ASA 5505 Cannot send/receive email from inside vlan

Answered Question
Jan 25th, 2009

Hello all,

When I try to send or receive e-mail from inside vpn I get:

6 Jan 25 2009 07:54:16 106015 75.180.132.77 xx.yyy.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1805 flags RST ACK on interface outside.

xx.yyy.121.101 is my outside vlan.

75.180.132.77 is RoadRunner cable my isp provider.

E-Mail server is in the dmz vlan.

I can send receive from a pc on the internet......

Configuration follows:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name my.domain.com
enable password *** Removed Intentionally *** encrypted
passwd *** Removed Intentionally *** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.8.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name my.domain.com
access-list outside_access_in extended permit tcp any host xx.yyy.121.101
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255
static (dmz,inside) tcp interface 3389 xx.yyy.121.101 3389 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.yyy.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*** Removed Intentionally ***
: end

Regards

Richard Burts Sun, 01/25/2009 - 17:29

Jose

I am a bit confused about your post and what the problem is. In some parts of the post you talk about internal vlan and in some parts you talk about internal vpn. I am not clear whether there is an internal vlan and an internal vpn or whether you are confusing terms.

I think that we can tell a little bit if we look carefully at the error message. The first thing that I notice is that a packet is denied because there is no connection and it appears to be a packet from outside to inside. But when we look further we see that the port associated with the source address is 110 (which is pop mail) and the port associated with the destination is 1805 (which is an ephemeral port usually associated with the client in a client/server communication). From this we can deduce that the client which got translated to the outside interface address attempted to initiate pop3 and that 75.180.132.77 rejected it. We know it was a rejection because the TCP flag in the packet was RST which is used when a host rejects a TCP connection.

HTH

Rick
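Rick's reading of the log line above can be reduced to a small parser so the same reasoning can be applied to any 106015 message. This is an added example, not code from the thread or from Cisco: the regular expression assumes the ASDM line format quoted in the post (and the equivalent raw `%ASA-6-106015:` syslog form), the sample line is the one Jose posted with the public address obfuscated as in the original, and the classification rule is the port/flag argument from Rick's reply (a service port below 1024 on one side, an ephemeral port on the other, and a RST). One caveat worth keeping in mind: message 106015 means the ASA holds no connection entry for that 4-tuple, so a RST that answered a SYN the firewall had itself just passed would normally be matched to the embryonic connection rather than logged this way; a 106015 RST is commonly a second or late RST arriving after the connection entry was already torn down.

```python
"""Parse Cisco ASA syslog message 106015 ("Deny TCP (no connection)") and
apply the port/flag reasoning from the thread to say which side holds the
service port and which side sent the reset."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches the message body in either the ASDM line format quoted in the post
# ("6 Jan 25 2009 07:54:16 106015 ... Deny TCP (no connection) from ...")
# or the raw syslog format ("%ASA-6-106015: Deny TCP (no connection) from ...").
_DENY_RE = re.compile(
    r"Deny (?P<proto>TCP|UDP) \(no connection\) "
    r"from (?P<src>[^/\s]+)/(?P<sport>\d+) to (?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

# Ports at or below this value belong, by convention, to the server side.
_WELL_KNOWN_MAX = 1023


@dataclass
class Deny106015:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str

    def server_side(self) -> str:
        """Return 'src' or 'dst' for the side holding the service port."""
        if self.sport <= _WELL_KNOWN_MAX < self.dport:
            return "src"
        if self.dport <= _WELL_KNOWN_MAX < self.sport:
            return "dst"
        return "unknown"

    def interpretation(self) -> str:
        """A RST from the service port toward an ephemeral port is the server
        refusing a connection the other side opened; the ASA logs it as
        'no connection' because it holds no state for the 4-tuple."""
        side = self.server_side()
        if "RST" in self.flags and side == "src":
            return (f"{self.src} (port {self.sport}) reset a connection that "
                    f"{self.dst} tried to open; the ASA has no matching conn entry")
        if "RST" in self.flags and side == "dst":
            return (f"client {self.src} reset a session toward service "
                    f"{self.dst}:{self.dport} that the ASA no longer tracks")
        if side == "unknown":
            return "non-SYN packet without state; neither port is a well-known service port"
        return "non-SYN packet (stale or out-of-state segment) for a tracked service"


def parse_106015(line: str) -> Optional[Deny106015]:
    """Return the parsed event, or None if the line is not a 106015 deny."""
    m = _DENY_RE.search(line)
    if not m:
        return None
    return Deny106015(
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=frozenset(m["flags"].split()),
        iface=m["iface"],
    )


# The line quoted in the post (public address obfuscated as in the original).
POSTED_LINE = ("6 Jan 25 2009 07:54:16 106015 75.180.132.77 xx.yyy.121.101 "
               "Deny TCP (no connection) from 75.180.132.77/110 to "
               "xx.yyy.121.101/1805 flags RST ACK on interface outside.")

if __name__ == "__main__":
    event = parse_106015(POSTED_LINE)
    print(event)
    print(event.interpretation())
```

Run it as a script to see the parsed fields and the one-line interpretation for the posted message; `parse_106015` returns `None` for any other message ID, so it can be dropped into a loop over a syslog file.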

vbdotnetman Mon, 01/26/2009 - 02:58

Sorry about that Rick...

It should read as:

When I try to send or receive e-mail from inside vlan I get:

6 Jan 25 2009 07:54:16 106015 75.180.132.77 xx.yyy.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1805 flags RST ACK on interface outside.

xx.yyy.121.101 is my outside vlan.

75.180.132.77 is RoadRunner cable my isp provider.

E-Mail server is in the dmz vlan.

I can send receive from a pc on the internet......

How can I tell why 75.180.132.77 rejected it?

Jose

Correct Answer
Richard Burts Mon, 01/26/2009 - 04:16

Jose

If my analysis is correct then the host at xx.yyy.121.101 sent a request for POP3 (port 110) to 75.180.132.77. So my first question would be whether 75.180.132.77 is functioning as a POP3 server? If it is not, then that would certainly explain why it rejects the attempted connection.

HTH

Rick
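Rick's first question, whether 75.180.132.77 is actually running a POP3 service, can be answered from the client side with a connection test that also tells a refusal (a RST, which is what the ASA logged) apart from silent filtering (no answer at all, which is what an upstream block looks like). This is an added example, not part of the thread: the probe function is generic, and the loopback listener and the "closed port" helper are constructed fixtures so the code can be exercised offline; the call against the real address is left commented out because it needs network access.

```python
"""Check from a client whether a host answers POP3, and distinguish an
open port from a refusal (RST) and from silent filtering (timeout)."""
import socket
import threading
from typing import Tuple


def probe_pop3(host: str, port: int = 110, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect to host:port and read the POP3 greeting.

    Returns (state, detail) with state one of:
      "open"     - TCP handshake completed (detail holds the greeting, if any)
      "refused"  - the host answered the SYN with a RST: it is up but nothing
                   listens on that port (the flags the ASA log showed)
      "filtered" - nothing came back before the timeout: something between
                   client and host is dropping packets (an ISP block looks like this)
      "error"    - name resolution or other socket failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                return "open", "connected, but no greeting within timeout"
            if banner.startswith("+OK"):
                return "open", banner
            return "open", "unexpected greeting: " + banner
    except ConnectionRefusedError:
        return "refused", "RST received: host is up, no listener on the port"
    except socket.timeout:
        return "filtered", "no SYN/ACK or RST within timeout: packets are being dropped"
    except OSError as exc:
        return "error", str(exc)


# --- constructed loopback fixtures so the probe can be exercised offline ----

def start_fake_pop3(greeting: bytes = b"+OK POP3 server ready\r\n") -> int:
    """Listen on a free loopback port, answer one connection with a POP3
    greeting, then exit. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Bind and immediately release a loopback port, so that a connect to it
    draws a RST because nothing is listening there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("fake POP3 server:", probe_pop3("127.0.0.1", start_fake_pop3()))
    print("closed port     :", probe_pop3("127.0.0.1", closed_loopback_port()))
    # Against the host from the thread (needs network access):
    # print(probe_pop3("75.180.132.77", 110))
```

The three outcomes map directly onto what a firewall log can and cannot tell you: a "refused" result is the RST Rick describes, a "filtered" result is what an ISP port block produces, and only "open" with a `+OK` greeting confirms a POP3 service is there.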

vbdotnetman Mon, 01/26/2009 - 05:20

Hi Rick,

I really have no way of telling if it's a mail server unless I contact the ISP.

My guess is it must be a mail server... I'm using the same Outlook settings as my laptop, which connects fine from the internet.

Below are my Outlook settings from my inside client's Outlook session:

Incoming Mail Server - Mail.systems-programmer.com ("This server resides in my DMZ vlan")

Outgoing Mail Server (SMTP) - smtp-server.sc.rr.com

When I send a test message from Outlook I get the following error messages returned:

"Log into incoming mail server (POP3): Outlook cannot connect to your incoming (POP3) E-Mail server."

"Send test E-Mail message: None of the authentication methods supported by this client are supported by your server."

Based on this information I should at least be able to connect to my incoming mail server (mail.systems-programmer.com is pointed by DynDNS to xx.yyy.121.101) in the DMZ vlan.

I guess I don't understand why it's going to port 110 at 75.180.132.77 and not port 110 at xx.yyy.121.101?

I hope all this makes sense?

Regards

Jose

vbdotnetman Mon, 01/26/2009 - 08:10

Rick,

I contacted my ISP provider and they said that port 110 was blocked. They suggested I wait for 24 hours for the unblocking to take effect.

As you can tell I'm not well versed in network issues and do appreciate your assistance.

If you lived nearby, I'd buy you lunch... LOL :-)

Best Regards

Jose

PS. If it turns out this is not the problem, I'll open another conversation.

Once again thanks for your help.....

Richard Burts Mon, 01/26/2009 - 08:53

Jose

I am glad that you got your problem resolved and that my responses were helpful in that. Thank you for using the rating system to indicate that your problem was resolved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that responses received did lead to a resolution of the problem.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick

vbdotnetman Mon, 01/26/2009 - 11:26

Hi Rick,

It turns out my port is not being blocked. I can telnet into it on port 110. The ISP technical support is of no use. They won't even look at it.

If I contact Cisco they want a service contract number which cost a few thousand.

I am so disappointed in Cisco. For the money I paid I would have liked some type of support?

Can you recommend another router I can purchase that is reputable and is somewhat easier to configure and has similar functions? Anything but Cisco or Linksys.

Best Regards

Jose
