We help IT Professionals succeed at work.

ASA and setting outbound email IP

entserv asked
Last Modified: 2010-04-09
We are using the Cisco ASA and using Exchange server.  Currently our MX record points to another server that forwards mail to the inside Exchange server.  What I want to do is make that when mail is sent out from Exchange that the ASA uses the same IP as what's on the MX record instead of the firewall IP.  This is to make sure that any email servers that do reverse MX lookups will accept our mail properly.  How would I best accomplish this via NAT - would I make a global pool for the outside IP?  I though a static one to one would work but I'm not sure that's correct.  I get a little confused when talkinig about Dynamic NAT since I thought Dynamic was one to many and I would think a NAT from the Exchange server to an outside IP would be one to one?  I'm probably confusing myself the more I type - any suggestions greatly appreciated!!
Watch Question


What you are asking is not necessary. The only important thing is that when your server sends mail outside the hame it gives in the HELO/EHLO command matches the IP address it is connecting from. A reverse DNS lookup on the IP should also refer back to the same name.
Having a different set of servers for receiving and sending mail is extremely common and so it would not be expected that the server sending mail from a domain would be in the MX list for that domain.

How would you like to proceed?
If you post your pix configuration I can give you the commands to do as you originally asked or if you are having a problem with some of your mail being classed as spam or rejected I can help you out with that aswell.


Well that's what I would have expected too.  What I believe happened - and this was a few years ago - but we had problems sending emails to AOL (I'm porting over the setup from another firewall to the ASA).  After a little investigation I saw some information that indicated that AOL would only accept email from a site where the MX record is the same as the outbound email IP.  Once we changed that we had no difficulty.  I believe that was the only provider we had issues with.  I believe it was related to trying to combat spam - perhaps that's been changed now.  Does this make sense what I'm describing?

It is possible. If it was a few years ago then it would definetly have changed since SPF has been established since then and AOL would use it. SPF is where you publish a list of machines which are permitted to send email from your domain. Any mail pretending to be from your domain which does not come from a machine in that list can be rejected.

I have links and some infor about this on my website at http://www.gbnetwork.co.uk:/mailscanner (whitelist section).


We do have an SPF record so I think I'll see if that alone is enough, otherwise maybe I can check back later and go from there.  AOL has always been a tough provider to email to so it wouldn't surprise me if things are different now than even a few months ago.  Thanks for the help!
Unlock this solution and get a sample of our free trial.
(No credit card required)
Forced accept.

EE Admin

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.