How to configure outgoing NAT for a SMTP server
08-30-2010 10:54 AM - edited 03-06-2019 12:43 PM
I have web servers behind the ASA5500 that use an SMTP server to send email traffic. I need some assistance in configuring the router so that the email messages are from the desired IP address. Currently, all SMTP messages are sent using the router's public IP address. I have an inbound NAT entry to translate a public IP to a private one for reverse lookup. Whenever it tries to reverse lookup, it fails because the originating address is not the one coded in the A record for that address, e.g. mail.test.com A record = 222.333.444.555. The router address is different.
I am assuming that when an SMTP server sends an outgoing email, it uses the first IP address configured on the server. In my case, I have an address of 192.168.1.50 as the first, but the server also has IPs 192.168.1.100-120, which are part of an NLM cluster (server farm). Not sure if the network load balancing stuff matters, but how do I tell which IP address the SMTP server will use when sending the outgoing message? It seems that that address must be coded in the NAT table.
I suspect that this is a simple NAT entry, but I have tried it and can't get it to work. Can someone provide me the CLI syntax to add a NAT rule for this?
08-30-2010 11:00 AM
Hello,
Please try the following on the ASA:
global (outside) 199
access-list Mail permit tcp any any eq 25
nat (inside) 199 access-list Mail
This will ensure that all IP addresses used by the mail server use the desired IP when sending mail to outside servers (on port 25).
Hope this helps.
Regards,
NT
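The three lines above are pre-8.3 ASA policy NAT: the access-list selects traffic, `nat (inside) 199 access-list Mail` ties matching flows to NAT id 199, and `global (outside) 199 <address>` supplies the source address they leave with. The following is an added example, not code from the thread or from Cisco: it parses a constructed snippet of that syntax (the reply's three lines plus an assumed interface PAT that all other traffic falls through to) and reports which outside address a packet would carry, so you can see why every inside host on TCP/25 ends up with the same public IP regardless of which server address originated the connection. The addresses 198.51.100.25 (mail server's public IP) and 198.51.100.1 (outside interface), and the Packet/parse_config/translated_source names, are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed pre-8.3 ASA NAT snippet (example configuration, not the thread's
# verbatim config): the policy-NAT trio from the reply plus an assumed
# interface PAT (nat/global id 1) that everything else falls through to, which
# is why non-SMTP traffic leaves as the firewall's own address.
# 198.51.100.25 (mail server's public IP) and 198.51.100.1 (outside interface)
# are hypothetical documentation-range addresses.
ASA_CONFIG = """
global (outside) 1 interface
global (outside) 199 198.51.100.25
access-list Mail permit tcp any any eq 25
nat (inside) 199 access-list Mail
nat (inside) 1 0.0.0.0 0.0.0.0
"""
OUTSIDE_INTERFACE_IP = "198.51.100.1"  # assumed outside interface address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def parse_config(text: str):
    """Pull global pools, ACL entries and nat statements out of the snippet."""
    globals_ = {}      # nat id -> global address or "interface"
    acls = {}          # ACL name -> [(proto, src, dst, dport or None)]
    nat_rules = []     # (nat id, acl name or None, source network or None)
    for line in text.strip().splitlines():
        p = line.split()
        if p[0] == "global":
            globals_[int(p[2])] = p[3]
        elif p[0] == "access-list":
            # access-list NAME permit PROTO SRC DST [eq PORT]
            port = int(p[7]) if len(p) > 7 and p[6] == "eq" else None
            acls.setdefault(p[1], []).append((p[3], p[4], p[5], port))
        elif p[0] == "nat":
            if p[3] == "access-list":
                nat_rules.append((int(p[2]), p[4], None))
            else:
                # "nat (inside) ID ADDRESS NETMASK": regular dynamic NAT
                nat_rules.append((int(p[2]), None,
                                  ipaddress.ip_network(f"{p[3]}/{p[4]}")))
    return globals_, acls, nat_rules


def _addr_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _global_addr(globals_, nat_id: int) -> str:
    g = globals_[nat_id]
    return OUTSIDE_INTERFACE_IP if g == "interface" else g


def translated_source(pkt: Packet, config: str = ASA_CONFIG) -> Optional[str]:
    """Return the source address the packet carries once it leaves the outside
    interface. Pre-8.3 ASA evaluates policy (ACL-based) dynamic NAT before
    regular dynamic NAT, whatever order the lines appear in the config."""
    globals_, acls, nat_rules = parse_config(config)
    for nat_id, acl, _ in nat_rules:
        if acl is None:
            continue
        for proto, src, dst, dport in acls[acl]:
            if (proto == pkt.proto and _addr_matches(src, pkt.src)
                    and _addr_matches(dst, pkt.dst)
                    and (dport is None or dport == pkt.dport)):
                return _global_addr(globals_, nat_id)
    for nat_id, acl, net in nat_rules:
        if acl is None and ipaddress.ip_address(pkt.src) in net:
            return _global_addr(globals_, nat_id)
    return None  # no rule matched: with nat-control enabled the packet is dropped


if __name__ == "__main__":
    for p in (Packet("192.168.1.50", "203.0.113.10", "tcp", 25),
              Packet("192.168.1.119", "203.0.113.10", "tcp", 25),
              Packet("192.168.1.50", "203.0.113.10", "tcp", 80)):
        print(f"{p.src} -> {p.dst}:{p.dport} leaves as {translated_source(p)}")
```

Two things the simulation makes visible. First, the `any any eq 25` selector does not care which of the server's addresses (192.168.1.50 or a cluster address such as 192.168.1.119) opened the connection, so the NLB question from the original post is moot for outbound mail. Second, that same `any` source means every inside host that talks to port 25 is translated to the mail server's public address; a compromised workstation sending spam would then burn the reputation of the IP your PTR record points at. A tighter selector such as `access-list Mail permit tcp host 192.168.1.50 any eq 25` (or an object covering the cluster range) limits the translation to the servers that should be sending mail.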
08-30-2010 11:06 AM
Thanks for your response. I am a rookie at configuring the ASA.
What in this example sets the desired IP?
08-30-2010 11:16 AM
Hello,
My earlier email to this post was truncated for some reason.
It will be:
global (outside) 199
Regards,
NT
08-30-2010 11:18 AM
Hello,
My earlier email to this post was truncated for some reason.
It will be:
global (outside) 199 "public IP"
Regards,
NT
08-30-2010 01:33 PM
I still don’t understand. I would expect to see an IP address that is the public address. Is 199 an IP address?
I am a novice at ASA CLI. I will type in what you give me. There is nothing here that can define the IP address.
Dave
08-30-2010 01:43 PM
Hello,
If we assume that the FQDN address for your SMTP server is 100.1.1.1, then
global (outside) 199 100.1.1.1
One way to find that address would be to use "nslookup" and type your mail server's FQDN.
Example:
nslookup smtp.yahoo.com
Hope this helps.
Regards,
NT
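The reason the address in the `global` line has to be the one the FQDN resolves to is the check the receiving mail server performs, which the original post describes failing: it looks up the PTR for the connecting IP, resolves that name forward, and expects to land back on the same IP (forward-confirmed reverse DNS), and usually also resolves the HELO name. The block below is an added example, not part of the thread, that implements that receiver-side check against a small constructed DNS table instead of live resolution, so it runs offline and shows exactly why mail leaving from the firewall's interface address is rejected while mail from the address in mail.test.com's A record passes. The names mail.test.com and fw.test.com, the addresses 198.51.100.25 and 198.51.100.1, and the functions reverse_name and check_sender are assumptions for the example; against a real zone you would replace the two dictionaries with PTR and A queries.

```python
# Constructed DNS data (assumed, not from the thread): mail.test.com's A record
# points at the mail server's dedicated public address and that address has a
# matching PTR; the firewall's outside address has a PTR for a different name
# with no A record pointing back. Addresses are documentation-range values.
A_RECORDS = {
    "mail.test.com": {"198.51.100.25"},
}
PTR_RECORDS = {
    "25.100.51.198.in-addr.arpa": {"mail.test.com"},
    "1.100.51.198.in-addr.arpa": {"fw.test.com"},
}


def reverse_name(ip: str) -> str:
    """IPv4 address -> the in-addr.arpa owner name a PTR query is sent for."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def check_sender(ip: str, helo: str, a=A_RECORDS, ptr=PTR_RECORDS):
    """Mimic a receiving MTA's connection-time checks.

    Returns (accepted, reason). Three things are checked, in the order a
    typical receiver applies them: a PTR exists for the connecting address,
    at least one PTR name resolves forward to that same address (FCrDNS),
    and the HELO/EHLO name resolves to the connecting address as well.
    """
    names = ptr.get(reverse_name(ip), set())
    if not names:
        return False, f"no PTR record for {ip}"
    confirmed = {n for n in names if ip in a.get(n, set())}
    if not confirmed:
        return False, f"PTR name(s) {sorted(names)} do not resolve back to {ip}"
    if ip not in a.get(helo, set()):
        return False, f"HELO {helo} does not resolve to {ip}"
    return True, f"{ip} verified as {sorted(confirmed)[0]}"


if __name__ == "__main__":
    # Mail that left through the dedicated public address (policy NAT in place).
    print(check_sender("198.51.100.25", "mail.test.com"))
    # Mail that left through the firewall's interface address (the original
    # post's situation): the PTR exists but points at a name with no matching A.
    print(check_sender("198.51.100.1", "mail.test.com"))
    # An address with no PTR at all.
    print(check_sender("203.0.113.7", "mail.test.com"))
```

The second case is the one from the original post: the outgoing connection carries the router's address, the receiver finds a PTR for it that names the firewall rather than mail.test.com, the forward lookup of that name does not return the connecting IP, and the message is refused or scored as suspect. Fixing the NAT so the connection leaves as 198.51.100.25 makes all three checks pass, provided the PTR for that address is also set to mail.test.com; the ASA cannot fix a missing or wrong PTR, which lives with whoever delegates the reverse zone for your public range.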
08-31-2010 05:23 AM
Thank you for your assistance...
Here are the commands that I entered:
global (outside) 199 xxx.xxx.xxx.xxx (where xxx is the public address)
access-list Mail permit tcp any any eq 25
nat (inside) 199 access-list Mail
This does appear to work for outgoing mail. Now, my email from the server is from the address above (xxx).
The reverse lookup still fails however. I cannot access the SMTP server using telnet. I have the port opened:
In the GUI, it shows:
Inside 192.168.1.119
Outside xxx.xxx.xxx.xxx (my public address)
Enable port translation smtp,smtp
Also, I have the Security policy set to enable traffic from any to the destination IP of my public address.
Any ideas on why I cannot access the SMTP server? BTW, I can access it from inside the firewall.
