11-29-2016 02:12 PM - edited 03-12-2019 01:36 AM
ASA software version 9.4(1)
Public IP address for mail server: 173.0.0.1
ASA external IP: 64.0.0.1
Internal mail server IP: 10.0.0.1 (object SpamTitan)
Relevant output of #show nat
Auto NAT Policies (Section 2)
7 (inside) to (outside) source static SpamTitan 173.0.0.1 service tcp smtp smtp net-to-net
10 (inside) to (outside) source dynamic server-network interface dns
Problem: Inbound smtp traffic from the Internet gets delivered to the mail server (10.0.0.1) just fine. Outbound smtp traffic however is being sent as the IP address of the ASA external interface (64.0.0.1) instead of the mapped IP address of 173.0.0.1. As a result some mail servers are rejecting mail from our server.
11-30-2016 01:50 AM
Outbound smtp traffic however is being sent as the IP address of the ASA external interface (64.0.0.1) instead of the mapped IP address of 173.0.0.1.
Works as configured. As you used ports in your NAT, this mapping is only used with a local port of tcp/25. When sending mail, you use a remote port of tcp/25 and this rule doesn't match.
There are two ways to configure it:
1) If 173.0.0.1 can be used exclusively for your internal mail server, then change your NAT to the following:
object network SpamTitan
nat (inside,outside) static 173.0.0.1
2) If you use this IP also for other internal systems, then you can just add a PAT for outgoing traffic:
object network SpamTitan-Out
host 10.0.0.1
object network SpamTitan-Pub
host 173.0.0.1
!
! manual NAT placed after the object NAT rules: source PAT for outgoing traffic from 10.0.0.1 to 173.0.0.1
nat (inside,outside) after-auto 1 source dynamic SpamTitan-Out SpamTitan-Pub
And your NAT-line 10 has to go to the end of the NAT rules.
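To make the matching logic in this answer concrete, here is an added example (not Cisco code and not from this thread) that models the ASA rule set as a simplified first-match list: a static object NAT carrying a service keyword only matches when the inside host's own (real) port is 25, so an outbound SMTP connection with an ephemeral source port falls through to the interface PAT. The object `server-network` and the remote MTA address 198.51.100.25 are constructed for the example, and the fixed rule set assumes line 10 has been moved to the end as described above.

```python
# Simplified first-match model of the NAT ordering discussed in this thread.
# It only handles source translation for inside -> outside connections.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    name: str
    real_hosts: FrozenSet[str]        # inside hosts the rule applies to
    mapped_ip: str                    # address the source is translated to
    real_port: Optional[int] = None   # 'service tcp smtp smtp': real (local) port

    def matches(self, flow: Flow) -> bool:
        if flow.src_ip not in self.real_hosts:
            return False
        # A service keyword restricts the match to the inside host's own port,
        # not the remote server's port, so outbound mail (remote 25) fails it.
        return self.real_port is None or flow.src_port == self.real_port


def translate_source(rules: List[NatRule], flow: Flow) -> Optional[str]:
    """Return the mapped source IP chosen by the first matching rule, else None."""
    for rule in rules:
        if rule.matches(flow):
            return rule.mapped_ip
    return None


# Constructed stand-in for the 'server-network' object from NAT line 10.
SERVER_NET = frozenset({"10.0.0.1", "10.0.0.2"})
RULE7 = NatRule("7 static SpamTitan 173.0.0.1 service smtp", frozenset({"10.0.0.1"}),
                "173.0.0.1", real_port=25)
RULE10 = NatRule("10 dynamic server-network interface", SERVER_NET, "64.0.0.1")
FIX2 = NatRule("after-auto 1 dynamic SpamTitan-Out SpamTitan-Pub",
               frozenset({"10.0.0.1"}), "173.0.0.1")

ORIGINAL = [RULE7, RULE10]          # rule set from the question
FIXED = [RULE7, FIX2, RULE10]       # option 2, with line 10 moved to the end

# Constructed flows: outbound mail uses an ephemeral source port and remote port 25.
OUTBOUND_SMTP = Flow("10.0.0.1", 49152, "198.51.100.25", 25)
OTHER_HOST_SMTP = Flow("10.0.0.2", 49153, "198.51.100.25", 25)
```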
11-29-2016 04:56 PM
Hi There,
Did you try to simulate the outbound SMTP traffic using the packet-tracer command? It will tell you which outside address your internal mail server is getting NATed to.
I am not sure if it's related, but I found this post, so you may want to look at it.
https://supportforums.cisco.com/discussion/11722286/resolved-asa5520-nat-smtp-reverse-dns-wrong-after-inside-smtp-server-ip-change
11-30-2016 07:59 AM
Karsten,
That was it. Had to use your solution #2 because we do use the public IP for another service.
Thank you!