microtechboise (United States of America) asked:
Cisco ASA: route SMTP from Exchange server out a specific WAN IP that is different from the primary WAN IP

Greetings-

I would like to route outbound mail from our onsite exchange box out a specific IP to match our inbound mail flow. We have a Cisco ASA we'll be doing this on. I'm sure this is possible but I haven't found a good article on how to do it.

Thanks!
Daniel Sheppard (Canada):

If it is on the same interface as the existing IP, you will just need to configure a separate NAT entry for the outbound mail:

object network exchange-internal
  host w.x.y.z

object network exchange-external
  host a.b.c.d

nat (inside,outside) source static exchange-internal exchange-external

You can get specific with:

object network exchange-internal
  host w.x.y.z

object network exchange-external
  host a.b.c.d

object service tcp_smtp
 service tcp destination eq 25


nat (inside,outside) source static exchange-internal exchange-external service tcp_smtp tcp_smtp

You can also make this one-way only with the "unidirectional" keyword. This will make it so that inbound flows will need to come in on the previously configured port; however, I would not recommend that unless this is to prevent spam listings on your main IP.
Hi,
Is it just the one network host on the inside of your network (ie an email server) that you need to do this for? If so a one to one NAT will do the trick. Let me know if you need a hand with the config and I'll post you an example.

All the best, James.
microtechboise (ASKER):
Thanks for the suggestions. It is a single LAN host IP to one of the external IPs we have in our block of addresses, just not the first one. Currently it is flowing out the first one.

So for the example, EXCHBOX is 192.168.1.10 and the external addresses are x.x.x.100-104. Mail headers currently show it going out x.x.x.100 and we'd like it to go out x.x.x.101.
Sorry, I didn't see Daniel's comment before I posted! Assuming you want to route inbound mail to the same address, Daniel's first example along with a suitable access list will do the job.
Mail is already routed inbound with a static rule. Will I need to remove the static rule for this to work?
Do you want the inbound to go out 101?

The commands I posted should do it for you.

One of these is what you will want

Outbound and Inbound, all ports forwarded off the .101 IP
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
nat (inside,outside) source static exchange-internal exchange-external

Outbound and Inbound, Only SMTP and HTTPS
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
object service tcp_smtp
 service tcp destination eq 25
object service tcp_https
 service tcp destination eq 443
nat (inside,outside) source static exchange-internal exchange-external service tcp_smtp tcp_smtp
nat (inside,outside) source static exchange-internal exchange-external service tcp_https tcp_https

Outbound Only, All Ports
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
nat (inside,outside) source static exchange-internal exchange-external unidirectional

Outbound Only, Only SMTP and HTTPS
object network exchange-internal
  host 192.168.1.10
object network exchange-external
  host x.x.x.101
object service tcp_smtp
 service tcp destination eq 25
object service tcp_https
 service tcp destination eq 443
nat (inside,outside) source static exchange-internal exchange-external service tcp_smtp tcp_smtp unidirectional
nat (inside,outside) source static exchange-internal exchange-external service tcp_https tcp_https unidirectional


Yes, you will need to remove the static rule.
In attempting to build the service object, here are the commands I ran:

ASA(config)# object service tcp_smtp
ASA(config-service)# service tcp destination eq 25
                                                            ^
ERROR: % Invalid input detected at '^' marker.


It does accept the command if I leave the destination out. In the help it only has source and not destination as options for that.
You can leave it out; chances are it is a different ASA version and the version you have doesn't have the destination command (but destination is implied in this case).

What version of ASA and ASDM do you have?
I'm going to attempt the production changes during our maint window. I'll let you know how it goes. Thanks for all the help Daniel.
Seems like we are working from different versions; the nat policy didn't work either. It only allows for either inside or outside but not both. I'm working from an ASA version 8.2(5) and ASDM 6.4(5).
ASKER CERTIFIED SOLUTION
Pete Long (United Kingdom of Great Britain and Northern Ireland)

I think it is addressed/in the process.
Is your current incoming IP for your exchange the same IP as the one you wish to have the data come out on?
Daniel has you on the right path. Please provide the information on the version of IOS on your ASA.
Pete - I think I may have discovered my issue with the firewall. When I attempt to input your suggestion - static (inside,outside) 123.123.123.101 192.168.1.10 netmask 255.255.255.255 - the nat statement is converted to a name, and that name is specified in the following command - global (outside) 1 NAME netmask 255.255.255.240. Does the 1 in that command indicate the VLAN that it is associated with?
OK, you are using the IP you want to assign to Exchange in a global NAT statement.

issue a

show run nat

you will have a Nat statement with priority 1 that matches that global statement that will look like

nat (inside) 1 {something}

that IP address or network is getting NATTED to the 101 address. :)

Pete
The global is as follows - global (outside) 2 interface.

These are the nat -

nat (inside) 0 access-list nonat
nat (inside) 1 access-list SMTP_Outbound
nat (inside) 2 0.0.0.0 0.0.0.0
nat (Public) 1 0.0.0.0 0.0.0.0

More on the smtp_outbound

access-group smtp_outbound in interface inside

There are several access-list defined with services and network objects

Does that help clarify? I think the global is assigned to the VLAN we have set up for our external range.
The outside is always on its own, OUTSIDE with security 0 (unsecure), with the inside at security 100 (secure).

Your issue is that your nonat list is what interferes with your SMTP_Outbound rule.
i.e. the packet from 192.168.x.x matches the nat (inside) 0 access-list nonat.


Your setup seems to be a Port Address Translation, commonly; I think the example given earlier deals with NAT, i.e. a one-to-one IP address translation, i.e. in conformity with the ACL packets to Public_IP port are translated to internal_ip port, and in this setup outgoing packets from internal_ip anyport will be translated to public_ip anyport.

Your translation rule, must take into account originating on port 25 or destined to port 25. from this IP need to ......

Please advise which version of IOS is running on your ASA/PIX 6,7,8?
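The precedence question in this thread (the nonat exemption, the SMTP_Outbound policy NAT and a one-to-one static entry all claiming the Exchange host) as an added Python model; it is not part of this thread or of any Cisco code, and it assumes documentation IPs (203.0.113.100 as the outside interface, 203.0.113.101 as the mail IP), a constructed nonat ACL for a VPN subnet, and hypothetical helper names.

```python
import ipaddress

# Model of ASA 8.2 (pre-8.3) NAT precedence for an inside->outside flow, per Cisco's
# documented order: 1) nat 0 exemption, 2) static NAT, 3) policy dynamic NAT
# (nat <id> access-list), 4) regular dynamic NAT (nat <id> <net> <mask>); the
# "global (outside) <id>" entry supplies the mapped IP for 3 and 4. Source-only model.
def acl_matches(acl, src, dst, dport):
    """acl: list of (src_net, dst_net, dst_port or None), like an extended ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               and (p is None or p == dport) for sn, dn, p in acl)

class Asa82Nat:
    def __init__(self, acls, globals_):
        self.acls, self.globals_ = acls, globals_   # globals_: nat id -> mapped IP
        self.exempt, self.statics, self.policy, self.dynamic = [], {}, [], []
    def nat0(self, acl):             # nat (inside) 0 access-list <acl>
        self.exempt.append(acl)
    def static(self, mapped, real):  # static (inside,outside) <mapped> <real> netmask 255.255.255.255
        self.statics[real] = mapped
    def nat_acl(self, nid, acl):     # nat (inside) <nid> access-list <acl>
        self.policy.append((nid, acl))
    def nat_net(self, nid, net):     # nat (inside) <nid> <net> <mask>
        self.dynamic.append((nid, net))

    def translate(self, src, dst, dport):
        """Return (winning rule, mapped source IP) for a flow from inside host src."""
        for acl in self.exempt:
            if acl_matches(self.acls[acl], src, dst, dport):
                return "nat 0 " + acl, src              # exempt: source left untouched
        if src in self.statics:
            return "static", self.statics[src]
        for nid, acl in self.policy:
            if acl_matches(self.acls[acl], src, dst, dport):
                return "nat %d access-list %s" % (nid, acl), self.globals_[nid]
        for nid, net in self.dynamic:
            if ipaddress.ip_address(src) in ipaddress.ip_network(net):
                return "nat %d %s" % (nid, net), self.globals_[nid]
        return "no translation", None

def thread_config(with_static=False):
    """Constructed approximation of the asker's config, using documentation IPs."""
    acls = {"nonat": [("192.168.1.0/24", "10.0.0.0/8", None)],        # assumed VPN exemption
            "SMTP_Outbound": [("192.168.1.10/32", "0.0.0.0/0", 25)]}  # Exchange -> any:25
    fw = Asa82Nat(acls, {1: "203.0.113.101", 2: "203.0.113.100"})   # global 1 = .101, 2 = interface
    fw.nat0("nonat")
    fw.nat_acl(1, "SMTP_Outbound")
    fw.nat_net(2, "0.0.0.0/0")
    if with_static:  # Pete's suggestion: one-to-one static for the Exchange host
        fw.static("203.0.113.101", "192.168.1.10")
    return fw
```

Running translate() for port 25 versus port 443 shows why only SMTP leaves on .101 under the policy NAT, and why a static entry moves every non-exempt flow to .101 while destinations covered by the nonat ACL still bypass translation entirely.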
ASA version 8.2(5)
I think PeteLong provided you the answer with static (inside,outside).
Do you have multiple ports that are being forwarded from the second IP i.e. 123.123.123.123 80 goes to 192.168.0.15 etc. and you need all of those destinations to also be routed back as originating from 123.123.123.123?

The object definition that combines the IPs into a group and the ports would be needed.
There are other (inside,outside) entries that point certain services from the outside to the various inside network devices. But those are all just outside in. Not inside out. And when I attempt to specify the actual IP it changes it to the group name. That group name is defined with the global command. Not sure why I can't specify the actual IP.
How many internal IPs/port combinations do you need to appear as originating from the same WAN IP address not the primary IP on the firewall?
One option could be to change the primary IP on the WAN side of the firewall, though it may lead to other issues, i.e. a virus-infected system that mass mails will trigger the blacklisting of the IP.
We have about 10 static (inside,outside) rules to non primary wan IPs. These all still seem to be directing traffic from the outside in. Which part of this direct traffic from the lan to the proper wan IP?
The static method I think is a one to one map.
You might be looking for
IP port => WAN IP
ip1 port1 => wan1 IP
ip2 port2 => wan2 IP
etc.

This is what I believe Daniel's IOS >8.3 example deals with.

You may have to prioritize the WAN source IP, i.e. for serverX it is irrelevant what WAN IP it comes out of, while for Exchange it is important; make sure only Exchange has the static outgoing map.
.....