SMTP traffic with ASA 5510

tanziweigca
Level 1

Hi,

I am wondering if the SMTP (port 25) is being blocked by default on the ASA 5510 Firewall. The reason I am asking is that when one of my exchange server tried to forward emails to the exchange inside the ASA 5510, the connections will always be dropped. I tried the packet tracer and it always say that the packet was dropped and the access rules that dropped it is the Implicit IP deny all rule.

I had performed a NAT on the 5510 for the exchange server and still the traffic does not comes in for Port 25 only. Specific rules had also been added to allow TCP/25 through but still the same problem. I wonder if there is an "inspection" on SMTP/25 which caused the problem? If not, how can I overcome this problem so that connections between the two exchange servers will talk to one another?

Many thanks for any suggestions,

Tan

8 Replies

Marwan ALshawi
VIP Alumni

From the reason you got, it looks like a packet filtering issue.

Could you please post your config here?

Hi Marwanshawi,

Many thanks for your reply.

Attached please find the detailed config of the ASA. Please take note of the server SGPCRS02, which is the server in question. I can ping it from outside, but traffic to Exchange still shows the connection being dropped.

Thanks,

Tan

Is this the one you have a problem with?

name 116.x.x.121 SGPCRS02-EXT description Exchange server for PO

Is the internal server on the PO interface?

If yes, this line is good:

static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask 255.255.255.255

But you need to add an ACL to permit SMTP, like:

access-list 100 permit tcp any host SGPCRS02-EXT eq 25

and it should be applied in the inbound direction on the outside interface.

I think you have a problem with your ACLs.

Just check it and let me know.

Good luck

Hi,

I have added the following to the config but still have the same problem.

static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host SGPCRS02-EXT eq 25

access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25 any

policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect smtp

The traffic from external SMTP to Internal is still blocked. Can you assist?

Thanks

First, you don't need this line

access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25 any

as long as you are using the external IP with static NAT.

Don't forget:

access-group outside_access_in in interface outside

Secondly, try to disable SMTP and ESMTP inspection from

policy-map asa_global_fw_policy
 class inspection_default

because sometimes they cause problems.

Let me know.

Good luck

Are you trying to send the mails from outside to inside?

Then I think you should also have this in your inside inbound access-list:

access-list PO_access_in permit tcp host SGPCRS02-INT eq 25 any

Regards,

Prem

I agree with Prem.

As I mentioned in my first post, the problem is with packet filtering, and especially with the implicit deny ACL entry.

So try access-list PO_access_in permit tcp host SGPCRS02-INT eq 25 any

and make sure of the inbound ACL on the outside interface as well.

But there is one more thing that I want to point out here. If what I think is happening is indeed happening, then because we have allowed the traffic on the outside access-list,

the firewall should add a session entry for the connection, and the returning traffic/packet should bypass the many lookups associated with a new connection. :P

But anyway, try "access-list PO_access_in permit tcp host SGPCRS02-INT eq 25 any"

What would really help you in understanding what is happening is syslogs.

logging on

logging host

logging mon 7 (to troubleshoot this issue)

Or you can collect the logs from the console too:

logging on

logging con 7

And then try to do what you are doing and share the logs.

To turn logging off:

no logg on

no logg con 7

Regards,

Prem
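The pieces that have to line up for inbound SMTP to reach the internal Exchange server through the static NAT, collected into one ASA configuration fragment. This is an added example, not the poster's running config or anything Marwan or Prem wrote: it combines Marwan's NAT/ACL/inspection advice with Prem's syslog suggestion. The interface names (PO, Outside), the object names SGPCRS02-EXT / SGPCRS02-INT, the ACL names and the policy-map name asa_global_fw_policy come from the thread; the pre-8.3 `static` syntax matches what the thread uses; 203.0.113.10 is a placeholder sending-server address, and <SGPCRS02-EXT-IP> stands in for the public address in the poster's `name` statement.

```cisco
! Added example (not the poster's running config). ASA pre-8.3 syntax,
! matching the static NAT form used in the thread.

! 1. One-to-one static NAT for the Exchange server on the PO interface.
static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask 255.255.255.255

! 2. Inbound ACL on the outside interface, and the access-group that
!    applies it. Without the access-group the ACL is never consulted and
!    the implicit deny seen in packet-tracer wins. In pre-8.3 code the
!    outside ACL matches the translated (public) address, hence SGPCRS02-EXT.
access-list outside_access_in extended permit tcp any host SGPCRS02-EXT eq 25
access-group outside_access_in in interface Outside

! 3. The ASA is stateful: once the inbound SYN is permitted, the return
!    packets from SGPCRS02-INT match the connection table, so no PO-side
!    rule is needed for this flow. If one is kept anyway, it needs a
!    destination; a line ending at "eq 25" with no destination will not parse.
access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25 any
access-group PO_access_in in interface PO

! 4. Take ESMTP inspection out of the default class while testing. On the
!    ASA the inspection keyword is esmtp ("inspect smtp" is the older PIX form).
policy-map asa_global_fw_policy
 class inspection_default
  no inspect esmtp

! 5. Verification: ACL hit counts, the xlate for the server, and a simulated
!    inbound SMTP SYN from the placeholder sender 203.0.113.10.
show access-list outside_access_in
show xlate | include SGPCRS02
packet-tracer input Outside tcp 203.0.113.10 12345 <SGPCRS02-EXT-IP> 25 detailed

! 6. Syslog at debugging level (7), as Prem suggests, then filter for the
!    IDs that decide this case: 106023/106100 = denied by ACL,
!    302013 = inbound TCP connection built.
logging enable
logging monitor debugging
show logging | include 106023|106100|302013
```

If the packet-tracer output still ends at the implicit deny, the ACL or access-group is the problem; if it passes but no 302013 message appears during a real delivery attempt, look at the inspection step. ESMTP inspection rewrites the server banner and, on older releases, interferes with STARTTLS between mail servers, which is the usual reason it is disabled for Exchange-to-Exchange traffic.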
