How to configure outgoing NAT for a SMTP server

davealessi
Level 1

I have web servers behind the ASA5500 that use an SMTP server to send email traffic. I need some assistance in configuring the router so that the email messages are from the desired IP address. Currently, all SMTP messages are sent using the router's public IP address. I have an inbound NAT entry to translate a public IP to a private one for reverse lookup. Whenever it tries to reverse lookup, it fails because the originating address is not the one coded in the A record for that address, e.g. mail.test.com A record = 222.333.444.555. The router address is different.

I am assuming that when an SMTP server sends an outgoing email, that it uses the first IP address configured on the server. In my case, I have an address of 192.168.1.50 as the first, but the server also has IPs 192.168.1.100-120, which are part of an NLM cluster (server farm). Not sure if the network load balancing stuff matters, but how do I tell which IP address the SMTP server will use when sending the outgoing message? Seems that that address must be coded in the NAT table.

I suspect that this is a simple NAT entry, but I have tried it and can't get it to work. Can someone provide me the CLI syntax to add a NAT rule for this?

7 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Please try the following on the ASA:

global (outside) 199

access-list Mail permit tcp any any eq 25

nat (inside) 199 access-list Mail

This will ensure that all IP addresses used by the mail server use the desired IP when sending mail to outside servers (on port 25).

Hope this helps.

Regards,

NT

Thanks for your response. I am a rookie at configuring the ASA.

What in this example sets the desired IP?

Hello,

My earlier email to this post was truncated for some reason.

It will be:

global (outside) 199

Regards,

NT

Hello,

My earlier email to this post was truncated for some reason.

It will be:

global (outside) 199 "public IP"

Regards,

NT

I still don’t understand. I would expect to see an IP address that is the public address. Is 199 an IP address?

I am a novice at ASA CLI. I will type in what you give me. There is nothing here that can define the IP address.

Dave

Hello,

If we assume that the FQDN address for your SMTP server is 100.1.1.1, then

global (outside) 199 100.1.1.1

One way to find that address would be to use "nslookup" and type your mail server's FQDN name

Example:

nslookup smtp.yahoo.com

Hope this helps.

Regards,

NT

Thank you for your assistance...

Here are the commands that I entered:

global (outside) 199 xxx.xxx.xxx.xxx (where xxx is the public address)

access-list Mail permit tcp any any eq 25

nat (inside) 199 access-list Mail

This does appear to work for outgoing mail. Now, my email from the server is from the address above (xxx).

The reverse lookup still fails however. I cannot access the SMTP server using telnet. I have the port opened:

In the GUI, it shows:

Inside 192.168.1.119

Outside xxx.xxx.xxx.xxx (my public address)

Enable port translation smtp,smtp

Also, I have the Security policy set to enable traffic from any to the destination IP of my public address.

Any ideas on why I cannot access the SMTP server? BTW, I can access it from inside the firewall.
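Added example, not part of the original thread: a forward-confirmed reverse DNS check of the kind receiving mail servers apply, useful for confirming that the address chosen in `global (outside) 199 ...` is the one the mail host's A and PTR records agree on. The hostnames, addresses and function names are constructed for illustration (documentation ranges); the default lookups use the system resolver.

```python
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases

def system_a(hostname):
    """A-record lookup via the system resolver; returns IPv4 strings."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []

def check_mail_source(source_ip, mail_fqdn, ptr=system_ptr, a=system_a):
    """Return a list of problems a receiver would see for mail leaving
    from source_ip (the post-NAT address) claiming to be mail_fqdn."""
    norm = lambda h: h.rstrip(".").lower()
    problems = []
    a_records = a(norm(mail_fqdn))
    if source_ip not in a_records:
        problems.append(f"A record for {mail_fqdn} is {a_records}, "
                        f"not the source address {source_ip}")
    ptr_names = [norm(n) for n in ptr(source_ip)]
    if not ptr_names:
        problems.append(f"no PTR record for {source_ip}")
    elif not any(source_ip in a(n) for n in ptr_names):
        problems.append(f"PTR {ptr_names} does not resolve back to {source_ip}")
    return problems

# Constructed sample zone data so the check can be run offline.
SAMPLE_A = {"mail.example.test": ["203.0.113.10"]}
SAMPLE_PTR = {"203.0.113.10": ["mail.example.test."]}

def sample_a(host):
    return SAMPLE_A.get(host.rstrip(".").lower(), [])

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

if __name__ == "__main__":
    # 203.0.113.1 stands in for the firewall's interface address,
    # 203.0.113.10 for the address the mail NAT rule should use.
    for ip in ("203.0.113.1", "203.0.113.10"):
        found = check_mail_source(ip, "mail.example.test", sample_ptr, sample_a)
        print(ip, "OK" if not found else found)
```

Calling `check_mail_source(ip, fqdn)` without the last two arguments runs the same checks against live DNS.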
