SMTP traffic with ASA 5510

Unanswered Question
Aug 22nd, 2008


I am wondering if the SMTP (port 25) is being blocked by default on the ASA 5510 Firewall. The reason I am asking is that when one of my exchange server tried to forward emails to the exchange inside the ASA 5510, the connections will always be dropped. I tried the packet tracer and it always say that the packet was dropped and the access rules that dropped it is the Implicit IP deny all rule.

I had performed a NAT on the 5510 for the exchange server and still the traffic does not comes in for Port 25 only. Specific rules had also been added to allow TCP/25 through but still the same problem. I wonder if there is an "inspection" on SMTP/25 which caused the problem? If not, how can I overcome this problem so that connections between the two exchange servers will talk to one another?

Many thanks for any suggestions,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marwan ALshawi Fri, 08/22/2008 - 06:15

through the reason u got looks like packet filtering issue

could u please post ur config here

tanziweigca Fri, 08/22/2008 - 06:33

Hi Marwanshawi,

Many thanks for your reply.

Attached please find the detailed config of the ASA. Please take note of the server SGPCRS02 which is the server in question. I can ping it from outside but still traffic to Exchange keeps reflecting connection drop.



Marwan ALshawi Fri, 08/22/2008 - 07:18

is this one u have problem with

name 116.x.x.121 SGPCRS02-EXT description Exchange server for PO

is the internal server in the PO interface?

if yes

this line is good

static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask

but u need to add an ACL to permit smtp


access-list 100 permit tcp any host SGPCRS02-EXT eq 25

and shoud be applied in the indound direction on the outside interface

i think u have a poblem with ur ACLs

just check it and let me know

good luck

tanziweigca Fri, 08/22/2008 - 21:31


Had added the followings to the config but still the same problem.

static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask

access-list outside_access_in extended permit tcp any host SGPCRS02-EXT eq 25

access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25

policy-map asa_global_fw_policy

class inspection_default

inspect ftp

inspect icmp

inspect smtp

The traffic from external SMTP to Internal is still blocked. Can you assist?


Marwan ALshawi Fri, 08/22/2008 - 23:11

first u dont need this line

access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25

as long as u r using the external IP with static nat

dont forget

access-group outside_access_in in interface outside


try to disable smtp and esmtp instpection from

policy-map asa_global_fw_policy

class inspection_default

because sometimes they make problems

and let me know

good luck

Premdeep Banga Sat, 08/23/2008 - 12:46

Are you trying to send the mails from outside to inside ?

The I think you should also have this in your inside inbound access-list

access-list PO_access_in permit tcy host SGPCRS02-INT eq 25 any



Marwan ALshawi Sat, 08/23/2008 - 17:45

i agree with Prem

because as i mentioned in my first post the problem with packet filtiring and especially with implicit deny ACL entry

so try access-list PO_access_in permit tcy host SGPCRS02-INT eq 25 any

and make sure of the inbound ACL on the outside interface aswel

Premdeep Banga Sun, 08/24/2008 - 06:03

But there is one more thing that I want to point here, If what I think is happening, then because we have allowed the traffic on outside access-list,

The firewall should add a session entry for the connection, and the returning traffic/packet should bypasses the many lookups associated with a new connection. :P

but anyways try "access-list PO_access_in permit tcy host SGPCRS02-INT eq 25 any"

What would really help you in understanding in what is happening is syslogs.

logging on

logging host

logging mon 7 (to troubleshoot this issue)

Or you can collect the logs from console too,

logging on

logging con 7

And then try to do what you are doing and share the logs.

turning logging off,

no logg on

no logg con 7




This Discussion