Solved

how to NAT my MX record to my ISP smart host using ASA5520

Posted on 2009-04-06
678 Views
Last Modified: 2012-05-06
We have Exchange 2007 with an Edge server in the DMZ, and it is now configured for sending and receiving emails and it's working fine.
But when I telnet to port 25 of my mail domain I receive the HELO reply with my internal server name, so my ISP says that it's not properly statically NAT-ed on my firewall / router,
and it should reply with our mail domain as mail.mydomain.com.
Any suggestions to solve this?
This is my firewall configuration.
My MX record: 213.x.x.163
EDGE server: 172.16.1.10

And is it correct to keep access-list inside permit ip any any
and access-list outside permit icmp any any??
ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.100.50 255.255.255.0
 management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.71.x.x
dns name-server 212.71.x.x
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered alerts
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 213.x.x.163 smtp 172.16.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 995 192.168.1.6 995 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 587 192.168.1.6 587 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 www 192.168.1.11 www netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 citrix-ica 192.168.1.11 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 2598 192.168.1.11 2598 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50389 172.16.1.10 50389 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50636 172.16.1.10 50636 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.x.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 default-domain value mydomain.com
 webvpn
 vpn-group-policy test
 webvpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool test-pool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:53f1757178a72c9e5d642f93fee27d1c
: end

Question by:gakhan
11 Comments
 
LVL 28

Expert Comment

by:asavener
policy-map global_policy
 class inspection_default
 inspect smtp

http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/overvw.html#wp1002503
0
 

Author Comment

by:gakhan
Thanks for your quick reply. I tried this, but when I reach "inspect" I couldn't add smtp; it gives invalid input.
When I try "?" there is no smtp, only esmtp.

Any suggestions??
Thanks again
0
 
LVL 28

Expert Comment

by:asavener
Sorry, esmtp is correct.
0
 
LVL 57

Expert Comment

by:Pete Long
In your Edge Server open the Exchange Management tool > Organization Configuration > Hub Transport > Send Connector > Properties.
In "Specify FQDN this connector will provide in response to HELO or EHLO",
enter the FQDN of your MX record (note: to avoid reverse DNS problems, make sure your ISP has set up a PTR record for the A record that this MX record points to).
0
 

Author Comment

by:gakhan
Sorry to tell you it's not working yet with these two solutions.
I still receive the emails from the firewall outside port IP (which is a public IP) and with my internal Exchange server name;
of course in the HELO message it is still the same.
Please, if someone can show how the static NAT should be between an Exchange 2007 and the MX public IP,
with the related access lists?
Thanks
0
 
LVL 28

Expert Comment

by:asavener
My apologies.  I initially misunderstood the problem.

I believe PeteLong's solution is correct, but you must be running Exchange 2007 SP1 or later.  There's a bug in the Gold version.
0
 

Author Comment

by:gakhan
I will try to explain my problem again.
1st issue: when I send emails to outside, it shows that they are received from the IP of my firewall outside port, not from my MX IP.
2nd issue: when I try to HELO mail.mymailserver.com, the reply comes with my internal Exchange server name and also with the outside port IP of the firewall, not the MX IP.
And our ISP smarthost says it's not secure to be like this and it's not NAT-ed correctly.
outside port IP: 213.x.x.109
MX IP: 213.x.x.163
And by the way, I already tested PeteLong's solution ... nothing changed.
Any experts help please?
0
 
LVL 28

Expert Comment

by:asavener

access-list NAT-SMTP extended permit tcp any any ex 25

no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (DMZ) 1 0.0.0.0 0.0.0.0
 
global (outside) 1 213.x.x.163
nat (inside) 1 access-list NAT-SMTP
nat (DMZ) 1 access-list NAT-SMTP
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
 
 
0
 
LVL 28

Expert Comment

by:asavener
Oops.  Access-list should be:

access-list NAT-SMTP extended permit tcp any any eq 25
0
 

Accepted Solution

by:
gakhan earned 0 total points
Hello again experts,
after a long time of searching and testing we found the problem and we solved it as below:
you can see that our static NATs are assigned with ports, and all our access-lists are assigned with ports as well ... so this was the problem. Once we made the static NAT from the public IP to the local IP without assigning ports on the static NAT, and kept the access-lists as they are (with ports assigned), it works fine: now we are sending from our MX-record IP, not from the outside interface IP.
But unfortunately we are still sending it with our local Exchange server name, so any suggestions for the Exchange configuration here?
0
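To make the accepted fix (and asavener's policy-NAT alternative above) concrete, here is a small model of how an ASA 7.x picks the outbound source address for a flow: a full static covers every connection from the host, a port-restricted static (static PAT) only covers connections whose local port is the one named, policy NAT is matched through its access-list, and anything left falls through to the regular nat/global pair, which in the original config is the outside interface address. This is an added example written for this page, not Cisco's code or the thread author's; the config snippets are constructed from the thread's masked addresses (kept as literal strings) and the model deliberately ignores nat 0 exemption, identity NAT and other corner cases.

```python
import re
from typing import List, Optional

# Names the ASA prints in place of well-known port numbers.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

STATIC_PAT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
STATIC_FULL = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
NAT_POLICY = re.compile(r"^nat \((\w+)\) (\d+) access-list (\S+)")
NAT_DYN = re.compile(r"^nat \((\w+)\) (\d+) 0\.0\.0\.0 0\.0\.0\.0")
GLOBAL = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
ACL_EQ = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any any eq (\S+)")


def port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def outbound_source(config: List[str], iface: str, src_ip: str, src_port: int,
                    dst_port: int, outside_ip: str) -> Optional[str]:
    """Public address an outbound TCP flow carries after NAT, or None if no rule applies.
    Lookup order mirrors the ASA: static (full, then port-restricted), policy NAT,
    regular dynamic NAT; each nat id is resolved against its global on 'outside'."""
    full, pat, policy, dynamic, pools, acl_ports = [], [], [], [], {}, {}
    for raw in config:
        line = raw.strip()
        if m := STATIC_PAT.match(line):          # global_ip global_port local_ip local_port
            pat.append((m[1], m[2], m[4], port(m[5]), m[6], port(m[7])))
        elif m := STATIC_FULL.match(line):       # global_ip local_ip
            full.append((m[1], m[2], m[3], m[4]))
        elif m := NAT_POLICY.match(line):
            policy.append((m[1], int(m[2]), m[3]))
        elif m := NAT_DYN.match(line):
            dynamic.append((m[1], int(m[2])))
        elif m := GLOBAL.match(line):
            pools[(m[1], int(m[2]))] = outside_ip if m[3] == "interface" else m[3]
        elif m := ACL_EQ.match(line):
            acl_ports.setdefault(m[1], set()).add(port(m[3]))

    # 1. Full static: every flow from the local host, whatever port it uses.
    for s_if, d_if, gip, lip in full:
        if s_if == iface and d_if == "outside" and lip == src_ip:
            return gip
    # 2. Static PAT: only flows whose *local* port equals the configured one.
    #    An outbound SMTP session uses an ephemeral source port, so it never matches.
    for s_if, d_if, gip, _gport, lip, lport in pat:
        if s_if == iface and d_if == "outside" and lip == src_ip and lport == src_port:
            return gip
    # 3. Policy NAT: the access-list decides, lowest nat id wins.
    for n_if, nid, acl in sorted(policy, key=lambda p: p[1]):
        if n_if == iface and dst_port in acl_ports.get(acl, ()):
            return pools.get(("outside", nid))
    # 4. Regular dynamic NAT/PAT.
    for n_if, nid in sorted(dynamic, key=lambda d: d[1]):
        if n_if == iface:
            return pools.get(("outside", nid))
    return None


OUTSIDE_IP = "213.x.x.109"   # firewall outside interface, masked as in the thread
EDGE = "172.16.1.10"

# Constructed: the relevant lines of the original config (port-restricted static).
BEFORE = [
    "global (outside) 1 interface",
    "nat (DMZ) 1 0.0.0.0 0.0.0.0",
    "static (DMZ,outside) tcp 213.x.x.163 smtp 172.16.1.10 smtp netmask 255.255.255.255",
]
# Constructed: the accepted solution, a full static for the Edge server.
AFTER = [
    "global (outside) 1 interface",
    "nat (DMZ) 1 0.0.0.0 0.0.0.0",
    "static (DMZ,outside) 213.x.x.163 172.16.1.10 netmask 255.255.255.255",
]
# Constructed: asavener's policy-NAT alternative (with the corrected "eq 25").
POLICY = [
    "access-list NAT-SMTP extended permit tcp any any eq 25",
    "global (outside) 1 213.x.x.163",
    "nat (DMZ) 1 access-list NAT-SMTP",
    "global (outside) 2 interface",
    "nat (DMZ) 2 0.0.0.0 0.0.0.0",
]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER), ("policy", POLICY)):
        print(name, "SMTP out ->", outbound_source(cfg, "DMZ", EDGE, 49152, 25, OUTSIDE_IP))
```

Running it shows the before case sourcing outbound SMTP from the interface address 213.x.x.109 (exactly what the ISP smart host saw), while both the full static and the policy-NAT variant source it from 213.x.x.163; the policy variant still sends the Edge server's non-SMTP traffic from the interface address. The HELO/EHLO name is a separate matter: it is set on the Exchange connector, as Pete Long describes, not by NAT.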
