02-21-2010 06:45 PM - edited 03-11-2019 10:13 AM
Hello all, need some help.
Shouldn't the below config work for SMTP access to the internal server?
When I do a show xlate, I see the Global PAT xlate on for both ext and int IP addresses on port 25.
When I do a show access-list I never see any hits on the outside_access_in access list entry.
Cisco ASA 5505, version 7.2(2)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.###.### 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.9.###.### 255.255.255.0
access-list outside_access_in extended permit tcp any host 72.9.###.### eq smtp
access-list inside_access_out extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
Solved! Go to Solution.
02-23-2010 11:13 AM
If 72.9.###.### ip is the same as the vlan 2 interface IP address then you need to change the static
static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.###.### smtp netmask 255.255.255.255
change it to the keyword interface instead.
-KS
02-21-2010 06:53 PM
Also, I forgot to add. When I look at the log, I see the attempt at the connection on port 25, from the public IP, but it always gets discarded.
02-22-2010 08:39 PM
I've added my complete config. I still cannot get outside public hosts to access the internal IP address on port 25.
Any suggestions would be appreciated.
ASA# sho run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA
domain-name default.domain.invalid
enable password ###################### encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.###.### 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.9.###.### 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.###.### 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd ################ encrypted
banner login ALL UNAUTHORIZED ACCESS IS PROHIBITED BY LAW
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 72.9.###.### eq smtp
access-list inside_access_out extended permit ip any any
access-list asa-vpn_splitTunnelAcl standard permit 192.168.###.### 255.255.255.0
access-list dmz_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn-pool 192.168.###.###-192.168.###.### mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.9.###.### 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy asa-vpn internal
group-policy asa-vpn attributes
dns-server value ###.###.###.###
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value asa-vpn_splitTunnelAcl
vpn-group-policy asa-vpn
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group asa-vpn type ipsec-ra
tunnel-group asa-vpn general-attributes
address-pool vpn-pool
default-group-policy asa-vpn
tunnel-group asa-vpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:af151ea5d8a16d08a9bce5c30579f440
: end
ASA# sho nat
NAT policies on Interface inside:
match tcp inside host 192.168.###.### eq 25 outside any
static translation to 72.9.###.###/25
translate_hits = 0, untranslate_hits = 870
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 19, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 1 (72.9.117.191 [Interface PAT])
translate_hits = 1427, untranslate_hits = 93
match ip inside any dmz any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
02-22-2010 10:43 PM
Can't see a lot wrong with your config. I did a quick test and telnetted to port 25 on your public IP and i was allowed straight in to your mail server. I logged straight back out but in future good idea not to post full public IP details. So you should see at least one hit in your acl now.
Could you give a few more details as to what you are trying to do ie. is it to allow other mail servers on the internet to connect to your mail server and vice-versa ?
Jon
02-23-2010 06:38 AM
Yes, its open right now as the ASA is not plugged in, so port 25
is open right now.
02-23-2010 06:43 AM
Yes we just want to be able to send mail from Internet to our internal mail server. I've done this several times before with ASA with no problems. I was curious about the code version 7.2(2) and only having a single Public IP address, which is the outside interface, and then using the Global (outside) 1 interface statement. Any limitations by only having the single public IP? We have the DNS MX record pointed to the public IP address. When I put the ASA back inline, no hits on access list and in the log, I see attempts on port 25 to the public IP, but all packets are "discarded".
02-23-2010 06:34 AM
If I understand correctly the following is your scenario:
incoming mails to ur internal mail server:
mail originated from internet to ur domain------>ur service provider mail-relay server-------->72.9.X.X int on ur ASA------->NAT/PAT------>ur internal Mail Server
1.does the problem is one way or both ways?
2. if problem in recieving mails need to troubleshoot each leg of above diagram from left to right.
02-23-2010 11:13 AM
If 72.9.###.### ip is the same as the vlan 2 interface IP address then you need to change the static
static (inside,outside) tcp 72.9.###.### smtp 192.168.###.### smtp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.###.### smtp netmask 255.255.255.255
change it to the keyword interface instead.
-KS
02-25-2010 06:21 AM
Changing the static NAT statement to "interface" instead of the actual IP address did it.
Thanks for the insight and help.
This forum is a great medium for exchanging information.
Jay
02-25-2010 06:52 AM
Glad to hear. Thanks for rating.
Specifying the keyword interface is clearly documented in the command ref.if you need to read on that.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1512466
-KS
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: