Unanswered Question
Sep 22nd, 2010

Dear all

I am a network administrator of a small comp. Today we have faced a strange problem.

Internet leased line ---- Router ---- Catalyst switch ---- External servers and IP devices
                                        |         |
                                        |         |
                                  Cyberoam UTM    |
                                        |         |
                                        |         |
                     LAN internet and mail users  |
                                                  |
                                               ASA 5510

                          LAN high-end users and servers internet access

Everything was working fine. But today I found that our mail users are unable to send mail. They can receive mail, but are unable to send. I checked that telnet 25 was not connecting from any of the LAN users who have the ASA 5510 IP or the Cyberoam IP as gateway. But when I telnet from an external server, it was working. No conf change was done recently. Somehow both of my firewalls deny the SMTP traffic. Can anybody help me regarding that?

Please help me. If you want any more feedback, please let me know.

mirober2 Wed, 09/22/2010 - 09:49


If the ASA is blocking the traffic, you can check the syslogs to find out the reason. You can also use the packet-tracer command to see why the traffic would be dropped:

packet-tracer in inside tcp <source-ip> 12345 <destination-ip> 25

Interface and ASP drop captures on the ASA may also help you see why the connection is failing. Here is a guide that describes how to set up captures on the ASA:

Hope that helps.
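
An added example, not part of the original thread: a small triage script for the syslog check suggested above. It separates port 25 connections the ASA itself denied (message 106023) from connections the ASA built but that ended in a SYN timeout (message 302014), which points past the firewall. The log lines, addresses and the ACL name `inside_access_in` are constructed, and the teardown pattern assumes outbound connections where the remote server is listed first.

```python
import re
from collections import Counter

# Constructed sample lines in ASA syslog format; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 22 2010 09:12:01: %ASA-4-106023: Deny tcp src inside:192.168.10.21/51544 dst outside:203.0.113.25/25 by access-group "inside_access_in" [0x0, 0x0]
Sep 22 2010 09:12:07: %ASA-6-302013: Built outbound TCP connection 88101 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.10.30/51701 (198.51.100.9/51701)
Sep 22 2010 09:12:37: %ASA-6-302014: Teardown TCP connection 88101 for outside:203.0.113.25/25 to inside:192.168.10.30/51701 duration 0:00:30 bytes 0 SYN Timeout
Sep 22 2010 09:13:02: %ASA-6-302013: Built outbound TCP connection 88107 for outside:203.0.113.80/80 (203.0.113.80/80) to inside:192.168.10.21/51810 (198.51.100.9/51810)
Sep 22 2010 09:13:05: %ASA-6-302014: Teardown TCP connection 88107 for outside:203.0.113.80/80 to inside:192.168.10.21/51810 duration 0:00:03 bytes 5120 TCP FINs
"""

# 106023: packet denied by an access-group applied on the ASA.
DENY = re.compile(
    r'%ASA-4-106023: Deny tcp src (\S+?):([\d.]+)/\d+ '
    r'dst (\S+?):([\d.]+)/(\d+) by access-group "([^"]+)"')
# 302014: TCP connection teardown with byte count and reason.
TEARDOWN = re.compile(
    r'%ASA-6-302014: Teardown TCP connection \d+ for (\S+?):([\d.]+)/(\d+) '
    r'to (\S+?):([\d.]+)/\d+ duration \S+ bytes (\d+) (.+)$')


def triage_smtp(log_text, port=25):
    """Count ACL denies and SYN timeouts for the given destination port.

    Keys are ("acl-deny", client_ip, acl_name) when the ASA dropped the
    packet, or ("syn-timeout", client_ip, server_ip) when the ASA passed
    the SYN but the handshake never completed.
    """
    findings = Counter()
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m and int(m.group(5)) == port:
            findings[("acl-deny", m.group(2), m.group(6))] += 1
            continue
        m = TEARDOWN.search(line)
        if m and int(m.group(3)) == port and m.group(7).strip() == "SYN Timeout":
            findings[("syn-timeout", m.group(5), m.group(2))] += 1
    return findings


if __name__ == "__main__":
    for key, count in triage_smtp(SAMPLE_LOG).items():
        print(count, *key)
```

An `acl-deny` result means the drop is in the ASA's own access list; a `syn-timeout` result means the SYN left the firewall and nothing answered, so the next place to look is the upstream path.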


nseshan Thu, 09/23/2010 - 10:07

As Mike has rightly pointed out, you need to apply packet captures to actually check whether the traffic for port 25 is reaching the firewall itself from the internal LAN. If it is, then you need to apply captures on the external interface to check if it is leaving the firewall. Also, we could check if your firewall is inspecting SMTP traffic and whether the inspection is causing issues. To check this, you can issue the commands "sh run policy-map" and "sh service-policy". It would be good if you could attach those outputs to this string.

