ASA 5505 sends mail out the wrong gateway

My config has mail coming in on x.x.x.242 and works fine. But, when I look at the email headers on mail that goes outside, mail is sent from x.x.x.254.

x.x.x.254 is the designation of the 0/1 interface that is connected to the internet.

This is and issue because it causes problems with reverse name lookups. In short, our mail mx records are not resolving to the correct ip address which makes us look like spammers.

Any suggestions?

Not an expert in ASAs. But I'll give it a shot,

I assume here that your x.x.x.242 server is either on a dmz or inside. In this case, make sure that you don't have any "nat" statements which wrongly cause the source address to translate from x.x.x.242 to x.x.x.254 while sending to outside.

Here's part of the config.


[code:1]ASA Version 7.2(3)
!
hostname PTIFW01
domain-name pharma-tech.net

names
name 66.23.208.82 ATP1 description Athens Technology Partners
name 66.23.208.83 ATP2 description Athens Technology Partners
name 192.168.1.29 Spam-Int description Spam Internal Address
name 192.168.3.53 FTP-Int description FTP
name 12.43.185.244 FTP-Ext description FTP
name 12.43.185.246 pez-Ext description pez.pharma-tech.net
name 12.43.185.242 Mail2-Ext description mail2.pharma-tech.net
name 192.168.3.60 Mail-Int description Mail
name 192.168.1.77 Mail2-Int description roymail2 - mail2.pharma-tech.net
name 12.43.185.243 Mail3-Ext description Mail 3 Public
name 192.168.1.71 Mail3-Int
!
interface Vlan1
nameif inside
security-level 100

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name pharma-tech.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service FTP-ALL tcp
port-object eq ftp
port-object eq ftp-data
object-group icmp-type ICMP-FW
description Firewall ICMP
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service JJVPN udp
port-object eq 10001
port-object eq 151
port-object range tacacs 51
access-list outside_access_in remark SMTP
access-list outside_access_in extended permit tcp any host Mail2-Ext eq smtp
access-list outside_access_in remark OWA SSL Access
access-list outside_access_in extended permit tcp any host Mail2-Ext eq https
access-list outside_access_in remark OWA Normal Access
access-list outside_access_in extended permit tcp any host Mail2-Ext eq www
access-list outside_access_in remark POP3 Secure
access-list outside_access_in extended permit tcp any host Mail2-Ext eq 995
access-list outside_access_in remark Spam Filter Command Line
access-list outside_access_in extended permit tcp any host Mail2-Ext eq ssh
access-list outside_access_in remark Spam Filter Web Access
access-list outside_access_in extended permit tcp any host Mail2-Ext eq 10000
access-list outside_access_in remark telnet test
access-list outside_access_in extended permit tcp any host Mail2-Ext eq telnet
access-list outside_access_in remark FTP Access
access-list outside_access_in extended permit tcp any host FTP-Ext object-group FTP-ALL
access-list outside_access_in remark SSL Access
access-list outside_access_in extended permit tcp any host pez-Ext eq https
access-list outside_access_in remark Web Access
access-list outside_access_in extended permit tcp any host pez-Ext eq www
access-list outside_access_in remark ICMP
access-list outside_access_in extended permit icmp any interface outside object-group ICMP-FW
access-list outside_access_in remark UDP Ports
access-list outside_access_in extended permit udp any host 12.43.185.253 object-group JJVPN inactive
access-list outside_access_in remark ICMP
access-list outside_access_in extended permit icmp any host 12.43.185.253 object-group ICMP-FW inactive
access-list outside_access_in remark ICMP
access-list outside_access_in extended permit icmp any host Mail2-Ext object-group ICMP-FW
access-list outside_access_in remark ICMP
access-list outside_access_in extended permit icmp any host pez-Ext object-group ICMP-FW
access-list outside_access_in remark ICMP
access-list outside_access_in extended permit icmp any host FTP-Ext object-group ICMP-FW
access-list outside_access_in remark J&J VPN
access-list outside_access_in extended permit ip host 148.177.0.111 192.168.0.0 255.255.252.0 log emergencies
access-list outside_access_in remark J&J VPN
access-list outside_access_in extended permit ip host 148.177.0.112 192.168.0.0 255.255.252.0 log emergencies
access-list outside_access_in remark J&J VPN
access-list outside_access_in extended permit ip 148.177.0.48 255.255.255.240 192.168.0.0 255.255.252.0 log emergencies
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 10.101.0.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip any 10.100.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.252.0 10.100.240.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.252.0 10.101.0.0 255.255.248.0
access-list PTI-Users_splitTunnelAcl standard permit 192.168.0.0 255.255.252.0
access-list DSL_access_in remark ICMP
access-list DSL_access_in extended permit icmp any interface DSL object-group ICMP-FW inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DSL 1492
ip local pool VPN1 10.100.240.1-10.100.240.254 mask 255.255.255.0
ip local pool VPN2 10.100.241.1-10.100.241.254 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DSL
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (outside) 2 12.43.185.253 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail2-Ext https Mail2-Int https netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext www Mail2-Int www netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext 995 Mail2-Int 995 netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext smtp Spam-Int smtp netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext ssh Spam-Int ssh netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext telnet Spam-Int telnet netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext echo Mail2-Int echo netmask 255.255.255.255
static (inside,outside) tcp Mail2-Ext 10000 Spam-Int 10000 netmask 255.255.255.255
static (inside,outside) FTP-Ext FTP-Int netmask 255.255.255.255
static (inside,outside) pez-Ext 192.168.1.25 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.43.185.241 1</CODE>[/code:1]

Try adding the following:

[code:1]nat (inside) 3 Mail2-Int 255.255.255.255
global (outside) 3 Mail2-Ext netmask 255.255.255.255
[/code:1]

Thats assuming your Mail2-Int (192.168.1.77) is the internal/inside address of your mail server.