ASA 5510 Mailserver DMZ

Mar 1st, 2009

Hi, I'm in the middle of changing from PIX to ASA.

I have a small problem connecting from the Internet to the mail server in the DMZ.

What am I doing wrong?

The config:

ASA Version 7.0(8)
hostname gateway
enable password xxxxxxx encrypted
passwd xxxxxxxxxx encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
ftp mode passive
access-list outside_access_in extended permit tcp any host eq smtp
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (dmz,outside) netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username radke password xxxxxxxxx encrypted privilege 15
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
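As an added example (not part of the thread), a small Python checker for the three pieces an inbound outside-to-DMZ flow needs on this pre-8.3 ASA release: a static translation for the DMZ host, an ACL line permitting the service to the mapped (outside) address rather than the real one, and that ACL bound inbound on the outside interface. The sample config and all addresses are constructed placeholders, not the poster's real values.

```python
import re

# Constructed sample in the shape of the posted config; addresses are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/2
 nameif dmz
 security-level 50
access-list outside_access_in extended permit tcp any host 203.0.113.25 eq smtp
access-list outside_access_in extended deny ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 203.0.113.25 192.168.50.25 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def check_inbound_dmz_service(config, dmz_host, service="smtp"):
    """Return a list of findings; an empty list means static NAT, ACL permit on
    the mapped address, and the outside access-group are all present."""
    acl_permits, statics, groups = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_permits.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := STATIC_RE.match(line):
            # keyed by real (DMZ) address -> (real_if, mapped_if, mapped address)
            statics[m.group(4)] = (m.group(1), m.group(2), m.group(3))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)

    findings = []
    if dmz_host not in statics:
        return [f"no static translation for DMZ host {dmz_host}"]
    real_if, mapped_if, mapped = statics[dmz_host]
    if (real_if, mapped_if) != ("dmz", "outside"):
        findings.append(f"static for {dmz_host} is ({real_if},{mapped_if}), expected (dmz,outside)")
    acl = groups.get("outside")
    if acl is None:
        findings.append("no access-group bound inbound on the outside interface")
    elif (mapped, service) not in acl_permits.get(acl, set()):
        # On ASA 7.x/8.2 the outside ACL must name the mapped address, not the real one.
        findings.append(f"ACL {acl} does not permit tcp any host {mapped} eq {service}")
    return findings
```

If the checker reports nothing and the flow still fails, the remaining suspects are the ones the replies name: the server's own listener and default gateway, stale xlates, or upstream ARP.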

arvind.thevendr... Sun, 03/01/2009 - 13:20


Your config looks perfect and simple to me. I am surprised it is not working.

Is it working from Inside?

adamclarkuk_2 Sun, 03/01/2009 - 13:35

ASA config looks good.

Check the IP details on your server, including default gateway settings, and check that the server's mail app hasn't crashed and is listening on TCP port 25.

Also try clearing the translation table with the clear xlate command.

rickeyrobertson Sun, 03/01/2009 - 18:04

If you cannot telnet to the mail server address from the outside on port 25, check and see if your outside ACEs are getting any hits. If not, you may need to reset any routing device in front of the ASA if you have control over it, so that it can build a proper ARP table. That was my issue when I upgraded from a PIX to an ASA. Check the "Outside access in through asa 5510" post; it is the exact same problem with SMTP traffic.

Farrukh Haroon Sun, 03/01/2009 - 23:41

Configuration is OK. Maybe re-check the IPs and then run the packet-tracer command (available on ASA 7.2 and later only), or a simple telnet as others suggested. Also make sure the SMTP server has a default route and the service is working properly.
