ASA PAT works for incoming SMTP but not outgoing

We had an exchange server on our internal 10.x.x.8 and external x.x.x.194 recently we installed a Cisco Ironport Anti-Spam appliance at internal 10.x.x.29 which needs SMTP traffice directed towards it but other protocols still going to 10.x.x.8 so I created a few PAT rules on the ASA to do this. I've confirmed everything coming from the outside in is directed to the correct machine but when the Ironport sends email it's sending it via the wrong external address x.x.x.195

I don't know if I need to specify Ironport to send mail ONLY on port 25 (thus forcing to follow the PAT) if so I don't know how to do that in the Ironport.

Or if there's some way in the ASA to force the Ironport appliance mail through the 194 external IP.


Here are the related config entries from the ASA.

global (outside) 1 interface
global (outside) 2 x.x.x.194 netmask 255.0.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
 
 
access-list 100 extended permit ip any any inactive
access-list 100 extended permit tcp any host x.x.x.194 eq www
access-list 100 extended permit tcp any host x.x.x.194 eq 3389
access-list 100 extended permit tcp any host x.x.x.194 eq smtp
 
static (inside,outside) tcp 63.225.3.194 www 10.x.x.8 www netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 3389 10.x.x.8 3389 netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 smtp 10.x.x.29 smtp netmask 255.255.255.255

Select allOpen in new window