ASA5510 how to open port 25

Unanswered Question
Feb 15th, 2012

Hello

We have an ASA5510 that we need to open port 25 to allow mail traffic to our internal Exchange server.

We have 2 interfaces defined... one named Internal on eth0/3 ip 10.1.x.x and one named Internet on eth 0/0 ip 96.56.x.x

We followed the instructions in ASDM for allowing access to a public server but confusion over definitions have stopped us.

ASDM asks for the internal interface and the internal server IP... no problem there because the internal interface and server have two different IP addresses.  The Internal interface is eth 0/3 (10.1.1.1) and the server is 10.1.1.2.

However, when we get to the External interface (eth 0/1) there is only a single IP address 96.56.x.x but the ASDM asks for an Interface IP and the IP people would use to get to the mail server from the outside.  Inasmuch as we have only 1 external IP address (which connects to our upstream Cisco router which in turn connects to the ISP modem) we used the same IP for both but the ASDM returns an error indicating they must be different.

Apparently we do not have a clear understanding of what the ASDM is actually asking for. When the ASDM asks for the external interface we assumed it was asking for the named value we gave the interface (which is Internet). The named value "Internet" has an IP associated with it, 96.56.x.x. But when the ASDM asks for the IP people on the outside would use to get to the mail server, we created a named value called "mail server" and gave it the same IP address as the external named value. This duplication of IP address causes the ASDM to return an error stating that the external interface to be used and the external IP to be used cannot be the same.

Have we made an error when we assumed that when the ASDM asked for the external interface it meant the ip of the external interface or was it asking for the eth number (as in eth 0/0) for the interface? 

Thanks  

JohnTylerPearce Wed, 02/15/2012 - 04:49

Personally, I don't use the ASDM because IMO it sucks donkey. Don't take that the wrong way by any means; I started learning about ASAs via the ASDM, but switched to command line only, unless something is just way easier to configure via ASDM.

It sounds like you just want access from the outside to your internal Exchange Server.

Configure the ACE entry on the ACL that is assigned to your outside interface in this case.

access-list outside_access_in extended permit tcp any host x.x.x.x eq 25

This will allow anything from the outside to access your Exchange server via port 25. You can also change this so you're only allowing specific users, or everyone from the outside.

The_guroo_2 Wed, 02/15/2012 - 04:55

You have to define NAT. If it's the latest version, check the real IP concept on the Cisco website.

smsbconsulting Wed, 02/15/2012 - 14:28

Hello guys

Sorry... but I am totally lost.  I have read everything I can find... and I've watched the video but I'm no closer to opening the ports I need to open.  The ASDM is very confusing in that it appears to function backwards from what I need to do. It looks like you define NAT for the internal to external but I need to forward any data received on the external (port 25) to my Exchange server on my internal network. 

The CLI instructions in the video apply to version 8.3 which is very different from my version which is 8.2.

I have no preference one way or the other... I am equally unfamiliar with ASDM and CLI so either will work for me but I need painfully specific step by step instructions.  Please don't assume that I know anything about the Cisco Appliance or the configuration utilities because I don't.

Thanks in advance.

Ed

manisharora111 Wed, 02/15/2012 - 15:43

Hi Ed,

If you can log on to the CLI and do "sh run", then paste that configuration over here. Mention the private IP on the server and the external IP for NAT.

Someone will type in the rest of the configuration you need for it to work over here and then you can copy-paste it in.

Manish ;-)

smsbconsulting Thu, 02/16/2012 - 14:30

Thank you so much... that will be very helpful.

Private ip of server is 10.1.1.2

External IP is 96.56.127.171

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name smsbconsulting
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 96.56.127.169 Gateway description Default gateway
!
interface Ethernet0/0
description Static IP external interface
nameif Internet
security-level 0
ip address 96.56.127.171 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif Internal
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name smsbconsulting
same-security-traffic permit intra-interface
object-group network inside-net
access-list Internal_access_out remark Outgoing
access-list Internal_access_out extended permit ip any any
access-list Internet_access_in extended permit tcp any interface Internal eq smtp
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu Internal 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
access-group Internet_access_in in interface Internet
access-group Internal_access_out out interface Internal
route Internet 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.5-10.1.1.199 Internal
dhcpd dns 167.206.254.2 167.206.254.1 interface Internal
dhcpd domain smsbconsulting.local interface Internal
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:65f39ed3a92a8f8f3f11e9e9bef72dc9
: end

manisharora111 Thu, 02/16/2012 - 16:58

asa#conf t

asa(config)# no access-list Internet_access_in extended permit tcp any interface Internal eq smtp

asa(config)#access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp

asa(config)#exit

asa#exit

Manish

smsbconsulting Thu, 02/16/2012 - 18:25

Thanks a million.

I'll try it as soon as I get to the office in the morning.

Thanks again.

Ed

smsbconsulting Fri, 02/17/2012 - 11:57

I tried the commands above but I still don't have access.

I can ping the mail server IP (which is the external IP of the ASA) but that's all.

I tried adding a second access list entry for telnet but I can't connect with telnet either.

Do I need to add access rules in addition to access lists?

Any suggestions would be greatly appreciated.

Ed

Cadet Alain Fri, 02/17/2012 - 12:16

Hi,

you must change this also:

no static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

static (Internal,Internet) tcp interface Internet smtp 10.1.1.2 netmask 255.255.255.255

Regards.

Alain

smsbconsulting Fri, 02/17/2012 - 13:03

I changed the static command

from.... static (Internal,Internet) tcp interface Internet smtp 10.1.1.2 netmask 255.255.255.255

To......  static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

Now the command doesn't result in an error... but I don't know if it is working yet.

I'll post the results shortly.

Cadet Alain Fri, 02/17/2012 - 13:03

Hi, 

My bad, I did this from memory but my memory seems rusty.

static (Internal,Internet) tcp interface  smtp 10.1.1.2 smtp netmask 255.255.255.255

Regards.

Alain

smsbconsulting Fri, 02/17/2012 - 13:25

Well... no joy... I still can't get through the Cisco asa5510 from the outside.

All mail functions are normal from inside the network and I can even send emails out.  I just can't connect to the mail server from the outside.

I tried to telnet into port 25 from the external interface but no good.

Is there anyway I can see why the ASA is blocking the connection?  An error log anyplace?

Thanks

manisharora111 Fri, 02/17/2012 - 13:47

Hi Ed,

Your configuration is fine. Can you please double check on the mail server for any Windows Firewall or Linux iptables/SELinux? Try connecting to the private IP of the server from behind the firewall.

I can see that a hole is already created in the firewall but the server isn't listening on 25:

[root@av-mongo01 ~]# nmap -sS -P0 96.56.127.171

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-02-17 09:41 EST
Interesting ports on ool-60387fab.static.optonline.net (96.56.127.171):
Not shown: 1679 filtered ports
PORT   STATE  SERVICE
25/tcp closed smtp

Nmap finished: 1 IP address (1 host up) scanned in 24.708 seconds

Manish

smsbconsulting Fri, 02/17/2012 - 14:21

Yes I can get to the mail server from inside the firewall on the private network just fine.

I hadn't remembered to check the Windows firewall and when I checked (per your suggestion) I found it was running, but I disabled it and shut it down but it didn't make any difference.  I still can't access the mail server from outside the asa.

I can't telnet into it from the outside either, but I can from inside.  It is clear that something is blocking the port or the protocol but I don't know what.

manisharora111 Fri, 02/17/2012 - 14:31

Hmm, strange... Post the following:

1> asa# packet-tracer input  Internet tcp 4.2.2.2  23453 96.56.127.171  25 detailed

Manish

manisharora111 Fri, 02/17/2012 - 14:35

Also change the following:

asa(config)#no access-group Internal_access_out out interface Internal

asa(config)#access-group Internal_access_out in interface Internal

Then run that packet-tracer

Manish

smsbconsulting Fri, 02/17/2012 - 15:04

Just in case it makes a difference... I have only one NIC card in the mail server and therefore only one IP address. When I access the mail server from inside the private network everything works fine... when I try to get to the mail server from outside the ASA I can't connect. Inasmuch as no matter which method I use... from inside or from outside... it always uses the same interface on the mail server... doesn't that eliminate the mail server as the source of the problem?

manisharora111 Fri, 02/17/2012 - 15:20

Yes, it does. That's why I requested another change:

asa(config)#no access-group Internal_access_out out interface Internal

asa(config)#access-group Internal_access_out in interface Internal

and then run that packet-tracer to see where the packets are being dropped:

asa# packet-tracer input  Internet tcp 4.2.2.2  23453 96.56.127.171  25 detailed

Manish

smsbconsulting Fri, 02/17/2012 - 15:26

Here it is...


Result of the command: "packet-tracer input Internet tcp 4.2.2.2 23453 96.56.127.171 25 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7fd130, priority=1, domain=permit, deny=false
hits=1578084, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface Internal
Untranslate 96.56.127.171/25 to 10.1.1.2/25 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7fd950, priority=0, domain=permit, deny=true
hits=11093, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

manisharora111 Fri, 02/17/2012 - 15:29

Please paste the output of:

1> show access-list

2> show run | inc access-group

Manish

smsbconsulting Fri, 02/17/2012 - 15:49

Result of the command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
           alert-interval 300
access-list Internal_access_out; 1 elements; name hash: 0x9e8020ff
access-list Internal_access_out line 1 remark Outgoing
access-list Internal_access_out line 2 extended permit ip any any (hitcnt=14) 0x7fdd7e55
access-list Internet_access_in; 2 elements; name hash: 0xe4839312
access-list Internet_access_in line 1 extended permit tcp any host 96.56.127.171 eq smtp (hitcnt=0) 0x4033ed94
access-list Internet_access_in line 2 extended permit tcp any host 96.56.127.171 eq telnet (hitcnt=0) 0x838c576c

Result of the command: "show run | inc access-group"

access-group Internal_access_out in interface Internal

manisharora111 Fri, 02/17/2012 - 15:58

OK, you are missing the access-group for the ACL on the outside interface, which was there in the configuration you posted above.

Please add :-

asa(config)# access-group Internet_access_in in interface  Internet

Then run the Packet Tracer command again.

Manish

smsbconsulting Fri, 02/17/2012 - 16:10

Result of the command: "packet-tracer input Internet tcp 4.2.2.2 23453 96.56.127.171 25 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 8
Additional Information:
NAT divert to egress interface Internal
Untranslate 96.56.127.171/25 to 10.1.1.2/25 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac3842e0, priority=12, domain=permit, deny=false
hits=0, user_data=0xa8a781c0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=96.56.127.171, mask=255.255.255.255, port=25, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7ff868, priority=0, domain=inspect-ip-options, deny=true
hits=4625, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac19f2f0, priority=70, domain=inspect-smtp, deny=false
hits=1, user_data=0xac19f140, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 8
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac3c9e20, priority=5, domain=nat-reverse, deny=false
hits=1, user_data=0xac3c98b8, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.1.1.2, mask=255.255.255.255, port=25, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 8
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac3cd548, priority=5, domain=host, deny=false
hits=143, user_data=0xac3c98b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.1.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab84df20, priority=0, domain=inspect-ip-options, deny=true
hits=4597, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5436, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: allow

manisharora111 Fri, 02/17/2012 - 16:18

OK, this looks good; at least we can see that the NAT/ACLs are working fine, but we still can't connect to the server from outside on port 25.

I think you should set up some captures and see if the server is responding to the connections or not. I am not saying that Windows is the problem (but it could be).

Here's how you can set up captures:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

Manish

smsbconsulting Fri, 02/17/2012 - 16:20

I am seeing messages in the ASDM syslog about port 443.  I think 443 is used for ssl and access to the mail server from the outside uses ssl.  Do you think we need to open port 443 as well?

smsbconsulting Fri, 02/17/2012 - 16:34

Manish

I must leave the office now... I greatly appreciate all your help. I will work with the captures tomorrow and let you know the results.

BTW... I can telnet into the server from the outside now but I only get a partial response. I get a 220 and a bunch of * * * * but at least I know I'm finally getting to the server.

manisharora111 Fri, 02/17/2012 - 16:50

OK, if you are able to telnet to port 25 then you don't need any captures, as it means you are now able to communicate with the server from outside.

Manish


smsbconsulting Sun, 02/19/2012 - 15:30

Well... I've tried just about everything I can think of and nothing I do will allow me to access my mail server from the outside.

When I telnet in from the inside network I get a response of  220 followed by the name of the server and the domain, also the date and time are displayed.

When I telnet in from the outside (with a PC on the same subnet as the external adapter of the asa) I get the same 220 response but instead of being followed by the server name and domain... I get two lines of asterisks.  *******************

Three days down and I still don't know if the problem is in the asa5510 or the server itself.  Tomorrow morning I am going to remove the asa5510 and replace it with a known good Linksys router.  If I can access the server through the Linksys then I'll know the problem is in the asa, but if I still can't access the server from the outside then I'll know it is something in the server configuration.

I'll post my results.

Thanks for all the help.

Ed

smsbconsulting Mon, 02/20/2012 - 09:38

I removed the ASA5510 and substituted a Linksys router... with that the external email began to work fine, so we can assume the problem is in the configuration of the ASA5510.

With the ASA5510 connected... when I telnet into the mail server I get a 220 response followed by 2 lines of asterisks.

With the Linksys connected in place of the ASA5510... when I telnet into the mail server I get the same 220 response but with two lines of readable text that identifies the server by name and URL.

I don't know if that is significant but it is the only difference I have noticed other than the fact that external access to the mail server works thru the Linksys router but doesn't work thru the ASA.

What else should I look for in the ASA configuration? Do you need me to post the run config again?

Thanks

Ed
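Ed's "telnet to port 25 and look at the 220 line" check, written out as a script. This is an added example and not something posted in the thread; the loopback responder and the example.invalid hostnames in it are constructed so it runs offline. A greeting of 220 followed by nothing but asterisks is what the ASA's default ESMTP inspection (the `inspect esmtp _default_esmtp_map` shown in the packet-tracer output above) produces when it masks the server banner, which is why the same Exchange server shows its real banner through the Linksys. The script therefore reports a masked banner as "reachable, through an inspecting firewall" rather than as a failure, and also records what EHLO advertises.

```python
# Added example, not from the thread: the "telnet to port 25" check done by
# hand above, as a script. It reads the 220 greeting, flags a banner that has
# been replaced by asterisks (what ASA esmtp inspection does by default) and
# records the EHLO capabilities. The loopback server below is constructed for
# offline use; the example.invalid hostnames are placeholders.
import contextlib
import socket
import threading


def parse_banner(line):
    """Split '220 text' into (code, text, masked); masked means the text is only asterisks."""
    line = line.rstrip("\r\n")
    if len(line) < 3 or not line[:3].isdigit():
        return None, line, False
    text = line[4:] if len(line) > 4 else ""
    masked = bool(text.strip()) and set(text.replace(" ", "")) == {"*"}
    return int(line[:3]), text, masked


def read_reply(rf):
    """Read one (possibly multi-line) SMTP reply; return (code, [lines])."""
    lines = []
    while True:
        raw = rf.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":  # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines


def probe(host, port=25, helo="probe.example.invalid", timeout=5.0):
    """Connect, record the greeting, EHLO, QUIT; return a dict of what was seen."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rf:
        code, greeting = read_reply(rf)
        _, text, masked = parse_banner(greeting[0])
        s.sendall(f"EHLO {helo}\r\n".encode())
        ecode, elines = read_reply(rf)
        caps = [l[4:].split()[0].upper() for l in elines[1:] if len(l) > 4]
        s.sendall(b"QUIT\r\n")
        with contextlib.suppress(OSError):
            read_reply(rf)
    return {"greeting_code": code, "banner": text, "banner_masked": masked,
            "ehlo_code": ecode, "capabilities": caps, "starttls": "STARTTLS" in caps}


@contextlib.contextmanager
def fake_smtp_server(banner, capabilities=("SIZE 10240000", "STARTTLS")):
    """Constructed loopback SMTP responder so probe() can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rf:
            conn.sendall(f"220 {banner}\r\n".encode())
            for raw in iter(rf.readline, b""):
                cmd = raw.decode("ascii", "replace").strip().upper()
                if cmd.startswith("EHLO"):
                    items = ["mail.example.invalid greets you", *capabilities]
                    reply = [f"250-{x}" for x in items[:-1]] + [f"250 {items[-1]}"]
                    conn.sendall(("\r\n".join(reply) + "\r\n").encode())
                elif cmd.startswith("QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
                else:
                    conn.sendall(b"502 command not implemented\r\n")

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        yield "127.0.0.1", srv.getsockname()[1]
    finally:
        srv.close()
        t.join(timeout=2)


if __name__ == "__main__":
    # what the thread saw through the ASA, then what it saw through the Linksys
    with fake_smtp_server("**************") as (h, p):
        print(probe(h, p))
    with fake_smtp_server("mail.example.invalid Microsoft ESMTP MAIL Service ready") as (h, p):
        print(probe(h, p))
```

Against a real host, call `probe("96.56.127.171")` from a machine outside the firewall; `banner_masked` true with a 220 code means the connection reached an SMTP listener and an inspecting device rewrote the greeting, while a timeout or refused connection means the forward itself is still broken.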

smsbconsulting Mon, 02/20/2012 - 12:25

I got it working.

I'm not certain exactly what did it because I added several changes all at once.

Note: we had already created the smtp access-list and static route entries.

I added the following to the access-lists.

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq telnet

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq https

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq www

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq 987

I added the following static routes.

static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

static (Internal,Internet) tcp interface telnet 10.1.1.2 telnet netmask 255.255.255.255

static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255

static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255

After the additions above, the external email started working.

Thanks to everyone for all the help.

Ed

manisharora111 Tue, 02/21/2012 - 09:39

Hi Ed,

Good to hear that you got things working for you. Looks like you need ports open for connecting to OWA etc.

enjoy !

Manish
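The checks the thread ended up doing by hand (is an access-group bound inbound on the outside interface, does that ACL permit the mapped address rather than the inside interface, and is there a static for every permit) as an added Python example; it is not from the thread or from Cisco. It parses `show run` text in the 8.2 syntax used above, where an ACL applied inbound on the outside interface is matched against the mapped (translated) address, which is why `host 96.56.127.171` works and `interface Internal` does not. The three sample configurations are reconstructed from the fragments posted in this thread, keeping only the interface, access-list, static and access-group lines. It also flags the telnet forward in the final configuration, since that exposes a cleartext login on the Exchange host to any source on the Internet.

```python
# Added example, not from the thread. On ASA 8.2 an ACL applied inbound on the
# outside interface is evaluated against the MAPPED address (what the Internet
# sends to), so a permit towards "interface Internal" or 10.1.1.2 never matches.
import ipaddress

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "https": 443, "ssh": 22}

def port_num(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok.lower())

def _addr(toks, i):
    # one ACL address spec: any | host A | interface NAME | A MASK
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] in ("host", "interface"):
        return (toks[i], toks[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)), i + 2

def parse(config):
    # nameif -> IP, static PATs, ACL entries and access-group bindings from 'show run' text
    ifaces, statics, acls, groups, cur = {}, [], {}, {}, None
    for raw in filter(str.strip, config.splitlines()):
        t = raw.split()
        if t[0] == "interface":
            cur = None
        elif t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            ifaces[cur] = t[2]
        elif t[0] == "static" and t[2] == "tcp":
            real_if, mapped_if = t[1].strip("()").split(",")
            statics.append({"real_if": real_if, "mapped_if": mapped_if, "mapped": t[3],
                            "mport": port_num(t[4]), "real_ip": t[5], "rport": port_num(t[6])})
        elif t[0] == "access-list" and len(t) > 4 and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = port_num(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append({"action": t[3], "proto": t[4], "src": src,
                                              "dst": dst, "port": port, "line": raw.strip()})
        elif t[0] == "access-group":  # access-group NAME in|out interface IFNAME
            groups[(t[4], t[2])] = t[1]
    return ifaces, statics, acls, groups

def _hits(entry, ifaces, ip, port):
    # True if this ACL entry covers TCP traffic to ip:port
    kind, val = entry["dst"]
    if entry["proto"] not in ("tcp", "ip") or entry["port"] not in (None, port):
        return False
    return (kind == "any" or (kind == "host" and val == ip)
            or (kind == "interface" and ifaces.get(val) == ip)
            or (kind == "net" and ipaddress.ip_address(ip) in val))

def check(config):
    """Findings for every static PAT; an empty list means each forward has a usable permit."""
    ifaces, statics, acls, groups = parse(config)
    findings = []
    for s in statics:
        s["mip"] = ifaces.get(s["mapped_if"]) if s["mapped"] == "interface" else s["mapped"]
        fwd = f"{s['mip']}:{s['mport']} -> {s['real_ip']}:{s['rport']}"
        acl = groups.get((s["mapped_if"], "in"))
        if acl is None:
            findings.append(f"NO-INBOUND-ACL on {s['mapped_if']}: {fwd} hits the implicit deny")
            continue
        permits = [e for e in acls.get(acl, [])
                   if e["action"] == "permit" and _hits(e, ifaces, s["mip"], s["mport"])]
        if not permits:
            near = [e["line"] for e in acls.get(acl, []) if e["port"] == s["mport"]]
            findings.append(f"NO-PERMIT in {acl} for mapped {fwd}"
                            + (f"; wrong destination: {near[0]}" if near else ""))
        elif s["mport"] == 23 and any(e["src"][0] == "any" for e in permits):
            findings.append(f"CLEARTEXT-TELNET open to any source: {fwd}")
    for (ifname, direction), acl in groups.items():
        for e in acls.get(acl, []):
            if direction == "in" and e["action"] == "permit" and e["port"] and not any(
                    s["mapped_if"] == ifname and _hits(e, ifaces, s["mip"], s["mport"])
                    for s in statics):
                findings.append(f"ORPHAN-PERMIT, no static forwards it: {e['line']}")
    return findings

# Sample configs reconstructed from the 'show run' fragments posted in this thread.
INTERFACES = """\
interface Ethernet0/0
 nameif Internet
 ip address 96.56.127.171 255.255.255.248
interface Ethernet0/3
 nameif Internal
 ip address 10.1.1.1 255.255.255.0
"""
STATIC = "static (Internal,Internet) tcp interface {0} 10.1.1.2 {0} netmask 255.255.255.255\n"
PERMIT = "access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq {0}\n"
BIND = "access-group Internet_access_in in interface Internet\n"
CONFIG_AS_POSTED = (INTERFACES + STATIC.format("smtp") + BIND  # ACL aims at the inside interface
                    + "access-list Internet_access_in extended permit tcp any interface Internal eq smtp\n")
CONFIG_MISSING_GROUP = INTERFACES + STATIC.format("smtp") + PERMIT.format("smtp")  # binding lost
CONFIG_FINAL = (INTERFACES + BIND + "".join(STATIC.format(p) for p in ("smtp", "telnet", "www", "https"))
                + "".join(PERMIT.format(p) for p in ("smtp", "telnet", "https", "www", "987")))

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("binding lost", CONFIG_MISSING_GROUP),
                       ("final", CONFIG_FINAL)):
        print(label, "->", check(cfg) or ["OK"])
```

Run it as-is to see the three states the thread passed through: the first configuration fails because the only permit targets the Internal interface address, the second because no ACL is bound inbound on Internet at all, and the final one works for mail but carries a telnet forward open to the world plus a permit for port 987 that nothing translates. Feed `check()` the text of a real `show run` to apply the same three tests to another 8.2 box.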
