Solved

ASA PAT works for incoming SMTP but not outgoing

Posted on 2009-07-02
4
1,124 Views
Last Modified: 2013-11-30
We had an exchange server on our internal 10.x.x.8 and external x.x.x.194 recently we installed a Cisco Ironport Anti-Spam appliance at internal 10.x.x.29 which needs SMTP traffice directed towards it but other protocols still going to 10.x.x.8 so I created a few PAT rules on the ASA to do this. I've confirmed everything coming from the outside in is directed to the correct machine but when the Ironport sends email it's sending it via the wrong external address x.x.x.195

I don't know if I need to specify Ironport to send mail ONLY on port 25 (thus forcing to follow the PAT) if so I don't know how to do that in the Ironport.

Or if there's some way in the ASA to force the Ironport appliance mail through the 194 external IP.


Here are the related config entries from the ASA.
global (outside) 1 interface
global (outside) 2 x.x.x.194 netmask 255.0.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
 
 
access-list 100 extended permit ip any any inactive
access-list 100 extended permit tcp any host x.x.x.194 eq www
access-list 100 extended permit tcp any host x.x.x.194 eq 3389
access-list 100 extended permit tcp any host x.x.x.194 eq smtp
 
static (inside,outside) tcp 63.225.3.194 www 10.x.x.8 www netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 3389 10.x.x.8 3389 netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 smtp 10.x.x.29 smtp netmask 255.255.255.255

Open in new window

0
Comment
Question by:rguadiana
  • 2
  • 2
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 24768144
If you can set the Ironport to send mail using a source port of anything other than port 25, that'll be all you need.
Else, you can just change your dns MX record to be the 194 external IP
0
 

Author Comment

by:rguadiana
ID: 24768167
I think the Ironport IS using a source port other than 25 which is causing it to use the dynamic PAT on the ASA and using the 195 ip. Our dns MX record is already set to 194, that's why I need the Ironport to send mail through port 25 and IP 194.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 125 total points
ID: 24768476
Aha... OK..

Access-list IRONPORT permit tcp host 10.x.x.29 any eq smtp
nat (inside) 2 access-list IRONPORT
0
 

Author Closing Comment

by:rguadiana
ID: 31599374
Thanks very much! worked like a charm
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Website Issue 10 77
Port Forwarding on Cisco 881 14 57
Flashing red status light on a Cisco 3702i access point 7 60
cisco sg 200 trunking 4 26
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question