Exchange Outgoing NAT

kbrown001
Level 1

So we got a new internet line here at work to replace our old T1.  Along with the new line we were given new IP addresses.

We were given a new WAN IP of xxx.xxx.30.178 /30 which I assigned to the outside interface of the firewall which is a Cisco ASA 5510

We were also given a block of usable public IPs which are xxx.xxx.164.0 - xxx.xxx.164.31 /27

So we made the switchover and everything went fine. But then people in the company started getting all kinds of email bounce-backs from people they were trying to send emails to. Apparently this is because our new WAN IP doesn't have a legitimate reverse ARP assigned to it.

OK, no big deal, I call up bellsouth and ask them to do it and they say that our new WAN IP is a serial IP and that it cannot ever have a reverse ARP assigned to it.

The guy at bellsouth told me that we need to configure the firewall in such a way that the outgoing email looks like it is coming from one of our new public IPs and not the WAN IP.

So I'm thinking this is going to require some kind of NAT rule, I'm just unsure of how to configure it.

The Internal interface on the ASA is 150.50.1.29 and the Exchange Server is 150.50.1.37.

Any Ideas?


8 Replies

Maykol Rojas
Cisco Employee

Hello,

Mike here. I hope you are doing great. Can you paste the NAT translation that you have for your e-mail server? I understand that the IP address of the Exchange is 150.50.1.37, but it needs to be translated to something so people on the internet can talk to it, right?

Do you have the NAT already in place?

Let me know.

Mike


No, I do not have anything in place already.

I just need the email to look like it is coming from a different address than our regular WAN IP, because our regular WAN IP is a serial IP, so we can't ever get it unblacklisted.

So the big question over here would be, are you trying to NAT the server to one of your new public IPs? If that is so, what you need to do is the following.

In case the server is on the inside and the inside interface is called "inside" and the outside is called "outside"

static (inside,outside) 

You can hit enter and it will take it. Also, you will need to allow port 25 to that on the outside interface in order to receive mail.

If you have any doubts please let me know.

Mike.


That's exactly what I needed. I'll give it a try and let you know how it works out.

Thanks again for your help!

Our MX records point to Postini because we use them for spam filtering.

I tried doing the 1-to-1 NAT rule like you specified, then went into the bellsouth DNS dashboard and updated the forward pointers to point to the correct new public IP.

Sent a test email to myself at Gmail and it is still sourcing from xxx.xxx.30.178 and not xxx.xxx.164.31 like I need it to.

It may take a while in order to refresh the MX records on the external DNS servers... If you like you can try changing your DNS server to 4.2.2.2 and check what happens if you do an nslookup to your MX record.

Let me know what happens.

Mike.


I ended up finding the solution that worked for me elsewhere, although what you said was half of it; I needed a security rule in place as well.

What you would want to do is set up a 1-to-1 NAT between your secondary public IP address and the inside address of your mail server. For example, if your secondary public IP address is 1.1.1.2 and your inside mail server is 10.1.1.2, the statement would be something like this:

static (inside,outside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255

This will set up the 1-to-1 translation between your secondary public IP and your mail server. 

Now, once you've got this new NAT set up, you'll need to modify your outside access rules to allow for the new address. So, something like this:

access-list outside_access_in extended permit tcp any host 1.1.1.2 eq smtp

Since we use Postini I also had to add

access-list outside_access_in extended permit tcp any host 1.1.1.2 eq pop3

This statement says allow any outside host to reach your mail server using tcp/25 (smtp) and tcp/pop3.  Note that we're now allowing smtp/pop3 traffic to your secondary public IP address.
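An added example, not from the original thread and not Cisco's own documentation, showing the complete set of commands the solution above implies together with the checks a practitioner would run before sending another test mail. It keeps the post's placeholders (1.1.1.2 is the spare public address from the routed block, 10.1.1.2 the mail server) and adds one assumption: 192.0.2.0/24 stands in for the spam-filtering service's published source range, which you would replace with the real addresses. Two things the thread leaves implicit are worth spelling out. First, on ASA 8.2 a static translation is bidirectional, so it also rewrites the server's outbound source address to 1.1.1.2, which is what actually fixes the bounces; but a dynamic (PAT) translation the server already holds in the xlate table keeps winning until it is cleared, which is a common reason the test mail still leaves from the interface address. Second, the source address a remote mail server sees is decided by this NAT rule alone, not by the MX record, so a DNS refresh is not what the test is waiting on; what does still have to be arranged with the ISP is a PTR record for the routed-block address (which, unlike the serial /30 address, they can delegate), and it should agree with the name the Exchange send connector announces in HELO. The access rules are also tightened relative to the post: if MX points only at the filtering service, inbound smtp and pop3 need to be accepted only from its ranges rather than from any host. The 8.3+ object-NAT form is included because the same hardware ran both syntaxes.

```cisco
! --- ASA 8.2 and earlier (the syntax used in the thread) ---
! 1-to-1 static translation. It is bidirectional: inbound 1.1.1.2 -> 10.1.1.2
! and outbound connections from 10.1.1.2 now leave sourced from 1.1.1.2.
static (inside,outside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255

! Placeholder for the filtering service's published source range (assumption;
! 192.0.2.0/24 is documentation space, substitute the provider's real ranges).
object-group network FILTER_SVC_SRC
 network-object 192.0.2.0 255.255.255.0

! Inbound to the public address. On 8.2 the outside ACL matches the
! translated (public) IP. Restricted to the filtering service, not "any".
access-list outside_access_in extended permit tcp object-group FILTER_SVC_SRC host 1.1.1.2 eq smtp
access-list outside_access_in extended permit tcp object-group FILTER_SVC_SRC host 1.1.1.2 eq pop3
access-group outside_access_in in interface outside

! Exec command, not config: drop any dynamic translation the server already
! holds, otherwise outbound keeps using the interface address until it ages out.
clear xlate local 10.1.1.2

! --- ASA 8.3 and later (object NAT; the outside ACL matches the real inside IP) ---
object network MAILSRV
 host 10.1.1.2
 nat (inside,outside) static 1.1.1.2
access-list outside_access_in extended permit tcp object-group FILTER_SVC_SRC object MAILSRV eq smtp
access-list outside_access_in extended permit tcp object-group FILTER_SVC_SRC object MAILSRV eq pop3

! --- Verification (exec mode, either release) ---
! Outbound: the NAT phase of the trace should show the static to 1.1.1.2,
! not the dynamic PAT to the outside interface address.
packet-tracer input inside tcp 10.1.1.2 1025 198.51.100.25 25
! Inbound from the filtering service: expect the ACL permit and the static.
packet-tracer input outside tcp 192.0.2.10 40000 1.1.1.2 25
! Confirm the only translation for the server is the static one.
show xlate | include 10.1.1.2
```

After the xlate is cleared, the Received header of a test message at the far end should show the connection coming from 1.1.1.2; if it still shows the interface address, `show xlate` is the first place to look, because the static is not in effect for that host until its old translation is gone.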

Hello,

I am glad that it worked. That's what I meant when I said:

"You can hit enter and it will take it, also, you will need to allow port 25 to that on the outside interface in order to receive mail."

Sorry I was not clear enough, I am glad that it worked.

Cheers.

Mike
