Solved

Outgoing NAT for Exchange Email

Posted on 2010-11-09
3
864 Views
Last Modified: 2012-06-21
So we got a new internet line here at work to replace our old T1.  Along with the new line we were given new IP addresses.

We were given a new WAN IP of xxx.xxx.30.178 /30 which I assigned to the outside interface of the firewall which is a Cisco ASA 5510

We were also given a block of usable public IPs which are xxx.xxx.164.0 - xxx.xxx.164.31 /27

So we made the switchover and everything went fine.  But then people in the company started getting all kinds of email bounce backs from people they were trying to send emails to.  Apparently this is because our new WAN IP doesn't have a legitimate reverse ARP assigned to it.

Ok no big deal, I call up bellsouth and ask them to do it and they say that our new WAN IP is a Serial IP and that it cannot ever have a reverse arp assigned to it.

The guy at bellsouth told me that we need to configure the firewall in such a way so that the outgoing email looks like it is coming from one of our new Public IPs and not the WAN IP.

So i'm thinking this is going to require some kind of NAT rule, i'm just unsure of how to configure it.

The Internal interface on the ASA is 150.50.1.29 and the Exchange Server is 150.50.1.37.
0
Comment
Question by:gedruspax
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 34092772
You don't need a reverse ARP, you need Reverse POINTER record in DNS to match the new IP address in your MX record. You did change the MX record, didn't you?

This is what I would do on the ASA:

global (outside) 1 interface
nat (inside) 1 0 0 0
static (inside,outside) tcp interface smtp 150.50.1.37 smtp netmask 255.255.255.255 dns
access-list outside_access_in permit tcp any interface outside eq smtp
access-group outside_access_in in interface outside

I this case, make sure your MX record and the PTR record all point to the new WAN IP of xxx.xxx.30.178

OR, you can do a static 1-1 NAT using one of the IP address out of the block of IP's

static (inside,outside) xxx.xxx.164.x 150.50.1.37 netmask 255.255.255.255 dns

In this case, the MX/PTR records must point to the xxx.xxx.164.x IP address.

0
 

Author Comment

by:gedruspax
ID: 34095510
Our MX records point to Postini because we use them for spam filtering.

I tried doing the 1-1 Nat rule like you specified, then went into bellsouth DNS dashboard and updated forward pointers to point to correct new public IP.

sent test email to myself and still is sourcing from xxx.xxx.30.178 and not xxx.xxx.164.31 like i need it to.
0
 

Author Comment

by:gedruspax
ID: 34096820
thank you for your help but i was able to find the answer to my question here

http://www.experts-exchange.com/Hardware/Networking_Hardware/Firewalls/Q_23915594.html
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Remote Powershell Issue 3 30
EXCHANGE 3 24
Exchange 2013 - Recieve Connectors 4 22
Exchange 2013 to another 2013 forest move request 2 16
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question