Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

Unanswered Question
Jan 18th, 2012

We are upgrading from a PIX 515e to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config. Any help would be appreciated.

show config
: Saved
: Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
!
ASA Version 8.4(3)
!
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-192.168.9.2
 host 192.168.9.2
object network obj-192.168.1.65
 host 192.168.1.65
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.6.0
 subnet 192.168.6.0 255.255.255.0
object network obj-192.168.8.0
 subnet 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
object-group network Red-Condor
 description Email Filtering
 network-object host 66.234.112.69
 network-object host 66.234.112.89
object-group service NetLink tcp
 port-object eq 36001
object-group network AECSouth
 network-object 192.168.11.0 255.255.255.0
object-group service Email_Filter tcp-udp
 port-object eq 389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
 group-object Email_Filter
 port-object eq pop3
 port-object eq smtp
object-group network Exchange-Server
 description Exchange Server
 network-object host 192.168.1.65
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.9.2
 nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.65
 nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.0
 nat (inside,outside) dynamic interface
object network obj-192.168.2.0
 nat (inside,outside) dynamic interface
object network obj-192.168.3.0
 nat (inside,outside) dynamic interface
object network obj-192.168.6.0
 nat (inside,outside) dynamic interface
object network obj-192.168.8.0
 nat (inside,outside) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server isaconn protocol radius
aaa-server isaconn (inside) host 192.168.1.9
 timeout 5
 key XXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca server
 shutdown
 smtp from-address [email protected]
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate
  quit
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.66.175.36 source outside prefer
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  csc fail-close
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous

Julio Carvajal Wed, 01/18/2012 - 10:48

Hello Scott,

So Exchange server IP is obj-192.168.1.65 natted to 216.x.x.x

object network obj-192.168.1.65
 nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp

The ACL says

access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3

From which IP addresses are you trying to send traffic to the Exchange server?

Please do a packet-tracer and give us the output

packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25

Regards,

Julio

Rate helpful posts!!!
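Julio's point is that the posted outside_access ACL admits SMTP and POP3 to the Exchange host only from the two Red-Condor filtering addresses. The Python below is an added example, not code from the thread: it transcribes those object-groups and ACEs from the config and evaluates an inbound flow against them the way packet-tracer's ACCESS-LIST phase would, assuming ASA 8.3+ semantics where the ACL matches the real address 192.168.1.65; the 203.0.113.10 sender used for testing is a constructed address.

```python
import ipaddress

# Transcribed from the posted config (added example, not the thread's own code). ASA 8.3+
# ACLs match the REAL address 192.168.1.65, not the 216.x.x.x mapped address in the NAT rule.
NETWORK_GROUPS = {
    "Red-Condor": ["66.234.112.69/32", "66.234.112.89/32"],
    "Exchange-Server": ["192.168.1.65/32"],
}
SERVICE_GROUPS = {"Email_Filter": {389}}      # object-group service Email_Filter tcp-udp
PROTOCOL_GROUPS = {"TCPUDP": {"tcp", "udp"}}
NAMED_PORTS = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}
OUTSIDE_ACCESS = """\
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
""".splitlines()

def _take_addr(toks):
    """Consume 'any' or 'object[-group] NAME'; None means any address."""
    tok = toks.pop(0)
    if tok == "any":
        return None
    return [ipaddress.ip_network(n) for n in NETWORK_GROUPS[toks.pop(0)]]

def parse_ace(line):
    """Return (protocols, src_nets, dst_nets, dst_ports) for one 'permit' ACE."""
    toks = line.split()[4:]                   # drop 'access-list NAME extended permit'
    proto = toks.pop(0)
    protos = PROTOCOL_GROUPS[toks.pop(0)] if proto == "object-group" else {proto}
    src, dst = _take_addr(toks), _take_addr(toks)
    ports = None                              # None means any destination port
    if toks and toks[0] == "eq":
        ports = {NAMED_PORTS.get(toks[1]) or int(toks[1])}
    elif toks and toks[0] == "object-group":
        ports = SERVICE_GROUPS[toks[1]]
    return protos, src, dst, ports

def _hit(nets, ip):
    return nets is None or any(ip in n for n in nets)

def check(proto, src_ip, real_dst_ip, dport=0):
    """First ACE permitting the flow (what packet-tracer's ACCESS-LIST phase shows), else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(real_dst_ip)
    for line in OUTSIDE_ACCESS:
        protos, s, d, ports = parse_ace(line)
        if proto in protos and _hit(s, src) and _hit(d, dst) and (ports is None or dport in ports):
            return line
    return None                               # implicit deny at the end of the ACL
```

Outbound mail from 192.168.1.65 is governed by inside_access_in (permit ip any any), not by this ACL, so an outbound failure points elsewhere in the config. Note also that class global-class applies csc fail-close to the global_mpc ports (ftp, www, pop3, smtp), so if the CSC SSM is not up those flows are dropped regardless of the ACL result.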
