Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
423
Views
0
Helpful
2
Replies

Port translation in router causing some email to fail

danielmroberts
Level 1
Level 1

‎08-05-2010 01:40 PM - edited ‎03-11-2019 11:21 AM

We are in the process of setting up a spam filter  (SAVASM). One change we are making is to push incoming email on port 25  through our spam filter/server but have users actually send their email  on a different port. I am attempting to make this happen by using port  address translation to send port 25 traffic to the SAVASM server IP.

As a step in making this change I setup port translation without  actually changing the IP addresses. The NAT rules for the email server  went from one Static NAT rule with no port specified, to multiple Static  NAT rules each with a port or group matching the Access Rules for that  server (smtp, pop3, http, https, and some other custom ports).

The problem we are running into is confusing. Some outgoing mail  through this server is failing when the router has the multiple NAT  rules with port translation settings. Email goes through fine FROM our  email to our internal accounts and to Gmail. However email fails when  FROM our client's email address TO our client's email or their personal  Comcast. The only situation that worked for them was if they changed  FROM to Comcast and then messages went through fine to both Comcast and  the client's accounts. Switching back to regular Static NAT rule  everything then worked for them.

Does anyone have a clue as to what might be going on? We are on a  Cisco ASA 5500 box. Thansk

Labels:
0 Helpful
2 Replies 2

August Ritchie
Level 1
Level 1

‎08-05-2010 02:09 PM

Hmm, I think I have seen issues like this and the true problem was that when the server would go out, it would use the interface IP like a normal host instead of whatever IP address was on the PAT statement.

So like if you are patting with something like this

static (inside,outside) tcp 5.5.5.5 25 192.168.1.5 25

You sometimes need to add something like

nat (inside) 55 192.168.1.5 255.255.255.255

global (outside) 55 5.5.5.5

That way you appear as 5.5.5.5 when you go out.

0 Helpful

danielmroberts
Level 1
Level 1
In response to August Ritchie

‎08-06-2010 09:58 AM

I gave up getting port translation going and went with two unique IP addresses. Thanks anyway for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card