We are setting up a GWAVA SMTP filter appliance (IP address 10.10.10.1) that needs incoming SMTP traffic redirected to it. I still need the mail server (IP address 10.10.10.2) to have a one-to-one NAT translation to an outside IP address (188.8.131.52).
The way I have it set up now, SMTP traffic is being redirected to our GWAVA filter, and outside users can still connect their email clients to the internal mail server. However, outbound mail generated by our email server is being sent out of a different external IP (184.108.40.206), causing some emails to get returned because they don't match the MX records.
It seems simple enough, but when I create a static NAT rule mapping 10.10.10.2 to the outside IP 220.127.116.11, it seems to overrule the SMTP redirect rule.
Could someone give me a set of simple commands to add these rules?
Your setup isn't unique. There are many clients out there that have this same setup running, so this should be easy to resolve. Are you able to paste your latest show running-config here, so that I can advise you accordingly on what needs to be added/removed?
Ramraj Sivagnanam Sivajanam
Technical Specialist/Service Delivery Manager – Managed Service Department
I didn't really understand your scenario. Please correct me if I am wrong.
Your incoming SMTP requests alone need to be pointed to the GWAVA SMTP filter appliance (10.10.10.1, which is translated from 18.104.22.168). But your outbound SMTP requests have to be pointed to your SMTP server (10.10.10.2, which is translated to 22.214.171.124). But now your SMTP requests which are going out are also getting translated to 126.96.36.199 and getting bounced, right?
Please let me know; I will suggest you some ideas.
Sorry for the delay. I got the SMTP redirect working along with the outgoing mail being mapped correctly. However, I have a new issue now; I posted parts of my sh run output below.
I believe the issue I need to figure out is called "hairpinning", but I'm not sure. I'm running ASA 8.3, by the way.
The issue is, the GWAVA filter sends out digests where users can click on a link to release any quarantined mail. The link can be edited, but right now it uses the internal IP address of the GWAVA filter (10.10.10.1), so internally the link works perfectly. However, on the public side the link obviously doesn't work because it can't see 10.10.10.1. So I wanted to put in the public IP of the mail server, 188.8.131.52, and just have the ASA redirect port 49285 to the internal GWAVA appliance (10.10.10.1). Now this works perfectly on the outside and the redirect for port 49285 is working, but it doesn't work on the inside because users can't see the external IP of the GWSRV mail server, 184.108.40.206.
Everything I've read seems to point to hairpinning, but I can't seem to get the right configuration. I just need internal requests for 220.127.116.11 on port 49285 to be directed to the GWAVA internal IP 10.10.10.1 so the "Release" link in those emails works on both the public and private side of the firewall.
I also have a Cisco 3560 L3 switch in place on the network that all hosts use as their default gateway. The default gateway of that switch is the ASA device, so I'm not sure if that's interfering either. We have an internal DNS server, 10.10.10.4, that resolves the mail server domain name to its internal IP, 10.10.10.2.
Any help would be greatly appreciated!!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.10.3 255.0.0.0
!
interface GigabitEthernet0/3
 speed 100
 duplex full
 nameif outside
 security-level 100
 ip address 18.104.22.168 255.255.255.224
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object service GWClient
 service tcp destination eq 1677
object network GWAVA
 host 10.10.10.1
object network GWSRV
 host 10.10.10.2
object service GWWEB
 service tcp destination eq www
object service QMS
 service tcp destination eq 49285
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network obj_any
 service-object object GWClient
 service-object object GWWEB
 service-object object QMS
 service-object object SMTP
!
access-list outside_in extended permit object-group DM_INLINE_SERVICE_2 any host 10.10.10.1
access-list outside_in extended permit object-group DM_INLINE_SERVICE_1 any host 10.10.10.2
access-list outside_in extended deny ip any any
!
access-list inside_access_in extended permit ip object 10.0.0.0 any
access-list inside_access_in extended deny ip any any
!
nat (outside,inside) source static any any destination static A_22.214.171.124 GWAVA service SMTP SMTP unidirectional
nat (outside,inside) source static any any destination static A_126.96.36.199 GWAVA service QMS QMS unidirectional
nat (outside,any) source static any any destination static A_188.8.131.52 GWSRV service GWClient GWClient unidirectional
nat (outside,any) source static any any destination static A_184.108.40.206 GWSRV service GWWEB GWWEB unidirectional
nat (inside,outside) source static GWSRV A_220.127.116.11 unidirectional
!
object network 10.0.0.0
 nat (inside,outside) dynamic interface
!
access-group inside_access_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 18.104.22.168 1
I understand your concern. So you need to do NAT from outside to inside using general NAT, and use the NAT hairpinning concept when the request comes locally from the LAN. It should take the local address instead of the public one, so that it will go through.
Yes. You should have the following command enabled for this reverse turn for local requests:
same-security-traffic permit intra-interface. This will allow traffic to go in and out on the same interface.
static (inside,outside) 22.214.171.124 10.10.10.1
static (inside,inside) 126.96.36.199 10.10.10.1
Make some alterations as per your 8.3 version commands; I am still not used to that one. But this is the concept. When the request comes from the LAN network on the inside, it translates to 10.10.10.1 and goes locally using the intra-interface setting. When it comes from outside, it will go through the static NAT from public to private.
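The same hairpin in ASA 8.3 twice-NAT syntax, as an added example that is not part of the thread or of either poster's config. It reuses the object names from the posted running-config (GWAVA, QMS, and the A_ network object paired with them in the existing outside-to-inside QMS rule); the A_ object's definition is not in the posted excerpt, so the host line for it below is an assumption, and the client address used in the packet-tracer check is made up for the test. The one detail the pre-8.3 version above does not spell out is the source translation: because the 3560 is the hosts' default gateway and every host is on the same 10.0.0.0/8, GWAVA would otherwise answer the client directly across the LAN, the ASA would see only one half of the TCP session, and it would drop the connection. Translating the source to the ASA's inside interface address forces the reply back through the firewall.

```cisco
! Added example for the 8.3 hairpin (not from the thread).
! Lets an inside host open <public IP>:49285 from the GWAVA digest link
! and be redirected to the appliance at 10.10.10.1.

! Already present in the posted config; required for a packet to enter
! and leave the same interface.
same-security-traffic permit intra-interface
!
! Objects as posted (re-entering an existing object with the same
! content is harmless).
object network GWAVA
 host 10.10.10.1
object service QMS
 service tcp destination eq 49285
! Assumed definition of the existing public-address object used by the
! outside->inside QMS rule; its definition is not in the excerpt.
object network A_126.96.36.199
 host 126.96.36.199
!
! Hairpin rule. Real and mapped interface are both "inside".
!   source dynamic any interface : PAT the client to the ASA inside
!                                  address (10.10.10.3) so GWAVA replies
!                                  via the ASA, not straight to the client
!   destination static A_... GWAVA: public IP -> 10.10.10.1
!   service QMS QMS              : only TCP/49285, port unchanged
nat (inside,inside) source dynamic any interface destination static A_126.96.36.199 GWAVA service QMS QMS
!
! Check from the ASA CLI with a made-up inside client address. The NAT
! phase should show the (inside,inside) rule being hit, and the result
! should be "allow" with the packet leaving the inside interface toward
! 10.10.10.1.
packet-tracer input inside tcp 10.10.10.50 40000 126.96.36.199 49285
```

Two practical notes. Manual (twice) NAT rules are evaluated in order, so the (inside,inside) rule is unaffected by the existing auto-NAT for object 10.0.0.0, but if the hairpin ever stops matching, `show nat` with its hit counters is the first thing to look at. DNS doctoring (the `dns` keyword on an object NAT) is not an alternative here: the digest link carries a literal IP address, and the internal resolver at 10.10.10.4 answers queries without them ever crossing the ASA, so there is nothing for the firewall to rewrite.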