Solved

ASA PAT works for incoming SMTP but not outgoing

Posted on 2009-07-02
4
1,129 Views
Last Modified: 2013-11-30
We had an exchange server on our internal 10.x.x.8 and external x.x.x.194 recently we installed a Cisco Ironport Anti-Spam appliance at internal 10.x.x.29 which needs SMTP traffice directed towards it but other protocols still going to 10.x.x.8 so I created a few PAT rules on the ASA to do this. I've confirmed everything coming from the outside in is directed to the correct machine but when the Ironport sends email it's sending it via the wrong external address x.x.x.195

I don't know if I need to specify Ironport to send mail ONLY on port 25 (thus forcing to follow the PAT) if so I don't know how to do that in the Ironport.

Or if there's some way in the ASA to force the Ironport appliance mail through the 194 external IP.


Here are the related config entries from the ASA.
global (outside) 1 interface
global (outside) 2 x.x.x.194 netmask 255.0.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
 
 
access-list 100 extended permit ip any any inactive
access-list 100 extended permit tcp any host x.x.x.194 eq www
access-list 100 extended permit tcp any host x.x.x.194 eq 3389
access-list 100 extended permit tcp any host x.x.x.194 eq smtp
 
static (inside,outside) tcp 63.225.3.194 www 10.x.x.8 www netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 3389 10.x.x.8 3389 netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 smtp 10.x.x.29 smtp netmask 255.255.255.255

Open in new window

0
Comment
Question by:rguadiana
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 24768144
If you can set the Ironport to send mail using a source port of anything other than port 25, that'll be all you need.
Else, you can just change your dns MX record to be the 194 external IP
0
 

Author Comment

by:rguadiana
ID: 24768167
I think the Ironport IS using a source port other than 25 which is causing it to use the dynamic PAT on the ASA and using the 195 ip. Our dns MX record is already set to 194, that's why I need the Ironport to send mail through port 25 and IP 194.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 24768476
Aha... OK..

Access-list IRONPORT permit tcp host 10.x.x.29 any eq smtp
nat (inside) 2 access-list IRONPORT
0
 

Author Closing Comment

by:rguadiana
ID: 31599374
Thanks very much! worked like a charm
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question