gakhan

asked on

how to NAT my MX record to my ISP smart host using ASA5520

We have Exchange 2007 with an Edge server in the DMZ, and it's configured now for sending and receiving emails and it's working fine.
But when I telnet to port 25 of my mail domain I receive the hello reply with my internal server name, so my ISP says that it's not properly statically NAT-ed on my firewall / router,
and it should reply with our mail domain as mail.mydomain.com.
Any suggestions to solve this?
This is my firewall configuration.
My MX record: 213.x.x.163
EDGE server: 172.16.1.10

And is it correct to keep access-list inside permit ip any any
access-list outside permit icmp any any??
ASA5520# sho run
: Saved
:
ASA Version 7.0(7)
!
hostname ASA5520
domain-name mydomain.com
 
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 213.x.x.109 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.110 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.100.50 255.255.255.0
 management-only
!
passwd bWynhNAxeuWqXNuM encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server 212.71.x.x
dns name-server 212.71.x.x
dns name-server 208.67.222.222
dns name-server 208.67.220.220
access-list inside_access_in extended permit ip any any
access-list acl-out extended permit icmp any any
 
access-list acl-out extended permit tcp any host 213.x.x.163 eq 995
access-list acl-out extended permit tcp any host 213.x.x.163 eq 587
access-list acl-out extended permit tcp any host 213.x.x.163 eq www
access-list acl-out extended permit tcp any host 213.x.x.163 eq citrix-ica
access-list acl-out extended permit tcp any host 213.x.x.163 eq 2598
access-list acl-out extended permit tcp any host 213.x.x.163 eq https
access-list acl-out extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq smtp
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50389
access-list DMZ_access_in extended permit tcp any host 213.x.x.163 eq 50636
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_to_DMZ extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging buffered alerts
logging class ids buffered alerts
logging class session buffered alerts
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
 
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_to_DMZ
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp 213.x.x.163 smtp 172.16.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 995 192.168.1.6 995 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 587 192.168.1.6 587 netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 www 192.168.1.11 www netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 citrix-ica 192.168.1.11 citrix-ica netmask 255.255.255.255
static (inside,outside) tcp 213.x.x.163 2598 192.168.1.11 2598 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50389 172.16.1.10 50389 netmask 255.255.255.255
static (DMZ,outside) tcp 213.x.x.163 50636 172.16.1.10 50636 netmask 255.255.255.255
access-group acl-out in interface outside
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.x.x.161 1
route inside 192.168.0.0 255.255.255.0 192.168.1.100 1
route inside 192.168.6.0 255.255.255.0 213.x.x.161 1
route inside 192.168.100.0 255.255.255.0 192.x.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 default-domain value mydomain.com
 webvpn
 vpn-group-policy test
 webvpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool test-pool
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:53f1757178a72c9e5d642f93fee27d1c
: end


asavener

policy-map global_policy
 class inspection_default
 inspect smtp

http://www.cisco.com/en/US/docs/security/pix/pix61/configuration/guide/overvw.html#wp1002503
gakhan

ASKER

Thanks for your quick reply. I tried this, but when I reach "inspect" I couldn't add smtp; it gives invalid input.
When I try "?" there is no smtp, only esmtp.

Any suggestions??
Thanks again
Sorry, esmtp is correct.
In your Edge Server open the Exchange Management tool > Organization Configuration > Hub Transport > Send Connector > Properties.
In "Specify the FQDN this connector will provide in response to HELO or EHLO"
enter the FQDN of your MX record (note: to avoid reverse DNS problems, make sure your ISP has set up a PTR record for the A record that this MX record points to).
gakhan

ASKER

Sorry to say it's not working yet with these two solutions.
I still receive the emails from the firewall outside port IP (which is a public IP) and with my internal Exchange server name;
of course the hello message is still the same.
Please, if someone can show how the static NAT should be between a 2007 Exchange and the MX public IP,
with the related access lists?
Thanks
My apologies.  I initially misunderstood the problem.

I believe PeteLong's solution is correct, but you must be running Exchange 2007 SP1 or later.  There's a bug in the Gold version.
gakhan

ASKER

I will try to explain my problem again.
1st issue: when I send emails to the outside, it shows that they are received from the IP of my firewall's outside port, not from my MX IP.
2nd issue: when I try to hello mail.mymailserver.com, the reply comes with my internal Exchange server name, and also with the outside port IP of the firewall, not the MX IP.
And our ISP smarthost says it's not secure to be like this and it's not NAT-ed correctly.
Outside port IP: 213.x.x.109
MX IP: 213.x.x.163
And by the way, I already tested PeteLong's solution ... nothing changed.
Any experts' help please?

access-list NAT-SMTP extended permit tcp any any ex 25

no global (outside) 1 interface
no nat (inside) 1 0.0.0.0 0.0.0.0
no nat (DMZ) 1 0.0.0.0 0.0.0.0
 
global (outside) 1 213.x.x.163
nat (inside) 1 access-list NAT-SMTP
nat (DMZ) 1 access-list NAT-SMTP
global (outside) 2 interface
nat (inside) 2 0.0.0.0 0.0.0.0
nat (DMZ) 2 0.0.0.0 0.0.0.0
 
 
Oops.  Access-list should be:

access-list NAT-SMTP extended permit tcp any any eq 25
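Why the port-specific static alone never changed the outbound source address, and why the policy NAT above does, comes down to the ASA 7.x NAT rule order. The following is an added Python model of that lookup (not code from the thread or from Cisco); the addresses are the ones gakhan posted, with the "x" octets left as written, and it only models the DMZ-to-outside direction.

```python
# Added example (not from the thread): a model of how an ASA 7.x chooses the
# translated source address for an outbound TCP connection from the DMZ.
# Rule order follows the ASA 7.x/8.2 NAT order of operations:
#   1. static NAT/PAT, 2. policy NAT (nat ... access-list), 3. regular nat/global.
from dataclasses import dataclass, field

MX_IP = "213.x.x.163"        # address the MX record points to
OUTSIDE_IF = "213.x.x.109"   # ASA outside interface address
EDGE = "172.16.1.10"         # Edge Transport server in the DMZ

@dataclass
class StaticPat:             # static (DMZ,outside) tcp MX smtp EDGE smtp
    real_ip: str
    real_port: int
    mapped_ip: str
    mapped_port: int

@dataclass
class PolicyNat:             # nat (DMZ) 1 access-list NAT-SMTP + global (outside) 1 MX
    dst_port: int            # "eq 25" in access-list NAT-SMTP
    global_ip: str

@dataclass
class NatConfig:
    statics: list = field(default_factory=list)
    policy: list = field(default_factory=list)
    default_global: str = OUTSIDE_IF   # global (outside) N interface

def translate_source(cfg, src_ip, src_port, dst_port):
    """Return (ip, port) the connection carries on the outside interface."""
    # 1. A port-specific static matches only when the REAL source port matches.
    #    An outbound SMTP session uses an ephemeral source port, so it skips this.
    for s in cfg.statics:
        if s.real_ip == src_ip and s.real_port == src_port:
            return s.mapped_ip, s.mapped_port
    # 2. Policy NAT keyed on the destination port (asavener's fix).
    for p in cfg.policy:
        if p.dst_port == dst_port:
            return p.global_ip, src_port
    # 3. Everything else is PAT'd to the outside interface address.
    return cfg.default_global, src_port

def before_fix():
    return NatConfig(statics=[StaticPat(EDGE, 25, MX_IP, 25)])

def after_fix():
    cfg = before_fix()
    cfg.policy.append(PolicyNat(dst_port=25, global_ip=MX_IP))
    return cfg
```

With `before_fix()`, mail sent by the Edge server to a remote MTA on port 25 leaves as 213.x.x.109, which is exactly what the ISP observed; with `after_fix()` the same session leaves as 213.x.x.163 while other outbound traffic still uses the interface address. The HELO name itself is set on the Exchange Send Connector, as described earlier in the thread, not by NAT.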
ASKER CERTIFIED SOLUTION
gakhan