754 Views, 0 Helpful, 8 Replies

exchange server using interface IP after migrating from 8.2 to 9.1

najeeb_v
Level 1

Hi,

I recently upgraded an ASA pair from 5510 (ASA OS 8.2) to 5512 (ASA OS 9.1). Many of the services are working fine, including VPN, after some tweaking and modifications in the new configuration; however, the Exchange server is not sending the traffic from its designated public IP which is mentioned in the NAT statements. Exchange is using the public interface IP of the firewall for outbound communication. If I try to telnet from outside to the public IP addresses of the Exchange server, it gives a proper response. Kindly help me with this issue. I believe this is some NAT-related issue.

 

OLD configuration (relevant part only)

access-list out_in extended permit tcp any host 213.42.201.35 eq www 
access-list out_in extended permit tcp any host 213.42.201.35 eq https
access-list out_in extended permit icmp any host 213.42.201.35
access-list out_in extended permit tcp any host 213.42.201.35 eq smtp 

static (DMZ,outside) tcp 213.42.201.35 www 172.16.2.200 www netmask 255.255.255.255
static (inside,outside) tcp 213.42.201.35 https 192.168.190.57 https netmask 255.255.255.255

static (DMZ,outside) 213.42.201.35 172.16.2.11 netmask 255.255.255.255

access-list out_in extended permit tcp any host 213.42.201.34 eq smtp 
static (DMZ,outside) 213.42.201.34 172.16.2.21 netmask 255.255.255.255

 

New configuration

object network obj-172.16.2.21
 host 172.16.2.21

 description Created during name migration
object network obj-172.16.2.11
 host 172.16.2.11

access-list out_in extended permit icmp any host 172.16.2.11 

access-list out_in extended permit tcp any host 172.16.2.11 eq smtp 

access-list out_in extended permit tcp any host 172.16.2.21 eq smtp

nat (inside,outside) static 213.42.201.35 service tcp https https 

object network obj-192.168.0.0
 nat (inside,outside) dynamic interface dns
object network obj-192.168.0.0-01
 nat (inside,DMZ) dynamic 172.16.2.254 dns
object network obj_any
 nat (inside,outside) dynamic obj-0.0.0.0
object network obj_any-01
 nat (inside,DMZ) dynamic obj-0.0.0.0
object network obj-172.16.2.21

 nat (DMZ,outside) static 213.42.201.34
object network obj-172.16.2.11
 nat (DMZ,outside) static 213.42.201.35 service tcp smtp smtp 

 

regards

Najeeb
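As an added example (not part of the original thread), the following script compares the 8.2 `static` lines against the migrated 9.x object NAT rules and flags any real host whose 8.2 static covered every protocol and port but whose 9.x static is limited to a single service. A service-restricted static NAT only translates that service, so such a narrowing is worth checking whenever a host's other outbound traffic no longer leaves with its mapped address. The input is the configuration quoted in the post above; the parsing is limited to the statement forms that appear there.

```python
import re

# Constructed input: the 8.2 and 9.1 NAT statements quoted in the post above.
OLD_8_2 = """
static (DMZ,outside) tcp 213.42.201.35 www 172.16.2.200 www netmask 255.255.255.255
static (inside,outside) tcp 213.42.201.35 https 192.168.190.57 https netmask 255.255.255.255
static (DMZ,outside) 213.42.201.35 172.16.2.11 netmask 255.255.255.255
static (DMZ,outside) 213.42.201.34 172.16.2.21 netmask 255.255.255.255
"""
NEW_9_1 = """
object network obj-172.16.2.21
 host 172.16.2.21
 nat (DMZ,outside) static 213.42.201.34
object network obj-172.16.2.11
 host 172.16.2.11
 nat (DMZ,outside) static 213.42.201.35 service tcp smtp smtp
"""

# 8.2 forms handled: 'static (r,m) tcp MAPPED MPORT REAL RPORT netmask ...'
# and the one-to-one 'static (r,m) MAPPED REAL netmask ...'
STATIC_82 = re.compile(
    r"static \((\S+),(\S+)\) (?:(tcp|udp) (\S+) (\S+) (\S+) (\S+)|(\S+) (\S+)) netmask")

def parse_82(text):
    """Map real IP -> set of (proto, real_port); a full static is ('any', 'any')."""
    cover = {}
    for m in STATIC_82.finditer(text):
        if m.group(3):
            cover.setdefault(m.group(6), set()).add((m.group(3), m.group(7)))
        else:
            cover.setdefault(m.group(9), set()).add(("any", "any"))
    return cover

def parse_91(text):
    """Map real IP -> set of (proto, real_port) for 9.x object NAT static rules."""
    cover, host = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("host "):
            host = line.split()[1]
        elif line.startswith("nat ") and " static " in line and host:
            # object NAT syntax: ... static MAPPED [service PROTO REAL_PORT MAPPED_PORT]
            svc = re.search(r"service (tcp|udp) (\S+) (\S+)", line)
            cover.setdefault(host, set()).add(
                (svc.group(1), svc.group(2)) if svc else ("any", "any"))
    return cover

def narrowed_hosts(old, new):
    """Hosts fully translated in 8.2 but only per-service in the 9.x config."""
    return sorted(h for h, c in old.items()
                  if ("any", "any") in c and ("any", "any") not in new.get(h, set()))

if __name__ == "__main__":
    old, new = parse_82(OLD_8_2), parse_91(NEW_9_1)
    for h in narrowed_hosts(old, new):
        print(f"{h}: full static in 8.2, 9.x NAT covers only {sorted(new[h])}")
```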

8 Replies

Hi Najeeb,

I do see two different public IP addresses, 213.42.201.34 and 213.42.201.35. Which IP address are you able to reach from the internet?

If I understand your problem correctly, from the internet you can telnet to this public IP address 213.42.201.35 on port 25?

   object network obj-172.16.2.11
 nat (DMZ,outside) static 213.42.201.35 service tcp smtp smtp 

 

HTH

Sandy

Dear Santosh

 

Correction, I am not able to telnet to the public IPs on port 25, but if I do an MXtoolbox port scan I can see ports 25 and 443 responding to the request.

 

regards

Najeeb

najeeb_v
Level 1

Dear Santhosh

 

Thanks for the quick update. Yes, I am able to telnet to both public IP addresses assigned for the Exchange servers (i.e. 213.42.201.34 & 35) on port 25. The issue is that Exchange is sending the outgoing traffic via the outside interface of my firewall (213.42.201.46). My gut feeling is it has something to do with the new NAT statements. If you need more info regarding this, kindly let me know.

 

regards

Najeeb

Hi Najeeb,

If you are able to reach your SMTP via the public IP address, 172.16.2.11 will be using public IP address 213.42.201.35 for mail delivery (SMTP service alone). Server 172.16.2.21 will be using public IP address 213.42.201.34 for any traffic, including SMTP. To double check this, open IE on your 172.16.2.21 and google "what is my IP address"; you will see your public IP address 213.42.201.34 in your Google results.

At no point in time will either of your servers use your outside interface for any external communication.

          The issue is exchange is sending the outgoing traffic via the outside interface of my firewall (213.42.201.46).

 

HTH

Sandy

Dear Santhosh

As I mentioned, I am not able to telnet to port 25 from outside. But my emails are working fine. I tried to figure out which IP is used by Exchange using the MXpingtool and it says the outbound IP is 213.42.201.46, which is the outside interface.

In 9.x the access-lists are based on real IP, so I am wondering whether to permit the DMZ IPs (172.16.2.11 & 21) in the outside ACL or whether it should be in the DMZ ACL?

 

regards

Najeeb

 

Hi Najeeb,

You can verify it with the packet-tracer command:

packet-tracer input dmz tcp 172.16.2.11 25 8.8.8.8 25 xml

packet-tracer input dmz tcp 172.16.2.21 25 8.8.8.8 25 xml

 

The output should show the NAT IP being translated when it is reaching the internet.

Kindly share your show run of your ASA box, or share the following output:

1) show runn access-list

2) show runn access-group

3) show xlate

4) show run nat

 

HTH

Sandy

 

Dear Sandy,

 

I was away from my desk. Unfortunately I will not be able to get the information now, as the client is already off and it's a weekend here. I will provide the details to you as soon as I have access to the device. Thanks for your support; I appreciate your kind efforts.

regards

Najeeb

Dear Sandy,

 

Kindly find below the information you requested.

 

 
