Solved

Replacing PIX with Cisco ASA 5505 issues

Posted on 2011-03-23
8
407 Views
Last Modified: 2012-08-13
We replaced an extremely old PIX with an ASA 5505. We duplicated the old config on the new ASA (when possible) but still having a couple issues. The biggest one is that the old PIX had a rule that assigned an additional wan ip address to the outside interface.

global (outside) 1 74.x.x.12

I don't think the ASA is using that line (if at all) the way the pix did because we are having issues with some outbound email bouncing back due to our SPF record. The SPF record is set to 74.x.x.12 but when I telnet into other mail servers, they are seeing me come from 74.x.x.10 which is the IP assigned to the outside interface 0/0 of the ASA.

Any ideas how to resolve this besides changing the SPF record?
0
Comment
Question by:amkbailey
  • 4
  • 2
  • 2
8 Comments
 
LVL 13

Expert Comment

by:kdearing
Comment Utility
Need to create a static NAT rule for your email server and 74.x.x.12
0
 

Author Comment

by:amkbailey
Comment Utility
Here was the existing NAT rule.

access-list acl_inbound permit tcp any host 74.x.x.11 eq smtp

I added
access-list acl_inbound permit tcp any host 74.x.x.12 eq smtp

but when I telent into other mail servers, it is seeing my ip in the greeting as 74.x.x.10
0
 
LVL 13

Accepted Solution

by:
kdearing earned 250 total points
Comment Utility
Those are access rules, not NAT commands.

What CLI version are you running, 8.2 or 8.3?
0
 

Author Comment

by:amkbailey
Comment Utility
8.2 (1)

nat (inside,outside) tcp 74.x.x.11 smtp 10.x.x.113 smtp netmask
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
Comment Utility
>nat (inside,outside) tcp 74.x.x.11 smtp 10.x.x.113 smtp netmask

This should say
 static (inside,outside) 74.x.x.11  10.x.x.113 netmask 255.255.255.255
 ^^^
0
 

Author Comment

by:amkbailey
Comment Utility
sorry. it does. left that part off. I guess I need to post both config files to see the difference.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
It should be a 1-1 static nat, or a policy nat and not just the smtp port static.
0
 

Author Closing Comment

by:amkbailey
Comment Utility
We ended up just going to 1 static IP so we have it working ok now.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now