Cisco ASA 5505 and mail server on the inside network: outgoing mail IP address


So, this is my first ASA... a little bit of help needed:

I have a Cisco ASA 5505 and two public IP addresses, one for the outside interface and one for the incoming mail server. I have configured static NAT rules on the ASA and incoming mail is working OK, but when I send mail, e.g. from Outlook Web Access 2007, and look at the message source when it arrives at its destination, the "Received: from" field shows my outside interface IP address. Is it possible to change it to my public mail server address? Add a NAT rule to the ASA, I think?

Is this a problem? Should I fix it? :)

Sorry for my bad English.... :)

Hi lppes...

Yes, it sounds like your mail server is using your general PAT pool when making connections to the outside.  By using the PAT pool, your mail server will use the IP address assigned to the outside interface.

What you would want to do is set up a 1-to-1 NAT between your secondary public IP address and the inside address of your mail server.  For example, if your secondary public IP address is and your inside mail server is, the statement would be something like this:

static (inside,outside) netmask

This will set up the 1-to-1 translation between your secondary public IP and your mail server.  

Now, once you've got this new NAT set up, you'll need to modify your outside access rules to allow for the new address.  So, something like this:

access-list outside_access_in extended permit tcp any host eq smtp

This statement says allow any outside host to reach your mail server using tcp/25 (smtp).  Note that we're now allowing smtp traffic to your secondary public IP address.

Hope this helps!
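The one-to-one static and the matching inbound rule described in the answer above, written out as an added example with assumed addresses; this is not the thread's own configuration. It uses the pre-8.3 ASA syntax the answer uses (static/nat/global; 8.3 and later use object NAT instead). The addresses 203.0.113.1 (outside interface), 203.0.113.2 (second public IP) and 192.168.1.10 (inside mail server) are placeholders from the documentation ranges, and the access-list name is the one from the answer. Two assumptions are built in: that the existing inbound rules are per-port statics (as the asker's later "tcp ... https https" line suggests), and that the ASA refuses a full static whose mapped address overlaps them, so they are removed first.

```cisco
! Added example, not from the thread. Assumed addresses (documentation ranges):
!   203.0.113.1  = outside interface, also the general PAT address
!   203.0.113.2  = second public IP, reserved for the mail server
!   192.168.1.10 = inside mail server
!
! Existing general PAT: every inside host leaves as the outside interface
! address. Outbound SMTP from the mail server currently matches this, which
! is why the "Received:" header shows 203.0.113.1.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! Assumed existing per-port statics. Remove them first: a full static for the
! same mapped address overlaps them and is rejected (assumption, see lead-in).
no static (inside,outside) tcp 203.0.113.2 smtp 192.168.1.10 smtp netmask 255.255.255.255
no static (inside,outside) tcp 203.0.113.2 https 192.168.1.10 https netmask 255.255.255.255
!
! One-to-one static. Static translations are evaluated before nat/global,
! so connections opened *by* 192.168.1.10 now leave with source 203.0.113.2
! as well, not just the connections coming in to it.
static (inside,outside) 203.0.113.2 192.168.1.10 netmask 255.255.255.255
!
! The static maps every port of the host; the interface ACL is the only thing
! limiting exposure. Permit just the services the host is meant to offer.
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq https
access-group outside_access_in in interface outside
!
! Exec (enable) mode, not configuration mode: drop the cached PAT entry for
! the mail server so the next outbound connection builds a new translation,
! then confirm which mapped address it now uses.
clear xlate local 192.168.1.10
show xlate | include 192.168.1.10
```

After the `clear xlate`, send a test message to an external mailbox and read the "Received:" header again: it should now carry 203.0.113.2, the address the MX and PTR records point at.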

You can set up a static NAT rule the exact opposite of the one you have. It would make the mail server have the address you are looking for.

If mail is flowing I would not bother, but that is just me.
IppesAuthor Commented:
OK, thanks for your answers. About dano2112's solution, as far as I can remember I have tried that, but I should try it again when I get to the office.

And for hodgeyohn, what would be the opposite of this NAT rule:

static (inside,outside) tcp https https netmask

I have this rule in use now... and yes, mail is flowing OK, so maybe it is better to leave it as it is :)
Your call. I was suggesting that you can turn the NAT rule around.


If you tried adding a second NAT already and it didn't work, it may have been because there was still an active translation in the ASA's translation table. From an enable prompt, you can enter "clear xlate" (asa# clear xlate) or you can bounce the ASA. That should clear any active translations for your mail server and it should then start using the other public IP that you specified in the additional NAT statement.

You could certainly just leave this alone but depending on how your DNS records are configured, some receiving systems may reject some of your mail if those systems perform reverse-DNS lookups and find an IP address that they weren't expecting to find.

You may want to verify what IP your MX record is currently pointing to and then you may also want to find out if you have any current PTR (reverse DNS) records created for your mail server.  If both of those are currently pointing to the IP address that you have assigned to the outside interface, then yes, I would just leave the configuration alone at that point.

Or, if you really wanted to keep the mail server on its own address, you could redefine your global PAT pool to use the other public IP address instead of the one assigned to the outside interface.

Again, if you're receiving mail okay AND you don't have any remote systems rejecting your messages, then you should be okay.

Hope this helps...
IppesAuthor Commented:
Is there some kind of security risk in making a "full NAT" instead of just doing PAT like I have done now? That mail server is also my DC and GC (yeah, I know, Microsoft doesn't recommend this, but in SMB circles this is the only option).

Is it possible to make a "reverse" PAT rule that only transfers outgoing SMTP traffic from my mail server public IP address?

My MX record is pointing to my mail server public IP address, not the outside interface, and reverse DNS is also pointing to the mail server IP address, so these are OK.

Those reverse DNS checks are the reason why I'm asking this question; no problems so far, but if these checks become popular then this is a problem.


The main reason to PAT is if you do not have sufficient live Internet IP addresses for what you are trying to do.
There is not a security reason.
I would only allow the access list, or conduit, for the services you are intending.
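The asker's question about a "reverse" rule that translates only outgoing SMTP, together with the advice above to permit only the intended services on a host that is also a DC/GC, can be met with policy static NAT. The block below is an added example with assumed addresses (203.0.113.2 for the mail server's public IP, 192.168.1.10 for the inside host), not configuration from the thread; the thread never shows policy NAT, so this is a technique swapped in here. It uses pre-8.3 syntax. Assumption: the ASA accepts the policy static alongside the existing per-port statics (if it reports a mapped-address overlap, the per-port statics have to be replaced, which is the approach in the earlier answer).

```cisco
! Added example, not from the thread. Assumed addresses:
!   203.0.113.2  = mail server's public IP
!   192.168.1.10 = inside mail server (also DC/GC in the asker's case)
!
! Why the existing inbound port static does not change outbound mail: it
! translates 192.168.1.10 *port 25* only. An outbound SMTP connection is
! sourced from an ephemeral port, so it never matches this line and falls
! through to the nat/global PAT pool (the outside interface address).
static (inside,outside) tcp 203.0.113.2 smtp 192.168.1.10 smtp netmask 255.255.255.255
!
! Policy static NAT: translate 192.168.1.10 to 203.0.113.2 only for traffic
! that matches the ACL, i.e. connections the host opens to TCP/25 anywhere.
! Everything else it sends (DNS, AD replication to a partner site, updates)
! still leaves via the PAT pool, and no additional ports are mapped inbound;
! inbound reachability stays limited to the per-port statics.
access-list MAIL_OUT_SMTP extended permit tcp host 192.168.1.10 any eq smtp
static (inside,outside) 203.0.113.2 access-list MAIL_OUT_SMTP
!
! Inbound ACL: only the ports this DC/GC is meant to serve publicly. Nothing
! here permits LDAP, Kerberos, SMB or RPC from the outside.
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq https
access-group outside_access_in in interface outside
!
! Exec mode: flush the cached PAT entry, send a test message, then check
! that the mail server's outbound SMTP flow now shows the 203.0.113.2 mapping.
clear xlate local 192.168.1.10
show xlate | include 192.168.1.10
```

Policy statics are evaluated before regular statics and before nat/global, so once the cached translation is cleared the next outbound SMTP session from the host picks up 203.0.113.2 while every other outbound flow from it keeps using the PAT pool.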