ASA 5510 Access-List Problem

dasgill
Level 1

My ASA 5510 is intermittently denying access from my ISP's mail server to our internal SMTP gateway.

The acl applied to the outside interface of the firewall allows tcp any any to the smtp server on port 25. There is no access-list applied to inside interface. A packet trace yields the following result.

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 193.201.254.66 128.1.100.199 netmask 255.255.255.255
nat-control
match ip inside host 128.1.100.199 outside any
static translation to 193.201.254.66
translate_hits = 1584262, untranslate_hits = 7749710
Additional Information:
NAT divert to egress interface inside
Untranslate 193.201.254.66/0 to 128.1.100.199/0 using netmask 255.255.255.255

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x47de0a0, priority=11, domain=permit, deny=true
hits=7928006, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The packet is being dropped by an implicit rule? Any ideas.

4 Replies

acomiskey
Level 10

Could you post your acl?

It should be...

access-list name extended permit tcp any host 193.201.254.66 eq 25

access-list outside_acl extended permit tcp any host 193.201.254.66 eq smtp

access-list outside_acl extended permit tcp any object-group web-servers object-group web-ports-tcp

access-list outside_acl extended permit tcp any object-group dmz-servers eq www

brettmilborrow
Level 1

It seems your routing is not correct for the destination network:

Result:

input-interface: outside

output-interface: outside
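The two things the replies above point at (which rule produced the DROP in the ACCESS-LIST phase, and the output interface being the same as the input interface) can be pulled out of packet-tracer output mechanically. The script below is an added example, not code from any poster in this thread; the embedded trace is a constructed, condensed copy of the lines the original post shows.

```python
# Triage helper for Cisco ASA packet-tracer output (added example, not from the thread).
# Constructed sample: the decisive lines of the trace posted above, condensed.
SAMPLE_TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside
output-interface: outside
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final summary dict."""
    phases, final, cur, section = [], {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "Phase":                       # "Phase: N" opens a new block
            cur, section = {"phase": int(val), "config": [], "info": []}, None
            phases.append(cur)
        elif line == "Result:":                  # bare header opens the final summary
            cur = None
        elif cur is None:                        # input-interface, Action, Drop-reason ...
            final[key.lower()] = val
        elif key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = val
        elif key in ("Config", "Additional Information") and not val:
            section = "config" if key == "Config" else "info"
        else:                                    # free text under the last header
            cur[section or "info"].append(line)
    return phases, final

def triage(phases, final):
    """Findings to check first: which rule dropped the flow, and whether it would leave on its ingress interface."""
    out = []
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    if drop:
        rule = "implicit deny, no ACE matched" if "Implicit Rule" in drop["config"] else "; ".join(drop["config"])
        out.append(f"phase {drop['phase']} {drop['type']}: {rule}")
    if final.get("input-interface") and final["input-interface"] == final.get("output-interface"):
        routes = [l for p in phases if p.get("type") == "ROUTE-LOOKUP" for l in p["info"]]
        out.append(f"egress equals ingress ({final['input-interface']}); route lookup gave: {', '.join(routes)}")
    return out
```

Feed it the full output of `packet-tracer input outside tcp <src> 1025 193.201.254.66 25` and it reports both the implicit-deny hit and the same-interface result in one place, which is what to compare against the ACL and routing table.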

valconix
Level 1

What version are you running? I'm getting the exact output you're getting with a trace - looks like my issue could be related to bug ID CSCsj31537 however.
