Solved

Cisco ASA 5505 and mail server in inside network, outgoing mail ip-address

Posted on 2008-11-18
Last Modified: 2015-05-04
Hi!

So, this is my first ASA... a little bit of help needed:

I have a Cisco ASA 5505 and two public IP addresses, one for the outside interface and one for the incoming mail server. I have configured static NAT rules on the ASA and incoming mail is working OK, but when I send mail, i.e. from Outlook Web Access 2007, and look at the message source when it reaches its destination, the "Received: from" field shows my outside interface IP address. Is it possible to change it to my public mail server address? Add a NAT rule to the ASA, I think?

Is this a problem? Should I fix it? :)

Sorry for my bad English.... :)

 
0
Comment
Question by:Ippes
8 Comments
 
LVL 2

Accepted Solution

by:
dano2112 earned 375 total points
ID: 22988369

Hi Ippes...

Yes, it sounds like your mail server is using your general PAT pool when making connections to the outside.  By using the PAT pool, your mail server will use the IP address assigned to the outside interface.

What you would want to do is set up a 1-to-1 NAT between your secondary public IP address and the inside address of your mail server.  For example, if your secondary public IP address is 1.1.1.2 and your inside mail server is 10.1.1.2, the statement would be something like this:

static (inside,outside) 1.1.1.2 10.1.1.2 netmask 255.255.255.255

This will set up the 1-to-1 translation between your secondary public IP and your mail server.  

Now, once you've got this new NAT set up, you'll need to modify your outside access rules to allow for the new address.  So, something like this:

access-list outside_access_in extended permit tcp any host 1.1.1.2 eq smtp

This statement says allow any outside host to reach your mail server using tcp/25 (smtp).  Note that we're now allowing smtp traffic to your secondary public IP address.

Hope this helps!
0
 
LVL 9

Expert Comment

by:hodgeyohn
ID: 22988377
You can set up a static NAT rule that is the exact opposite of the one you have. It would make the mail server have the address you are looking for.

If mail is flowing I would not bother, but that is just me.
0
 

Author Comment

by:Ippes
ID: 22989140
OK, thanks for your answers. About dano2112's solution: as far as I can remember I have tried that, but I should try it again when I get to the office.

And for hodgeyohn, what would be the opposite of this NAT rule:

static (inside,outside) tcp 62.106.12.2 https 192.168.1.10 https netmask 255.255.255.255

I have this rule in use now... and yes, mail is flowing OK, so maybe it is better to leave it as it is :)
0
 
LVL 9

Expert Comment

by:hodgeyohn
ID: 22989152
Your call. I was suggesting that you can turn the NAT rule around.
0
 
LVL 2

Expert Comment

by:dano2112
ID: 22990139

Ippes...

If you tried adding a second NAT already and it didn't work, it may have been because there was still an active translation in the ASA's translation table.  From an enable prompt, you can enter asa# clear xlate or you can bounce the ASA.  That should clear any active translations for your mail server and it should then start using the other public IP that you specified in the additional NAT statement.

You could certainly just leave this alone but depending on how your DNS records are configured, some receiving systems may reject some of your mail if those systems perform reverse-DNS lookups and find an IP address that they weren't expecting to find.

You may want to verify what IP your MX record is currently pointing to and then you may also want to find out if you have any current PTR (reverse DNS) records created for your mail server.  If both of those are currently pointing to the IP address that you have assigned to the outside interface, then yes, I would just leave the configuration alone at that point.

Or, if you really wanted to keep the mail server on its own address, you could redefine your global PAT pool to use the other public IP address instead of the one assigned to the outside interface.

Again, if you're receiving mail okay AND you don't have any remote systems rejecting your messages, then you should be okay.

Hope this helps...
0
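The check described in the answer above, as an added example that is not part of the original thread: it reads the Received headers of a delivered message to find the address the mail actually left from, then compares it with MX and PTR data looked up separately. The message and DNS data are constructed; 1.1.1.2 and 10.1.1.2 are the answer's example addresses, while 1.1.1.1 as the outside-interface address and all host names are assumptions.

```python
import email
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed message as stored by a recipient; newest Received header first.
# 1.1.1.2 / 10.1.1.2 come from the answer's example; 1.1.1.1 (outside
# interface, i.e. the PAT address) and the host names are assumptions.
SAMPLE = (
    "Received: from mail.example.com (unknown [1.1.1.1])\n"
    "\tby mx.recipient.example with ESMTP; Tue, 18 Nov 2008 10:00:01 +0000\n"
    "Received: from owa.example.local ([10.1.1.2])\n"
    "\tby mail.example.com; Tue, 18 Nov 2008 10:00:00 +0000\n"
    "From: a@example.com\nTo: b@recipient.example\nSubject: test\n\nbody\n"
)

def egress_ip(raw_message):
    """Return the first non-RFC1918 peer address, walking hops oldest to newest."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    for header in reversed(received):
        for candidate in re.findall(r"\[([0-9a-fA-F.:]+)\]", header):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # bracketed text that is not an address
            if not any(ip in net for net in RFC1918):
                return str(ip)
    return None

def check_alignment(egress, mx_ips, ptr, forward):
    """Compare the observed egress IP with DNS data gathered separately.

    mx_ips: addresses the MX host resolves to; ptr: {ip: name};
    forward: {name: [ips]} for confirming the PTR name resolves back.
    """
    findings = []
    if egress not in mx_ips:
        findings.append(f"egress {egress} differs from MX address(es) {sorted(mx_ips)}")
    name = ptr.get(egress)
    if name is None:
        findings.append(f"no PTR record for {egress}")
    elif egress not in forward.get(name, []):
        findings.append(f"PTR {name} does not resolve back to {egress}")
    return findings
```

Run it against a test message sent to an outside mailbox before and after changing the NAT; an empty result means outbound mail leaves from the address that the MX and PTR records describe.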
 

Author Comment

by:Ippes
ID: 22992372
Hi!
Is there some kind of security risk in doing "full NAT" instead of just doing PAT like I have done now? That mail server is also my DC and GC (yeah, I know, Microsoft doesn't recommend this, but in SMB circles this is the only option).

Is it possible to make a "reverse" PAT rule that only transfers outgoing SMTP traffic from my mail server's public IP address?

My MX record is pointing to my mail server's public IP address, not the outside interface, and reverse DNS is also pointing to the mail server's IP address, so these are OK.

Those reverse DNS checks are the reason why I'm asking this question. No problems so far, but if these checks become popular then this is a problem.

Thanks.


0
 
LVL 9

Expert Comment

by:hodgeyohn
ID: 22995637
The main reason to PAT is if you do not have sufficient internet live IP addresses for what you are trying to do.
There is not a security reason.
I would only allow the access list, or conduit, for the services you are intending.
0
 

Expert Comment

by:platotld
ID: 40759002
I was having the same issue and this solution worked for me!
0

Question has a verified solution.
