12-14-2011 07:58 AM - edited 03-11-2019 03:02 PM
Hello,
I'm in need of some help here; we have multiple public IPs.
1 is used for our ASA outside interface (.179)
1 is used for PAT for SMTP with our mail server (.178)
I'm not able to resolve my problem. Our MX record and rDNS are set up to use (.178), but each time I'm sending email, if I look in the header, the IP it was sent from is always .179 (the outside interface), and sometimes mail bounces back with NO rDNS set up for .179. Can someone explain to me where the problem is and where I should look to make sure my email goes out by .178? (I'm guessing that's a PAT or NAT problem.)
Here more details,
Exch_PAT1 - Is our .178
DuchExc - Is our Internal Mail server
Here is part of my config
global (outXXX) 1 interface
access-list no_nat_acl extended permit ip object-group inside_network object-group vpnusers_network
access-list no_nat_acl extended permit ip object-group inside_network VLAN_100 255.255.255.0
access-list outside_in extended permit tcp any host Exch_PAT1 eq smtp
access-list LAN_access_in extended permit tcp host DuchExc host Exch_PAT1 eq smtp
nat (inside) 0 access-list no_nat_acl
nat (inside) 1 Internal_network 255.255.0.0
static (inside,outXXX) tcp Exch_PAT1 smtp DuchExc smtp netmask 255.255.255.255
static (inside,outXXX) tcp Exch_PAT1 https DuchExc https netmask 255.255.255.255
static (inside,outXXX) tcp Exch_PAT1 pop3 DuchExc pop3 netmask 255.255.255.255
access-group outside_in in interface outXXX
access-group LAN_access_in in interface inside
route outXXX 0.0.0.0 0.0.0.0 X.X.X.177 1
Thanks in advance for your help,
Nicholas T.
12-14-2011 09:31 AM
Hello Nicholas,
It is a NAT problem.
The problem here is that you are using port-forwarding and this is just for inbound traffic, so all the outbound traffic from that server will take the outside interface ip address (because of the PAT) so if you need to change this you will need to do a static one to one translation from that server.
Please rate helpful posts.
Regards,
Julio
12-14-2011 10:43 AM
Hello Jcarvaja,
Ok, I tried just adding those 2 lines:
static (inside,outXXX) Exch_PAT1 DuchExc netmask 255.255.255.255
static (outXXX,inside) DuchExc Exch_PAT1 netmask 255.255.255.255
It works, but now I'm not sure I understand correctly. I know from what you told me that I didn't have the one for outbound traffic. But what about being specific for the port? I'm guessing for a specific port it is defined in the ACL and not in the NAT?
Thanks for clarifying this and thanks for your help,
Nicholas T.
12-14-2011 11:05 AM
Hello Nicholas,
The thing is:
Port-forwarding: It's only for inbound traffic.
PAT: It's only for outbound traffic.
Static: Bi-directional traffic.
So in this scenario, as soon as you send an email, the source IP address (inside host) will be NATted to the outside interface IP address (PAT, because outbound traffic will match that NAT rule), as per your NAT configuration.
So on the outside world the users are going to see the SMTP traffic coming from the ASA's outside IP address, so by creating a static one-to-one, the ASA will now use that static entry in the NAT configuration for the SMTP traffic.
The NAT order on versions 8.2 and older is the following:
-NAT exempt (nat 0 with ACL)
-Static NAT
-Policy NAT/port-forwarding
-Dynamic NAT/PAT
Let me know if this explains the scenario a little bit more, or if there is something else I can do for you.
Please rate helpful posts.
Julio
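The NAT lookup order Julio describes, modelled as a small Python simulation so the "why" can be checked rather than taken on faith. This is an added example, not code from the thread or from Cisco: the public addresses are placeholders (the thread masks its real ones), the private addresses and the remote MX are constructed, and the rule kinds are the four tiers Julio lists. It reproduces why the original port-forward-only configuration sends outbound mail from the outside interface address, why the one-to-one static fixes it, and, going a step beyond the thread, also shows the NAT-exempt and ordinary-workstation cases under the same rule set.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder / constructed addresses (the thread masks the real ones):
OUTSIDE_IF = "203.0.113.179"    # ASA outside interface, the thread's .179
EXCH_PAT1 = "203.0.113.178"     # public mail address, the thread's .178
DUCHEXC = "10.10.10.25"         # internal Exchange server (constructed)
INTERNAL_NET = "10.10.0.0/16"   # stands in for Internal_network 255.255.0.0
VPN_NET = "10.20.0.0/24"        # stands in for vpnusers_network (constructed)
REMOTE_MX = "198.51.100.10"     # constructed remote mail exchanger
EPHEMERAL = 49152               # typical client-side source port


@dataclass
class Flow:
    """An inside->outside connection as seen before translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    kind: str                 # "exempt" | "static" | "portfwd" | "pat"
    local: str = ""           # inside host or network
    mapped: str = ""          # address presented on the outside
    proto: str = ""           # portfwd only
    port: int = 0             # portfwd only (the forwarded port)
    exempt_to: tuple = ()     # exempt only: destinations excluded from NAT


# ASA 8.2-era lookup order from the thread: exempt, static, policy/port-forward, PAT.
ORDER = {"exempt": 0, "static": 1, "portfwd": 2, "pat": 3}


def matches(rule: Rule, flow: Flow) -> bool:
    src = ip_address(flow.src_ip)
    if rule.kind == "exempt":
        return src in ip_network(rule.local) and any(
            ip_address(flow.dst_ip) in ip_network(n) for n in rule.exempt_to)
    if rule.kind == "static":
        return flow.src_ip == rule.local
    if rule.kind == "portfwd":
        # A port-forward static only covers a flow whose *source* port is the
        # forwarded port. Mail the server sends uses an ephemeral source port,
        # so the rule never applies to it: "port-forwarding is only inbound".
        return (flow.src_ip == rule.local and flow.proto == rule.proto
                and flow.src_port == rule.port)
    if rule.kind == "pat":
        return src in ip_network(rule.local)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def outbound_source(flow: Flow, rules: list) -> tuple:
    """Return (source IP seen on the outside, kind of rule that decided it)."""
    for rule in sorted(rules, key=lambda r: ORDER[r.kind]):
        if matches(rule, flow):
            if rule.kind == "exempt":
                return flow.src_ip, "exempt"
            return rule.mapped, rule.kind
    # No NAT rule matched; what happens next depends on nat-control (not modelled).
    return flow.src_ip, "none"


# Nicholas's original configuration: exemption, three port-forwards, dynamic PAT.
ORIGINAL = [
    Rule("exempt", local=INTERNAL_NET, exempt_to=(VPN_NET,)),
    Rule("portfwd", local=DUCHEXC, mapped=EXCH_PAT1, proto="tcp", port=25),
    Rule("portfwd", local=DUCHEXC, mapped=EXCH_PAT1, proto="tcp", port=443),
    Rule("portfwd", local=DUCHEXC, mapped=EXCH_PAT1, proto="tcp", port=110),
    Rule("pat", local=INTERNAL_NET, mapped=OUTSIDE_IF),
]
# Same rules plus the one-to-one static that was added afterwards.
WITH_STATIC = ORIGINAL + [Rule("static", local=DUCHEXC, mapped=EXCH_PAT1)]


def mail_source(rules: list) -> str:
    """Source IP a remote MX sees when the Exchange server delivers mail."""
    flow = Flow(DUCHEXC, EPHEMERAL, REMOTE_MX, 25)
    return outbound_source(flow, rules)[0]


if __name__ == "__main__":
    print("port-forward only :", mail_source(ORIGINAL))     # outside interface
    print("with 1:1 static   :", mail_source(WITH_STATIC))  # Exch_PAT1
    ws = Flow("10.10.50.7", EPHEMERAL, REMOTE_MX, 443)
    print("workstation       :", outbound_source(ws, WITH_STATIC))
    vpn = Flow(DUCHEXC, EPHEMERAL, "10.20.0.5", 25)
    print("to VPN users      :", outbound_source(vpn, WITH_STATIC))
```

The practical check this encodes: whichever address `mail_source` returns is the one that must carry the MX-matching rDNS record (and any SPF entry); with only the port-forward statics it is the interface address, which is exactly the mismatch that produced the bounces.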