RESOLVED asa5520 nat smtp "reverse dns wrong" after inside smtp server ip change

paul.harvey
Level 1

Hi all;

After reading through many forum articles about nat and reverse dns on the asa product, and testing different configurations we are still faced with the problem that our ASA sends outbound mail on the global NAT ip address rather than its Static NAT address.

This problem has only occurred recently, after we changed the SMTP server inside and applied a new inside IP address to the NAT configuration of the ASA. Previously the original, unchanged configuration worked correctly and sent outbound mail via the correct IP address.

The ASA has the following configuration,

ASA 8.2 (1)

ASDM 6.2 (1)

remote VPN via VPN Clients

1 static ipsec site to site vpn

webvpn to outside interface

outside interface ip

static NAT ip for www service

static NAT ip for smtp and https

global NAT ip

Below is the original config that worked:

access-list OUTSIDE_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list vanchem_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any host xxx.xxx.xxx.254 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host xxx.xxx.xxx.254 eq https
access-list OUTSIDE_access_in extended permit tcp any host xxx.xxx.xxx.253 eq www
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1

nat-control
global (OUTSIDE) 101 xxx.xxx.xxx.251 netmask 255.255.255.255
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 101 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) xxx.xxx.xxx.254 192.168.1.5 netmask 255.255.255.255
static (INSIDE,OUTSIDE) xxx.xxx.xxx.253 192.168.1.11 netmask 255.255.255.255

access-group OUTSIDE_access_in in interface OUTSIDE

The only change to the configuration was as follows;

static (INSIDE,OUTSIDE) xxx.xxx.xxx.254 192.168.1.6 netmask 255.255.255.255

Then, after this, SMTP out was sent via the global xxx.251 address, not xxx.254.

Have reapplied (and rebooted) all the NAT and access-list configuration from scratch, in order, with no change; have also applied the config below, with no change:

access-list OUTSIDE_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list vanchem_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list OUTSIDE_access_in extended permit tcp any host xxx.xxx.xxx.254 eq smtp
access-list OUTSIDE_access_in extended permit tcp any host xxx.xxx.xxx.254 eq https
access-list OUTSIDE_access_in extended permit tcp any host xxx.xxx.xxx.252 eq www
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1

nat-control

global (OUTSIDE) 1 xxx.xxx.xxx.254 netmask 255.255.255.255
global (OUTSIDE) 2 xxx.xxx.xxx.251 netmask 255.255.255.255
nat (INSIDE) 0 access-list INSIDE_nat0_outbound
nat (INSIDE) 1 192.168.1.6 255.255.255.255
nat (INSIDE) 2 192.168.1.0 255.255.255.0
static (INSIDE,OUTSIDE) xxx.xxx.xxx.254 192.168.1.6 netmask 255.255.255.255
static (INSIDE,OUTSIDE) xxx.xxx.xxx.253 192.168.1.11 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE

Any ideas and suggestions of what I am missing would be great. I am stumped, with only the option to reset the ASA to default and rebuilding the configuration from scratch, which could possibly result in ending back at the same position.

3 Replies

Jouni Forss
VIP Alumni

Hi,

So you are saying that your SMTP server has changed in the LAN and you need to configure the new IP address to the Public Static NAT configuration?

The only thing I can think of quickly is that, since you had the new server on the LAN before the actual Static NAT configuration change, it might still have the PAT translation active for the public IP address xxx.xxx.xxx.251, since that is the only public IP usable for the new server before you configure the new Static NAT.

Here comes the part I'm not really sure about without checking some documents: will configuring the Static NAT clear the old PAT xlate and create the 1:1 Static NAT?

When you next try this configuration change, issue the following command before and after the changes:

show xlate | inc

If you happen to find an old hanging PAT translation for the new server's IP address, issue the following command (it will quite probably close all of its connections travelling through the ASA):

clear xlate local

After this, check with the command I listed before to see what NAT translation becomes active next.

You can also use the following command to simulate a packet entering the ASA on some interface and see exactly what the ASA would do to it regarding NAT, ACLs and other settings:

packet-tracer input tcp 25

This should list what happens to the packet if it were to really enter the source interface specified. Copy/Paste output here.

And finally... the ASA NAT order of operations for your software should go in the following order:

  • NAT0 configurations with ACLs in "nat" statement
  • Static NAT/PAT and Static Policy NAT/PAT in the order they come in the running configuration
  • Dynamic Policy NAT ("global" using ACLs in the "nat" statement)
  • Regular Dynamic NAT/PAT

Looking at your above configuration (if that is all of it regarding NAT), there should be no rule that, on the basis of the above order, would overrule the Static NAT, so perhaps it is the above-mentioned old NAT translation hanging on the ASA that needs to be cleared.

You should post this in the Firewall section of the Security forums to get more eyes on this post. I don't think there are nearly as many visitors in this section. I myself just stumbled upon this while checking after a long time.

Hopefully the above has been helpful information.

- Jouni

Thanks for the reply.

My feeling was also the NAT order of operations, but I thought I had discounted that by taking the ASA out of production and re-entering the NAT and ACL configuration.

The only other thing that concerns me is that I believe at ASA 8.3 and above the NAT config starts using object statements, amongst other things.

The configuration shown first was the original config, initially setup on the default ASA/ASDM version 6.?.? some years ago and worked correctly. The ASA has been upgraded over these years to version 8.2(1) with no change to the config, and continued to work correctly. This error has only happened in the last month when deploying a new SMTP Server on the LAN, and updating the NAT config to direct traffic to the New SMTP Server.

Whatever I change, re-order or replace, including re-writing the config, the SMTP server always sends mail out via the global IP address .251, not its Static NAT .254.

paul.harvey
Level 1

All, found the answer to this issue.

Prior to this problem we had been using Server 2003 R2 and Exchange 2003. We upgraded to Server 2008 R2 and Exchange 2010.

After much research and a factory reset and reinstall of the ASA... throw in the Microsoft issue discussed at http://support.microsoft.com/kb/2386184 (PRIMARY IP ADDRESS on the SERVER).

As per best practice in Exchange 2010 we had multiple IP addresses configured on the 2008R2 NIC for smtp connectors etc.

So while NAT can always cause issues, and NAT was the last thing we had changed ("the internal IP address of the SMTP server in the NAT statement"), of course all thoughts concerned an issue with our Cisco configuration. "Sorry, Cisco." Microsoft does it again......

Hope this helps others with similar issues.
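As an added illustration (not code from this thread, from Cisco or from Microsoft), the Python model below walks a packet through the 8.2 NAT order of operations Jouni listed, using the posted config with constructed placeholder public addresses (203.0.113.x stands in for xxx.xxx.xxx.x). It also shows why the final resolution fits the symptom: a packet that leaves the server from any address other than 192.168.1.6 matches no static and falls through to the global .251 PAT.

```python
import ipaddress

# Constructed model of the original working config posted in the thread.
# Public addresses are placeholders for the redacted xxx.xxx.xxx.x values.
NAT0_ACL = [  # nat (INSIDE) 0 access-list INSIDE_nat0_outbound
    ("192.168.1.0/24", "192.168.250.0/24"),
    ("192.168.1.0/24", "192.168.2.0/24"),
    ("0.0.0.0/0", "192.168.3.0/24"),
]
STATICS = {  # static (INSIDE,OUTSIDE) <public> <inside>
    "192.168.1.6": "203.0.113.254",   # smtp/https (after the server change)
    "192.168.1.11": "203.0.113.253",  # www
}
DYNAMIC = [  # nat (INSIDE) 101 0.0.0.0 0.0.0.0 + global (OUTSIDE) 101
    ("0.0.0.0/0", "203.0.113.251"),
]


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def translate(src, dst):
    """Return (rule, translated_source) for an INSIDE->OUTSIDE packet,
    applying the 8.2 order: nat0 (identity), then static, then dynamic."""
    for s, d in NAT0_ACL:
        if in_net(src, s) and in_net(dst, d):
            return ("nat0", src)          # identity NAT, e.g. VPN traffic
    if src in STATICS:
        return ("static", STATICS[src])   # 1:1 static wins over dynamic
    for s, pub in DYNAMIC:
        if in_net(src, s):
            return ("dynamic", pub)       # global PAT address (.251)
    return ("none", None)                 # nat-control: no rule, dropped


def smtp_source_seen_by_internet(server_nic_ips, sending_ip, mx="198.51.100.10"):
    """Which public address an external MX sees for outbound mail, given the
    addresses on the server NIC and the one Windows actually sources from.
    A constructed check, not an ASA feature: it models the thread's root cause."""
    assert sending_ip in server_nic_ips, "sending address must be on the NIC"
    return translate(sending_ip, mx)


if __name__ == "__main__":
    nic = ["192.168.1.6", "192.168.1.7"]      # constructed multi-IP Exchange NIC
    for ip in nic:
        print(ip, "->", smtp_source_seen_by_internet(nic, ip))
```

Run the block as-is; mail sourced from 192.168.1.6 leaves as .254, while mail sourced from the secondary 192.168.1.7 leaves as .251, which is exactly the reverse-DNS mismatch the original poster saw.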
