05-06-2011 11:06 AM - edited 03-11-2019 01:30 PM
Hi all
I have an ASA 5505 and I have attached the configuration (with dummy public IPs) here.
I have a problem in regards to NATing. The requirement is that the ports for smtp and https and port number 3389 should be statically NATed from 192.168.1.2 to 1.1.1.3, and it has been done as follows
static (inside,outside) tcp 1.1.1.3 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 1.1.1.3 https 192.168.1.2 https netmask 255.255.255.255
But when someone tries to send a mail from the internal network, some domains are rejecting their mails, because those domains are doing a reverse lookup and find that the mail domain of the sender is pointed to 1.1.1.2, which is the outside interface of the firewall. I believe the static NATing is not at all functioning properly as it should 192.168.1.2 to 1.1.1.3 for smtp. Again, I have attached the whole configuration for your reference.
It would be great if someone helps me out with this.
05-06-2011 12:31 PM
That static NAT is translating inbound traffic TO the SMTP port 25. When your mail server sends outbound mail, it doesn't hit that static NAT rule because it's coming from a non-SMTP ephemeral (>1024) port. What you need to also do is configure dynamic NAT for your mail server:
global (outside) 100 1.1.1.3
nat (inside) 100 192.168.1.2 255.255.255.255
The other option is to set up your domain's DNS SPF record to point to 1.1.1.2.
Regards,
Roman
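To make concrete why outbound mail was leaving from 1.1.1.2, here is an added Python model of the pre-8.3 translation order Roman describes (example code, not from the thread or from Cisco). It assumes a pre-existing catch-all interface PAT (nat/global id 1) to 1.1.1.2 and that the most specific dynamic nat statement covering a host wins; both are assumptions of the model, not facts from the post.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the pre-8.3 ASA NAT order discussed in the thread.
Static = namedtuple("Static", "global_ip global_port local_ip local_port")
Dynamic = namedtuple("Dynamic", "local_net global_ip")  # nat/global pair

OUTSIDE_IF = "1.1.1.2"  # outside interface address seen by the reverse lookup

# The three port-level statics from the original post (dummy public IPs).
STATICS = [
    Static("1.1.1.3", 3389, "192.168.1.2", 3389),
    Static("1.1.1.3", 25, "192.168.1.2", 25),
    Static("1.1.1.3", 443, "192.168.1.2", 443),
]

# Assumed existing catch-all: nat (inside) 1 0 0 / global (outside) 1 interface
BEFORE = [Dynamic("0.0.0.0/0", OUTSIDE_IF)]
# Roman's fix: global (outside) 100 1.1.1.3 / nat (inside) 100 192.168.1.2 255.255.255.255
AFTER = BEFORE + [Dynamic("192.168.1.2/32", "1.1.1.3")]


def translate_outbound(src_ip, src_port, dynamics):
    """Mapped source address for an inside->outside flow.

    A static port-PAT entry only matches when both the local address and the
    local *port* match, so a mail server connecting out from an ephemeral
    port skips all three statics. The flow then falls through to dynamic
    NAT; the most specific nat statement covering the host wins (assumption
    of this model) and the interface PAT is the last resort.
    """
    for s in STATICS:
        if s.local_ip == src_ip and s.local_port == src_port:
            return s.global_ip
    host = ipaddress.ip_address(src_ip)
    best = None
    for d in dynamics:
        net = ipaddress.ip_network(d.local_net)
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, d.global_ip)
    return best[1] if best else OUTSIDE_IF


def mail_source_matches_ptr(src_ip, src_port, dynamics, ptr_ip="1.1.1.3"):
    """True if the address a remote MTA sees is the one the MX/PTR records
    advertise (1.1.1.3 in the thread); False reproduces the rejections."""
    return translate_outbound(src_ip, src_port, dynamics) == ptr_ip
```

Before the fix an outbound SMTP session from an ephemeral port maps to 1.1.1.2; after adding the nat/global 100 pair it maps to 1.1.1.3, while other inside hosts still use the interface address.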
05-07-2011 07:32 PM
Thank you Roman
I will try the commands you gave. Do I need to do a "clear xlate" to get the new translation up and running?
Also, out of curiosity, if I replace the three static statements with
static (inside,outside) 12.234.183.252 192.168.1.2 netmask 255.255.255.255
will it work with this change?
Thanks
Mukundh
05-07-2011 08:21 PM
Yes, you will need to do a "clear xlate". You can run it for a specific local IP of your mail server, "clear xlate local x.x.x.x"
Yes, good call, if you use that static nat line instead, you will also reach your goal.