SMTP inbound problem

Unanswered Question

I'm testing inbound connections using port listener software.

All ports are working; only port 25 fails.

This is what I use to route inbound connections:

access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 951

access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 952

static (inside,outside) tcp 63.x.y.26 951 192.168.200.2 951 netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.27 952 192.168.200.2 952 netmask 255.255.255.255

Using the exact same commands with port 25 in place of ports 951/952 fails.

Any reason?

Is there a different way of testing SMTP inbound traffic (test environment, no SMTP server)?

Which log records will show me exactly what happens to those incoming packets that never show up on the port listener?

lolayo_19 Wed, 08/06/2008 - 08:15

Hello,

Try disabling SMTP inspection and see if you get a different result.
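The concrete ASA CLI for that suggestion, as an added example that is not part of the original reply. It assumes the ASA default service policy (policy-map global_policy with class inspection_default), which ships with inspect esmtp enabled on ASA 7.x/8.x; the prompts and the 63.x.y.26 address are the thread's placeholders, and if the box uses a custom policy-map the names below have to be adjusted.

```text
! Added example, not from the original post. Assumes the ASA default
! service policy (policy-map global_policy / class inspection_default),
! which enables "inspect esmtp" out of the box on ASA 7.x/8.x.

! 1. Confirm ESMTP inspection is active and whether it has handled any flows
ASA# show run policy-map
ASA# show service-policy inspect esmtp

! 2. Disable it only for the duration of the test
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect esmtp
ASA(config-pmap-c)# end

! 3. Re-test the listener behind 63.x.y.26:25, then put the inspection back
ASA# configure terminal
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect esmtp
ASA(config-pmap-c)# end
ASA# write memory
```

Why this is the first thing to rule out: the ESMTP inspection engine treats whatever sits behind port 25 as a mail server. It expects the server to open with an SMTP greeting, which it rewrites on the way out, and it only passes a defined set of SMTP/ESMTP commands. A generic port listener produces none of that exchange, so a port-25 test that works for 951/952 but not for 25 is consistent with the inspection engine interfering. Inspection is a security control (command and banner filtering in front of a real mail server), so re-enable it after the test rather than leaving it off; a cleaner alternative for a lab is to point the static at something that actually speaks SMTP.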

robertson.michael Wed, 08/06/2008 - 16:06

Hi,

Is the 192.168.200.2 host listening on port 25? If so, what do the syslogs show when you try to connect to the outside address on port 25? Do you see a connection being built in the conn table?

-Mike
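The checks Mike is asking about, written out as an added example that is not part of the original reply. The 10.a.b.c source and 63.x.y.26 outside address are the placeholders used in this thread; the source port 40000 and the capture names smtpin and drops are arbitrary choices. packet-tracer needs ASA 7.2 or later.

```text
! Added example, not from the thread. Addresses are the thread's placeholders;
! source port 40000 and the capture names are arbitrary.

! 0. Make sure informational (level 6) messages are kept somewhere you can read
ASA# configure terminal
ASA(config)# logging enable
ASA(config)# logging buffered informational
ASA(config)# end

! 1. Simulate the test PC's SYN and see which phase accepts or drops it
!    (ACCESS-LIST, NAT, INSPECT, ...). The last "Result" block names the phase.
ASA# packet-tracer input outside tcp 10.a.b.c 40000 63.x.y.26 25 detailed

! 2. Is the port-25 translation present, and does a connection get built?
ASA# show run static
ASA# show xlate
ASA# show conn protocol tcp port 25

! 3. Syslog IDs to look for after one test connect:
!    302013 / 302014  Built / Teardown inbound TCP connection (flow accepted)
!    106023           Deny ... by access-group (dropped by the ACL)
!    106001           Inbound TCP connection denied
!    108002 / 108003  ESMTP inspection rewrote a string / terminated the session
ASA# show logging | include 302013
ASA# show logging | include 1060
ASA# show logging | include 1080

! 4. If nothing at all is logged, capture on the wire and capture ASP drops
ASA# capture smtpin interface outside match tcp host 10.a.b.c host 63.x.y.26 eq 25
ASA# capture drops type asp-drop all
ASA# show capture smtpin
ASA# show capture drops | include 63.x.y.26
ASA# no capture smtpin
ASA# no capture drops
```

How to read the results: the log pasted later in this thread contains only ICMP build/teardown messages (302020/302021), which are level 6, and no 302013 for port 25. If the same level-6 logging was in effect during the port-25 test, the SYN never became a connection, which points at the ACL or the translation rather than at inspection; the packet-tracer run and the asp-drop capture will name the phase. Also note the "duplicate of existing static" error quoted further down: it shows that static (inside,outside) tcp interface smtp 192.168.200.6 smtp already claims port 25 on 63.x.y.26 (the outside interface's own address), so a second port-25 static on that address for 192.168.200.2 cannot be added, and only one inside host can own 63.x.y.26:25 at a time.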

Marwan ALshawi Wed, 08/06/2008 - 21:31

Add the following to your config:

access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 25

access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 25

Then make a static NAT for SMTP:

static (inside,outside) tcp 63.x.y.26 25 192.168.200.2 25 netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.27 25 192.168.200.2 25 netmask 255.255.255.255

By the way, I have done it for both IPs.

You can do it for one if you want.

I have done that because I can't see a static NAT, and also there is no ACL entry to permit TCP 25 (SMTP).

**AFTER THAT, RELOAD THE firewall, THEN TEST IT**

Good luck.

Please rate if helpful.

It is NOT working.

First, I had a problem adding these static commands: the first was fine (after deleting the previous statics), but the second produced this error:

***********

ERROR: duplicate of existing static
TCP inside:192.168.200.6/25 to outside:63.x.y.26/25 netmask 255.255.255.255

The current config includes this:

********************************

config:

ASA# sh run | inc static
static (inside,outside) tcp 63.x.y.28 953 192.168.200.2 953 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.200.6 smtp netmask 255.255.255.255

ASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 7 elements
access-list outside_access_in line 1 extended permit icmp any interface outside (hitcnt=0) 0xbdd73ad6
access-list outside_access_in line 2 extended permit tcp any host 63.x.y.26 eq 951 (hitcnt=0) 0x3ce31844
access-list outside_access_in line 3 extended permit tcp any host 63.x.y.27 eq 952 (hitcnt=0) 0x47759ff9
access-list outside_access_in line 4 extended permit tcp any host 63.x.y.28 eq 953 (hitcnt=0) 0x34502744
access-list outside_access_in line 5 extended permit tcp any host 63.x.y.29 eq smtp (hitcnt=0) 0x9c033920
access-list outside_access_in line 6 extended permit tcp any host 63.x.y.26 eq smtp (hitcnt=0) 0xc254efef
access-list outside_access_in line 7 extended permit tcp any host 63.x.y.27 eq smtp (hitcnt=0) 0xc9867e83

After a reload, I retried port 25 via 63.x.y.26; this is the log:

log file:

6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:47:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:47:18|302021: Teardown ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:47:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:47:18|302021: Teardown ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:47:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0
6|Aug 07 2008 08:47:18|302021: Teardown ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

10.a.b.c => source IP (PC that connects to the test environment)

192.168.200.6 => destination IP (PC that listens on port 25)
