Re: ASA 9.8.4 - Round Robin NAT for SMTP email send not working

MarcoLazzarotto · ‎05-08-2024

Where I work we are having some problems with sending bulk email from a single public IP address, as several emails are being blocked or delayed.
Currently the server has a 1-to-1 NAT with a specific .73 IP address.

The request I got is to distribute email sending to 2 different public Ip addresses, and I immediately thought of using a NAT with PAT pool in round robin.
I then used this configuration on my Cisco ASA-SM to try to distribute the outbound SMTP "load" over the 2 IP addresses, namely .73 and .74, keeping the .73 for access to other services on the Internet:

nat (webdmz,outside) source dynamic email-server pat-pool smtp_addresses_range round-robin service smtp smtp description For SMTP email send
-
object-group network smtp_addresses_range
 description Used in Round-robin for email send
 network-object host xx.yy.zz.73
 network-object host xx.yy.zz.74
-
# THIS IS THE ORIGINAL 1-to-1 NAT THAT MUST BE KEPT
object network email-server
 host 10.aa.bb.73
 nat (webdmz,outside) static xx.yy.zz.73

The problem is that all the connections were always NAT'ed using the .73 address.

MHM Cisco World · ‎05-08-2024

You have two private IP and one public IP or opposite?

MHM

MarcoLazzarotto · ‎05-08-2024

One private IP, the server (10.x.x.73), and I'd like it to use 2 public Ip addresses (207.x.x.73 and 207.x.x.74) to spread the email send and avoid the email delay/blocking issue.
Note that the private IP address already has a one-to-one nat to one public Ip address (last octet of the address is the same) through which receives incoming connections (FTPS server).

MarcoLazzarotto · ‎05-21-2024

@MHM Cisco World I would like to know if you spotted any error in my configuration, or if you have a workaround for my issue.

I do really appreciate your support.