ASA 5516-X outbound smtp NAT problem

Blackjack366
Level 1

ASA software version 9.4(1)

Public IP address for mail server: 173.0.0.1

ASA external IP: 64.0.0.1

Internal mail server IP: 10.0.0.1 (object SpamTitan)

Relevant output of #show nat

Auto NAT Policies (Section 2)

7 (inside) to (outside) source static SpamTitan 173.0.0.1 service tcp smtp smtp net-to-net

10 (inside) to (outside) source dynamic server-network interface dns

Problem: Inbound smtp traffic from the Internet gets delivered to the mail server (10.0.0.1) just fine. Outbound smtp traffic, however, is being sent as the IP address of the ASA external interface (64.0.0.1) instead of the mapped IP address of 173.0.0.1. As a result some mail servers are rejecting mail from our server.

Accepted Solution

Outbound smtp traffic, however, is being sent as the IP address of the ASA external interface (64.0.0.1) instead of the mapped IP address of 173.0.0.1.

Works as configured. As you used ports in your NAT, this mapping is only used with a local port of tcp/25. When sending mail, you use a remote port of tcp/25 and this rule doesn't match.

There are two ways to configure it:

1) If 173.0.0.1 can be used exclusively for your internal mail-server, then change your nat to the following:

object network SpamTitan
 nat (inside,outside) static 173.0.0.1

2) If you use this IP also for other internal systems, then you can just add a PAT for outgoing traffic:

object network SpamTitan-Out
 host 10.0.0.1
object network SpamTitan-Pub
 host 173.0.0.1
!
nat (inside,outside) after-auto 1 source dynamic SpamTitan-Out SpamTitan-Pub

And your NAT-line 10 has to go to the end of the NAT rules.

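The reason the accepted solution works, and the reason its last sentence about moving NAT line 10 matters, is the order in which the ASA walks its NAT table: section 1 (manual NAT), then section 2 (object/auto NAT, static rules before dynamic ones), then section 3 (manual NAT entered with after-auto). A static object NAT that carries `service tcp smtp smtp` only matches flows whose real port is 25, so an outbound connection from an ephemeral port falls through to the next matching rule. The following Python model is an added example written for this page; it is not Cisco code and not from the thread. It reproduces only the ordering and port-matching behaviour described above (other section 2 tie-breakers are omitted), uses the addresses from the post, and assumes the object `server-network` is 10.0.0.0/24, which the thread does not show.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of ASA NAT rule selection (added example, not Cisco code).
# Section 1 = manual NAT before object NAT, 2 = object (auto) NAT,
# 3 = manual NAT configured with "after-auto". Sections 1 and 3 are walked
# in configured order; section 2 orders static rules before dynamic ones,
# longest real prefix first. Remaining tie-breakers are left out.

OUTSIDE_IF = "64.0.0.1"   # ASA outside interface address from the thread

@dataclass
class NatRule:
    name: str
    section: int
    kind: str                        # "static" or "dynamic"
    real_net: str                    # real (inside) addresses the rule covers
    mapped: str                      # mapped address, or "interface" for interface PAT
    real_port: Optional[int] = None  # set when the rule carries "service tcp X Y"

def ordered(rules):
    """Rules in the order the ASA evaluates them."""
    out = []
    for sec in (1, 2, 3):
        part = [r for r in rules if r.section == sec]
        if sec == 2:
            part.sort(key=lambda r: (0 if r.kind == "static" else 1,
                                     -ip_network(r.real_net).prefixlen))
        out.extend(part)
    return out

def translate_source(rules, real_ip, real_port):
    """Mapped source address chosen for an inside-to-outside flow whose real
    endpoint is real_ip:real_port. Returns (rule name, mapped address)."""
    for r in ordered(rules):
        if ip_address(real_ip) not in ip_network(r.real_net):
            continue
        if r.real_port is not None and r.real_port != real_port:
            continue  # service keyword: only flows on that real port match
        return r.name, (OUTSIDE_IF if r.mapped == "interface" else r.mapped)
    return "no-nat", real_ip

# Assumption: object "server-network" is 10.0.0.0/24 (not shown in the thread).
SERVER_NET = "10.0.0.0/24"

# Original configuration: lines 7 and 10 of "show nat", both object NAT.
ORIGINAL = [
    NatRule("7 SpamTitan static smtp", 2, "static", "10.0.0.1/32", "173.0.0.1", real_port=25),
    NatRule("10 server-network PAT", 2, "dynamic", SERVER_NET, "interface"),
]

# Solution 2 as posted: after-auto PAT for the mail server, with line 10
# moved to the end of the NAT table (section 3, after the new rule).
FIXED = [
    NatRule("7 SpamTitan static smtp", 2, "static", "10.0.0.1/32", "173.0.0.1", real_port=25),
    NatRule("after-auto 1 SpamTitan-Out", 3, "dynamic", "10.0.0.1/32", "173.0.0.1"),
    NatRule("after-auto 2 server-network PAT", 3, "dynamic", SERVER_NET, "interface"),
]

# Solution 2 without moving line 10: the object-NAT PAT in section 2 still wins.
HALF_FIXED = [
    NatRule("7 SpamTitan static smtp", 2, "static", "10.0.0.1/32", "173.0.0.1", real_port=25),
    NatRule("10 server-network PAT", 2, "dynamic", SERVER_NET, "interface"),
    NatRule("after-auto 1 SpamTitan-Out", 3, "dynamic", "10.0.0.1/32", "173.0.0.1"),
]

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("half-fixed", HALF_FIXED), ("fixed", FIXED)):
        print(label, "server answering inbound smtp:", translate_source(cfg, "10.0.0.1", 25))
        print(label, "server sending outbound mail :", translate_source(cfg, "10.0.0.1", 51234))
        print(label, "other host 10.0.0.5 outbound :", translate_source(cfg, "10.0.0.5", 40000))
```

The "half-fixed" table is the caveat: with line 10 left in section 2, an outbound connection from 10.0.0.1 on an ephemeral port still hits the interface PAT before the after-auto rule is ever reached. On the appliance itself, packet-tracer (as suggested in the first reply) gives the authoritative answer, for example `packet-tracer input inside tcp 10.0.0.1 51234 203.0.113.25 25`, whose NAT phase shows which rule was selected and the mapped source address.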
3 Replies

cofee
Level 5

Hi There,

Did you try to simulate the outbound SMTP traffic using packet tracer command?  It will tell you which outside address your internal mail server is getting NATed to.

I am not sure if it's related, but I found this post, so you may want to look at it.

https://supportforums.cisco.com/discussion/11722286/resolved-asa5520-nat-smtp-reverse-dns-wrong-after-inside-smtp-server-ip-change

Blackjack366
Level 1

Karsten,

That was it. Had to use your solution #2 because we do use the public IP for another service.

Thank you!
