Ping a Specific Port

Question

virtualeyes

Asked: 2013-08-17 10:55:14 +0800 CST2013-08-17 10:55:14 +0800 CST 2013-08-17 10:55:14 +0800 CST

Cisco: Route Outbound SMTP Traffic on Same IP as Inbound

772

Have a few servers setup behind an ASA 5505, all is well, except for the fact that the ASA only sends the correct smtp outbound IP for the mail server domain itself.

Any other domain that sends outbound email shows the ASA external IP as the from address, which raises red flags with recipient mail servers as we have no reverse DNS setup on this IP.

What we would like to have happen is either:

1) Have outbound smtp ip be the same as inbound ip (preferred)
-or
2) Have our mail server ip show as the from address for ALL outbound smtp traffic, and then setup SPF DNS records for our domains that list the mail server domain as an authorized sender.

Applicable config lines:

object-group network web-services
network-object host xx.xxx.xx.101
network-object host xx.xxx.xx.102
...
object-group service open-tcp tcp
port-object eq smtp
...

access-list out_in extended permit tcp any object-group web-services object-group open-tcp
...
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 0 access-list nonat
nat (dmz) 1 0.0.0.0 0.0.0.0 # perhaps here some magic can be worked

Is there a way to get only outbound smtp traffic bound to the mail server IP? I'd prefer that over globbing everything outbound onto mail server IP, which is what the solution in this thread appears to do.

Ideas appreciated, thanks

2 Answers

Voted

Geraint Jones · Answer 1 · 2013-08-17T14:43:27+08:00

Geraint Jones

2013-08-17T14:43:27+08:002013-08-17T14:43:27+08:00

something like static (inside,outside) tcp mail.server.ip.here smtp your.internal.subnet.here smtp netmask net.mask.for.the.internal.subnet.here should do the trick.

0

virtualeyes · Answer 2 · 2013-08-21T17:59:44+08:00

Best Answer

virtualeyes

2013-08-21T17:59:44+08:002013-08-21T17:59:44+08:00

Got help on Cisco forums, here's the solution that works for my setup:

global (outside) 25 xx.xxx.xx.101
access-list Dmz-Smtp-PolicyPAT
access-list Dmz-Smtp-PolicyPAT extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
nat (dmz) 25 access-list Dmz-Smtp-PolicyPAT

This routes all outbound smtp traffic via external xx.xxx.xx.101 IP, the public facing IP address of my mail server.

Would have preferred inbound smtp to go out on same public IP smtp came in on, but Qmail, my mail server, does not support multiple outgoing ip address in the version I have installed (v1.03).

Anyway this works, all outbound traffic appears to the outside world to be coming from my mail server and not the external IP of ASA itself. Now just need to setup SPF records for client domains and authorize mycompany.com as the authorized mail sender.

0

Cisco: Route Outbound SMTP Traffic on Same IP as Inbound

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?