Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
598
Views
0
Helpful
6
Replies

ASA 5510 NAT issue?

jerrybolack
Level 1
Level 1

‎11-14-2012 05:39 AM - edited ‎03-11-2019 05:23 PM

                   We have just added an ASA5510, and now are having some email rejected by customers.  Here is what I have found, and I am looking for recommendations on how to fix.  The vendor that installed doesnt appear to want to help - forgive my ignorance if I say something stupid here, I'm learning this as I go.

outside interface configured as .29 (we have 3 ouside IP's)

MX record points to .28

NAT rule set up to run smtp through .28

Incoming mail works fine, however outgoing mail is going out of .28 not .29.  Some customers to reverse lookups and what not for spam filtering, that is catching our mail coming out of .29 and saying it cannot find our IP (IP doesnt match).  I changed the address on the outside interface to .29, evidently that was a bad idea - nothing worked after that so I had to put it back.

Exact error as seen on our barracuda: 554.5.7.1 Client host has reject: cannot find your hostname xxx.xxx.xxx.28

Any help greatly appreciated!

Labels:
0 Helpful
6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

‎11-14-2012 05:49 AM

Sorry, a little confused with the IP stated on your post.

If you setup NAT rule for .28, then inbound and outbound mail will be using .28.

But are you saying that outbound mail uses .29 instead?

0 Helpful

jerrybolack
Level 1
Level 1
In response to Jennifer Halim

‎11-14-2012 05:51 AM

Yes that is correct.  The NAT rule shows .28 (the correct address).  However servers receiving our mail show it is actually coming out of .29 (the address tied to the outside interface)

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to jerrybolack

‎11-14-2012 05:52 AM

did you "clear xlate" after you configure the static PAT rule?

if you haven't, try to "clear xlate" and it should be using the new static PAT rule that you configure.

0 Helpful

jerrybolack
Level 1
Level 1
In response to Jennifer Halim

‎11-14-2012 06:08 AM

I just did, no luck.  Still the same rejection message.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to jerrybolack

‎11-14-2012 06:07 PM

Can you pls try to run packet tracer on the ASA for the outbound SMTP and see whether it is correctly or incorrectly PATing it to .28, and pls kindly share the output of the packet tracer as well.

0 Helpful

jerrybolack
Level 1
Level 1
In response to Jennifer Halim

‎11-15-2012 05:56 AM

Everything passes in packet tracer.

Results under NAT:

Type-NAT | Action - ALLOW | Show rule in NAT Rule table

Config

nat (inside,outside) source static Email obj_xxx.xxx.xxx.29 service smtpobj smtpobj

Info

Static translate 192.xxx.xxx.xxx to xxx.xxx.xxx.29

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card