minor correction resolved the issue. Thanks for your help.