how to NAT my MX record to my ISP smart host using ASA5520

Posted on 2009-04-06
Last Modified: 2012-05-06
We have Exchange 2007 with an Edge server in the DMZ, and it is now configured for sending and receiving email and working fine.
But when I telnet to port 25 of my mail domain I receive the HELO reply with my internal server name, so my ISP says that it is not properly statically NAT-ed on my firewall/router,
and it should reply with our mail domain as mail.mydomain.com.
Any suggestions to solve this?
This is my firewall configuration:
my MX record 213.x.x.163
EDGE server 172.16.1.10

And is it correct to keep access-list inside permit ip any any
and access-list outside permit icmp any any??
ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.100.50 255.255.255.0
 management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.71.x.x
dns name-server 212.71.x.x
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered alerts
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 213.x.x.163 smtp 172.16.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 995 192.168.1.6 995 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 587 192.168.1.6 587 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 www 192.168.1.11 www netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 citrix-ica 192.168.1.11 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 2598 192.168.1.11 2598 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50389 172.16.1.10 50389 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50636 172.16.1.10 50636 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.x.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 default-domain value mydomain.com
 webvpn
 vpn-group-policy test
 webvpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool test-pool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:53f1757178a72c9e5d642f93fee27d1c
: end

Question by: gakhan

11 Comments
Expert Comment by: asavener (ID: 24077574)
policy-map global_policy
 class inspection_default
 inspect smtp

http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/overvw.html#wp1002503
Author Comment by: gakhan (ID: 24077983)
Thanks for your quick reply. I tried this, but when I reach "inspect" I couldn't add smtp; it gives "invalid input".
When I try "?" there is no smtp, only esmtp.

Any suggestions??
Thanks again
Expert Comment by: asavener (ID: 24078840)
Sorry, esmtp is correct.
Expert Comment by: Pete Long (ID: 24085419)
In your Edge Server, open the Exchange Management tool > Organization Configuration > Hub Transport > Send Connector > Properties.
In "Specify the FQDN this connector will provide in response to HELO or EHLO",
enter the FQDN of your MX record (note: to avoid reverse DNS problems, make sure your ISP has set up a PTR record for the A record that this MX record points to).
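The check the ISP is effectively running, written out as an added example (this is not code from the thread or from Exchange): parse the 220 greeting and the EHLO reply a remote host sees, and compare the advertised name with the MX hostname and with the forward/reverse DNS pair described above. The SMTP transcripts and the DNS answers are constructed samples; the address 203.0.113.163 is a stand-in for the redacted 213.x.x.163, and capture_session() is an assumed helper for gathering a live transcript the same way the telnet test in the question does.

```python
# Added example: SMTP identity check for the HELO/EHLO name and the PTR record.
import re
import socket
from typing import Dict, List, Optional, Tuple

EXPECTED_FQDN = "mail.mydomain.com"   # the name the MX record points at (from the thread)
MX_IP = "203.0.113.163"               # constructed stand-in for the redacted 213.x.x.163

# Constructed transcript: what a remote client sees before the send connector is fixed.
BAD_SESSION = [
    "220 EDGE01.corp.local Microsoft ESMTP MAIL Service ready",
    "250-EDGE01.corp.local Hello [198.51.100.7]",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250 OK",
]
# Constructed transcript after the connector advertises the public FQDN.
GOOD_SESSION = [
    "220 mail.mydomain.com Microsoft ESMTP MAIL Service ready",
    "250-mail.mydomain.com Hello [198.51.100.7]",
    "250-STARTTLS",
    "250 OK",
]

# Constructed DNS answers: "A" maps hostname -> address, "PTR" maps address -> hostname.
DNS_BAD: Dict[str, Dict[str, str]] = {"A": {"mail.mydomain.com": MX_IP}, "PTR": {}}
DNS_GOOD: Dict[str, Dict[str, str]] = {"A": {"mail.mydomain.com": MX_IP},
                                       "PTR": {MX_IP: "mail.mydomain.com"}}

GREETING_RE = re.compile(r"^220[ -](\S+)")   # first token after the 220 code is the banner host
EHLO_RE = re.compile(r"^250[ -](\S+)")       # first 250 line carries the EHLO hostname


def advertised_names(session: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (banner hostname, EHLO-reply hostname) from a captured exchange."""
    banner = ehlo = None
    for line in session:
        m = GREETING_RE.match(line)
        if m and banner is None:
            banner = m.group(1)
            continue
        m = EHLO_RE.match(line)
        if m and ehlo is None:
            ehlo = m.group(1)
    return banner, ehlo


def identity_findings(session: List[str], dns: Dict[str, Dict[str, str]],
                      expected_fqdn: str = EXPECTED_FQDN, mx_ip: str = MX_IP) -> List[str]:
    """List the mismatches an ISP smart host or spam filter would object to."""
    findings: List[str] = []
    banner, ehlo = advertised_names(session)
    for label, name in (("220 banner", banner), ("EHLO reply", ehlo)):
        if name is None:
            findings.append(f"{label}: no hostname found")
        elif name.lower() != expected_fqdn.lower():
            findings.append(f"{label}: advertises {name}, expected {expected_fqdn}")
    # Forward/reverse consistency for the MX address (the PTR advice above).
    a_record = dns["A"].get(expected_fqdn)
    if a_record != mx_ip:
        findings.append(f"A record for {expected_fqdn} is {a_record}, expected {mx_ip}")
    ptr = dns["PTR"].get(mx_ip)
    if ptr is None:
        findings.append(f"no PTR record for {mx_ip}")
    elif ptr.lower() != expected_fqdn.lower():
        findings.append(f"PTR for {mx_ip} is {ptr}, expected {expected_fqdn}")
    return findings


def _read_reply(f) -> List[str]:
    """Read one SMTP reply, including continuation lines ("250-...")."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if not line or line[3:4] != "-":
            return lines


def capture_session(host: str, port: int = 25, helo_name: str = "probe.example") -> List[str]:
    """Assumed helper: collect the greeting and EHLO reply from your own server."""
    with socket.create_connection((host, port), timeout=10) as sock:
        f = sock.makefile("rwb")
        lines = _read_reply(f)
        f.write(f"EHLO {helo_name}\r\n".encode())
        f.flush()
        lines += _read_reply(f)
        f.write(b"QUIT\r\n")
        f.flush()
    return lines


if __name__ == "__main__":
    for name, sess, dns in (("before", BAD_SESSION, DNS_BAD), ("after", GOOD_SESSION, DNS_GOOD)):
        print(name, identity_findings(sess, dns) or ["ok"])
```

Run against the constructed "before" transcript it reports the leaked internal name in both the banner and the EHLO reply plus the missing PTR; the "after" transcript with a matching PTR comes back clean. The connector setting changes only what Exchange advertises; the PTR record still has to be created by whoever owns the reverse zone for the MX address.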
Author Comment by: gakhan (ID: 24088144)
Sorry to tell you it's not working yet with these two solutions.
I still receive the emails from the firewall outside port IP, which is the public IP, and with my internal Exchange server name;
of course in the HELO message it is still the same.
Please, if someone can show how the static NAT should be between Exchange 2007 and the MX public IP,
with the related access lists?
Thanks
Expert Comment by: asavener (ID: 24088667)
My apologies. I initially misunderstood the problem.

I believe PeteLong's solution is correct, but you must be running Exchange 2007 SP1 or later. There's a bug in the Gold version.
Author Comment by: gakhan (ID: 24094632)
I will try to explain my problem again.
1st issue: when I send emails outside, it shows that they are received from the IP of my firewall's outside port, not from my MX IP.
2nd issue: when I try HELO to mail.mymailserver.com, the reply comes with my internal Exchange server name, and also with the outside port IP of the firewall, not the MX IP.
And our ISP smart host says it is not secure to be like this and it is not NAT-ed correctly.
outside port IP: 213.x.x.109
MX-IP: 213.x.x.163
And by the way, I already tested PeteLong's solution... nothing changed.
Any experts help please?
Expert Comment by: asavener (ID: 24096427)

access-list NAT-SMTP extended permit tcp any any ex 25

no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (DMZ) 1 0.0.0.0 0.0.0.0
 
global (outside) 1 213.x.x.163
nat (inside) 1 access-list NAT-SMTP
nat (DMZ) 1 access-list NAT-SMTP
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
 
 
Expert Comment by: asavener (ID: 24096434)
Oops.  Access-list should be:

access-list NAT-SMTP extended permit tcp any any eq 25
Accepted Solution by: gakhan (earned 0 total points, ID: 24148049)
Hello again experts,
After a long time of searching and testing we found the problem and solved it as below:
You can see that our static NATs are assigned with ports, and all our access lists are assigned with ports too... so this was the problem. Once we made the static NAT from the public IP to the local IP without assigning ports on the static NAT, and kept the access lists as they are (with ports assigned), it works fine; now we are receiving from our MX record IP, not from the outside interface IP.
But unfortunately we are still receiving it with our local Exchange server name, so any suggestions for the Exchange configuration here?
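Why the port-based static sent outbound mail from the interface address, and how asavener's policy NAT and the accepted one-to-one static each fix it, modelled in an added example (this is not the thread's code and not Cisco's implementation). It is a small Python model of the pre-8.3 ASA order of operations for a flow leaving toward outside: static or static PAT first, then policy dynamic NAT (nat with an access-list), then regular dynamic NAT/PAT. The public addresses are constructed RFC 5737 stand-ins for the redacted 213.x.x.109 and 213.x.x.163, and the smart host address is made up.

```python
# Added example: toy model of outbound source selection on a pre-8.3 ASA, comparing
# the original config, the policy NAT suggestion and the accepted 1:1 static fix.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OUTSIDE_IF_IP = "203.0.113.109"   # stands in for 213.x.x.109 (outside interface)
MX_IP = "203.0.113.163"           # stands in for 213.x.x.163 (MX / mail.mydomain.com)
EDGE_IP = "172.16.1.10"           # Edge Transport server in the DMZ (from the thread)
REMOTE_MX = "198.51.100.25"       # constructed address of the ISP smart host
ANY = "0.0.0.0/0"


@dataclass
class Static:
    """static (DMZ,outside) ...: port=None is a one-to-one static, an int is static PAT."""
    local_ip: str
    global_ip: str
    port: Optional[int] = None


@dataclass
class PolicyNat:
    """nat (iface) N access-list ACL paired with global (outside) N <ip>."""
    acl: List[Tuple[str, str, Optional[int]]]   # (src net, dst net, dst port or None)
    global_ip: str


@dataclass
class Config:
    statics: List[Static]
    policy: List[PolicyNat]
    dynamic_global: str    # address that plain 'nat (iface) N 0 0' + 'global N' maps to


def acl_permits(acl, src: str, dst: str, dport: int) -> bool:
    """Does any permit entry of a NAT access-list match this flow?"""
    for src_net, dst_net, port in acl:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and (port is None or port == dport)):
            return True
    return False


def outbound_source(cfg: Config, src: str, sport: int, dst: str, dport: int) -> str:
    """Translated source IP for a flow from an inside/DMZ host toward outside.

    A static PAT entry only matches when the *local* port equals the configured
    port, so an outbound connection from an ephemeral port falls through it and
    ends up on whatever dynamic rule applies.
    """
    for s in cfg.statics:
        if s.local_ip == src and (s.port is None or s.port == sport):
            return s.global_ip
    for p in cfg.policy:
        if acl_permits(p.acl, src, dst, dport):
            return p.global_ip
    return cfg.dynamic_global


# 1) The question's config: static PAT for port 25 only, PAT to the interface otherwise.
ORIGINAL = Config(statics=[Static(EDGE_IP, MX_IP, port=25)], policy=[],
                  dynamic_global=OUTSIDE_IF_IP)

# 2) asavener's policy NAT: only flows matching NAT-SMTP (tcp any any eq 25) use the MX IP.
POLICY_NAT_FIX = Config(statics=[Static(EDGE_IP, MX_IP, port=25)],
                        policy=[PolicyNat(acl=[(ANY, ANY, 25)], global_ip=MX_IP)],
                        dynamic_global=OUTSIDE_IF_IP)

# 3) The accepted fix: one-to-one static for the Edge server, ports left to the ACLs.
ONE_TO_ONE_FIX = Config(statics=[Static(EDGE_IP, MX_IP, port=None)], policy=[],
                        dynamic_global=OUTSIDE_IF_IP)


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("policy NAT", POLICY_NAT_FIX),
                      ("1:1 static", ONE_TO_ONE_FIX)):
        smtp = outbound_source(cfg, EDGE_IP, 51234, REMOTE_MX, 25)
        https = outbound_source(cfg, EDGE_IP, 51235, REMOTE_MX, 443)
        print(f"{name:11s} SMTP from Edge appears as {smtp}, HTTPS from Edge as {https}")
```

The model shows the difference between the two fixes: policy NAT moves only port-25 traffic to the MX address and leaves everything else on the interface PAT, while the one-to-one static makes every outbound flow from the Edge server appear as the MX address and, for inbound, exposes every port of 172.16.1.10 behind that address. With the 1:1 static, acl-out is the only thing limiting what reaches the Edge server from outside, which is why the poster's note about keeping the port-specific access lists matters.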