03-01-2009 12:30 PM - edited 03-11-2019 07:59 AM
Hi, I'm in the process of changing from a PIX to an ASA.
I have a little problem connecting from the Internet to the mail server in the DMZ.
What am I doing wrong?
The config:
ASA Version 7.0(8)
!
hostname gateway
domain-name test.de
enable password xxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.26.247.170 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside_access_in extended permit tcp any host 8.26.247.171 eq smtp
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) 8.26.247.171 192.168.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8.26.247.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username radke password xxxxxxxxx encrypted privilege 15
http server enable
http 192.168.1.66 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
03-01-2009 01:20 PM
Hey,
Your config looks perfect and simple to me. I am surprised that it is not working.
Is it working from Inside?
03-01-2009 01:35 PM
ASA config looks good.
Check the IP details on your server, including default gateway settings, and check that the server's mail app hasn't crashed and is listening on TCP port 25.
Also try clearing the translation table with the clear xlate command.
03-01-2009 06:04 PM
If you cannot telnet to the mail server address from the outside on port 25, check and see if your outside ACEs are getting any hits. If not, you may need to reset any routing device in front of the ASA if you have control over it. That way it can build a proper ARP table. That was my issue when I upgraded from a PIX to an ASA. Check the "Outside access in through asa 5510" post. Exact problem with SMTP traffic.
03-01-2009 11:41 PM
Configuration is OK; you may want to re-check the IPs and then run the packet-tracer command (available on ASA 7.2 and later only), or a simple telnet as others suggested. Also make sure the SMTP server has a default route and the service is working properly.
Regards
Farrukh
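Added example, not part of any post in this thread: a small Python cross-check of the posted configuration that confirms the static translation, the inbound ACL and the access-group line agree, and flags that the mapped address sits inside the outside subnet, which is why the upstream router's ARP table matters after a PIX-to-ASA swap. The function name `audit_static_nat` and the trimmed `CONFIG` sample are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 8.26.247.170 255.255.255.248
interface Ethernet0/2
 nameif dmz
 ip address 192.168.0.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 8.26.247.171 eq smtp
access-list outside_access_in extended deny ip any any
static (dmz,outside) 8.26.247.171 192.168.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def audit_static_nat(config, port="smtp"):
    """Cross-check each host static against interface subnets and inbound ACLs."""
    nets, acl_on, permits, nameif = {}, {}, set(), None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["nameif"]:
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            nets[nameif] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[:1] == ["access-group"] and w[2:3] == ["in"]:
            acl_on[w[4]] = w[1]          # interface name -> ACL applied inbound
        elif (w[:1] == ["access-list"] and w[6:7] == ["host"]
              and w[2:6] == ["extended", "permit", "tcp", "any"]
              and w[8:] == ["eq", port]):
            permits.add((w[1], w[7]))    # (ACL name, permitted destination host)
    findings = []
    for m in re.finditer(r"^static \((\w+),(\w+)\) (\S+) (\S+)", config, re.M):
        real_if, mapped_if, mapped, real = m.groups()
        findings.append({
            "mapped": mapped, "real": real,
            "real_on_real_if": ipaddress.ip_address(real) in nets[real_if],
            "acl_permits": (acl_on.get(mapped_if), mapped) in permits,
            # Mapped address inside the outside subnet: the upstream router
            # ARPs for it, so a stale ARP entry there drops the traffic.
            "upstream_arps_for_it": ipaddress.ip_address(mapped) in nets[mapped_if],
        })
    return findings

if __name__ == "__main__":
    for finding in audit_static_nat(CONFIG):
        print(finding)
```

All three checks come back true for the posted configuration, which matches the replies: the ASA side is consistent, so the remaining suspects are the server itself and the ARP cache of the device in front of the ASA.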