It does not matter if the default route is

eth1 inside, as long as he has static routes

for the eth0 outside interface. Look to me like

this a bug in this code.

I wasn't saying that was a problem, just throwing ideas out there with limited knowledge of the problem and no config. Almost look like traffic is going out around the asa, then the return traffic is hitting outside of asa, that would explain the source port of 25.

Here are the relevant parts of the config. I do not have any statics defined. Shouldn't the nat exemption take care of that? Thanks for all your help, folks. I'm just trying to retrofit all the commands from the PIX 6.2(4) over to the ASA 7.2(1) and maybe it isn't that simple.

Cisco Adaptive Security Appliance Software Version 7.2(1)

Device Manager Version 5.2(1)

Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

This platform has an ASA 5510 Security Plus license.

ASA Version 7.2(1)

interface Ethernet0/0

speed 100

duplex full

nameif pgpserv

security-level 0

ip address 192.168.52.1 255.255.255.0

!

interface Ethernet0/1

speed 100

duplex full

nameif cpt

security-level 90

ip address 172.16.250.7 255.255.255.0

!

access-list matchall extended permit ip any any

access-list acl-pgpserv extended permit tcp host 192.168.52.2 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.3 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.4 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended permit tcp host 192.168.52.5 192.29.152.0 255.255.255.0 eq smtp

access-list acl-pgpserv extended deny ip any any

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.2 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.3 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.4 eq smtp

access-list acl-cpt extended permit tcp 192.29.152.0 255.255.255.0 host 192.168.52.5 eq smtp

access-list acl-cpt extended deny ip any any

mtu pgpserv 1500

mtu cpt 1500

arp timeout 14400

nat (cpt) 0 access-list matchall

access-group acl-pgpserv in interface pgpserv

access-group acl-cpt in interface cpt

route cpt 0.0.0.0 0.0.0.0 172.16.250.2 1

Well, I can't explain it, and I don't want to leave this in place, but I added an acl line to acl-cpt, just before the deny line:

access-list acl-cpt line 54 extended permit tcp 192.29.152.0 255.255.255.0 eq smtp host 192.168.52.2 (hitcnt=0)

The "sh access-list" does not indicate any hits on this line, but the hitcnt on the other acl line for dest port 25 is now incrementing, and I don't see any drops. This makes no sense. Does anyone have any ideas?

I can't explain why the new ACE doesn't increment you number count, but you can see why it doesn't work without it. Your ACL on the CPT interface is only allowing traffic back to the PGPSERV interface that has a destination port of 25. Obviously the return traffic is to port 32819 which was the source port of the device originating the request on the 192.168.52.x network.

It works with the added ACE because you are finally allowing traffic back through the CPT interface that is going to all TCP ports other than just 25.

So why did it work with the PIX 6.2(4)? With a stateful firewall, if smtp (dest port 25) is allowed from point A to point B, the return traffic should be allowed, it should not require explicit permit in the ACL.