Solved

ASA PAT works for incoming SMTP but not outgoing

Posted on 2009-07-02
4
1,126 Views
Last Modified: 2013-11-30
We had an exchange server on our internal 10.x.x.8 and external x.x.x.194 recently we installed a Cisco Ironport Anti-Spam appliance at internal 10.x.x.29 which needs SMTP traffice directed towards it but other protocols still going to 10.x.x.8 so I created a few PAT rules on the ASA to do this. I've confirmed everything coming from the outside in is directed to the correct machine but when the Ironport sends email it's sending it via the wrong external address x.x.x.195

I don't know if I need to specify Ironport to send mail ONLY on port 25 (thus forcing to follow the PAT) if so I don't know how to do that in the Ironport.

Or if there's some way in the ASA to force the Ironport appliance mail through the 194 external IP.


Here are the related config entries from the ASA.
global (outside) 1 interface
global (outside) 2 x.x.x.194 netmask 255.0.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
 
 
access-list 100 extended permit ip any any inactive
access-list 100 extended permit tcp any host x.x.x.194 eq www
access-list 100 extended permit tcp any host x.x.x.194 eq 3389
access-list 100 extended permit tcp any host x.x.x.194 eq smtp
 
static (inside,outside) tcp 63.225.3.194 www 10.x.x.8 www netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 3389 10.x.x.8 3389 netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 smtp 10.x.x.29 smtp netmask 255.255.255.255

Open in new window

0
Comment
Question by:rguadiana
  • 2
  • 2
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 24768144
If you can set the Ironport to send mail using a source port of anything other than port 25, that'll be all you need.
Else, you can just change your dns MX record to be the 194 external IP
0
 

Author Comment

by:rguadiana
ID: 24768167
I think the Ironport IS using a source port other than 25 which is causing it to use the dynamic PAT on the ASA and using the 195 ip. Our dns MX record is already set to 194, that's why I need the Ironport to send mail through port 25 and IP 194.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 24768476
Aha... OK..

Access-list IRONPORT permit tcp host 10.x.x.29 any eq smtp
nat (inside) 2 access-list IRONPORT
0
 

Author Closing Comment

by:rguadiana
ID: 31599374
Thanks very much! worked like a charm
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Configuring Port Access on Cisco ASA 5 33
Unmanaged Switches for Optimized Network Speeds 7 51
ip igmp join-group 8 42
Setting up NAT translation for RDP 6 41
Operating system developers such as Microsoft (https://www.microsoft.com) and Apple have made incredible strides in virus protection over the past decade. Operating systems come packaged with built in defensive tools such as virus protection and a f…
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question