Cisco ASA: route SMTP from Exchange server out a specific WAN IP that is different from the primary WAN IP

Greetings-

I would like to route outbound mail from our onsite exchange box out a specific IP to match our inbound mail flow. We have a Cisco ASA we'll be doing this on. I'm sure this is possible but I haven't found a good article on how to do it.

Thanks!
microtechboise asked:

Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
If it is on the same interface as the existing IP, you will just need to configure a separate NAT entry for the outbound mail:

object network exchange-internal
  host w.x.y.z

object network exchange-external
  host a.b.c.d

nat (inside,outside) source static exchange-internal exchange-external



You can get specific with:

object network exchange-internal
  host w.x.y.z

object network exchange-external
  host a.b.c.d

object service tcp_smtp
  service tcp destination eq 25

nat (inside,outside) source static exchange-internal exchange-external service tcp_smtp tcp_smtp



You can also make this one-way only with the "unidirectional" keyword.  This will make it so that inbound flows will need to come in on the previously configured port, however I would not recommend that unless this is to prevent spam listings on your main IP.
James Hood (Assistant Technical Manager, IT Infrastructure) commented:
Hi,
Is it just the one network host on the inside of your network (i.e. an email server) that you need to do this for? If so a one-to-one NAT will do the trick. Let me know if you need a hand with the config and I'll post you an example.

All the best, James.
microtechboise (Author) commented:
Thanks for the suggestions. It is a single LAN host IP to one of the External IPs we have in our block of addresses. Just not the first one. Currently it is flowing out the first one.

So for the example EXCHBOX is 192.168.1.10 and the external addresses are x.x.x.100-104. Mail headers currently show it going out x.x.x.100 and we'd like it to go out x.x.x.101.
James Hood (Assistant Technical Manager, IT Infrastructure) commented:
Sorry, I didn't see Daniel's comment before I posted! Assuming you want to route inbound mail to the same address Daniel's first example along with a suitable access list will do the job.
microtechboise (Author) commented:
Mail is already routed inbound with a static rule. Will I need to remove the static rule for this to work?
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
Do you want the inbound to go out 101?

The commands I posted should do it for you.

One of these is what you will want:

Outbound and Inbound, all ports forwarded off the .101 IP
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
nat (inside,outside) source static exchange-internal exchange-external



Outbound and Inbound, Only SMTP and HTTPS
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
object service tcp_smtp
  service tcp destination eq 25
object service tcp_https
  service tcp destination eq 443
nat (inside,outside) source static exchange-internal exchange-external service tcp_smtp tcp_smtp
nat (inside,outside) source static exchange-internal exchange-external service tcp_https tcp_https



Outbound Only, All Ports
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
nat (inside,outside) source static exchange-internal exchange-external unidirectional



Outbound Only, Only SMTP and HTTPS
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
object service tcp_smtp
  service tcp destination eq 25
object service tcp_https
  service tcp destination eq 443
nat (inside,outside) source static exchange-internal exchange-external service tcp_smtp tcp_smtp unidirectional
nat (inside,outside) source static exchange-internal exchange-external service tcp_https tcp_https unidirectional


Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
Yes, you will need to remove the static rule.
microtechboise (Author) commented:
In attempting to build the service object, here are the commands I ran:

ASA(config)# object service tcp_smtp
ASA(config-service)# service tcp destination eq 25
                                                            ^
ERROR: % Invalid input detected at '^' marker.


It does accept the command if I leave the destination out. In the help it only has source and not destination as options for that.
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
You can leave it out, chances are it is a different ASA version and the version you have doesn't have the destination command (but destination is implied in this case).

What version of ASA and ASDM do you have?
microtechboise (Author) commented:
I'm going to attempt the production changes during our maint window. I'll let you know how it goes. Thanks for all the help Daniel.
microtechboise (Author) commented:
Seems like we are working from different versions; the nat policy didn't work either. It only allows for either inside or outside but not both. I'm working from ASA version 8.2(5) and ASDM 6.4(5).
Pete Long (Technical Consultant) commented:
Ok - the reason you are struggling is that your firewall is running a version older than 8.3; all the NAT commands above are for post-8.3.

To do what you want in version 8.2, NAT is different and ACLs are written the other way round :)

What you need is an old school Cisco firewall ninja :)

You haven't given me IPs to work with so I'll assume:

Exchange in 192.168.1.10 Internally
Firewall external is 123.123.123.100
Exchange External is 123.123.123.101
You have an inbound ACL called inbound (run a 'show run access-group' command and see if you have one called 'access-group NAME in interface outside'. If you do, replace the word inbound with your NAME. If you DON'T have an inbound ACL then execute the last 'optional' command);

access-list inbound extended permit tcp any host 123.123.123.101 eq smtp
static (inside,outside) 123.123.123.101 192.168.1.10 netmask 255.255.255.255


Optional command (see my comment above)

access-group inbound in interface outside

OK, if you are also running Outlook Web Access you may also want:

access-list inbound extended permit tcp any host 123.123.123.101 eq https

As you already have Exchange running we don't need to turn off ESMTP inspection :)

But you will need to clear the firewall's NAT table when you have finished with a:

clear xlate

Then save the changes with a:

write mem

Then sit back, light your pipe and admire your handiwork.

If you update your firewall past 8.3 the previous comments would have worked; the upgrade process is on my website, see here and here.

Regards,


Pete

arnold commented:
I think it is addressed/in the process.
Is your current incoming IP for your exchange the same IP as the one you wish to have the data come out on?
Daniel has you on the right path. Please provide the information on the version of IOS on your ASA.
microtechboise (Author) commented:
Pete - I think I may have discovered my issue with the firewall. When I attempt to input your suggestion - static (inside,outside) 123.123.123.101 192.168.1.10 netmask 255.255.255.255 - the NAT statement is converted to a name, and that name is specified in the following command - global (outside) 1 NAME netmask 255.255.255.240. Does the 1 in that command indicate the VLAN that it is associated with?
Pete Long (Technical Consultant) commented:
OK, you are using the IP you want to assign to Exchange in a global NAT statement.

Issue a:

show run nat

You will have a NAT statement with priority 1 that matches that global statement, which will look like:

nat (inside) 1 {something}

That IP address or network is getting NATed to the 101 address. :)

Pete
microtechboise (Author) commented:
The global is as follows - global (outside) 2 interface.

These are the NAT statements:

nat (inside) 0 access-list nonat
nat (inside) 1 access-list SMTP_Outbound
nat (inside) 2 0.0.0.0 0.0.0.0
nat (Public) 1 0.0.0.0 0.0.0.0

More on the smtp_outbound:

access-group smtp_outbound in interface inside

There are several access-lists defined with services and network objects.

Does the help clarify? I think the global is assigned to the VLAN we have setup for our external range.
arnold commented:
The outside is always on its own OUTSIDE with security 0 (unsecure), with the inside with security 100 (secure).

Your issue is that your nonat list is what interferes with your SMTP_Outbound rule,
i.e. the packet from 192.168.x.x matches the nat (inside) 0 access-list nonat.


Your setup seems to be a Port Address Translation, commonly, and I think the example given earlier deals with NAT, i.e. a one-to-one IP address translation, i.e. in conformity with the ACL
packets to Public_IP port are translated to internal_ip port and, in this setup, outgoing packets from internal_ip anyport will be translated to public_ip anyport.

Your translation rule must take into account originating on port 25 or destined to port 25. from this IP need to ......

Please advise which version of IOS is running on your ASA/PIX: 6, 7, 8?
microtechboise (Author) commented:
ASA version 8.2(5)
arnold commented:
I think PeteLong provided you the answer to static (inside,outside).
Do you have multiple ports that are being forwarded from the second IP i.e. 123.123.123.123 80 goes to 192.168.0.15 etc. and you need all of those destinations to also be routed back as originating from 123.123.123.123?

The object definition that combines the IPs into a group and the ports would be needed.
microtechboise (Author) commented:
There are other (inside,outside) entries that point certain services from the outside to the various inside network devices. But those are all just outside in. Not inside out. And when I attempt to specify the actual IP it changes it to the group name. That group name is defined with the global command. Not sure why I can't specify the actual IP.
arnold commented:
How many internal IP/port combinations do you need to appear as originating from the same WAN IP address, not the primary IP on the firewall?
One option could be to change the primary IP on the WAN side of the firewall, though it may lead to other issues, i.e. a virus-infected system that mass mails will trigger the blacklisting of the IP.
microtechboise (Author) commented:
We have about 10 static (inside,outside) rules to non-primary WAN IPs. These all still seem to be directing traffic from the outside in. Which part of this directs traffic from the LAN to the proper WAN IP?
arnold commented:
The static method I think is a one-to-one map.
You might be looking for
IP port => WAN IP
ip1 port1 => wan1 IP
ip2 port2 => wan IP
etc.

This is what I believe Daniel's IOS >8.3 example deals with.

You may have to prioritize the WAN source IP, i.e. for serverX it is irrelevant what WAN IP it comes out of, while for Exchange it is important; make sure only Exchange has the static outgoing map.
.....
microtechboise (Author) commented:
Daniel's commands are based on a new IOS. Since we are on 8.2 they don't work. I guess at this point we'll have to engage Cisco.
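The thread stops before the 8.2 configuration is tried end to end, so here is Pete's pre-8.3 procedure written out in full with the checks a practitioner would run during the maintenance window. This is an added example, not config posted by anyone in the thread. It uses Pete's placeholder addresses (Exchange 192.168.1.10 inside, firewall 123.123.123.100, Exchange public 123.123.123.101), assumes the interfaces are named inside and outside and the inbound ACL is named inbound, and uses 203.0.113.25 as a constructed test destination for packet-tracer. It also adds the check the later nat/global listing suggests: find where .101 is already referenced before adding the static.

```text
! Added 8.2 example; addresses, interface names and ACL name are assumptions, see the lead-in.
!
! 0. Before changing anything, see where the target public IP is already used. The asker's box
!    converts 123.123.123.101 to a name (the "names" feature) and references it from a global pool,
!    so search the running config for the address and the name.
show running-config names
show running-config global
show running-config nat
show running-config static
show running-config access-list | include nonat

! 1. One-to-one static: 192.168.1.10 appears as .101 for sessions it opens AND for sessions sent to .101.
!    In 8.2 the NAT order is: nat 0 access-list (exemption), then static, then policy nat/global,
!    then regular nat/global. A static for this host therefore wins over "nat (inside) 2 0.0.0.0 0.0.0.0"
!    with "global (outside) 2 interface", which is why mail currently leaves on the .100 interface address.
!    It does NOT win over an exemption: if the nonat ACL matches 192.168.1.10 to the destination, fix that first.
static (inside,outside) 123.123.123.101 192.168.1.10 netmask 255.255.255.255

! 2. Inbound permits. Pre-8.3 ACLs reference the PUBLIC address, and a port match needs tcp, not ip.
access-list inbound extended permit tcp any host 123.123.123.101 eq smtp
access-list inbound extended permit tcp any host 123.123.123.101 eq https
! Only if no ACL is applied inbound on outside yet (check with "show run access-group" first):
access-group inbound in interface outside

! 3. Existing translations stay in the xlate table until cleared, so live sessions would keep the old
!    mapping. Clearing during the window forces new sessions through the static, then save.
clear xlate
write memory

! 4. Verify without sending real mail. packet-tracer simulates a flow through the full pipeline;
!    in its output the NAT phase should show the source translated to 123.123.123.101 and the
!    final result "allow".
packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.25 25
! Inbound direction: an outside client to the public address on 25 should land on 192.168.1.10.
packet-tracer input outside tcp 203.0.113.25 40000 123.123.123.101 25

! 5. Confirm the static translation exists in the xlate table and watch it being hit.
show xlate | include 192.168.1.10
show conn | include 192.168.1.10
```

Step 0 is the part the thread got stuck on: the address has to be free of the global pool before the static makes sense, so read the nat/global output first and decide whether the existing "nat (inside) 1 access-list SMTP_Outbound" policy pair or the new static is the one that should own .101. Steps 4 and 5 are the evidence to keep from the change window; the packet-tracer output for the outbound SMTP flow is what you compare against the Received headers of a test message afterwards.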