Re: Replaced ASA & E-mail

HMidkiff · ‎08-09-2010

Hello:

This may not be the right forum for this, but over the weekend I tried to replace my PIX515e with a new ASA5520. I got it online and then right away in testing when sending outbound e-mails I got the below NDR. I use Exchange. It goes Back End to Front End and then forwarded to a delivery service (ProofPoint). I assumed if I would have had delivery problems messages would just have queued up rather than users getting an NDR. After unsuccessfully trying to resolve the issue I had to revert back to the PIX515e. When I did that I was not getting NDR's anymore, but NAT's and e-mail were not working. I ended up flushing the ARP cache on my upstream router and then everything returned to normal.

Could a bad ARP entries on my upstream router caused NDR's like what I saw?

******************* NDR *******************

Your message did not reach some or all of the intended recipients.

Subject: How are you

Sent: 8/8/2010 3:54 PM

The following recipient(s) cannot be reached:

xyz@gmail.com on 8/8/2010 3:54 PM

You do not have permission to send to this recipient. For assistance, contact your system administrator.

<SERVER.DOMAIN.COM #5.7.1 smtp;550 5.7.1 Unable to relay for xyz@gmail.com>

Harrison Midkiff

Kureli Sankar · ‎08-09-2010

HMidkiff,

I am not sure which source IP sent this NDR and to which destination IP. I am thinking that your e-mail server tried to deliver messages not looking like the MX record so, the receiving MTA didn't accept it. This could have had something to do with translation.

Any time you replace a unit (move the cables between units) and keep the IP addresses you should clear the upstream router's cache. If you shut the old PIX then, plug the cables on the ASA and then power it on, it should have proxy arp-ed and the router would have updated its arp cache.

-KS