I'm running ASA 7.2(1) on a 5510 and I'm receiving a deny on smtp:
Feb 07 2007 14:11:51: %ASA-4-106023: Deny tcp src eth1:100.100.252.107/25 dst eth0:220.127.116.11/40281 by access-group "acl-eth1"
The acl specifically allows this traffic, unless I'm misinterpreting the acl or the error. Can one of you see what the problem is?
Here are some statements from my config (sanitized):
ip address 18.104.22.168 255.255.255.0
ip address 22.214.171.124 255.255.255.0
access-list acl-eth1 extended permit tcp 100.100.252.0 255.255.255.0 host 126.96.36.199 eq smtp
access-list acl-eth0 extended permit tcp host 188.8.131.52 100.100.252.0 255.255.255.0 eq smtp
access-list matchall extended permit ip any any
nat (eth1) 0 access-list matchall
access-group acl-eth1 in interface eth1
access-group acl-eth0 in interface eth0
route eth1 0.0.0.0 0.0.0.0 184.108.40.206 1
Are you using Microsoft Exchange? Perhaps you need to enter on the ASA:
no fixup protocol smtp 25
I recall running into a similar problem to yours with version 7.0(2), but with ICMP. I did the following and it fixed it:
no access-group acl-eth1 in int inside
access-group acl-eth1 in int inside
Maybe it will work in your case as well. There is a bug ID on this one.
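Added example, not part of the thread and not Cisco code: the logged packet from the question compared field by field with the acl-eth1 entry. In an ASA extended ACE, "eq smtp" placed after the destination constrains the destination port, while the denied packet carries port 25 as its source port. The parser covers only the tokens used on this page, and the addresses are the poster's sanitized values, so the address result reflects the page as posted.

```python
import ipaddress
import re
# Both strings are copied from the question; addresses are the poster's sanitized values.
LOG = ('%ASA-4-106023: Deny tcp src eth1:100.100.252.107/25 '
       'dst eth0:220.127.116.11/40281 by access-group "acl-eth1"')
ACE = ('access-list acl-eth1 extended permit tcp 100.100.252.0 255.255.255.0 '
       'host 126.96.36.199 eq smtp')
PORTS = {"smtp": 25}  # only the port name that appears on this page
LOG_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')

def parse_log(line):
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a 106023 deny message")
    return {k: int(v) if k.endswith("port") else v for k, v in m.groupdict().items()}

def _take_addr(tok):
    # Consume 'any', 'host A' or 'A MASK' from the front of the token list.
    first = tok.pop(0)
    if first in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if first == "any" else tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def _take_port(tok):
    # Consume an optional 'eq PORT'; None means the ACE accepts any port here.
    if tok[:1] != ["eq"]:
        return None
    _, p = tok.pop(0), tok.pop(0)
    return PORTS.get(p) or int(p)

def parse_ace(line):
    tok = line.split()
    ace, rest = {"acl": tok[1], "action": tok[3], "proto": tok[4]}, tok[5:]
    ace["src"], ace["sport"] = _take_addr(rest), _take_port(rest)
    ace["dst"], ace["dport"] = _take_addr(rest), _take_port(rest)
    return ace

def compare(pkt, ace):
    # Per-field result; the ACE matches the packet only if every field is True.
    return {"proto": pkt["proto"] == ace["proto"],
            "src": ipaddress.ip_address(pkt["sip"]) in ace["src"],
            "sport": ace["sport"] in (None, pkt["sport"]),
            "dst": ipaddress.ip_address(pkt["dip"]) in ace["dst"],
            "dport": ace["dport"] in (None, pkt["dport"])}

if __name__ == "__main__":
    print(compare(parse_log(LOG), parse_ace(ACE)))
```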