• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 484
  • Last Modified:

Replacing PIX with Cisco ASA 5505 issues

We replaced an extremely old PIX with an ASA 5505. We duplicated the old config on the new ASA (when possible) but still having a couple issues. The biggest one is that the old PIX had a rule that assigned an additional wan ip address to the outside interface.

global (outside) 1 74.x.x.12

I don't think the ASA is using that line (if at all) the way the pix did because we are having issues with some outbound email bouncing back due to our SPF record. The SPF record is set to 74.x.x.12 but when I telnet into other mail servers, they are seeing me come from 74.x.x.10 which is the IP assigned to the outside interface 0/0 of the ASA.

Any ideas how to resolve this besides changing the SPF record?
0
amkbailey
Asked:
amkbailey
  • 4
  • 2
  • 2
2 Solutions
 
kdearingCommented:
Need to create a static NAT rule for your email server and 74.x.x.12
0
 
amkbaileyAuthor Commented:
Here was the existing NAT rule.

access-list acl_inbound permit tcp any host 74.x.x.11 eq smtp

I added
access-list acl_inbound permit tcp any host 74.x.x.12 eq smtp

but when I telent into other mail servers, it is seeing my ip in the greeting as 74.x.x.10
0
 
kdearingCommented:
Those are access rules, not NAT commands.

What CLI version are you running, 8.2 or 8.3?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
amkbaileyAuthor Commented:
8.2 (1)

nat (inside,outside) tcp 74.x.x.11 smtp 10.x.x.113 smtp netmask
0
 
lrmooreCommented:
>nat (inside,outside) tcp 74.x.x.11 smtp 10.x.x.113 smtp netmask

This should say
 static (inside,outside) 74.x.x.11  10.x.x.113 netmask 255.255.255.255
 ^^^
0
 
amkbaileyAuthor Commented:
sorry. it does. left that part off. I guess I need to post both config files to see the difference.
0
 
lrmooreCommented:
It should be a 1-1 static nat, or a policy nat and not just the smtp port static.
0
 
amkbaileyAuthor Commented:
We ended up just going to 1 static IP so we have it working ok now.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Become an IT Security Management Expert

In today’s fast-paced, digitally transformed world of business, the need to protect network data and ensure cloud privacy has never been greater. With a B.S. in Network Operations and Security, you can get the credentials it takes to become an IT security management expert.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now