Using NAT to change origin IP of outgoing mail

Mortenbk
Level 1

Hello! 

 

I am new to ASDM, so please bear with me if my question does not make sense. 

 

The situation:

We have a Cisco ASA 5505 and a range of IPs going from x.x.x.40 to 46. Two of the IPs are mapped to a sub-domain namely:

x.x.x.42 -> mail.company.com

x.x.x.44 -> vpn.company.com

The outside interface of the ASA is mapped to .44 so people can access the VPN using the vpn.company.com address. Using NAT, people can access the webmail using the mail.company.com address. We have our own mail server on the inside interface of the ASA.

Now, when we send out e-mails they can be traced back to the .44 IP, which is set up with reverse DNS that points back to mail.company.com. However, we have been experiencing that some of our mails are classified as spam, since mail.company.com points to the .42 IP and not the .44 IP.

My question is: is there a way that I can use NAT to translate mails (i.e. SMTP) to be sent from the .42 IP when my outside interface is set up with the .44 IP?

If not, is there any other way I can have my emails sent from the same IP as the mail.company.com subdomain without compromising VPN connectivity? I have full access to the DNS settings of our domain.

 

Thanks in advance! 

Accepted Solutions

Bogdan Nita
VIP Alumni

You can NAT in whatever IP you want. You could also specify the service, so only email traffic will use the .42 IP.

The steps in ASDM should be something like:

Configuration -> Firewall -> NAT Rules -> Add Network Object -> Add Automatic Address Translation Rules
Type: Dynamic PAT
Translated Addr: .42
Advanced -> Service
Protocol: tcp
Real and Mapped port: 25

 

HTH

Bogdan

5 Replies

Thanks for your reply! I tried this earlier with static translation which did not work, but I did not try with Dynamic PAT. I will try this tonight and let you know how it went!

It worked! It actually worked as well with the static route I tried earlier. I have just learned the hard way that the packet trace tool does not take unsaved changes into effect (I was a bit cautious, so I did not dare apply changes I was not sure about).

The header IP will always be the natted IP. Create an SPF record pointing to the .42 IP, which is used for email. This should stop spam.

Hello! Thanks for your reply!

I assume I should do this after implementing Bogdan's solution? I am also looking at the SPF, but I am currently waiting for a reply from the people handling our newsletter since they changed the SPF record to make it work with MailChimp. 
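
An added example, not part of the thread: the check that receiving mail servers commonly apply to the connecting IP is forward-confirmed reverse DNS (the PTR name must resolve back to the same address), which is why mail leaving from .44 was scored as spam while mail.company.com resolved to .42. The sketch below runs that check over constructed DNS data; the 203.0.113.x addresses stand in for the masked x.x.x.40-46 block, and the PTR record for .42 is an assumption that has to hold on the real zone for the NAT change to help.

```python
import ipaddress

# Constructed DNS data: 203.0.113.0/24 (documentation range) stands in for
# the thread's masked x.x.x.40-46 block. The PTR for .42 is an assumption.
PTR = {
    "203.0.113.44": ["mail.company.com"],
    "203.0.113.42": ["mail.company.com"],
}
A = {
    "mail.company.com": ["203.0.113.42"],
    "vpn.company.com": ["203.0.113.44"],
}


def fcrdns(source_ip, ptr_records, a_records):
    """Forward-confirmed reverse DNS check.

    Returns (ok, reason). ok is True only when some PTR name of source_ip
    resolves forward to source_ip again.
    """
    ip = ipaddress.ip_address(source_ip)
    names = ptr_records.get(str(ip), [])
    if not names:
        return False, "no PTR record"
    for name in names:
        key = name.rstrip(".").lower()
        for addr in a_records.get(key, []):
            if ipaddress.ip_address(addr) == ip:
                return True, f"{key} confirms {ip}"
    return False, f"PTR {names} does not resolve back to {ip}"


def check_egress(ips, ptr_records=PTR, a_records=A):
    """Run the check for each candidate SMTP egress address."""
    return {ip: fcrdns(ip, ptr_records, a_records) for ip in ips}


if __name__ == "__main__":
    # .44 = outside interface (before the NAT rule), .42 = after the NAT rule
    for ip, (ok, reason) in check_egress(["203.0.113.44", "203.0.113.42"]).items():
        print(f"{ip}: {'PASS' if ok else 'FAIL'} ({reason})")
```

Swapping the two dictionaries for live lookups gives a quick post-change verification to run alongside the SPF record update discussed above.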
