Proper setup for ASA 5510 and Exchange Email so IP matches SMTP banner

Our network topology is pretty simple:

Cisco 2901 -- Cisco ASA 5510 -- Switches -- LAN -- Exchange server

The ASA5510 has a global (outside) IP address of 66.239.221.131
I disabled inspect esmtp on the firewall since it was masking our SMTP banner
The Exchange server has a public IP address of 66.239.221.132 established with a static route in the firewall.
Our MX record for the Exchange server is mail.pageinc.org
I have set the FQDN in Exchange to also be mail.pageinc.org so the SMTP banner matches
I have set up rDNS with our ISP for 66.239.221.132.

When I go to whatsmyIP.org from the Exchange server, it shows the .131 IP address of the firewall.

When I send an email from the Exchange server to an outside account, it shows the IP as being the .131 IP address of the firewall.

This is causing issues for us because spam filters are blocking email since it appears to originate from .131.

How can I configure the firewall so all outgoing email comes from the proper .132 address as indicated by our MX record instead of using the ASA 5510 firewall's global (outside) IP address?

Here's the firewall config:

ASA Version 8.2(1)
!
hostname gateway
domain-name pageinc.org
enable password REMOVED
passwd REMOVED
no names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.239.221.130 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name pageinc.org
access-list external extended permit tcp any host 66.239.221.132 eq https
access-list external extended permit tcp any host 66.239.221.132 eq smtp
access-list external extended permit icmp any any echo-reply
access-list external extended permit icmp any any time-exceeded
access-list external extended permit icmp any any unreachable
access-list external extended permit tcp any host 66.239.221.132 eq pop3
access-list external extended permit tcp any host 66.239.221.132 eq www

access-list external extended permit tcp any any eq https

access-list dmz-acl extended permit icmp any any
access-list dmz-acl extended permit tcp any any eq 1433
access-list dmz-acl extended permit tcp any any eq www
access-list dmz-acl extended permit udp any any eq domain
access-list dmz-acl extended permit tcp any any eq https
access-list acl-outbound extended permit tcp host 192.168.100.14 any eq smtp
access-list acl-outbound extended permit tcp host 192.168.100.15 any eq smtp
access-list acl-outbound extended permit tcp host 192.168.100.16 any eq smtp
access-list acl-outbound extended permit tcp host 192.168.100.17 any eq smtp
access-list acl-outbound extended permit tcp host 192.168.100.23 any eq smtp
access-list acl-outbound extended permit tcp host 192.168.100.31 any eq smtp
access-list acl-outbound extended permit tcp host 192.168.100.32 any eq smtp
access-list acl-outbound extended deny tcp any any eq smtp
access-list acl-outbound extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 66.239.221.131
nat (inside) 1 192.168.100.0 255.255.255.0
nat (dmz) 1 192.168.1.0 255.255.255.0
static (inside,outside) 66.239.221.135 192.168.100.12 netmask 255.255.255.255
static (inside,outside) 66.239.221.141 192.168.100.21 netmask 255.255.255.255
static (inside,outside) 66.239.221.140 192.168.100.20 netmask 255.255.255.255
static (inside,outside) 66.239.221.136 192.168.100.23 netmask 255.255.255.255
static (inside,outside) 66.239.221.137 192.168.100.24 netmask 255.255.255.255
static (inside,outside) 66.239.221.132 192.168.100.14 netmask 255.255.255.255
static (dmz,outside) 66.239.221.133 192.168.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,outside) 66.239.221.134 192.168.100.13 netmask 255.255.255.255
access-group external in interface outside
access-group acl-outbound in interface inside
access-group dmz-acl in interface dmz
route outside 0.0.0.0 0.0.0.0 66.239.221.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.100.43 255.255.255.255 inside
http 192.168.100.20 255.255.255.255 inside
http 192.168.100.31 255.255.255.255 inside
http 192.168.100.53 255.255.255.255 inside
http 192.168.100.12 255.255.255.255 inside
snmp-server host inside 192.168.100.48 community page
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.100.12 255.255.255.255 inside
telnet 192.168.100.20 255.255.255.255 inside
telnet timeout 60
ssh 192.168.100.20 255.255.255.255 inside
ssh 192.168.100.12 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 17.254.0.26 source outside
webvpn
username REMOVED
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 ras
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ils
  inspect icmp
  inspect pptp
  inspect http
  inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dd2cf737898387106e42eac05c82e8c0
: end
Karrillion Asked:
mwblsz Commented:
Yes, you need to add the following NAT setting to make sure traffic from 100.14 goes out on 221.132:

global (outside) 10 66.239.221.132 netmask 255.255.255.255
nat (inside) 10 192.168.100.14 255.255.255.255

Sincerely

Karrillion (Author) Commented:
OK, I added that so now it looks like this:

global (outside) 1 66.239.221.131
global (outside) 10 66.239.221.132 netmask 255.255.255.255
nat (inside) 10 192.168.100.14 255.255.255.255
nat (inside) 1 192.168.100.0 255.255.255.0

I forgot to mention that the Exchange server is a cluster. The virtual server IP is 192.168.100.14. The nodes each have .15 and .16 as their IPs, and the cluster IP is .17.

I changed the NAT to this:

global (outside) 1 66.239.221.131
global (outside) 10 66.239.221.132 netmask 255.255.255.255
nat (inside) 10 192.168.100.14 255.255.255.255
nat (inside) 10 192.168.100.15 255.255.255.255
nat (inside) 10 192.168.100.16 255.255.255.255
nat (inside) 10 192.168.100.17 255.255.255.255
nat (inside) 1 192.168.100.0 255.255.255.0

So far it seems to work, whereas when I just had the virtual node's IP it was not working. Does this configuration look OK?


Thanks!
mwblsz Commented:
Yes, with this config, everything that comes from 100.14/15/16/17 will go out on 221.132.

On the other hand,
static (inside,outside) 66.239.221.132 192.168.100.14 netmask 255.255.255.255
will take care of inbound traffic.

Should be good :-)

Sincerely
Karrillion (Author) Commented:
Great, it seems to be working!
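The thread fixes the problem by hand and confirms it by sending a test message. The check below, added here as an example and not part of the original thread or any Cisco or Microsoft tooling, automates what the poster verified by eye: the MX name's A record, that address's PTR, the hostname in the SMTP 220 banner, and the source address a receiving MTA writes into its Received: header must all agree. It also flags the asterisk-masked banner that ASA ESMTP inspection produces (the reason inspection was disabled above). The hostnames and addresses are the ones from the thread; the resolver dictionaries and the two Received: lines are constructed sample data so the module runs offline. The live_lookups and fetch_banner helpers are assumptions about how one would wire it to a real resolver and server, using only the standard socket module.

```python
"""Consistency check for an outbound SMTP identity: MX name -> A record,
A -> PTR, 220 banner hostname, and the source IP the recipient actually sees.

Added example for this thread, not from the original post. Names and
addresses match the thread; SAMPLE_* data is constructed, not real DNS.
"""
import re
import socket
from typing import Callable, List, Optional

# RFC 5321 greeting: "220 <domain> <text>" ("220-" for a multi-line greeting)
_BANNER_RE = re.compile(r"^220[ -](\S+)")
# Connecting address as a receiving MTA writes it: "from x (y [66.239.221.131])"
_RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def banner_hostname(banner: str) -> Optional[str]:
    """Return the domain field of an SMTP 220 greeting, or None if malformed."""
    m = _BANNER_RE.match(banner.strip())
    return m.group(1) if m else None


def banner_is_masked(banner: str) -> bool:
    """True when the greeting hostname is all asterisks, which is how ASA
    'inspect esmtp' obscures the server banner."""
    host = banner_hostname(banner)
    return host is not None and set(host) == {"*"}


def received_source_ip(received_header: str) -> Optional[str]:
    """Extract the connecting IP from a Received: header line."""
    m = _RECEIVED_IP_RE.search(received_header)
    return m.group(1) if m else None


def check_mail_identity(
    mx_host: str,
    resolve_a: Callable[[str], str],
    resolve_ptr: Callable[[str], str],
    banner: str,
    observed_source_ip: Optional[str],
) -> List[str]:
    """Return a list of mismatches; an empty list means the identity is consistent."""
    findings: List[str] = []
    mx_host = mx_host.lower().rstrip(".")

    try:
        public_ip = resolve_a(mx_host)
    except (OSError, LookupError) as exc:  # socket errors are OSError; dict misses are KeyError
        return [f"A record for {mx_host} did not resolve: {exc!r}"]

    try:
        ptr = resolve_ptr(public_ip).lower().rstrip(".")
    except (OSError, LookupError):
        ptr = None
    if ptr != mx_host:
        findings.append(f"PTR for {public_ip} is {ptr!r}, expected {mx_host}")

    if banner_is_masked(banner):
        findings.append("SMTP banner hostname is masked (firewall ESMTP inspection?)")
    else:
        bh = banner_hostname(banner)
        if bh is None or bh.lower().rstrip(".") != mx_host:
            findings.append(f"SMTP banner announces {bh!r}, expected {mx_host}")

    if observed_source_ip is None:
        findings.append("could not determine the source IP seen by the recipient")
    elif observed_source_ip != public_ip:
        findings.append(
            f"outbound mail leaves from {observed_source_ip} but MX/PTR point at "
            f"{public_ip}; every host that sends mail must NAT to {public_ip}"
        )
    return findings


def live_lookups():
    """Resolver pair backed by the system resolver, for a real check (assumed wiring)."""
    return socket.gethostbyname, (lambda ip: socket.gethostbyaddr(ip)[0])


def fetch_banner(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Read the first greeting line from a live SMTP server (assumed wiring)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace").splitlines()[0]


# Constructed sample data mirroring the thread; not real DNS answers.
SAMPLE_A = {"mail.pageinc.org": "66.239.221.132"}
SAMPLE_PTR = {"66.239.221.132": "mail.pageinc.org"}
SAMPLE_BANNER = "220 mail.pageinc.org Microsoft ESMTP MAIL Service ready"
# Constructed Received: lines: what a recipient saw before and after the NAT change.
RECEIVED_BEFORE = "Received: from mail.pageinc.org (mail.pageinc.org [66.239.221.131])"
RECEIVED_AFTER = "Received: from mail.pageinc.org (mail.pageinc.org [66.239.221.132])"


def sample_run(received_header: str) -> List[str]:
    """Run the check against the constructed data above."""
    return check_mail_identity(
        "mail.pageinc.org",
        SAMPLE_A.__getitem__,
        SAMPLE_PTR.__getitem__,
        SAMPLE_BANNER,
        received_source_ip(received_header),
    )


if __name__ == "__main__":
    for label, hdr in (("before", RECEIVED_BEFORE), ("after", RECEIVED_AFTER)):
        print(label, sample_run(hdr) or "consistent")
```

The "before" run reproduces the thread's symptom (mail leaving from .131 while MX and PTR point at .132); the "after" run is clean. Note the last check compares the source address in a Received: header rather than anything the firewall reports: on a cluster, outbound connections originate from whichever node initiates them, which is why the poster's first attempt (only the virtual IP in nat 10) still failed, so a real check should cover a message from each node.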