Did you add your Exchange server to the IronPort's relaylist? "Mail Policies" -> "HAT Overview". Select your Outbound Listener from the dropdown and click the relaylist. The relaylist might be called differently in your setup. It's the "Sender Group" which uses the "Mail Flow Policy" with "Relay" behavior. If you don't have one, you need to create it.
If the RAT is rejecting it then your Exchange server isn't being classified in the RELAYLIST. This could be due to the fact that the Exchange server is going through a device that is NATing the source IP address.
What you need to pay attention to is the information in the logs that contains the ICID (Incoming Connection ID). This will show you the IP address that the IronPort sees and also the Sender Group that the IP address is falling under. Below is an example output:
Mon Jun 11 14:37:49 2007 Info: New SMTP ICID 6349140 interface PublicNet (10.12.23.12) address 10.12.23.55 reverse dns host mybook.bivens.us verified yes
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 RELAY SG RELAYLIST match 10.12.23.0/24 SBRS rfc1918
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 TLS success protocol TLSv1 cipher DES-CBC3-SHA
Mon Jun 11 14:37:49 2007 Info: SMTP Auth: (ICID 6349140) succeeded for user: jbivens using AUTH mechanism: LOGIN with profile: OpenLDAP
Mon Jun 11 14:37:49 2007 Info: Start MID 636797 ICID 6349140
Mon Jun 11 14:37:49 2007 Info: MID 636797 ICID 6349140 From:
Mon Jun 11 14:37:49 2007 Info: MID 636797 ICID 6349140 RID 0 To:
Mon Jun 11 14:37:49 2007 Info: MID 636797 Message-ID ''
Mon Jun 11 14:37:49 2007 Info: MID 636797 Subject 'Test Message for IronPort Nation'
Mon Jun 11 14:37:49 2007 Info: MID 636797 ready 649 bytes from
Mon Jun 11 14:37:50 2007 Info: MID 636797 DomainKeys: signing with bivens-us - matches email@example.com
Mon Jun 11 14:37:50 2007 Info: MID 636797 matched all recipients for per-recipient policy DEFAULT in the outbound table
Mon Jun 11 14:37:50 2007 Info: MID 636797 interim AV verdict using Sophos CLEAN
Mon Jun 11 14:37:50 2007 Info: MID 636797 antivirus negative
Mon Jun 11 14:37:50 2007 Info: MID 636797 queued for delivery
Mon Jun 11 14:37:52 2007 Info: ICID 6349140 close
Mon Jun 11 14:37:53 2007 Info: Delivery start DCID 364856 MID 636797 to RID
Mon Jun 11 14:37:54 2007 Info: Message done DCID 364856 MID 636797 to RID
Mon Jun 11 14:37:54 2007 Info: MID 636797 RID  Response 'ok dirdel'
Mon Jun 11 14:37:54 2007 Info: Message finished MID 636797 done
If you look at the first two lines you'll see the connecting IP address and the second line has a statement for SG (abbreviation for Sender Group) followed by RELAYLIST. Check these two pieces of information and verify that the IP address isn't changing and also what Sender Group the IP address is falling under.
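The check described in the reply above, as an added example that is not part of the original thread: it joins each ICID's connecting address to the Sender Group it was classified into and lists source IPs that missed the relay group. The function names and the second connection in the sample (a NATed address falling into UNKNOWNLIST) are constructed for illustration.

```python
import re

# Constructed sample: the first two lines come from the log output quoted above;
# the second connection (ICID 6349141) is made up to show a NATed source address
# that is classified outside the RELAYLIST.
SAMPLE_LOG = """\
Mon Jun 11 14:37:49 2007 Info: New SMTP ICID 6349140 interface PublicNet (10.12.23.12) address 10.12.23.55 reverse dns host mybook.bivens.us verified yes
Mon Jun 11 14:37:49 2007 Info: ICID 6349140 RELAY SG RELAYLIST match 10.12.23.0/24 SBRS rfc1918
Mon Jun 11 14:40:02 2007 Info: New SMTP ICID 6349141 interface PublicNet (10.12.23.12) address 192.0.2.10 reverse dns host unknown verified no
Mon Jun 11 14:40:02 2007 Info: ICID 6349141 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.1
"""

# Line 1 of a connection: which source address the appliance actually sees.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) interface (\S+) \(([\d.]+)\) address ([\d.]+)")
# Line 2 of a connection: behaviour, Sender Group and the HAT entry that matched.
CLASSIFIED = re.compile(r"ICID (\d+) (\w+) SG (\S+) match (\S+)")


def classify_connections(log_text):
    """Return {icid: details}, joining each connection's source IP to its Sender Group."""
    conns = {}
    for line in log_text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            conns[m.group(1)] = {"interface": m.group(2), "source_ip": m.group(4),
                                 "behaviour": None, "sender_group": None, "matched_on": None}
            continue
        m = CLASSIFIED.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)].update(behaviour=m.group(2), sender_group=m.group(3),
                                     matched_on=m.group(4))
    return conns


def not_relayed(conns, relay_group="RELAYLIST"):
    """Source IPs, as seen by the appliance, that did not land in the relay group."""
    return sorted({c["source_ip"] for c in conns.values()
                   if c["sender_group"] != relay_group})


if __name__ == "__main__":
    conns = classify_connections(SAMPLE_LOG)
    for icid, c in conns.items():
        print(icid, c["source_ip"], c["behaviour"], c["sender_group"], c["matched_on"])
    print("outside relay group:", not_relayed(conns))
```

Any address it reports that should be the Exchange server is the post-NAT address to add to the relay Sender Group.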