ASA 5510 not passing smtp

Unanswered Question
Mar 13th, 2007

Hi, I have a new 5510 on which I have enabled the SMTP service, but when I try to telnet to the firewall on port 25 the display is just garbled characters and it won't allow the connection to my server. What could I be missing in the config?

osoamazin Tue, 03/13/2007 - 09:23

Sorry! I guess that would help, Duh!

ASA Version 7.0(6)


hostname something


enable password xxx


name server3 description Mail Server



interface Ethernet0/0

nameif External

security-level 0

ip address 69.15.x.x.255.255.248


interface Ethernet0/1

nameif Internal

security-level 90

ip address


interface Ethernet0/2


no nameif

security-level 50

no ip address


interface Management0/0

nameif management

security-level 100

ip address



passwd xxx

ftp mode passive

access-list External_access_in extended permit tcp interface External eq smtp host server3 eq smtp

pager lines 24

logging enable

logging timestamp

logging buffer-size 9000

logging asdm-buffer-size 512

logging asdm informational

mtu External 1500

mtu Internal 1500

mtu management 1500

asdm image disk0:/asdm506.bin

asdm history enable

arp timeout 14400

global (External) 100 netmask

global (Internal) 500 netmask

nat (Internal) 100

nat (management) 0

access-group External_access_in in interface External

route External 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http Internal

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet Internal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management


class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


service-policy global_policy global


: end

laurent.geyer Tue, 03/13/2007 - 09:35

I'm guessing you have an Exchange server behind the ASA/PIX. From my experience, they don't like Cisco's SMTP fixup very much.

In global configuration mode, execute the following:

policy-map global_policy

class inspection_default

no inspect esmtp

osoamazin Tue, 03/13/2007 - 09:41

It's actually a Domino server, but after executing that command I get the same response.

acomiskey Tue, 03/13/2007 - 10:16

I don't think your access-list entry is correct. You specified a source port of 25 and an incorrect source host. And you have no static for your server.

no access-list External_access_in extended permit tcp interface External eq smtp host server3 eq smtp

access-list External_access_in extended permit tcp any host eq smtp

static (Internal,External) tcp interface 25 25 netmask

osoamazin Tue, 03/13/2007 - 13:43

This did not work either. I get the same response. I saw this problem once before, about 5 or 6 years ago, and I think it had something to do with a protocol not being enabled, but I can't remember....

suschoud Tue, 03/13/2007 - 14:03


Are you sure you have the static in the configuration now?

Let's say you want to use the interface IP address as the public IP which corresponds to the mail server.

You need to have these two commands in the configuration:

static (inside,outside) tcp interface 25 25

access-l External_access_in permit tcp any interface outside eq 25

After putting in these two commands, put in:

cl xlate local

Try after that. It should work.



osoamazin Tue, 03/13/2007 - 14:36

static (inside,outside) tcp interface 25 25


ERROR: % Invalid input detected at '^' marker.

acomiskey Tue, 03/13/2007 - 14:48

config t

then the static command, and replace inside with Internal
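The static PAT plus inbound ACL that the replies above converge on, written out for the interface names in the posted config (Internal/External), together with the banner-masking point from laurent.geyer's reply and a capture to check whether port-25 traffic is reaching the firewall at all. This is an added example, not configuration from any poster. server3 is the name the original config defines for the mail server; the capture name smtpcap and the access-list name smtp_cap are assumptions. Syntax is ASA 7.0 (pre-8.3), where an inbound ACL matches the mapped address, here the External interface address, not the real server address.

```cisco
! Added example, not from the thread. ASA 7.0 syntax; interface names taken from the posted config.
!
! 1. Translate: map the External interface address, TCP/25, to the real server.
!    (server3 is the 'name' the posted config defines for the mail server.)
static (Internal,External) tcp interface 25 server3 25 netmask 255.255.255.255
!
! 2. Permit: on pre-8.3 code the inbound ACL matches the MAPPED address, so the
!    destination is the External interface, not server3. No port on the source:
!    a client's source port is ephemeral, so 'eq smtp' on the source matched nothing.
no access-list External_access_in extended permit tcp interface External eq smtp host server3 eq smtp
access-list External_access_in extended permit tcp any interface External eq smtp
access-group External_access_in in interface External
!
! 3. Drop stale translations so the new static is used for new connections.
clear xlate
!
! 4. The '*****' banner seen on telnet is ESMTP inspection masking the server greeting
!    (only the '2','0','0' of the 220 reply survive); it is not a fault by itself.
!    Disable inspection only if the mail server really cannot work behind it:
! policy-map global_policy
!  class inspection_default
!   no inspect esmtp
!
! 5. Verify. If the capture stays empty while you test from outside, packets are not
!    arriving on External at all (the upstream routing problem the thread ended on),
!    and no ACL or static on the ASA will change that.
access-list smtp_cap extended permit tcp any any eq smtp
capture smtpcap access-list smtp_cap interface External
show capture smtpcap
show xlate
show access-list External_access_in
show conn
```

Apply steps 1 through 3 in this order: the ACL is only meaningful once the static exists, and `clear xlate` is what makes an existing half-open attempt pick up the new translation. Remove the capture (`no capture smtpcap`) once the test is done.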

osoamazin Mon, 03/19/2007 - 13:22

Thanks to all who contributed to my question. I just found out that my ISP had another route set up on my connection instead of bridging it. Now, I have to start from the beginning because I may have had it configured right at first.

