I added a mail-filtering gateway (Symantec Brightmail) into the configuration. On the mail gateway, I use two NICs: one for incoming mail and one for outgoing mail. I have modified the above mapping to point to the incoming NIC on the mail gateway as below:
Once the incoming mails are filtered, they will be relayed to my Exchange server.
I have configured my Exchange server to relay outgoing mail to the gateway's outgoing NIC (192.168.1.9). The outgoing mail reaches the mail gateway, but I don't know how to configure the ASA to map the outgoing NIC of the mail gateway (192.168.1.9) to my public mail IP address (69.3.216.x).
You won't be able to create another static mapping the 192.168.1.9 internal address to the same external IP address as the .8 server. If you have a spare public IP address allocated from your ISP then you can just create a second static for the outgoing mail, although that will obviously cost you additional money.
However, you may not really need a specific public IP address for outgoing mail. Certainly you need a public one for your incoming mail so that the mail can be properly directed to your incoming mail server, but outgoing mail could be treated just like any other outgoing traffic, couldn't it? What I mean by that is, why do you need a specific public IP for your outgoing mail, why not just let it use the standard nat/global that all your other outgoing traffic is using? That way you wouldn't need a second static nor need a second public IP address.
Not sure if that helps you or not. As I said at the start though, if your outgoing mail must come from a specific IP address then your only option is to get a second public IP address and add a second static. You canNOT create two statics mapping the same external address to two different internal addresses.
Is your SPAM filtering server located on the inside as well? Or is it on a DMZ network? Anyway, let me assume you have the filtering server on the inside just like your Exchange server.
You really want your outbound mails to be filtered..?
In case you did not want that to be filtered, and the Exchange server can send out the emails directly to the internet, then ALONG with the static for the spam filtering server you could have made everything work with a simple dynamic NAT:
nat (inside) 2 192.168.1.8
global (outside) 2 69.3.216.x
Now, let's assume you DO want the outbound emails to be filtered. Then your requirement would be to map several internal IPs (since both servers are on the inside) to one public IP address. We can achieve that using static Policy NAT:
access-list POLICY extended permit tcp any 192.168.1.8
1. When you say you have two NICs on the mail gateway, what subnet do they belong to?
2. How is the mail gateway connected to your mail server? Does your mail server also have two NICs?
3. You mentioned the netmask as 255.255.255.254 in SNAT; what are you trying to achieve by this?
And if you are using any public IP address apart from the one currently configured for the mail server, make sure that you have configured the correct DNS PTR record for that IP pointing to your domain. Otherwise some mail servers will reject mail from your server.
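Added example (not part of the original thread): a check of the reverse DNS for whichever public address outbound mail ends up NATed to. It goes one step beyond the PTR advice above by also confirming that the PTR name resolves back to the same address, which is what many receiving mail servers test. The addresses, host names and the `SAMPLE_*` records are constructed placeholders, and the function names are hypothetical.

```python
import socket

def default_ptr(ip):
    """PTR host names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def default_forward(host):
    """Set of addresses that host resolves to (empty set if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def check_mail_egress(ip, domain, ptr=default_ptr, forward=default_forward):
    """Classify the reverse DNS of the public IP that outbound SMTP leaves from."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr"              # many receivers reject outright
    domain = domain.rstrip(".").lower()
    ours = [n for n in names if n == domain or n.endswith("." + domain)]
    if not ours:
        return "ptr-outside-domain"  # e.g. a generic ISP pool name
    if any(ip in forward(n) for n in ours):
        return "ok"                  # PTR and A record agree
    return "forward-mismatch"        # PTR name does not resolve back to ip

# Constructed sample records so the example runs offline.
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.com."],
    "203.0.113.11": ["host11.isp.example.net."],
    "203.0.113.12": ["mail2.example.com"],
}
SAMPLE_A = {
    "mail.example.com": {"203.0.113.10"},
    "mail2.example.com": {"203.0.113.99"},
}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_forward(host):
    return SAMPLE_A.get(host, set())

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
        print(ip, check_mail_egress(ip, "example.com", sample_ptr, sample_forward))
```

Called without the `ptr` and `forward` arguments, `check_mail_egress` queries the system resolver, so it can be run against the real egress address after any NAT change.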