Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 870
  • Last Modified:

Outgoing NAT for Exchange Email

So we got a new internet line here at work to replace our old T1.  Along with the new line we were given new IP addresses.

We were given a new WAN IP of xxx.xxx.30.178 /30 which I assigned to the outside interface of the firewall which is a Cisco ASA 5510

We were also given a block of usable public IPs which are xxx.xxx.164.0 - xxx.xxx.164.31 /27

So we made the switchover and everything went fine.  But then people in the company started getting all kinds of email bounce backs from people they were trying to send emails to.  Apparently this is because our new WAN IP doesn't have a legitimate reverse ARP assigned to it.

Ok no big deal, I call up bellsouth and ask them to do it and they say that our new WAN IP is a Serial IP and that it cannot ever have a reverse arp assigned to it.

The guy at bellsouth told me that we need to configure the firewall in such a way so that the outgoing email looks like it is coming from one of our new Public IPs and not the WAN IP.

So i'm thinking this is going to require some kind of NAT rule, i'm just unsure of how to configure it.

The Internal interface on the ASA is 150.50.1.29 and the Exchange Server is 150.50.1.37.
0
gedruspax
Asked:
gedruspax
  • 2
1 Solution
 
lrmooreCommented:
You don't need a reverse ARP, you need Reverse POINTER record in DNS to match the new IP address in your MX record. You did change the MX record, didn't you?

This is what I would do on the ASA:

global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface smtp 150.50.1.37 smtp netmask 255.255.255.255 dns
access-list outside_access_in permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside

I this case, make sure your MX record and the PTR record all point to the new WAN IP of xxx.xxx.30.178

OR, you can do a static 1-1 NAT using one of the IP address out of the block of IP's

static (inside,outside) xxx.xxx.164.x 150.50.1.37 netmask 255.255.255.255 dns

In this case, the MX/PTR records must point to the xxx.xxx.164.x IP address.

0
 
gedruspaxAuthor Commented:
Our MX records point to Postini because we use them for spam filtering.

I tried doing the 1-1 Nat rule like you specified, then went into bellsouth DNS dashboard and updated forward pointers to point to correct new public IP.

sent test email to myself and still is sourcing from xxx.xxx.30.178 and not xxx.xxx.164.31 like i need it to.
0
 
gedruspaxAuthor Commented:
thank you for your help but i was able to find the answer to my question here

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23915594.html
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now