How to configure outgoing NAT for a SMTP server

Unanswered Question
Aug 30th, 2010

I have web servers behind the ASA5500 that use an SMTP server to send email traffic.  I need some assistance in configuring the router so that the email messages are from the desired IP address.  Currently, all SMTP messages are sent using the router's public IP address.  I have an inbound NAT entry to translate a public IP to a private one for reverse lookup.  Whenever it tries to reverse lookup, it fails because the originating address is not the one coded in the A record for that address, e.g. mail.test.com A record = 222.333.444.555.  The router address is different.


I am assuming that when an SMTP server sends an outgoing email, it uses the first IP address configured on the server.  In my case, I have an address of 192.168.1.50 as the first, but the server also has IPs 192.168.1.100-120, which are part of an NLM cluster (server farm).  Not sure if the network load balancing stuff matters, but how do I tell which IP address the SMTP server will use when sending the outgoing message?  Seems that that address must be coded in the NAT table.


I suspect that this is a simple NAT entry, but I have tried it and can't get it to work.  Can someone provide me the CLI syntax to add a NAT rule for this?

Nagaraja Thanthry Mon, 08/30/2010 - 11:00

Hello,


Please try the following on the ASA:


global (outside) 199


access-list Mail permit tcp any any eq 25


nat (inside) 199 access-list Mail


This will ensure that all IP addresses used by the mail server use the desired IP when sending mail to outside servers (on port 25).


Hope this helps.


Regards,


NT

davealessi Mon, 08/30/2010 - 11:06

Thanks for your response.  I am a rookie at configuring the ASA.


What in this example sets the desired IP?

Nagaraja Thanthry Mon, 08/30/2010 - 11:16

Hello,


My earlier email to this post was truncated for some reason.


It will be:


global (outside) 199


Regards,


NT

Nagaraja Thanthry Mon, 08/30/2010 - 11:18

Hello,


My earlier email to this post was truncated for some reason.


It will be:


global (outside) 199 "public IP"


Regards,


NT

davealessi Mon, 08/30/2010 - 13:33

I still don’t understand. I would expect to see an IP address that is the public address. Is 199 an IP address?


I am a novice at ASA CLI. I will type in what you give me. There is nothing here that can define the IP address.


Dave

Nagaraja Thanthry Mon, 08/30/2010 - 13:43

Hello,


If we assume that the FQDN address for your SMTP server is 100.1.1.1, then


global (outside) 199 100.1.1.1


One way to find that address would be to use "nslookup" and type your mail server's FQDN name


Example:


nslookup smtp.yahoo.com


Hope this helps.


Regards,


NT

davealessi Tue, 08/31/2010 - 05:23

Thank you for your assistance...


Here are the commands that I entered:


global (outside) 199 xxx.xxx.xxx.xxx (where xxx is the public address)

access-list Mail permit tcp any any eq 25

nat (inside) 199 access-list Mail


This does appear to work for outgoing mail. Now, my email from the server is from the address above (xxx).


The reverse lookup still fails however. I cannot access the SMTP server using telnet. I have the port opened:

In the GUI, it shows:

Inside 192.168.1.119


Outside xxx.xxx.xxx.xxx (my public address)

Enable port translation smtp,smtp


Also, I have the Security policy set to enable traffic from any to the destination IP of my public address.


Any ideas on why I cannot access the SMTP server? BTW, I can access it from inside the firewall.
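
The condition this thread starts from, that the address the ASA presents for outbound SMTP must agree with the mail host's A and PTR records, can be checked directly. The following is an added example, not part of any post in the thread; the host names and 203.0.113.x addresses are constructed sample data, and the function names are hypothetical.

```python
import socket

def dns_ptr(ip):
    """Live PTR lookup; raises OSError when no record exists."""
    return socket.gethostbyaddr(ip)[0]

def dns_a(name):
    """Live IPv4 A lookup; raises OSError when the name does not resolve."""
    infos = socket.getaddrinfo(name, 25, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_mail_identity(egress_ip, mail_fqdn, ptr=dns_ptr, a=dns_a):
    """Return a list of mismatches between the NAT egress IP and DNS."""
    problems = []
    want = mail_fqdn.rstrip(".").lower()
    try:
        if egress_ip not in a(want):
            problems.append("A record for %s does not include %s" % (want, egress_ip))
    except OSError:
        problems.append("%s does not resolve" % want)
    try:
        ptr_name = ptr(egress_ip).rstrip(".").lower()
    except OSError:
        problems.append("no PTR record for %s" % egress_ip)
        return problems
    if ptr_name != want:
        problems.append("PTR for %s is %s, not %s" % (egress_ip, ptr_name, want))
    try:
        confirmed = egress_ip in a(ptr_name)
    except OSError:
        confirmed = False
    if not confirmed:
        problems.append("PTR name %s does not resolve back to %s" % (ptr_name, egress_ip))
    return problems

# Constructed sample zone (documentation addresses, not from the thread).
SAMPLE_A = {"mail.example.test": ["203.0.113.10"], "fw.example.test": ["203.0.113.1"]}
SAMPLE_PTR = {"203.0.113.10": "mail.example.test", "203.0.113.1": "fw.example.test"}

def sample_a(name):
    if name not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[name]

def sample_ptr(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR")
    return SAMPLE_PTR[ip]

if __name__ == "__main__":
    # Before the policy NAT: mail leaves from the firewall's interface address.
    print(check_mail_identity("203.0.113.1", "mail.example.test", sample_ptr, sample_a))
    # After: mail leaves from the address published for the mail host.
    print(check_mail_identity("203.0.113.10", "mail.example.test", sample_ptr, sample_a))
```

Called with only the first two arguments, the check uses the system resolver instead of the sample zone.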
