11-09-2010 05:12 AM - edited 03-11-2019 12:06 PM
So we got a new internet line here at work to replace our old T1. Along with the new line we were given new IP addresses.
We were given a new WAN IP of xxx.xxx.30.178 /30, which I assigned to the outside interface of the firewall, which is a Cisco ASA 5510.
We were also given a block of usable public IPs, which are xxx.xxx.164.0 - xxx.xxx.164.31 /27.
So we made the switchover and everything went fine. But then people in the company started getting all kinds of email bouncebacks from people they were trying to send emails to. Apparently this is because our new WAN IP doesn't have a legitimate reverse ARP assigned to it.
OK, no big deal. I call up BellSouth and ask them to do it, and they say that our new WAN IP is a serial IP and that it cannot ever have a reverse ARP assigned to it.
The guy at BellSouth told me that we need to configure the firewall in such a way that the outgoing email looks like it is coming from one of our new public IPs and not the WAN IP.
So I'm thinking this is going to require some kind of NAT rule; I'm just unsure of how to configure it.
The Internal interface on the ASA is 150.50.1.29 and the Exchange Server is 150.50.1.37.
Any Ideas?
11-09-2010 05:36 AM
Hello,
Mike here. I hope you are doing great. Can you paste the NAT translation that you have for your e-mail server? I understand that the IP address of the Exchange server is 150.50.1.37, but it needs to be translated to something so people on the internet can talk to him, right?
Do you have the NAT already in place?
Let me know.
Mike
11-09-2010 05:46 AM
No, I do not have anything in place already.
I just need the email to look like it is coming from a different address than our regular WAN IP, because our regular WAN IP is a serial IP so we can't ever get it unblacklisted.
11-09-2010 05:55 AM
So the big question over here would be: are you trying to NAT the server to one of your new public IPs? If that is so, what you need to do is the following.
In case the server is on the inside and the inside interface is called "inside" and the outside is called "outside":
static (inside,outside)
You can hit enter and it will take it. Also, you will need to allow port 25 to that.
If you have any doubts please let me know.
Mike.
11-09-2010 06:01 AM
That's exactly what I needed. I'll give it a try and let you know how it works out.
Thanks again for your help!
11-09-2010 10:10 AM
Our MX records point to Postini because we use them for spam filtering.
I tried doing the 1-to-1 NAT rule like you specified, then went into the BellSouth DNS dashboard and updated the forward pointers to point to the correct new public IP.
I sent a test email to myself at Gmail and it is still sourcing from xxx.xxx.30.178 and not xxx.xxx.164.31 like I need it to.
11-09-2010 10:13 AM
It may take a while to refresh the MX records on the external DNS servers. If you like, you can try changing your DNS server to 4.2.2.2 and check what happens if you do an nslookup on your MX record.
Let me know what happens.
Mike.
11-09-2010 12:43 PM
I ended up finding the solution that worked for me elsewhere, although what you said was half of it; I needed a security rule in place as well.
What you would want to do is set up a 1-to-1 NAT between your secondary public IP address and the inside address of your mail server. For example, if your secondary public IP address is 1.1.1.2 and your inside mail server is 10.1.1.2, the statement would be something like this:
static (inside,outside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255
This will set up the 1-to-1 translation between your secondary public IP and your mail server.
Now, once you've got this new NAT set up, you'll need to modify your outside access rules to allow for the new address. So, something like this:
access-list outside_access_in extended permit tcp any host 1.1.1.2 eq smtp
Since we use Postini I also had to add
access-list outside_access_in extended permit tcp any host 1.1.1.2 eq pop3
This statement says allow any outside host to reach your mail server using tcp/25 (smtp) and tcp/pop3. Note that we're now allowing smtp/pop3 traffic to your secondary public IP address.
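Pulling the two halves of the thread together, the following is an added example (not the poster's configuration or anything from Cisco) of the complete pre-8.3 ASA configuration that the accepted answer and the quoted solution describe, using the thread's own addresses. The record the thread calls "reverse ARP" is the reverse DNS (PTR) record, and the fix works because a static translation is bidirectional: once 150.50.1.37 is statically mapped, its outbound SMTP connections leave the outside interface sourced from the mapped public address, which is the one that can carry a PTR. The xxx.xxx prefix is the poster's redaction, and the interface names, the access-list name and the access-group binding are assumptions.

```cisco
! Added example: 1-to-1 static NAT so the Exchange server (150.50.1.37)
! is seen on the Internet as xxx.xxx.164.31 in both directions.
! "xxx.xxx" is the redacted prefix from the thread; substitute the real octets.
! Interface names "inside"/"outside" and the access-list name are assumptions.
!
! Pre-8.3 syntax, as used in the thread.
static (inside,outside) xxx.xxx.164.31 150.50.1.37 netmask 255.255.255.255
!
! The static is bidirectional: outbound mail from 150.50.1.37 now sources
! from xxx.xxx.164.31 (the address that carries the PTR record), and inbound
! packets to xxx.xxx.164.31 are untranslated to the server. Because a static
! exposes every port of the server, the inbound access-list is the only thing
! limiting what can reach it, so permit only the mail ports actually needed.
access-list outside_access_in extended permit tcp any host xxx.xxx.164.31 eq smtp
! Only needed because Postini collects mail over POP3 in this deployment;
! omit it if no external service needs POP3 to this host.
access-list outside_access_in extended permit tcp any host xxx.xxx.164.31 eq pop3
! Bind the list inbound on the outside interface (assumed not already present).
access-group outside_access_in in interface outside
!
! Equivalent on ASA 8.3 and later, where object NAT replaces "static" and
! access-lists match on the real (untranslated) address:
! object network exchange_server
!  host 150.50.1.37
!  nat (inside,outside) static xxx.xxx.164.31
! access-list outside_access_in extended permit tcp any object exchange_server eq smtp
```

Two checks are worth running before waiting on DNS propagation, as the thread did: `show xlate` confirms the translation for 150.50.1.37 exists, and `packet-tracer input inside tcp 150.50.1.37 1025 <external-MX-IP> 25` shows which source address an outbound SMTP connection will carry, so a static that has not taken effect (for example, one typed without the address arguments) is caught on the firewall rather than in a Gmail header. Since the MX records point at Postini, the `permit tcp any ... eq smtp` line can be tightened to the filtering provider's published source ranges so that only the relay, not the whole Internet, can open SMTP to the server.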
11-09-2010 02:26 PM
Hello,
I am glad that it worked. That's what I meant when I said:
"You can hit enter and it will take it, also, you will need to allow port 25 to that."
Sorry I was not clear enough, I am glad that it worked.
Cheers.
Mike