01-30-2017 12:41 PM - edited 03-12-2019 01:51 AM
Hi All
We are using ASA Version 9.4(3) and having an Outbound SMTP problem with our mailserver.
When we send mail, the firewall IP is used as the sender, not the mailserver IP, and that causes mails to bounce at other mailservers.
What we want is the mailserver IP to be shown when sending mail, not the firewall IP.
Can someone tell us what we are missing and guide us in the right direction?
Similar problem but with "older" ASA version
https://supportforums.cisco.com/discussion/11905686/asa-5505-outbound-smtp-route-problem-rdns
The current configuration:
External IP Firewall: xx.xxx.xx.34
External IP Mailserver: xx.xxx.xx.35
Interfaces:
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.0.1 255.255.240.0
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.30.1 255.255.255.0
dhcprelay server 192.168.0.254
interface GigabitEthernet0/6
 nameif OUTSIDE
 security-level 0
 ip address xx.xxx.xx.34 255.255.255.224
Mailserver objects:
object network 172.16.30.11
 host 172.16.30.11
object network xx.xxx.xx.35
 host xx.xxx.xx.35
NAT rules:
object network 172.16.30.11
 nat (DMZ,OUTSIDE) static xx.xxx.xx.35
Access list:
access-list DMZ_in extended permit tcp object 172.16.30.11 any eq smtp
Thanks for any suggestions.
01-30-2017 03:06 PM
Have you perhaps got a dynamic NAT rule for outbound access before this NAT rule?
01-31-2017 05:46 AM
We have these dynamic NAT rules before the static ones:
nat (DMZ,OUTSIDE) source dynamic 172.16.30.11 interface service 25 25
nat (INSIDE,OUTSIDE) source dynamic any interface
nat (DMZ,OUTSIDE) source dynamic any interface
01-31-2017 08:01 AM
You need to create a full 1-to-1 NAT for the email server:
nat (DMZ,OUTSIDE) source static 172.16.30.11 interface
02-03-2017 01:13 PM
I now have the following NAT rules:
nat (DMZ,OUTSIDE) source dynamic 172.16.30.11 interface service 25 25
nat (INSIDE,OUTSIDE) source dynamic any interface
nat (DMZ,OUTSIDE) source dynamic any interface
nat (DMZ,OUTSIDE) source static 172.16.30.11 interface
Object NAT rule:
object network 172.16.30.11
 nat (DMZ,OUTSIDE) static xx.xxx.xx.35
Is this sufficient configuration for the firewall, so I can start debugging elsewhere? Something is still not right.
And are some of the rules overkill/duplicates that can be removed?
02-03-2017 01:44 PM
You shouldn't need these two; the object NAT should be enough on its own:
nat (DMZ,OUTSIDE) source dynamic 172.16.30.11 interface service 25 25
nat (DMZ,OUTSIDE) source static 172.16.30.11 interface
You will also need an access-list rule to allow traffic to the object 172.16.30.11 from the outside interface (assuming you want to receive email).
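The rule-ordering question raised in this answer, as an added Python simulation that is not part of the thread or of Cisco's own code: the ASA walks manual NAT (section 1) in configured order before object NAT (section 2) and before manual after-auto rules (section 3), so any section 1 rule that covers the mail server wins over its object NAT static. The public IPs are constructed stand-ins for the masked addresses in the post, and the FIXED rule set assumes the DMZ catch-all PAT is moved to section 3 with the after-auto keyword.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW_OUTSIDE_IP = "203.0.113.34"   # constructed stand-in for xx.xxx.xx.34
MAIL_PUBLIC_IP = "203.0.113.35"  # constructed stand-in for xx.xxx.xx.35
MAIL_REAL_IP = "172.16.30.11"

@dataclass
class Rule:
    section: int    # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    real_if: str
    mapped_if: str
    kind: str       # "static" or "dynamic"
    source: str     # real source as CIDR, or "any"
    mapped: str     # "interface" (PAT to the egress interface IP) or a mapped IP
    dst_port: int = 0   # 0 = any service
    def matches(self, src_if, dst_if, src_ip, dport):
        if (src_if, dst_if) != (self.real_if, self.mapped_if):
            return False
        if self.dst_port and dport != self.dst_port:
            return False
        return self.source == "any" or ip_address(src_ip) in ip_network(self.source)

def translate_source(rules, src_if, dst_if, src_ip, dport):
    """Mapped source IP for a flow, walking the three ASA NAT sections in order."""
    for section in (1, 2, 3):
        cands = [r for r in rules if r.section == section]
        if section == 2:  # object NAT: static before dynamic, then longest prefix
            cands.sort(key=lambda r: (r.kind != "static",
                       0 if r.source == "any" else -ip_network(r.source).prefixlen))
        for r in cands:   # sections 1 and 3 keep configured order; first match wins
            if r.matches(src_if, dst_if, src_ip, dport):
                return FW_OUTSIDE_IP if r.mapped == "interface" else r.mapped
    return src_ip  # no rule matched: no translation

# The rules as posted in the thread: four section 1 manual rules, then the object NAT.
POSTED = [
    Rule(1, "DMZ", "OUTSIDE", "dynamic", MAIL_REAL_IP + "/32", "interface", 25),
    Rule(1, "INSIDE", "OUTSIDE", "dynamic", "any", "interface"),
    Rule(1, "DMZ", "OUTSIDE", "dynamic", "any", "interface"),
    Rule(1, "DMZ", "OUTSIDE", "static", MAIL_REAL_IP + "/32", "interface"),
    Rule(2, "DMZ", "OUTSIDE", "static", MAIL_REAL_IP + "/32", MAIL_PUBLIC_IP),
]
# Assumed fix: drop the host-specific manual rules and move the DMZ catch-all PAT
# to section 3 (after-auto), so the mail server reaches its object NAT first.
FIXED = [
    Rule(1, "INSIDE", "OUTSIDE", "dynamic", "any", "interface"),
    Rule(2, "DMZ", "OUTSIDE", "static", MAIL_REAL_IP + "/32", MAIL_PUBLIC_IP),
    Rule(3, "DMZ", "OUTSIDE", "dynamic", "any", "interface"),
]

def outbound_smtp_source(rules):
    # Source IP a remote MX sees for mail sent by the DMZ mail server.
    return translate_source(rules, "DMZ", "OUTSIDE", MAIL_REAL_IP, 25)
```

With POSTED the mail server leaves as the firewall address, which is exactly what the HELO check on the remote side compares against; with FIXED other DMZ hosts still PAT to the firewall while the mail server keeps its own public IP.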
02-08-2017 01:04 PM
No problems receiving mails, only sending mails (they are rejected by other servers).
Did some tests with MX-Tools, and the header shows the problem:
Subject: test
Received: from fw.domain.dk (HELO fc.domain.dk) ([xx.xx.xx.34]) by mx1.tools.mxtoolbox.com with ESMTP; 06 Feb 2017 09:13:30 -0600
Message-id: <fc.00870c7d011bf26700870c7d011bf267.11bf268@domain.dk>
X-FC-Thread-ID: 00870c7d-011bf267
Date: Mon, 06 Feb 2017 16:13:43 +0100
X-Mailer: FirstClass 12.1 (build 12.109)
X-FC-SERVER-TZ: 30147588
To: ping@tools.mxtoolbox.com
From: "xxx" <kvt@domain.dk>
The HELO check looks up fc.domain.dk (IP xx.xx.xx.35) and compares it with the fw.domain.dk IP (xx.xx.xx.34), and because the IPs differ, mails get rejected.