10-27-2009 08:07 PM - edited 03-11-2019 09:32 AM
A client of mine has been assigned six usable IP addresses. The outside interface on the ASA 5505 has an address of 70.43.230.18 (third octet changed for security reasons on all outside IP addresses). That address is used as a dynamic NAT for outgoing traffic from the internal 192.168.2.0/24 network. There is a static NAT for the email server - 70.43.230.20. Incoming email uses that IP address successfully, but outgoing email does not translate to that address. Below is the pertinent part of the ASA 5505 configuration. I ran a packet trace and found that there are two translations taking place. First the correct translation for outgoing email traffic from the Microsoft Exchange server takes place - 192.168.2.10 eq 25 to 70.43.230.20 eq 25. Then the packet traverses the first static NAT in the list - example 192.168.2.10 eq 4125 70.43.230.18 eq 4125 for a second translation. The second translation IP address is what the receiving email server sees. The problem we are having is receiving servers cannot do a successful reverse lookup of mail.mycompany.com, so they reject the mail.
If anyone has any ideas, I sure would be grateful.
ASA Version 7.2(2)
names
name 70.43.230.22 RDP description Remote Desktop Connection
name 70.43.230.20 Mail description NAT to internal email
interface Vlan1
nameif inside
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
ip address 70.43.230.18 255.255.255.248
access-list outside_in extended permit tcp any host Mail eq smtp
access-list outside_in extended permit tcp any interface outside eq www inactive
access-list outside_in extended permit tcp any interface outside eq ssh
access-list outside_in extended permit tcp any host Mail eq https
access-list outside_in extended permit tcp any host RDP eq 3389
access-list outside_in extended permit tcp any interface outside eq 4125
access-list outside_in extended permit tcp any interface outside eq 444
access-list inside_out extended permit tcp host 192.168.2.10 any eq smtp
access-list inside_out extended deny tcp any any eq smtp log
access-list inside_out extended permit ip any any
access-list inside_out extended permit tcp any any
access-list inside_out extended permit udp any any
access-list inside_out extended permit gre any any
access-list inside_out extended permit icmp any any
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 4125 192.168.2.10 4125 netmask 255.255.255.255
static (inside,outside) tcp RDP 3389 192.168.2.10 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail smtp 192.168.2.10 smtp netmask 255.255.255.255
access-group inside_out in interface inside
access-group outside_in in interface outside
10-27-2009 08:41 PM
Pls. add the following:
nat (inside) 2 192.168.2.10 255.255.255.255
global (outside) 2 70.43.230.20
issue
clear xlate local 192.168.2.10
Your e-mail server will start sending e-mails out looking like 70.43.230.20
10-29-2009 01:36 PM
Thanks for the help. Yes, that worked. I had actually done that before, but the outgoing NAT was still translating to the wrong address. What I didn't do was clear local.
Thanks again. I appreciate it!
10-30-2009 07:04 AM
Glad to hear. You need to clear the translation in the table for it to take the newly changed one. Otherwise you would have to wait for the xlate to timeout (3 hours default) after a 1 hour conn timeout for it to start taking the new translation.
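To make the explanation above concrete, here is an added example (my own model, not anything from the thread or from Cisco) of the pre-8.3 ASA NAT selection rules that produced the behaviour in the original post: a static PAT only matches the real port it names, so an outbound SMTP connection with an ephemeral source port falls through to regular dynamic NAT, where the most specific nat statement wins; and an existing dynamic xlate for the host is reused until it is cleared. The per-host xlate cache is a deliberate simplification for the sake of the demonstration.

```python
import ipaddress

# Constructed from the thread's config: static PATs as
# (mapped_ip, mapped_port, real_ip, real_port); "interface" is 70.43.230.18.
STATIC_PAT = [
    ("70.43.230.18", 4125, "192.168.2.10", 4125),
    ("70.43.230.22", 3389, "192.168.2.10", 3389),
    ("70.43.230.20", 25, "192.168.2.10", 25),
]
# Original dynamic NAT: "nat (inside) 1 0.0.0.0 0.0.0.0" / "global (outside) 1 interface".
ORIGINAL_NAT = [(1, ipaddress.ip_network("0.0.0.0/0"))]
ORIGINAL_GLOBAL = {1: "70.43.230.18"}
# After the reply's fix: a /32 nat statement for the mail host with its own global.
FIXED_NAT = ORIGINAL_NAT + [(2, ipaddress.ip_network("192.168.2.10/32"))]
FIXED_GLOBAL = {**ORIGINAL_GLOBAL, 2: "70.43.230.20"}


def static_match(real_ip, real_port):
    """Static PAT is checked first, but only on the exact real address AND port."""
    for mapped_ip, _mapped_port, r_ip, r_port in STATIC_PAT:
        if (r_ip, r_port) == (real_ip, real_port):
            return mapped_ip
    return None


def dynamic_pick(real_ip, nat_rules, global_pool):
    """Regular dynamic NAT: the nat statement with the longest prefix covering the
    real address wins, and its id selects the global address to use."""
    addr = ipaddress.ip_address(real_ip)
    candidates = [(net.prefixlen, nat_id) for nat_id, net in nat_rules if addr in net]
    return global_pool[max(candidates)[1]] if candidates else None


class XlateTable:
    """Simplified xlate table: a dynamic translation already built for a host is
    reused until cleared (or timed out), which is why the fix needed a clear."""

    def __init__(self):
        self.xlates = {}  # real_ip -> mapped_ip for dynamic translations

    def translate(self, real_ip, real_port, nat_rules, global_pool):
        mapped = static_match(real_ip, real_port)
        if mapped is not None:
            return mapped
        if real_ip not in self.xlates:
            self.xlates[real_ip] = dynamic_pick(real_ip, nat_rules, global_pool)
        return self.xlates[real_ip]

    def clear_local(self, real_ip):
        """Equivalent of 'clear xlate local <ip>': drop the cached translation."""
        self.xlates.pop(real_ip, None)
```

Running the Exchange host through the table with the original config, then the fixed config without clearing, then after a clear reproduces the sequence reported in the thread: 70.43.230.18, still 70.43.230.18, then 70.43.230.20.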