Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
433
Views
0
Helpful
8
Replies

Is this a firewall issue?

darkbeatzz
Level 1
Level 1

‎11-05-2008 07:25 AM - edited ‎03-11-2019 07:08 AM

Hi All,

I have an ASA 5540 with 3 interfaces

Outside

DMZ

Inside

I have a windows server in the dmz that has outlook client installed that connects to my exchange server on the inside and I am allowing the following protocols between the two machines:

tcp 135

dns 53

high port 1024 - 1500

everything works however maybe every third the time the client opens the client says is can not contact the server and to click retry, when I click retry it connects fine.

I have opened up the rule for IP but still the same problem. I have done a packet capture between the 2 hosts which I have attached and have broken down the capture to a succesfull connection and an interputed connection.

when they connect the server directly to the inside of the network and connect to exchange they never get prompted to retry.

there is no inspect configured on the firewall.

anyone got any ideas?

Labels:
Preview file
71 KB
0 Helpful
8 Replies 8

risenshine4th
Level 1
Level 1

‎11-05-2008 07:36 AM

Beyond the packet capture, I would post a clean config (fake ip's) of the firewall/nat rules.

0 Helpful

francisco_1
Level 7
Level 7
In response to risenshine4th

‎11-05-2008 07:45 AM

sounds like you are getting a timeout for smtp traffic. try removing the fixup ESMTP command. Also look for interface errors /duplex and speed issues on the firewall.

Francisco.

0 Helpful

darkbeatzz
Level 1
Level 1
In response to francisco_1

‎11-05-2008 07:50 AM

have checked interface on machine/switch for interface errors and there are none. also no inspect configured

0 Helpful

francisco_1
Level 7
Level 7
In response to darkbeatzz

‎11-05-2008 08:02 AM

Is just your oulook application affected? what is the software vesion on ASA?

I think you should post a network diagram and port your fw config.

Francisco.

0 Helpful

darkbeatzz
Level 1
Level 1
In response to francisco_1

‎11-05-2008 08:40 AM

yeah just the outlook and its version 7.0(6)

the config is a bit of a nightmare as its all objects and groups. but its a basic ACL between the 2 with a no nat rule.

0 Helpful

francisco_1
Level 7
Level 7
In response to darkbeatzz

‎11-05-2008 08:46 AM

version is old. upgrading might fix your problem.

0 Helpful

darkbeatzz
Level 1
Level 1
In response to francisco_1

‎11-05-2008 08:47 AM

yeah will probably do so just seeing what cisco tac come back with

0 Helpful

francisco_1
Level 7
Level 7
In response to darkbeatzz

‎11-05-2008 08:49 AM

let us know the outome and if you need help with something else.

Francisco.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card