Cisco ASA 5505 and mail server in inside network, outgoing mail IP address

Posted on 2008-11-18
Last Modified: 2015-05-04

So, this is my first ASA... a little bit of help needed:

I have a Cisco ASA 5505 and two public IP addresses, one for the outside interface, one for the incoming mail server. I have configured static NAT rules on the ASA and incoming mail is working OK, but when I send mail, e.g. from Outlook Web Access 2007, and look at the message source when it arrives at its destination, the "Received: from" field shows my outside interface IP address. Is it possible to change it to my public mail server address? Add a NAT rule to the ASA, I think?

Is this a problem? Should I fix it? :)

Sorry for my bad English.... :)

Question by:Ippes
    LVL 2

    Accepted Solution


    Hi Ippes...

    Yes, it sounds like your mail server is using your general PAT pool when making connections to the outside. By using the PAT pool, your mail server will use the IP address assigned to the outside interface.

    What you would want to do is set up a 1-to-1 NAT between your secondary public IP address and the inside address of your mail server.  For example, if your secondary public IP address is and your inside mail server is, the statement would be something like this:

    static (inside,outside) netmask

    This will set up the 1-to-1 translation between your secondary public IP and your mail server.  

    Now, once you've got this new NAT set up, you'll need to modify your outside access rules to allow for the new address.  So, something like this:

    access-list outside_access_in extended permit tcp any host eq smtp

    This statement says allow any outside host to reach your mail server using tcp/25 (smtp).  Note that we're now allowing smtp traffic to your secondary public IP address.

    Hope this helps!
    LVL 9

    Expert Comment

    You can set up a static NAT rule the exact opposite of the one you have. It would make the mail server have the address you are looking for.

    If mail is flowing I would not bother, but that is just me.

    Author Comment

    OK, thanks for your answers. About dano2112's solution, as far as I can remember I have tried that, but I should try it again when I get to the office.

    And for hodgeyohn, what would be the opposite of this NAT rule:

    static (inside,outside) tcp https https netmask

    I have this rule in use now... and yes, mail is flowing OK, so maybe it's better to leave it as it is :)
    LVL 9

    Expert Comment

    Your call. I was suggesting that you can turn the NAT rule around.
    LVL 2

    Expert Comment



    If you tried adding a second NAT already and it didn't work, it may have been because there was still an active translation in the ASA's translation table. From an enable prompt, you can enter asa#clear xlate or you can bounce the ASA. That should clear any active translations for your mail server and it should then start using the other public IP that you specified in the additional NAT statement.

    You could certainly just leave this alone but depending on how your DNS records are configured, some receiving systems may reject some of your mail if those systems perform reverse-DNS lookups and find an IP address that they weren't expecting to find.

    You may want to verify what IP your MX record is currently pointing to and then you may also want to find out if you have any current PTR (reverse DNS) records created for your mail server.  If both of those are currently pointing to the IP address that you have assigned to the outside interface, then yes, I would just leave the configuration alone at that point.

    Or, if you really wanted to keep the mail server on its own address, you could redefine your global PAT pool to use the other public IP address instead of the one assigned to the outside interface.

    Again, if you're receiving mail okay AND you don't have any remote systems rejecting your messages, then you should be okay.

    Hope this helps...
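As an added example (not from the thread), the forward/reverse DNS check dano2112 describes above, run offline against a constructed record table using RFC 5737 documentation addresses: it pulls the connecting IP out of a "Received:" header and reports whether a receiving MTA doing reverse-DNS checks would find a matching PTR and MX host for it. The domain names, addresses and records are assumptions for illustration only.

```python
import re
from dataclasses import dataclass, field

# Constructed zone data using RFC 5737 documentation addresses
# (not the asker's real addresses).
OUTSIDE_IF_IP = "203.0.113.1"   # ASA outside interface, i.e. the global PAT address
MAIL_PUBLIC_IP = "203.0.113.2"  # secondary public IP for the 1-to-1 static NAT

RECORDS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): [MAIL_PUBLIC_IP],
    ("2.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
    # deliberately no PTR for the outside interface address
}


def lookup(name, rtype, table=RECORDS):
    """Offline stand-in for a DNS resolver; returns a list of rdata strings."""
    return table.get((name, rtype), [])


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def source_ip_from_received(header):
    """Pull the bracketed connecting IP out of a Received: header line."""
    m = RECEIVED_IP.search(header)
    return m.group(1) if m else None


@dataclass
class Finding:
    ok: bool
    problems: list = field(default_factory=list)


def check_outbound_source(domain, source_ip, resolve=lookup):
    """What a receiving MTA doing reverse-DNS checks sees for SMTP
    connections arriving from source_ip on behalf of domain."""
    problems = []
    ptr_names = resolve(reverse_name(source_ip), "PTR")
    if not ptr_names:
        problems.append(f"no PTR record for {source_ip}")
    # Forward-confirmed reverse DNS: the PTR name must resolve back to source_ip.
    elif not any(source_ip in resolve(n, "A") for n in ptr_names):
        problems.append(f"PTR name for {source_ip} does not resolve back to it")
    mx_ips = [ip for mx in resolve(domain, "MX") for ip in resolve(mx, "A")]
    if source_ip not in mx_ips:
        problems.append(f"{source_ip} is not an address of any MX host for {domain}")
    return Finding(not problems, problems)
```

Feeding it a constructed header such as `Received: from mail.example.com (mail.example.com [203.0.113.1]) by mx.recipient.example` reproduces the thread's situation: the PAT address fails both checks, while the 1-to-1 NAT address passes.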

    Author Comment

    Is there some kind of security risk in making "full NAT" instead of just doing PAT like I have done now? That mail server is also my DC and GC (yeah, I know, Microsoft doesn't recommend this, but in SMB circles this is the only option).

    Is it possible to make a "reverse" PAT rule that only translates outgoing SMTP traffic from my mail server's public IP address?

    My MX record is pointing to my mail server's public IP address, not the outside interface; reverse DNS is also pointing to the mail server IP address, so these are OK.

    Those reverse DNS checks are the reason why I'm asking this question; no problems so far, but if these checks become popular then this is a problem.


    LVL 9

    Expert Comment

    The main reason to PAT is if you do not have sufficient live Internet IP addresses for what you are trying to do.
    There is not a security reason.
    I would only allow the access list, or conduit, for the services you are intending.

    Expert Comment

    I was having the same issue and this solution worked for me!
