gakhan
asked on
how to NAT my MX record to my ISP smart host using ASA5520
we have Exchange 2007 with an Edge server on the DMZ and it's configured now for sending and receiving emails and it's working fine.
but when I telnet to port 25 of my mail domain I receive the hello reply with my internal server name, so my ISP says it's not properly statically NAT-ed on my firewall / router
and it should reply with our mail domain as mail.mydomain.com
any suggestions to solve this?
this is my firewall configuration
my MX record 213.x.x.163
EDGE server 172.16.1.10
and is it correct to keep access-list inside permit ip any any
access-list outside permit icmp any any ??
ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 172.16.x.x 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.100.50 255.255.255.0
management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.71.x.x
dns name-server 212.71.x.x
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered alerts
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 213.x.x.163 smtp 172.16.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 995 192.168.1.6 995 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 587 192.168.1.6 587 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 www 192.168.1.11 www netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 citrix-ica 192.168.1.11 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 2598 192.168.1.11 2598 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50389 172.16.1.10 50389 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50636 172.16.1.10 50636 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.x.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
default-domain value mydomain.com
webvpn
vpn-group-policy test
webvpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool test-pool
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:53f1757178a72c9e5d642f93fee27d1c
: end
ASKER
thanks for your quick reply, I tried this but when I reach "inspect" I couldn't add smtp, it gives invalid input
when I try "?" there is no smtp, only esmtp
any suggestions ??
thanks again
Sorry, esmtp is correct.
In your Edge Server open the Exchange Management tool > Organization Configuration > Hub Transport > Send Connector > Properties
In the "Specify FQDN this connector will provide in response to HELO or EHLO" field
enter the FQDN of your MX record (note: to avoid reverse DNS problems make sure your ISP has set up a PTR record for the A record that this MX record points to).
ASKER
sorry to tell it's not working yet with these two solutions
I still receive the emails from the firewall outside port IP "which is a public IP" and with my internal exchange server name
of course in the hello msg it's still the same
please, if someone can show how the static NAT should be between an Exchange 2007 and the MX public IP
with the related access lists?
thanks
My apologies. I initially misunderstood the problem.
I believe PeteLong's solution is correct, but you must be running Exchange 2007 SP1 or later. There's a bug in the Gold version.
ASKER
I will try to explain my problem again
1st issue is: when I send emails to outside it shows that they are received from the IP of my firewall outside port, not from my MX IP.
2nd issue is: when I try to hello mail.mymailserver.com the reply comes with my internal exchange server name, also with the outside port IP of the firewall, not the MX IP.
and our ISP smarthost says it's not secure to be like this and it's not NAT-ed correctly
outside port IP : 213.x.x.109
MX-IP : 213.x.x.163
and by the way I already tested PeteLong's solution ... nothing changed
any experts help please?
access-list NAT-SMTP extended permit tcp any any ex 25
no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (DMZ) 1 0.0.0.0 0.0.0.0
global (outside) 1 213.x.x.163
nat (inside) 1 access-list NAT-SMTP
nat (DMZ) 1 access-list NAT-SMTP
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
Oops. Access-list should be:
access-list NAT-SMTP extended permit tcp any any eq 25
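Added illustration, not from this thread or from Cisco: a small Python model of the ASA 7.0 translation order (static PAT, then policy NAT, then dynamic PAT) showing which public address an outbound SMTP connection from the Edge server carries under the asker's original config versus the policy-NAT change above. The remote MX 203.0.113.25 and the ephemeral source port are constructed; the public addresses are the page's own placeholders.

```python
from dataclasses import dataclass

# Constructed model of ASA 7.x NAT evaluation for one outbound flow.
# A "static tcp" port redirection only matches a flow whose *source* is
# local_ip:port, which is why an SMTP session the Edge server initiates
# (ephemeral source port) falls through to the catch-all interface PAT.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

def static_pat(global_ip, local_ip, port):
    """static (DMZ,outside) tcp GLOBAL port LOCAL port"""
    return lambda f: global_ip if (f.src_ip, f.src_port) == (local_ip, port) else None

def policy_nat(global_ip, acl):
    """nat (DMZ) n access-list ACL + global (outside) n GLOBAL"""
    return lambda f: global_ip if acl(f) else None

def dynamic_pat(global_ip):
    """nat (DMZ) n 0.0.0.0 0.0.0.0 + global (outside) n interface"""
    return lambda f: global_ip

def translate(rules, flow):
    """Return the public source address the remote side will see."""
    for rule in rules:
        hit = rule(flow)
        if hit:
            return hit
    return flow.src_ip  # untranslated (unreachable with a catch-all PAT)

EDGE = "172.16.1.10"        # Edge server (from the thread)
MX_IP = "213.x.x.163"       # MX address placeholder (from the thread)
OUTSIDE_IF = "213.x.x.109"  # outside interface placeholder (from the thread)

# Original config: port-25 static redirection plus catch-all interface PAT.
BEFORE = [static_pat(MX_IP, EDGE, 25), dynamic_pat(OUTSIDE_IF)]

# Proposed config: access-list NAT-SMTP (dst port 25) policy-NATed to the
# MX address, everything else still PATed to the outside interface.
AFTER = [static_pat(MX_IP, EDGE, 25),
         policy_nat(MX_IP, lambda f: f.dst_port == 25),
         dynamic_pat(OUTSIDE_IF)]

def source_seen_by_remote(rules, dst_port=25):
    """Outbound session from the Edge server with an ephemeral source port."""
    flow = Flow(EDGE, 50123, "203.0.113.25", dst_port)  # constructed remote MX
    return translate(rules, flow)
```

With the original rules the remote MX (and the ISP smart host) logs 213.x.x.109; with the policy NAT it logs 213.x.x.163, while non-SMTP traffic keeps using the interface address.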
ASKER CERTIFIED SOLUTION
class inspection_default
inspect smtp
http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/overvw.html#wp1002503