ASA PAT works for incoming SMTP but not outgoing

We had an exchange server on our internal 10.x.x.8 and external x.x.x.194 recently we installed a Cisco Ironport Anti-Spam appliance at internal 10.x.x.29 which needs SMTP traffice directed towards it but other protocols still going to 10.x.x.8 so I created a few PAT rules on the ASA to do this. I've confirmed everything coming from the outside in is directed to the correct machine but when the Ironport sends email it's sending it via the wrong external address x.x.x.195

I don't know if I need to specify Ironport to send mail ONLY on port 25 (thus forcing to follow the PAT) if so I don't know how to do that in the Ironport.

Or if there's some way in the ASA to force the Ironport appliance mail through the 194 external IP.


Here are the related config entries from the ASA.
global (outside) 1 interface
global (outside) 2 x.x.x.194 netmask 255.0.0.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
 
 
access-list 100 extended permit ip any any inactive
access-list 100 extended permit tcp any host x.x.x.194 eq www
access-list 100 extended permit tcp any host x.x.x.194 eq 3389
access-list 100 extended permit tcp any host x.x.x.194 eq smtp
 
static (inside,outside) tcp 63.225.3.194 www 10.x.x.8 www netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 3389 10.x.x.8 3389 netmask 255.255.255.255
static (inside,outside) tcp 63.225.3.194 smtp 10.x.x.29 smtp netmask 255.255.255.255

Open in new window

rguadianaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
If you can set the Ironport to send mail using a source port of anything other than port 25, that'll be all you need.
Else, you can just change your dns MX record to be the 194 external IP
0
rguadianaAuthor Commented:
I think the Ironport IS using a source port other than 25 which is causing it to use the dynamic PAT on the ASA and using the 195 ip. Our dns MX record is already set to 194, that's why I need the Ironport to send mail through port 25 and IP 194.
0
lrmooreCommented:
Aha... OK..

Access-list IRONPORT permit tcp host 10.x.x.29 any eq smtp
nat (inside) 2 access-list IRONPORT
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
rguadianaAuthor Commented:
Thanks very much! worked like a charm
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.