10-14-2008 11:16 AM - edited 03-10-2019 04:19 AM
Hello there,
I pulled almost all my hair out and still cannot figure out what I am doing wrong.
Here is the scoop:
I currently have an ISA 2004 firewall in place that is working fine taking all email for my .com domain.
We purchased an ASA 5510 and I am configuring it to become the new firewall and use its CSM capabilities. For configuration and testing, I modified my .net MX record to resolve to the ASA.
I configured my exchange server to receive .net email as well and added the smtp address to my mailbox. Email sent internally to the .net works fine.
The problem is outside email. Something is wrong on the ASA that is blocking email from reaching the exchange server. Testing via telnet does not respond. Testing via email validation using 3rd party network-tools website shows connected, but recipient cannot be verified.
I am attaching a diagram of my layout. Here is the configuration of my device:
Thanks in advance for your help.
10-14-2008 12:50 PM
Issue:
no access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
no access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
no access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 222
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-g outside_access_in in interface outside
Do rate if this works.
Regards,
Sushil
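As an added example that is not part of the thread or of any Cisco tooling, a small Python checker for the mismatch Sushil points at: a static PAT published on the outside interface while the inbound ACL still permits to a specific host address. The config text is a constructed sample assembled from the lines in this thread (`Tahiti` and `xx.xx.97.38` are the thread's own placeholders), and the checker also treats a service name and its port number (smtp / 25) as the same port.

```python
import re

# Constructed sample based on the thread: static PAT published on the outside
# interface, but outside_access_in still permits to the host address xx.xx.97.38.
BEFORE_CFG = """\
static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp
access-group outside_access_in in interface outside
"""
# The same config after Sushil's fix (ACL matches the outside interface address).
AFTER_CFG = BEFORE_CFG.replace("host xx.xx.97.38", "interface outside")

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any (host \S+|interface outside) eq (\S+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside", re.M)
NAMES = {"ftp": "21", "ssh": "22", "smtp": "25", "www": "80"}  # service names the ASA accepts as ports

def port_num(p):
    """Normalise a well-known service name to its number so 'smtp' and '25' compare equal."""
    return NAMES.get(p, p)

def check_pat_acl(cfg):
    """Return [(static_port, problem)] for every static PAT on the outside
    interface that the ACL bound to 'outside' does not permit to 'interface outside'."""
    group = GROUP_RE.search(cfg)
    acl_name = group.group(1) if group else None
    allowed = {}
    for name, dst, port in ACL_RE.findall(cfg):
        if name == acl_name:
            allowed.setdefault(port_num(port), set()).add(dst)
    problems = []
    for port, host, lport in STATIC_RE.findall(cfg):
        dsts = allowed.get(port_num(port), set())
        if "interface outside" in dsts:
            continue  # ACL and static agree: traffic to the outside IP is permitted
        if dsts:
            problems.append((port, "ACL permits %s, not 'interface outside'" % ", ".join(sorted(dsts))))
        else:
            problems.append((port, "no permit for this port in %s" % acl_name))
    return problems
```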
10-14-2008 01:28 PM
Hello suschout,
Thank you for your quick reply. It seems the changes did not quite help. Below is how the access lists look now.
Any other thoughts?
Thank you.
object-group service SMTP tcp
port-object eq smtp
access-list IPS extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp
access-list inside_access_out remark SMTP for Tahiti
access-list inside_access_out extended permit tcp any host Tahiti eq smtp
access-list inside_access_out extended permit tcp host 172.16.1.249 any
access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
access-list inside_access_out extended permit tcp any any eq ftp
access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list inside_access_out remark Allow Internal TCP to VPN Clients
access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal UDP to VPN clients
access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal ICMP to VPN Clients
access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark FTP traffic for TESTFTP system
access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
access-list inside_access_out extended permit tcp host 172.16.1.252 host 192.168.1.20
pager lines 24
logging enable
logging asdm warnings
logging mail debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm location xx.xx.151.123 255.255.255.255 outside
asdm location 192.168.200.0 255.255.255.0 outside
asdm location xx.xx.97.38 255.255.255.255 inside
asdm location Tahiti 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0
10-14-2008 01:32 PM
I still do not see the recommended changes. Did you run the suggested commands?
10-14-2008 01:43 PM
I forgot to save. Sorry... here are the lists:
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name focus360.com
object-group service SMTP tcp
port-object eq smtp
access-list IPS extended permit ip any any
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq 222
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list inside_access_out remark SMTP for Tahiti
access-list inside_access_out extended permit tcp any host Tahiti eq smtp log debugging
access-list inside_access_out extended permit tcp host 172.16.1.249 any
access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
access-list inside_access_out extended permit tcp any any eq ftp
access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
access-list inside_access_out remark Allow Internal TCP to VPN Clients
access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal UDP to VPN clients
access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark Allow Internal ICMP to VPN Clients
access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_access_out remark FTP traffic for TESTFTP system
access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
access-list inside_access_out extended permit tcp host 172.16.1.252 host 192.168.1.20
pager lines 24
logging enable
logging asdm warnings
logging mail debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm location 66.93.151.123 255.255.255.255 outside
asdm location 192.168.200.0 255.255.255.0 outside
asdm location xx.xx.97.38 255.255.255.255 inside
asdm location Tahiti 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.0.0
static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route inside 192.168.1.0 255.255.255.0 172.16.1.254 1
route inside 172.16.0.0 255.255.0.0 172.16.1.254 1
route outside 0.0.0.0 0.0.0.0 207.7.97.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server WindowsDomain protocol nt
aaa-server WindowsDomain (inside) host 192.168.1.1
nt-auth-domain-controller CATALINA
10-14-2008 01:53 PM
Your config looks fine.
Try this:
From a computer on the internet:
telnet ip 25
ip --> IP of the outside interface of the f/w.
See if it's successful.
If it is, ports are open on the f/w.
If it's not, check the hitcounts:
sh access-l outside_access_in
access-list outside_access_in extended permit tcp any interface outside eq smtp (hitcnt=x)
If there are hitcounts, then traffic did reach the f/w and there is an issue with the internal server.
If there are no hitcounts, traffic did not reach the f/w and you need to check the upstream router.
Regards,
Sushil
10-15-2008 09:39 AM
Hello Sushil,
Thank you for your post. Here is how the hitcounts look:
ciscoasa(config)# sh access-l outside_access_in
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit tcp any interface outside eq ftp (hitcnt=29) 0xe4fa0d23
access-list outside_access_in line 2 extended permit tcp any interface outside eq 222 (hitcnt=0) 0xcfbe4f1c
access-list outside_access_in line 3 extended permit tcp any interface outside eq smtp (hitcnt=272) 0x5a49ed8a
I will go ahead and double check my exchange server.
Please let me know if you can think of anything else.
Thank you.
Oscar
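As an added example that is not part of the thread, a Python parser for the `show access-list` output Oscar pasted: it re-joins the 80-column terminal wraps, extracts each entry's hit count, and applies Sushil's triage rule (hits on the permit mean the packet reached the firewall, so the fault is on the inside; zero hits mean look at the upstream router). The sample text is a constructed copy of Oscar's output.

```python
import re

# Constructed sample mirroring Oscar's paste; the short continuation lines are
# the 80-column wraps a terminal paste produces mid-entry.
SAMPLE = """\
ciscoasa(config)# sh access-l outside_access_in
access-list outside_access_in; 3 elements
access-list outside_access_in line 1 extended permit tcp any interface outside e
q ftp (hitcnt=29) 0xe4fa0d23
access-list outside_access_in line 2 extended permit tcp any interface outside e
q 222 (hitcnt=0) 0xcfbe4f1c
access-list outside_access_in line 3 extended permit tcp any interface outside e
q smtp (hitcnt=272) 0x5a49ed8a
"""

LINE_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)")

def unwrap(text):
    """Re-join lines that a terminal wrapped in the middle of an ACL entry."""
    out = []
    for line in text.splitlines():
        if line.startswith("access-list") or not out:
            out.append(line)
        else:
            out[-1] += line  # wrap happened mid-token ("e" + "q"), so no separator
    return out

def parse_hitcounts(text):
    """Return {line_no: (action, proto, rule, hits)} for each ACE in the output."""
    rules = {}
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if m:
            name, no, action, proto, rule, hits = m.groups()
            rules[int(no)] = (action, proto, rule, int(hits))
    return rules

def triage(rules, port):
    """Sushil's rule: hits on the permit entry for the port mean traffic reached
    the firewall (look inside); zero hits mean it never arrived (look upstream)."""
    for action, proto, rule, hits in rules.values():
        if action == "permit" and rule.endswith("eq " + port):
            return "reached firewall; check internal server" if hits else "no hits; check upstream router"
    return "no permit entry for port " + port
```

For Oscar's output, port smtp has 272 hits, so the triage points at the Exchange server rather than the ASA or the upstream router.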