ASA 5510 - Email not reaching Exchange Server

Unanswered Question

Hello there,

I have pulled out almost all my hair and still cannot figure out what I am doing wrong.

Here is the scoop:

I currently have an ISA 2004 firewall in place that is working fine taking all email for my .com domain.

We purchased an ASA 5510 and I am configuring it to become the new firewall and use its CSM capabilities. For configuration and testing, I modified my .net MX record to resolve to the ASA.

I configured my Exchange server to receive .net email as well and added the SMTP address to my mailbox. Email sent internally to the .net domain works fine.

The problem is outside email. Something is wrong on the ASA that is blocking email from reaching the Exchange server. Testing via telnet gets no response. Testing via email validation on a third-party network-tools website shows connected, but the recipient cannot be verified.

I am attaching a diagram of my layout. Here is the configuration of my device:

Thanks in advance for your help.

suschoud Tue, 10/14/2008 - 12:50

Issue:

no access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
no access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
no access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 222
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-g outside_access_in in interface outside

Do rate if this works.

Regards,

Sushil
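The mismatch Sushil is correcting (the static PAT publishes the service on the outside interface address, so on pre-8.3 ASA code the inbound permit must name "interface outside", not the inside host) can be linted automatically. The following is an added Python example, not code from the thread or from Cisco; it parses the pre-8.3 "static" and "access-list" syntax used in this thread, and the sample config and the function and verdict names are my own constructions.

```python
import re

# Constructed config excerpt modelled on the thread: pre-8.3 static PAT on the
# outside interface address, with the ACL from the original post, which permits
# the inside host's address for ftp and 222 but "interface outside" for smtp.
CONFIG = """
static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
access-list outside_access_in extended permit tcp any interface outside eq smtp
"""

# static (real-if,mapped-if) tcp interface <mapped-port> <real-host> <real-port> ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+)")
# access-list <name> extended permit tcp any <host X | interface Y> eq <port>
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit tcp any (host \S+|interface \S+) eq (\S+)")

def check_static_pat(config, acl_name="outside_access_in"):
    """For every interface-PAT static, return (mapped port, verdict).
    On pre-8.3 ASA code the inbound ACL is evaluated against the mapped
    (public) address, so the permit must name 'interface <mapped-if>',
    not the real inside host."""
    statics, acl = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            mapped_if, mapped_port, real_host, real_port = m.group(2, 3, 4, 5)
            statics[mapped_port] = (mapped_if, real_host, real_port)
            continue
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            acl[m.group(3)] = m.group(2)
    verdicts = []
    for port, (mapped_if, real_host, real_port) in statics.items():
        dest = acl.get(port)
        if dest is None:
            verdicts.append((port, "no-permit"))            # published, nothing lets it in
        elif dest != f"interface {mapped_if}":
            verdicts.append((port, "permit-on-real-host"))  # the mistake in the original post
        else:
            verdicts.append((port, "ok"))
    return verdicts
```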

Hello suschoud,

Thank you for your quick reply. It seems the changes did not quite help. Below is how the access lists look now.

Any other thoughts?

Thank you.

object-group service SMTP tcp
port-object eq smtp
access-list IPS extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp
access-list inside_access_out remark SMTP for Tahiti
access-list inside_access_out extended permit tcp any host Tahiti eq smtp
access-list inside_access_out extended permit tcp host 172.16.1.249 any
access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
access-list inside_access_out extended permit tcp any any eq ftp
access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list inside_access_out remark Allow Internal TCP to VPN Clients
access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal UDP to VPN clients
access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal ICMP to VPN Clients
access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark FTP traffic for TESTFTP system
access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
access-list inside_access_out extended permit tcp host 172.16.1.252 host 192.168.1.20
pager lines 24
logging enable
logging asdm warnings
logging mail debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm location xx.xx.151.123 255.255.255.255 outside
asdm location 192.168.200.0 255.255.255.0 outside
asdm location xx.xx.97.38 255.255.255.255 inside
asdm location Tahiti 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0

suschoud Tue, 10/14/2008 - 13:32

I still do not see the recommended changes. Did you run the suggested commands?

I forgot to save, sorry. Here are the lists:

!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name focus360.com
object-group service SMTP tcp
port-object eq smtp
access-list IPS extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 222
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list inside_access_out remark SMTP for Tahiti
access-list inside_access_out extended permit tcp any host Tahiti eq smtp log debugging
access-list inside_access_out extended permit tcp host 172.16.1.249 any
access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
access-list inside_access_out extended permit tcp any any eq ftp
access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list inside_access_out remark Allow Internal TCP to VPN Clients
access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal UDP to VPN clients
access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal ICMP to VPN Clients
access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark FTP traffic for TESTFTP system
access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
access-list inside_access_out extended permit tcp host 172.16.1.252 host 192.168.1.20
pager lines 24
logging enable
logging asdm warnings
logging mail debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm location 66.93.151.123 255.255.255.255 outside
asdm location 192.168.200.0 255.255.255.0 outside
asdm location xx.xx.97.38 255.255.255.255 inside
asdm location Tahiti 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route inside 192.168.1.0 255.255.255.0 172.16.1.254 1
route inside 172.16.0.0 255.255.0.0 172.16.1.254 1
route outside 0.0.0.0 0.0.0.0 207.7.97.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server WindowsDomain protocol nt
aaa-server WindowsDomain (inside) host 192.168.1.1
nt-auth-domain-controller CATALINA

suschoud Tue, 10/14/2008 - 13:53

Your config looks fine.

Try this :

From a computer on the internet:

telnet ip 25

ip --> the IP of the outside interface of the f/w.

See if it's successful.

If it is, the ports are open on the f/w.

If it's not, check the hit counts:

sh access-l outside_access_in :

access-list outside_access_in extended permit tcp any interface outside eq smtp (hitcnt=x)

If there are hit counts, then traffic did reach the f/w and there is an issue with the internal server.

If there are no hit counts, traffic did not reach the f/w and you need to check the upstream router.

Regards,

Sushil
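To apply Sushil's hit-count rule without reading the output by hand, here is an added Python example (not from the thread or from Cisco) that re-joins a terminal-wrapped "show access-list" paste, pulls out each ACE's hit count, and returns the verdict for the published port. The sample output is the thread's own paste; the function and verdict names are my assumptions.

```python
import re

# Sample "show access-list" output, copied from the thread's paste, with the
# long lines wrapped at 80 columns exactly as the poster's terminal did.
SHOW_OUTPUT = """\
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit tcp any interface outside e
q ftp (hitcnt=29) 0xe4fa0d23
access-list outside_access_in line 2 extended permit tcp any interface outside e
q 222 (hitcnt=0) 0xcfbe4f1c
access-list outside_access_in line 3 extended permit tcp any interface outside e
q smtp (hitcnt=272) 0x5a49ed8a
"""

ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (\w+) (.*?) \(hitcnt=(\d+)\)")

def unwrap(text):
    """Re-join terminal-wrapped lines: anything that does not start a new
    'access-list' entry is the tail of the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("access-list") or not lines:
            lines.append(raw)
        else:
            lines[-1] += raw
    return lines

def parse_hitcounts(text):
    """Map ACE line number -> fields, including the integer hit count."""
    entries = {}
    for line in unwrap(text):
        m = ACE_RE.match(line)
        if not m:
            continue  # header line or anything that is not an ACE
        acl, num, action, proto, match, hits = m.groups()
        port = match.split(" eq ")[-1] if " eq " in match else None
        entries[int(num)] = {"acl": acl, "action": action, "proto": proto,
                             "match": match, "port": port, "hitcnt": int(hits)}
    return entries

def diagnose(entries, port="smtp"):
    """Sushil's rule: hits on the permit for the published port mean the
    traffic reached the firewall (look at the server behind it); zero hits
    mean it never arrived (look at the upstream router)."""
    for e in entries.values():
        if e["action"] == "permit" and e["port"] == port:
            return "reached-firewall" if e["hitcnt"] > 0 else "not-reached"
    return "no-permit"
```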

Hello Sushil,

Thank you for your post. Here is how the hit counts look:

ciscoasa(config)# sh access-l outside_access_in
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit tcp any interface outside eq ftp (hitcnt=29) 0xe4fa0d23
access-list outside_access_in line 2 extended permit tcp any interface outside eq 222 (hitcnt=0) 0xcfbe4f1c
access-list outside_access_in line 3 extended permit tcp any interface outside eq smtp (hitcnt=272) 0x5a49ed8a

I will go ahead and double check my exchange server.

Please let me know if you can think of anything else.

Thank you.

Oscar
