Internal to external NAT for Exchange

I have a client who bought an ASA 5505 and asked me to replace the existing firewall.
As I am not an expert in Cisco, I sought help from a friend and did it.
Now if I send an email from Exchange it goes out with the internet/gateway IP, not the email server's dedicated IP.
If I check whatismyip I get the gateway IP.
I have done this many times on Sophos and Fortinet but I am not good with ASA.
Is there anyone who is good with Cisco who can guide me?

Thanks
MASEE Solution Guide - Technical Dept Head asked:
Pete Long, Technical Consultant, commented:
No problem, you need a static NAT to the Exchange's public IP.

! ACL applied inbound on the outside interface (on 8.3+ code it names the real inside IP)
access-list inbound permit tcp any host 172.16.254.1
access-group inbound in interface outside
! one-to-one static NAT: outbound traffic from this host now leaves from 123.123.123.123
object network obj-Exchange-Server
 host 172.16.254.1
 nat (inside,outside) static 123.123.123.123

e.g. inside IP is 172.16.254.1, outside IP is 123.123.123.123.

And read my warning here before executing the access-group command!
Pete Long, Technical Consultant, commented:
And make sure you disable ESMTP inspection or the Exchange won't send.

Cisco ASA Disable ESMTP Inspection


Pete
Pete Long, Technical Consultant, commented:
Oops, change the ACL:

access-list inbound permit tcp any host 172.16.254.1 eq smtp

or, if you need OWA as well:

access-list inbound permit tcp any host 172.16.254.1 eq https
MASEE Solution Guide - Technical Dept Head (author) commented:
Hi Pete,
Thanks for your quick reply.

-->or if you need OWA as well.
access-list inbound permit tcp any host 172.16.254.1 eq https

Emails go out from the Edge server (192.168.1.22) and OWA traffic comes in to the Exchange CAS (192.168.1.30).

So I will use these commands on the ASA to send email with source IP 123.123.123.123:

access-list inbound permit tcp any host 192.168.1.100 eq smtp
access-group inbound in interface outside
object network obj-Exchange-Server
 host 192.168.1.100
 nat (inside,outside) static 123.123.123.123

Let's assume my Exchange Edge server IP is 192.168.1.100 and the public IP of Exchange is 123.123.123.123.

BTW, I already have these ACLs in place:
access-list from_outside extended permit icmp any any echo
access-list inside_access_in remark OUTBOUND_ACCESS
access-list inside_access_in extended permit ip any any
access-list EXIN remark EMAIL_SERVER ACCESS
access-list EXIN extended permit tcp any host 123.123.123.123 eq smtp
access-list EXIN extended permit tcp any host 123.123.123.123 eq https
access-list EXIN extended permit tcp any host 123.123.123.123 eq www
access-list EXIN remark SKYPE_ACCESS
access-list EXIN extended permit tcp any host 123.123.123.124 eq https
access-list EXIN extended permit tcp any host 123.123.123.124 eq 5061
access-list EXIN extended permit tcp any host 123.123.123.124 eq 5269
access-list EXIN extended permit tcp any host 123.123.123.125 eq www
access-list EXIN extended permit tcp any host 123.123.123.126 eq https
access-list EXIN extended permit tcp any host 123.123.123.126 eq 3478
access-list EXIN extended permit tcp any host 123.123.123.126 range 50000 59999
access-list EXIN extended permit tcp any host 123.123.123.127 eq https
access-list EXIN extended permit tcp any host 123.123.123.128 eq https
Pete Long, Technical Consultant, commented:
How old is the code on the firewall (show version)? After version 8.3 you allow traffic to the private translated IP, not the public IP.
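The three points Pete raises above (a static object NAT, an inbound ACL that on 8.3+ code names the real inside IP rather than the public one and is limited to smtp/https, and ESMTP inspection turned off) can be checked mechanically before and after the change. The script below is an added example written for this page, not code from the thread or from Cisco: it parses a constructed ASA 8.3+ running config (both samples are made up for the example) and reports each of those mistakes. It assumes post-8.3 object NAT syntax, ACL entries with an `any` source, and Cisco's default `policy-map global_policy` / `class inspection_default` names; the `no inspect esmtp` it recommends is the standard way to drop that inspection under the default class. Note that the Skype for Business config posted further down uses the pre-8.3 `static (inside,outside)` form, so checking `show version` first, as Pete suggests, matters: on pre-8.3 code the ACL still names the public IP and this linter does not apply.

```python
"""Added example, not from the original thread: lint an ASA 8.3+ running config
for the mistakes discussed above (ACL written against the public IP, an ACL entry
with no port, ESMTP inspection left on). Assumes post-8.3 object NAT syntax,
ACL entries with an 'any' source, and the default policy-map/class names."""
import re
from typing import Dict, List

# Constructed sample: roughly what the thread started with.
BAD_CFG = """\
object network obj-Exchange-Server
 host 192.168.1.100
 nat (inside,outside) static 123.123.123.123
access-list EXIN extended permit tcp any host 123.123.123.123 eq smtp
access-list EXIN extended permit tcp any host 123.123.123.123 eq https
access-list EXIN extended permit tcp any host 192.168.1.100
access-group EXIN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
  inspect esmtp
"""

# Constructed sample: the 8.3+ way (real IP in the ACL, ports restricted, 'no inspect esmtp' applied).
GOOD_CFG = """\
object network obj-Exchange-Server
 host 192.168.1.100
 nat (inside,outside) static 123.123.123.123
access-list EXIN extended permit tcp any host 192.168.1.100 eq smtp
access-list EXIN extended permit tcp any host 192.168.1.100 eq https
access-group EXIN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (tcp|udp|ip) any "
                    r"(?:host )?(\S+)(?: eq (\S+)| range (\S+) (\S+))?\s*$")

def parse_object_nat(cfg: str) -> Dict[str, Dict[str, str]]:
    """object name -> {'real': inside IP, 'mapped': public IP} for each static object NAT."""
    objs: Dict[str, Dict[str, str]] = {}
    current = None
    for line in cfg.splitlines():
        m = re.match(r"^object network (\S+)", line)
        if m:
            current = m.group(1)
            objs[current] = {}
        elif current and line.startswith(" "):
            h = re.match(r"^\s+host (\S+)", line)
            n = re.match(r"^\s+nat \(\S+,\S+\) static (\S+)", line)
            if h:
                objs[current]["real"] = h.group(1)
            if n:
                objs[current]["mapped"] = n.group(1)
        else:
            current = None  # any other top-level line ends the object block
    return {k: v for k, v in objs.items() if "real" in v and "mapped" in v}

def parse_inbound_acl(cfg: str) -> List[dict]:
    """Permit entries of the ACL applied inbound on the outside interface."""
    bound = re.search(r"^access-group (\S+) in interface outside", cfg, re.M)
    entries: List[dict] = []
    for line in cfg.splitlines() if bound else []:
        m = ACE_RE.match(line)
        if m and m.group(1) == bound.group(1):
            port = f"{m.group(5)}-{m.group(6)}" if m.group(5) else m.group(4)
            entries.append({"proto": m.group(2), "dst": m.group(3), "port": port})
    return entries

def esmtp_inspection_enabled(cfg: str) -> bool:
    """True while 'inspect esmtp' sits under class inspection_default of global_policy."""
    in_policy = in_class = False
    for line in cfg.splitlines():
        if line.startswith("policy-map "):
            in_policy, in_class = line.split()[1:2] == ["global_policy"], False
        elif in_policy and re.match(r"^\s+class \S+$", line):
            in_class = line.split()[1] == "inspection_default"
        elif in_policy and in_class and re.match(r"^\s+inspect esmtp\b", line):
            return True
        elif not line.startswith(" "):
            in_policy = in_class = False
    return False

def audit(cfg: str) -> List[str]:
    """Return one finding per problem; an empty list means the config is clean."""
    findings: List[str] = []
    mapped_to_real = {v["mapped"]: v["real"] for v in parse_object_nat(cfg).values()}
    for e in parse_inbound_acl(cfg):
        if e["dst"] in mapped_to_real:
            # On 8.3+ the ACL is evaluated after un-NAT, so this entry never matches.
            findings.append(f"ACL permits to mapped IP {e['dst']}: on 8.3+ code use "
                            f"the real IP {mapped_to_real[e['dst']]} instead")
        elif e["dst"] in mapped_to_real.values() and e["port"] is None:
            findings.append(f"ACL permits all {e['proto']} to {e['dst']}: restrict it "
                            f"to the ports Exchange needs (smtp, https)")
    if esmtp_inspection_enabled(cfg):
        findings.append("inspect esmtp is on in global_policy: apply 'policy-map "
                        "global_policy' / 'class inspection_default' / 'no inspect esmtp'")
    return findings
```

Paste the output of `show running-config` in place of the samples and call `audit()` on it. On the constructed samples, `audit(BAD_CFG)` returns four findings (the two entries written against the mapped IP, the unported entry, and the ESMTP inspection) and `audit(GOOD_CFG)` returns an empty list. The linter only understands `any`-source entries and single-host object NAT, which is all this thread needs; object-group sources such as the SFB ACLs below are simply skipped.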
MASEE Solution Guide - Technical Dept Head (author) commented:
object-group network SFB_AV_NET
 network-object host 96.73.118.9

object-group service SFB_AV_SERVICE
 service-object tcp eq https
 service-object tcp-udp eq 3478
 service-object tcp-udp range 50000 59999

object-group network SIP_SERVERS
 network-object host 74.112.29.40

! --- for class inspect
access-list SIP_TRAFFIC extended permit ip any object-group SIP_SERVERS
access-list SIP_TRAFFIC extended permit ip object-group SIP_SERVERS any
! --- missing permissions on server 96.73.118.10
access-list EXIN line 16 extended permit udp any host 96.73.118.10 eq 3478
! --- to allow the port range
access-list EXIN line 9 extended permit object-group SFB_AV_SERVICE any object-group SFB_AV_NET

! --- to remove unnecessary lines ---
no access-list EXIN line 13 extended permit tcp any host 96.73.118.9 range 50000 59999
no access-list EXIN line 12 extended permit tcp any host 96.73.118.9 eq 3478
no access-list EXIN line 11 extended permit tcp any host 96.73.118.9 eq https
! --- to modify the NAT in order to allow the port range
no static (inside,outside) tcp 96.73.118.9 3478 192.168.1.39 3478 netmask 255.255.255.255
no static (inside,outside) tcp 96.73.118.9 https 192.168.1.39 https netmask 255.255.255.255
static (inside,outside) 96.73.118.9 192.168.1.39 netmask 255.255.255.255

class-map inspect_sip
 match access-list SIP_TRAFFIC
policy-map global_policy
 class inspect_sip
  inspect sip


This is what I did with help from another expert.

Anyway, thanks a lot.

MASEE Solution Guide - Technical Dept Head (author) commented:
Thanks