Solved

how to NAT my MX record to my ISP smart host using ASA5520

Posted on 2009-04-06
11
691 Views
Last Modified: 2012-05-06
We have Exchange 2007 with an Edge server on the DMZ, and it is now configured for sending and receiving emails and it's working fine.
But when I telnet to port 25 of my mail domain I receive the hello reply with my internal server name, so my ISP says that it's not properly statically NAT-ed on my firewall / router,
and it should reply with our mail domain as mail.mydomain.com.
Any suggestions to solve this?
This is my firewall configuration.
My MX record: 213.x.x.163
EDGE server: 172.16.1.10

And is it correct to keep access-list inside permit ip any any
and access-list outside permit icmp any any??
ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
 
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.100.50 255.255.255.0
 management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.71.x.x
dns name-server 212.71.x.x
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
 
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered alerts
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
 
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 213.x.x.163 smtp 172.16.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 995 192.168.1.6 995 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 587 192.168.1.6 587 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 www 192.168.1.11 www netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 citrix-ica 192.168.1.11 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 2598 192.168.1.11 2598 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50389 172.16.1.10 50389 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50636 172.16.1.10 50636 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.x.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 default-domain value mydomain.com
 webvpn
 vpn-group-policy test
 webvpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool test-pool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:53f1757178a72c9e5d642f93fee27d1c
: end


0
Question by:gakhan
11 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 24077574
policy-map global_policy
 class inspection_default
 inspect smtp

http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/overvw.html#wp1002503
0
 

Author Comment

by:gakhan
ID: 24077983
Thanks for your quick reply. I tried this, but when I reach "inspect" I couldn't add smtp; it gives "invalid input".
When I try "?" there is no smtp, there's only esmtp.

Any suggestions??
Thanks again.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24078840
Sorry, esmtp is correct.
0

 
LVL 57

Expert Comment

by:Pete Long
ID: 24085419
On your Edge Server open the Exchange Management tool > Organization Configuration > Hub Transport > Send Connector > Properties.
In "Specify the FQDN this connector will provide in response to HELO or EHLO",
enter the FQDN of your MX record (note: to avoid reverse DNS problems, make sure your ISP has set up a PTR record for the A record that this MX record points to).
0
 

Author Comment

by:gakhan
ID: 24088144
Sorry to tell you it's not working yet with these two solutions.
I still receive the emails from the firewall outside port IP (which is a public IP) and with my internal Exchange server name;
of course the hello message is still the same.
Please, if someone can show how the static NAT should be between an Exchange 2007 server and the MX public IP,
with the related access lists?
Thanks.
0
 
LVL 28

Expert Comment

by:asavener
ID: 24088667
My apologies.  I initially misunderstood the problem.

I believe PeteLong's solution is correct, but you must be running Exchange 2007 SP1 or later.  There's a bug in the Gold version.
0
 

Author Comment

by:gakhan
ID: 24094632
I will try to explain my problem again.
1st issue: when I send emails to the outside, it shows that they are received from the IP of my firewall's outside port, not from my MX IP.
2nd issue: when I try to hello mail.mymailserver.com, the reply comes with my internal Exchange server name and also with the outside port IP of the firewall, not the MX IP.
And our ISP smarthost says it's not secure to be like this and it's not NAT-ed correctly.
Outside port IP: 213.x.x.109
MX IP: 213.x.x.163
And by the way, I already tested PeteLong's solution ... nothing changed.
Any experts help please?
0
 
LVL 28

Expert Comment

by:asavener
ID: 24096427

access-list NAT-SMTP extended permit tcp any any ex 25

no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (DMZ) 1 0.0.0.0 0.0.0.0
 
global (outside) 1 213.x.x.163
nat (inside) 1 access-list NAT-SMTP
nat (DMZ) 1 access-list NAT-SMTP
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
 
 
0
 
LVL 28

Expert Comment

by:asavener
ID: 24096434
Oops.  Access-list should be:

access-list NAT-SMTP extended permit tcp any any eq 25
0
 

Accepted Solution

by:
gakhan earned 0 total points
ID: 24148049
Hello again experts,
after a long time of searching and testing we found the problem, and we solved it as below:
you can see that our static NATs are assigned with ports, and all our access-lists are assigned with ports as well ... so this was the problem. Once we made the static NAT from public IP to local IP without assigning ports on the static NAT, and kept the access-lists as they are (with ports assigned), it worked fine; now we are receiving from our MX-record IP, not from the outside interface IP.
But unfortunately we are still receiving it with our local Exchange server name, so any suggestions for Exchange configuration here?
0
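The two symptoms the thread separates (outbound mail sourced from the wrong address, and the greeting/EHLO reply announcing the internal Edge server name, plus the PTR record Pete Long mentions) can be checked from the outside before involving the ISP. The script below is an added example, not code from the thread or from Cisco or Microsoft: it connects to the MX host on port 25, records the 220 greeting and the first line of the EHLO reply, and compares the announced hostname with the name the MX record points at, then checks that the PTR for the address and the forward lookup of that name agree. `mail.mydomain.com`, the probe name, the `203.0.113.163` placeholder (the thread masks the real address as 213.x.x.163) and the sample replies are all assumptions constructed for the example.

```python
"""Check what an MX host announces on port 25 and whether DNS agrees with it.

Added example for the Experts Exchange thread; not the poster's or a vendor's code.
Names, addresses and sample replies below are constructed assumptions.
"""
import re
import socket
import sys

EXPECTED_FQDN = "mail.mydomain.com"   # assumed: the name the MX record points at
MX_HOST = "203.0.113.163"             # placeholder; the thread masks the real IP as 213.x.x.163

# Constructed sample replies: the first pair leaks an internal name as in the thread,
# the second pair is what a correctly configured Edge server would answer.
SAMPLE_BAD_GREETING = "220 EXCH-EDGE01.corp.local Microsoft ESMTP MAIL Service ready"
SAMPLE_BAD_EHLO = "250-EXCH-EDGE01.corp.local Hello [198.51.100.7]"
SAMPLE_GOOD_GREETING = "220 mail.mydomain.com Microsoft ESMTP MAIL Service ready"
SAMPLE_GOOD_EHLO = "250-mail.mydomain.com Hello [198.51.100.7]"

REPLY_RE = re.compile(r"^(\d{3})[ -](\S*)")


def parse_reply_line(line):
    """Split an SMTP reply line into (code, first word). The first word is the
    server's announced hostname in a 220 greeting and in the first EHLO reply line."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None, None
    return int(m.group(1)), m.group(2)


def hostname_problems(greeting, ehlo_first_line, expected_fqdn):
    """Return a list of findings; an empty list means both announced names match."""
    findings = []
    for label, line, want_code in (("greeting", greeting, 220),
                                   ("EHLO reply", ehlo_first_line, 250)):
        code, host = parse_reply_line(line)
        if code != want_code:
            findings.append(f"{label}: expected {want_code}, got {line!r}")
            continue
        if host.lower() != expected_fqdn.lower():
            findings.append(f"{label}: announces {host!r}, expected {expected_fqdn!r}")
    return findings


def reverse_dns_problems(ip, expected_fqdn):
    """Check that the PTR for ip is expected_fqdn and that the name resolves back to ip.
    Needs live DNS, so it is not exercised by the offline checks."""
    findings = []
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except socket.herror as e:
        return [f"no PTR for {ip}: {e}"]
    if ptr.lower() != expected_fqdn.lower():
        findings.append(f"PTR for {ip} is {ptr!r}, expected {expected_fqdn!r}")
    try:
        fwd = socket.gethostbyname(expected_fqdn)
    except socket.gaierror as e:
        return findings + [f"{expected_fqdn} does not resolve: {e}"]
    if fwd != ip:
        findings.append(f"{expected_fqdn} resolves to {fwd}, not {ip}")
    return findings


def read_reply(fh):
    """Read one possibly multi-line SMTP reply; the final line has a space after the code."""
    lines = []
    while True:
        raw = fh.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return lines


def fetch_greeting_and_ehlo(host, port=25, timeout=10, probe_name="probe.example.net"):
    """Connect, collect the greeting, send EHLO, collect the reply, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        fh = s.makefile("rb")
        greeting = read_reply(fh)
        s.sendall(f"EHLO {probe_name}\r\n".encode("ascii"))
        ehlo = read_reply(fh)
        s.sendall(b"QUIT\r\n")
        read_reply(fh)
    return greeting, ehlo


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else MX_HOST
    greeting, ehlo = fetch_greeting_and_ehlo(target)
    problems = hostname_problems(greeting[0] if greeting else "",
                                 ehlo[0] if ehlo else "", EXPECTED_FQDN)
    problems += reverse_dns_problems(target, EXPECTED_FQDN)
    print("\n".join(problems) or f"OK: greeting, EHLO reply and PTR all agree on {EXPECTED_FQDN}")
```

Run it from a host outside the firewall (`python3 check_mx.py 203.0.113.163`, with the real MX address), because from the inside the static NAT is not traversed and the result says nothing about what the ISP's smart host sees. Whether outbound mail leaves from the MX address rather than the outside interface address is only visible on the receiving side, in the Received: header of a message sent to an external mailbox.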
