Solved

Outgoing NAT for Exchange Email

Posted on 2010-11-09
3
867 Views
Last Modified: 2012-06-21
So we got a new internet line here at work to replace our old T1.  Along with the new line we were given new IP addresses.

We were given a new WAN IP of xxx.xxx.30.178 /30 which I assigned to the outside interface of the firewall which is a Cisco ASA 5510

We were also given a block of usable public IPs which are xxx.xxx.164.0 - xxx.xxx.164.31 /27

So we made the switchover and everything went fine.  But then people in the company started getting all kinds of email bounce backs from people they were trying to send emails to.  Apparently this is because our new WAN IP doesn't have a legitimate reverse ARP assigned to it.

Ok no big deal, I call up bellsouth and ask them to do it and they say that our new WAN IP is a Serial IP and that it cannot ever have a reverse arp assigned to it.

The guy at bellsouth told me that we need to configure the firewall in such a way so that the outgoing email looks like it is coming from one of our new Public IPs and not the WAN IP.

So i'm thinking this is going to require some kind of NAT rule, i'm just unsure of how to configure it.

The Internal interface on the ASA is 150.50.1.29 and the Exchange Server is 150.50.1.37.
0
Comment
Question by:gedruspax
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34092772
You don't need a reverse ARP, you need Reverse POINTER record in DNS to match the new IP address in your MX record. You did change the MX record, didn't you?

This is what I would do on the ASA:

global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface smtp 150.50.1.37 smtp netmask 255.255.255.255 dns
access-list outside_access_in permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside

I this case, make sure your MX record and the PTR record all point to the new WAN IP of xxx.xxx.30.178

OR, you can do a static 1-1 NAT using one of the IP address out of the block of IP's

static (inside,outside) xxx.xxx.164.x 150.50.1.37 netmask 255.255.255.255 dns

In this case, the MX/PTR records must point to the xxx.xxx.164.x IP address.

0
 

Author Comment

by:gedruspax
ID: 34095510
Our MX records point to Postini because we use them for spam filtering.

I tried doing the 1-1 Nat rule like you specified, then went into bellsouth DNS dashboard and updated forward pointers to point to correct new public IP.

sent test email to myself and still is sourcing from xxx.xxx.30.178 and not xxx.xxx.164.31 like i need it to.
0
 

Author Comment

by:gedruspax
ID: 34096820
thank you for your help but i was able to find the answer to my question here

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23915594.html
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Not seeing additional mailbox after upgrading to 2013 1 46
exchange , email 8 44
Exchange 2010 CAS array Load Balancing. 7 61
exchange 2013 10 38
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question