NAT statements for Exchange

We have some Exchange servers hosted in our data center and are having issues getting the NAT rules to match the public host name to the proper external IP address. Currently they are NAT-ing to the outside interface of the ASA5510 we have in place. This is causing some blacklist issues, and the only way around that we have found so far is open NAT-ing, which cannot be the permanent solution since it leaves so many ports open. I've tried some ports to get the IP address to properly NAT but have not had any luck. Could anyone shed some light as to what NAT statement needs to be in place to have the Exchange servers properly link to their outside IP addresses? Thanks.

PIMSupport asked:
Pete Long, Technical Consultant, commented:
I'm assuming the Exchange servers have their own public IP addresses on their ASA? If so, this is the procedure:
Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall
Or, if you only have one public IP, so you're port forwarding SMTP (TCP port 25) to the Exchange server, this is the procedure:
Cisco PIX / ASA Port Forwarding

Pete
PIMSupport (author) commented:
Pete,

I'm not able to start from the beginning via the first link you sent because the infrastructure has already been in place. The tech that designed it is no longer with the company, so I am not able to go back to the source. That is the process I need in place, however. We have a block of IP addresses and assign them as we get clients in with Exchange servers. If I go through the process outlined in the article and NAT with no specific port info, will it keep all TCP ports open? That is currently how we have it set up and I am concerned about having that many ports open. I am hoping to find out what ports I need open to not only have mail move but also marry up the proper external IP address and not have them linked to the external interface for the ASA itself. I want to make them as small a target as I can.

Pete Long, Technical Consultant, commented:
>>If I go through the process outlined in the article and NAT with no specific port info that it will keep all TCP ports open?

No, NAT and port opening are done with different things. NAT is done with a NAT rule, and ports are allowed with ACLs.
You only need to open TCP port 25 for email, and HTTPS (TCP 443) if the client is using OWA/Outlook Anywhere/ActiveSync.

That's it, just the two ports.

Pete
PIMSupport (author) commented:
Pete, you are the man. I can't thank you enough. The issue was that the previous tech had all the service-specific NAT statements, which linked them to the outside interface of the firewall regardless of the interface that was designated.
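The pattern the thread converges on, written out in ASA (8.3+) syntax as an added illustration that is not from either participant: the service-specific port forwards bound to the outside interface (the configuration the author found), beside a one-to-one static NAT to the server's own public address with an ACL limited to the two ports Pete names. All addresses, object names and the ACL name are placeholders.

```cisco
! BEFORE (what the author found): per-service NAT tied to the firewall's
! outside interface. Inbound SMTP/HTTPS arrive, but any connection the server
! opens outbound (including mail delivery) misses these rules, falls through to
! the general dynamic PAT, and leaves with the ASA's own outside address, so
! the sending IP no longer matches the MX/PTR records the server advertises.
object network EXCH01_SMTP
 host 10.0.0.25
 nat (inside,outside) static interface service tcp smtp smtp
object network EXCH01_HTTPS
 host 10.0.0.25
 nat (inside,outside) static interface service tcp https https

! AFTER: one-to-one static NAT to the dedicated public address (placeholder
! 203.0.113.25). The translation is bidirectional and covers all ports, so
! outbound mail sources from 203.0.113.25; which inbound ports are actually
! reachable is decided by the ACL below, not by the NAT rule.
object network EXCH01
 host 10.0.0.25
 nat (inside,outside) static 203.0.113.25

! On 8.3+ the ACL references the real (inside) address, i.e. the object itself.
! Only TCP 25 (SMTP) and TCP 443 (OWA / Outlook Anywhere / ActiveSync) are allowed.
access-list OUTSIDE_IN extended permit tcp any object EXCH01 eq smtp
access-list OUTSIDE_IN extended permit tcp any object EXCH01 eq https
access-group OUTSIDE_IN in interface outside

! Pre-8.3 equivalent of the static mapping, for older ASA images:
! static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255

! Verification from the ASA CLI (placeholder client 198.51.100.9):
!   show nat detail                        -> static rule present, hit counts rising
!   show xlate | include 10.0.0.25         -> translation now shows 203.0.113.25
!   packet-tracer input outside tcp 198.51.100.9 12345 203.0.113.25 25
!   packet-tracer input outside tcp 198.51.100.9 12345 203.0.113.25 3389
!     (the first should be allowed, the second dropped by the ACL)
```

Leave any existing general `nat (inside,outside) dynamic interface` rule in place for the rest of the inside hosts; static object NAT is evaluated before dynamic rules, so the Exchange host keeps its dedicated address.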