ASA 5505 incoming traffic issue

Answered Question
Jun 19th, 2008

I have an issue getting email through the Cisco ASA to our email server.

Everything else is working. We have internet. All outgoing traffic is OK. Does anybody see what's wrong? Thanks,

ASA Version 8.0(2)

hostname ASA

interface Vlan1
 nameif inside
 security-level 100
 ip address
 ospf cost 10

interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.yyy.15.10
 ospf cost 10

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS

object-group service VideoFlow
 service-object tcp range 3230 3253
 service-object tcp eq h323
 service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) xxx.yyy.15.10 netmask
access-group out_in in interface outside
route outside xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside

no threat-detection basic-threat
no threat-detection statistics access-list

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default

service-policy global_policy global
prompt hostname context

Fernando_Meza Thu, 06/19/2008 - 15:57


Try disabling inspect esmtp from your default-inspection-traffic rule.

From config mode:

policy-map global_policy
 class inspection_default
  no inspect esmtp

I hope it helps. Please rate helpful posts.

Correct Answer
acomiskey Thu, 06/19/2008 - 18:43


static (inside,outside) xxx.yyy.15.10 netmask


static (inside,outside) interface netmask

Marwan ALshawi Thu, 06/19/2008 - 22:08

If you are using the same public IP as the one on global (outside), you'd better try to make a static PAT to forward the SMTP, for example, in the inbound direction to your internal mail server.

Rate if it worked please,

rashev_kamen Fri, 06/20/2008 - 06:45

Great! It's working.

But I would like to configure xxx.yyy.15.10 for my email traffic and xxx.yyy.15.11 for video conferencing. How am I supposed to do it now? What is the best way to configure this?


acomiskey Fri, 06/20/2008 - 07:58

no static (inside,outside) interface netmask

static (inside,outside) tcp interface smtp smtp netmask

then add another static with the new port and new destination address...example....

static (inside,outside) interface netmask

rashev_kamen Fri, 06/20/2008 - 13:28

This is fine if we have just one protocol, but in my case I need to open tcp 3230-3238 and udp 3230-3258. And with PAT I can't use object groups. How can I resolve this? Thanks for the help!

Marwan ALshawi Fri, 06/20/2008 - 16:26

First, I guess the way I have sent you solved your problem, I mean static PAT?

Secondly, for VoIP and video you don't have to open these UDP ports. What you have to do first is make access lists and static PAT for the TCP signaling protocols only,

then make a policy inspection for that video traffic, for example H323.

If you are going to open all these UDP ports as you said then you don't need a firewall, because this security will be so weak.

Thanks, and let me know if it worked.


rashev_kamen Sun, 06/22/2008 - 19:12

I totally agree with you, but this is a customer firewall and the management is asking me to open all these ports. How can I do this with just one IP address xxx.yyy.15.10? If it's not possible, what will be the config if we get a second IP address?

Why with ASA the command

static (inside,outside) xxx.yyy.15.10 netmask

is not working and needs to be replaced with

static (inside,outside) interface netmask

It's working on another ASA5510.

Thanks for the help!

Marwan ALshawi Sun, 06/22/2008 - 19:28

About the static NAT: if you have a static IP address it is supposed to work, unless you have a DHCP address from your ISP, in this case the interface word will be a must.

And about opening ports with PAT, could you send me the case in more detail and what the required result is?

rashev_kamen Sun, 06/22/2008 - 19:48

This is what I need exactly to do:

I need to forward all HTTP, HTTPS, SMTP traffic to and all the packets in the range of tcp 3230-3238 and udp ports 3230-3258 and h323 to (this is for video conferencing; it's not Cisco, not sure what kind).

We have just one IP address, xxx.yyy.15.10. Can I do this?

With my first config that I had posted neither one was working. When I replaced

static (inside,outside) xxx.yyy.15.10 netmask


static (inside,outside) interface netmask

I got it working for

Why the first one is not working here, no idea. It's working on another ASA5510.

Can I now forward the video conferencing traffic to

Also, if it's not possible, what will be the config if we get a second IP address?

Thanks for the help!

Marwan ALshawi Sun, 06/22/2008 - 20:28

I am not sure but try this method and rate if helpful.

Make a NAMED ACL which contains in its ACE

source of any and destination should be

and with the ACL entry make the http, https and range of udp and so on, make all the required entries.

Go to the static PAT stage,

remove the old one

and make a new one that should be like

static (inside, outside) xx.yyy access-list (ACL NAME)

and let me know.

rashev_kamen Mon, 06/23/2008 - 13:06

This is what I'm getting when I try this:

ASA(config)# static (inside,outside) interface access-list ABC

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

ERROR: Invalid netmask with interface option

What am I putting wrong? I tried with the netmask option but I'm getting the same.

rashev_kamen Mon, 06/23/2008 - 20:12

When I tried this I'm getting:

RedRiverASA(config)# static (inside,outside) access-list ABC

global address overlaps with mask

Usage: [no] static [(real_ifc, mapped_ifc)]


I tried also and I get the same

rashev_kamen Mon, 06/23/2008 - 20:45

When I replaced the 'any' with the external IP address xxx.yyy.15.10 in the access list

#access-list AAA extended permit tcp host xxx.yyy.15.10 host eq smtp

I was able to apply

#static (inside,outside) interface access-list AAA


#static (inside,outside) xxx.yyy.15.10 access-list AAA

But whichever one I use, the traffic is not getting in again.

Marwan ALshawi Mon, 06/23/2008 - 22:02

I think it is better to try the simplest way,

which is as follows:

first make your global NAT with interface or the IP address given to you by the ISP,

then make a normal simple static NAT

without putting any tcp or udp, to translate everything in the inbound direction to the internal server,

finally make an access-list to limit what is permitted from any source to your NATed outside interface IP.

In this case with static NAT you are going to translate everything that comes to your public IP address to your inside server,

then by the ACL you are going to filter what is permitted and what is not.

And let me know.

Good luck,

keep it as simple as possible.

By the way, don't forget to remove the old NAT config!
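An added audit script, not from the thread or from Cisco, that ties together the ACL-versus-static mismatch in the original post, acomiskey's one-port-per-static PAT form, and the whole-IP static Marwan proposes (the form the ASA's WARNING above says redirects all traffic at the outside interface): it parses pre-8.3 'access-list' and 'static' lines and reports which inbound ports actually reach the inside server. The documentation addresses, the inside host 10.0.0.5 and the short port keyword table are assumptions, and the sample config is constructed in the shape of the one posted.

```python
# Added audit helper, not from the thread: it parses ASA 8.0-style 'access-list' and
# 'static' lines and reports which inbound ports actually reach the inside server.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "h323": 1720}  # subset of ASA keywords

def port(tok):  # ASA port keyword or plain number -> int
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def ports(tokens):  # decode the 'eq X' / 'range A B' operator after an ACE destination
    if tokens[:1] == ["eq"]:
        return {port(tokens[1])}
    if tokens[:1] == ["range"]:
        return set(range(port(tokens[1]), port(tokens[2]) + 1))
    return set()

def parse_config(text, outside_ip):
    """Return (permitted, forwarded, whole_ip_static) for traffic aimed at outside_ip."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    acl = [t[1] for t in lines if t[0] == "access-group" and t[-1] == "outside"]
    permitted, forwarded, whole = set(), set(), False
    for t in lines:
        if acl and t[:2] == ["access-list", acl[0]] and t[2:4] == ["extended", "permit"] and "host" in t:
            i = len(t) - 1 - t[::-1].index("host")      # the last 'host' token introduces the destination
            if t[i + 1] == outside_ip:
                permitted |= {(t[4], p) for p in ports(t[i + 2:])}
        elif t[:2] == ["static", "(inside,outside)"]:
            if t[2] in ("tcp", "udp") and t[3] in ("interface", outside_ip):
                forwarded.add((t[2], port(t[4])))        # static PAT: exactly one port per command
            elif t[2] in ("interface", outside_ip):
                whole = True                             # 1:1 static claims the interface IP itself
    return permitted, forwarded, whole

def audit(text, outside_ip):
    permitted, forwarded, whole = parse_config(text, outside_ip)
    reach = permitted if whole else permitted & forwarded  # a whole-IP static redirects everything
    return {"reaches_server": sorted(reach),
            "permitted_but_untranslated": sorted(permitted - reach),  # the thread's original symptom
            "translated_but_blocked_by_acl": sorted(forwarded - permitted),
            "whole_ip_static_on_interface": whole}  # also swallows SSH/ASDM/VPN on the outside IP

# Constructed sample in the shape of the thread's config (documentation addresses, not real ones)
SAMPLE = """
access-list out_in extended permit tcp any host 203.0.113.10 eq www
access-list out_in extended permit tcp any host 203.0.113.10 eq https
access-list out_in extended permit tcp any host 203.0.113.10 eq smtp
access-list out_in extended permit udp any host 203.0.113.10 range 3230 3232
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface h323 10.0.0.5 h323 netmask 255.255.255.255
access-group out_in in interface outside
"""
```

Run `audit(SAMPLE, "203.0.113.10")`: https and the UDP range are permitted but have no static, so they never reach the server, while the h323 static is silently blocked by the ACL.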

