03-13-2007 09:11 AM - edited 03-11-2019 02:45 AM
Hi, I have a new 5510 on which I have enabled the smtp service, but when I try to telnet to the firewall on port 25 the display is just garbled characters and it won't allow the connection to my server. What could I be missing in the config?
03-13-2007 09:12 AM
nat, access-list, etc. Post your config.
03-13-2007 09:23 AM
Sorry! I guess that would help, Duh!
ASA Version 7.0(6)
!
hostname something
domain-name something.com
enable password xxx
names
name 192.168.7.201 server3 description Mail Server
dns-guard
!
interface Ethernet0/0
nameif External
security-level 0
ip address 69.15.x.x.255.255.248
!
interface Ethernet0/1
nameif Internal
security-level 90
ip address 192.168.7.253 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
security-level 50
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
access-list External_access_in extended permit tcp interface External eq smtp host server3 eq smtp
pager lines 24
logging enable
logging timestamp
logging buffer-size 9000
logging asdm-buffer-size 512
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu management 1500
asdm image disk0:/asdm506.bin
asdm history enable
arp timeout 14400
global (External) 100 69.15.235.109-69.15.235.110 netmask 255.255.255.248
global (Internal) 500 192.168.7.51-192.168.7.99 netmask 255.255.255.0
nat (Internal) 100 192.168.7.0 255.255.255.0
nat (management) 0 0.0.0.0 0.0.0.0
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 69.15.235.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.7.0 255.255.255.0 Internal
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.7.0 255.255.255.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
03-13-2007 09:35 AM
I'm guessing you have an Exchange server behind the asa/pix. From my experience, they don't like Cisco's SMTP fixup very much.
In global configuration mode execute the following:
policy-map global_policy
class inspection_default
no inspect esmtp
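The symptom in the opening post (a telnet to port 25 that shows only "garbled characters") is what a masked SMTP banner looks like from a terminal: ASA ESMTP inspection rewrites the server's greeting so that only the 220 reply code survives and the rest becomes asterisks. The probe below is an added example written for this thread; it is not code from the poster or from Cisco. It connects to a published port 25, reads the greeting and classifies the outcome so that a refused or timed-out connection (no translation or no permit) can be told apart from a masked banner (inspection in the path) and a clean one. The hostnames and the two sample banners are constructed.

```python
"""Probe a published SMTP port and say what the firewall let through.

Added example for this thread; not code from the thread or from Cisco.
A raw connect to port 25 through a firewall ends in one of a few
recognisable ways, and telling them apart is the first triage step:

  * refused / timed out   - nothing translates or permits port 25
  * a banner of asterisks - ASA ESMTP inspection is in the path; it masks
                            the server banner with '*' (only the 220 code
                            survives), which telnet shows as "garbage"
  * a normal 220 banner   - the path is clean
"""
import socket

# Constructed sample banners, not captured from the poster's server.
BANNER_CLEAN = b"220 mail.example.com ESMTP Service ready\r\n"
BANNER_MASKED = b"220 ******************************\r\n"


def classify_banner(data: bytes) -> str:
    """Classify the first line a server (or the firewall) sends on port 25."""
    if not data:
        return "no-banner"          # connected, but nothing arrived before the timeout
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    text = line.strip()
    stars = text.count(b"*")
    # ESMTP inspection keeps the reply code and replaces the rest with '*'.
    if stars and stars >= len(text.replace(b" ", b"")) // 2:
        return "masked"
    if text.startswith(b"220"):
        return "smtp"
    return "unexpected"             # e.g. a 554 from the server, or not SMTP at all


def probe(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect, read the greeting, and on a clean banner do EHLO/QUIT."""
    result = {"host": host, "port": port, "status": None, "banner": b"", "ehlo": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                result["banner"] = s.recv(1024)
            except socket.timeout:
                pass                # status becomes "no-banner" below
            result["status"] = classify_banner(result["banner"])
            if result["status"] == "smtp":
                s.sendall(b"EHLO probe.example.net\r\n")   # probe hostname is an assumption
                result["ehlo"] = s.recv(2048)
                s.sendall(b"QUIT\r\n")
    except ConnectionRefusedError:
        result["status"] = "refused"
    except socket.timeout:
        result["status"] = "timeout"
    except OSError as e:
        result["status"] = f"error: {e}"
    return result


if __name__ == "__main__":
    import sys
    r = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(r["status"], r["banner"].strip().decode("ascii", "replace"))
```

Run it against the public address from outside the firewall: "refused" or "timeout" points at the NAT/ACL side of the thread, "masked" points at `inspect esmtp`, and "smtp" plus an EHLO reply means the server is reachable and the remaining problem is elsewhere.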
03-13-2007 09:41 AM
It's actually a Domino server, but after executing that command I get the same response.
03-13-2007 10:16 AM
I don't think your access-list entry is correct. You specified a source port of 25 and an incorrect source host. And you have no static for your server.
no access-list External_access_in extended permit tcp interface External eq smtp host server3 eq smtp
access-list External_access_in extended permit tcp any host 69.15.235.106 eq smtp
static (Internal,External) tcp interface 25 192.168.7.201 25 netmask 255.255.255.255
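The reply above finds the two defects by reading the config: the ACL entry carries a port after the source address (a source-port match that no real client will hit), its source is the firewall's own interface rather than `any`, and nothing translates a public address to the mail server. The checker below is an added example written for this thread (not Cisco tooling and not the poster's own script) that applies those same rules, plus one the thread relies on implicitly: on ASA 7.x the outside ACL must name the public address that the static translates, not the server's private address. The excerpt it checks is taken from the posted config; the "fixed" config is constructed to match the static-PAT-on-interface form suggested in this thread, and the third, mismatched sample in the usage is likewise constructed.

```python
"""Static check of an ASA 7.x config for an inbound SMTP publication.

Added example for this thread (not Cisco tooling, not the poster's script).
It checks that: an access-list is bound inbound on the outside interface;
that ACL has 'permit tcp any <public> eq smtp' (the port after the
destination is the destination port; a port after the source restricts
the *source* port; the public, translated address is what the outside
ACL must name on 7.x); and a static translates that address to the server.
"""

SMTP_PORTS = {"25", "smtp"}


def _addr(tok, i):
    """Consume one ACL address spec: any | host X | interface X | NET MASK."""
    if tok[i] == "any":
        return "any", i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _port(tok, i):
    """Consume an optional 'eq PORT'."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_config(text):
    """Collect names, extended ACL entries, statics and access-group bindings."""
    names, acls, statics, groups = {}, [], [], {}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) >= 3:                       # name IP NAME ...
            names[t[2]] = t[1]
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            src, i = _addr(t, 5)
            sport, i = _port(t, i)
            dst, i = _addr(t, i)
            dport, i = _port(t, i)
            acls.append(dict(name=t[1], action=t[3], proto=t[4],
                             src=src, sport=sport, dst=dst, dport=dport))
        elif t[0] == "static":
            outside = t[1].strip("()").split(",")[1]
            if t[2] in ("tcp", "udp"):                            # static PAT form
                statics.append(dict(outside=outside, gaddr=t[3], laddr=t[5], lport=t[6]))
            else:                                                 # one-to-one form
                statics.append(dict(outside=outside, gaddr=t[2], laddr=t[3], lport=None))
        elif t[0] == "access-group" and len(t) >= 5 and t[2] == "in":
            groups[t[4]] = t[1]                                   # access-group NAME in interface IF
    return dict(names=names, acls=acls, statics=statics, groups=groups)


def check_smtp_publish(text, outside, mail_server):
    """Return (code, message) findings; an empty list means the publication is complete."""
    cfg = parse_config(text)
    ip = lambda a: cfg["names"].get(a, a)                        # resolve 'name' entries
    server = ip(mail_server)
    findings = []

    statics = [s for s in cfg["statics"] if s["outside"] == outside
               and ip(s["laddr"]) == server
               and (s["lport"] is None or s["lport"] in SMTP_PORTS)]
    if not statics:
        findings.append(("NO_STATIC", f"no static (*,{outside}) translates a public address to {mail_server}:25"))
    public = {"interface " + outside if s["gaddr"] == "interface" else "host " + s["gaddr"]
              for s in statics}

    acl = cfg["groups"].get(outside)
    if acl is None:
        findings.append(("NO_ACCESS_GROUP", f"no access-group bound inbound on {outside}"))
        return findings
    entries = [a for a in cfg["acls"] if a["name"] == acl and a["action"] == "permit"
               and a["proto"] == "tcp" and a["dport"] in SMTP_PORTS]
    if not entries:
        findings.append(("NO_PERMIT", f"{acl} has no 'permit tcp ... eq smtp' entry (destination port)"))
        return findings
    for a in entries:
        if a["sport"] is not None:
            findings.append(("SOURCE_PORT", f"'{a['src']} eq {a['sport']}' restricts the source port; clients use ephemeral ports"))
        if a["src"] != "any":
            findings.append(("SOURCE_ADDR", f"source '{a['src']}' only matches that address; inbound mail needs 'any'"))
        if ip(a["dst"].split()[-1]) == server:
            findings.append(("PRIVATE_DEST", f"destination '{a['dst']}' is the private address; the outside ACL must name the public one"))
        elif public and a["dst"] not in public:
            findings.append(("DEST_MISMATCH", f"destination '{a['dst']}' is not what the static translates ({', '.join(sorted(public))})"))
    return findings


# Excerpt of the config posted in this thread (name, ACL, binding; no static).
POSTED = """
name 192.168.7.201 server3 description Mail Server
access-list External_access_in extended permit tcp interface External eq smtp host server3 eq smtp
access-group External_access_in in interface External
"""

# Constructed corrected version: static PAT on the interface address and an
# ACL that names that same public address on the destination side.
FIXED = """
name 192.168.7.201 server3 description Mail Server
access-list External_access_in extended permit tcp any interface External eq smtp
static (Internal,External) tcp interface 25 192.168.7.201 25 netmask 255.255.255.255
access-group External_access_in in interface External
"""
```

Calling `check_smtp_publish(POSTED, "External", "server3")` reports NO_STATIC, SOURCE_PORT, SOURCE_ADDR and PRIVATE_DEST; the same call on `FIXED` returns an empty list. Swapping the fixed ACL's destination for a `host` that the static does not translate produces DEST_MISMATCH, which is the cross-check worth keeping in mind whenever the static uses `interface` and the ACL names a literal address.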
03-13-2007 11:36 AM
Good point, skipped right over the access-list entries.
03-13-2007 01:43 PM
This did not work either. I get the same response. I saw this problem once before about 5 or 6 years ago and I think it had something to do with a protocol not being enabled but I can't remember....
03-13-2007 02:03 PM
Hi,
Are you sure you have the static in the configuration now?
Let's say you want to use the interface IP address as the public IP which corresponds to the mail server.
You need to have these two commands in the configuration:
static (inside,outside) tcp interface 25
access-l External_access_in permit tcp any interface outside eq 25
After putting in these two commands, put in:
cl xlate local
Try after that. It should work.
Regards,
Sushil.
03-13-2007 02:36 PM
static (inside,outside) tcp interface 25 192.168.7.201 25
^
ERROR: % Invalid input detected at '^' marker.
03-13-2007 02:48 PM
config t
then the static command and replace inside with Internal
03-13-2007 03:00 PM
Same result....
03-13-2007 03:06 PM
post the config now...
03-19-2007 01:22 PM
Thanks to all who contributed to my question. I just found out that my ISP had another route set up on my connection instead of bridging it. Now, I have to start from the beginning because I may have had it configured right at first.