Is this a firewall issue?

Unanswered Question
Nov 5th, 2008

Hi All,


I have an ASA 5540 with 3 interfaces


Outside

DMZ

Inside


I have a Windows server in the DMZ that has the Outlook client installed, which connects to my Exchange server on the inside, and I am allowing the following protocols between the two machines:


tcp 135

dns 53

high port 1024 - 1500


Everything works; however, maybe every third time the client opens, it says it cannot contact the server and to click Retry. When I click Retry it connects fine.


I have opened up the rule for IP but still have the same problem. I have done a packet capture between the 2 hosts, which I have attached, and have broken down the capture into a successful connection and an interrupted connection.


When they connect the server directly to the inside of the network and connect to Exchange, they never get prompted to retry.


There is no inspect configured on the firewall.


Anyone got any ideas?



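As an added example (not the poster's capture or firewall config), here is a small Python triage script for the kind of comparison the post describes: it takes a text-format capture, groups packets into TCP flows, marks which flows never completed the three-way handshake, and checks whether the destination port of each failing flow falls inside the port list given above (tcp 135, 53 and 1024-1500, treated here as TCP destination ports on the Exchange side, which is an assumption). The capture lines are constructed in a tshark-like layout, and the hosts and ports in them are made up.

```python
"""Triage a text-format packet capture for TCP handshake failures between two
hosts and compare each failing flow against the port list from the post
(tcp 135, 53, high ports 1024-1500).

Added example for this thread, not the poster's capture or firewall config.
Assumptions: the listed ports are TCP destination ports on the Exchange side,
and the capture lines are constructed here in a tshark-like text layout:
    <no> <time> <src> -> <dst> TCP <sport> > <dport> [FLAGS]
"""
import re
from collections import defaultdict

# Ports as listed in the original post (assumed to be TCP destination ports).
ALLOWED_PORTS = {135, 53}
ALLOWED_RANGES = [(1024, 1500)]

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<t>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+TCP\s+"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample: two flows that complete the handshake, one SYN to a port
# outside the listed range that never gets an answer, and one SYN to a port
# inside the range that also never gets an answer.
SAMPLE_CAPTURE = """\
  1 0.000000 10.1.1.10 -> 10.2.2.20 TCP 1045 > 135 [SYN]
  2 0.000412 10.2.2.20 -> 10.1.1.10 TCP 135 > 1045 [SYN, ACK]
  3 0.000530 10.1.1.10 -> 10.2.2.20 TCP 1045 > 135 [ACK]
  4 0.010000 10.1.1.10 -> 10.2.2.20 TCP 1046 > 1430 [SYN]
  5 0.010400 10.2.2.20 -> 10.1.1.10 TCP 1430 > 1046 [SYN, ACK]
  6 0.010500 10.1.1.10 -> 10.2.2.20 TCP 1046 > 1430 [ACK]
  7 0.020000 10.1.1.10 -> 10.2.2.20 TCP 1047 > 2135 [SYN]
  8 3.020000 10.1.1.10 -> 10.2.2.20 TCP 1047 > 2135 [SYN]
  9 9.020000 10.1.1.10 -> 10.2.2.20 TCP 1047 > 2135 [SYN]
 10 9.500000 10.1.1.10 -> 10.2.2.20 TCP 1048 > 1200 [SYN]
 11 12.500000 10.1.1.10 -> 10.2.2.20 TCP 1048 > 1200 [SYN]
"""


def port_allowed(port):
    """True if the port is covered by the post's list (exact ports or the range)."""
    return port in ALLOWED_PORTS or any(lo <= port <= hi for lo, hi in ALLOWED_RANGES)


def parse_capture(text):
    """Group packets into flows keyed as (client, sport, server, dport).

    The client is whichever side sent the bare SYN; packets that belong to no
    known flow (no SYN seen for them) are ignored.
    """
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = {f.strip() for f in m["flags"].split(",") if f.strip()}
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
        if "SYN" in flags and "ACK" not in flags:
            key = fwd                      # bare SYN: the sender is the client
        elif fwd in flows:
            key = fwd
        elif rev in flows:
            key = rev
        else:
            continue
        flows[key].append((float(m["t"]), m["src"], flags))
    return dict(flows)


def classify_flows(flows):
    """Label each flow as established, refused (RST seen) or no-response."""
    results = {}
    for key, pkts in flows.items():
        client, dport = key[0], key[3]
        syns = sum(1 for _, src, fl in pkts
                   if src == client and "SYN" in fl and "ACK" not in fl)
        synack = any(src != client and {"SYN", "ACK"} <= fl for _, src, fl in pkts)
        rst = any("RST" in fl for _, _, fl in pkts)
        state = "established" if synack else ("refused" if rst else "no-response")
        results[key] = {
            "state": state,
            "syn_retries": syns - 1,          # SYNs retransmitted by the client
            "port_allowed": port_allowed(dport),
        }
    return results


def triage(results):
    """Return (flow, state, retries, verdict) for every flow that did not establish."""
    findings = []
    for (client, sport, server, dport), r in sorted(results.items()):
        if r["state"] == "established":
            continue
        if r["port_allowed"]:
            verdict = "port is in the listed ACL set; look beyond the ACL (conn table, host, path)"
        else:
            verdict = "port is outside the listed ACL set; the ACL alone would deny this"
        findings.append((f"{client}:{sport} -> {server}:{dport}",
                         r["state"], r["syn_retries"], verdict))
    return findings


if __name__ == "__main__":
    for flow, state, retries, verdict in triage(classify_flows(parse_capture(SAMPLE_CAPTURE))):
        print(f"{flow:32} {state:12} retries={retries}  {verdict}")
```

Run it as-is to see the two failing flows in the constructed sample; swap in `tshark -r capture.pcap` output filtered to the two hosts for a real capture. A failing flow on a port the ACL does not list points at the rule set; a failing flow on a listed port, like the one the post describes after opening the rule to IP, means the ACL itself is not the whole story.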
risenshine4th Wed, 11/05/2008 - 07:36

Beyond the packet capture, I would post a clean config (fake IPs) of the firewall/NAT rules.


francisco_1 Wed, 11/05/2008 - 07:45

Sounds like you are getting a timeout for SMTP traffic. Try removing the fixup ESMTP command. Also look for interface errors/duplex and speed issues on the firewall.



Francisco.

darkbeatzz Wed, 11/05/2008 - 07:50

Have checked the interface on the machine/switch for interface errors and there are none. Also, no inspect configured.

francisco_1 Wed, 11/05/2008 - 08:02

Is just your Outlook application affected? What is the software version on the ASA?


I think you should post a network diagram and post your FW config.


Francisco.

darkbeatzz Wed, 11/05/2008 - 08:40

Yeah, just the Outlook, and it's version 7.0(6).


The config is a bit of a nightmare as it's all objects and groups, but it's a basic ACL between the 2 with a no-NAT rule.



francisco_1 Wed, 11/05/2008 - 08:46

Version is old. Upgrading might fix your problem.




darkbeatzz Wed, 11/05/2008 - 08:47

Yeah, will probably do so; just seeing what Cisco TAC come back with.

francisco_1 Wed, 11/05/2008 - 08:49

Let us know the outcome and if you need help with something else.


Francisco.
