ASA5510 how to open port 25

Edward Luna
Level 1

Hello

We have an ASA5510 that we need to open port 25 to allow mail traffic to our internal Exchange server.

We have 2 interfaces defined... one named Internal on eth0/3 ip 10.1.x.x and one named Internet on eth 0/0 ip 96.56.x.x

We followed the instructions in ASDM for allowing access to a public server, but confusion over definitions has stopped us.

ASDM asks for the internal interface and the internal server IP... no problem there because the internal interface and server have two different IP addresses.  The Internal interface is eth 0/3 (10.1.1.1) and the server is 10.1.1.2.

However, when we get to the External interface (eth 0/1) there is only a single IP address 96.56.x.x but the ASDM asks for an Interface IP and the IP people would use to get to the mail server from the outside.  Inasmuch as we have only 1 external IP address (which connects to our upstream Cisco router which in turn connects to the ISP modem) we used the same IP for both but the ASDM returns an error indicating they must be different.

Apparently we do not have a clear understanding of what the ASDM is actually asking for.  When the ASDM asks for the external interface we assumed it was asking for the named value we gave the interface (which is Internet).  The named value "Internet" has an ip associated with it, 96.56.x.x.  But when the ASDM asks for the ip people on the outside would use to get to the mail server, we created a named value called "mail server" and gave it the same ip address as the external named value.  This duplication of ip address causes the ASDM to return the error stating that the external Interface to be used and the external ip to be used cannot be the same.

Have we made an error when we assumed that when the ASDM asked for the external interface it meant the ip of the external interface or was it asking for the eth number (as in eth 0/0) for the interface? 

Thanks  

33 Replies

Hi Ed,

Your configuration is fine. Can you please double check on the mail server: any Windows firewall or Linux iptables/SELinux? Try connecting to the private IP of the server from behind the firewall.

I can see that a hole is already created in the firewall but the server isn't listening on 25 :-

[root@av-mongo01 ~]# nmap -sS -P0 96.56.127.171

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-02-17 09:41 EST
Interesting ports on ool-60387fab.static.optonline.net (96.56.127.171):
Not shown: 1679 filtered ports
PORT   STATE  SERVICE
25/tcp closed smtp

Nmap finished: 1 IP address (1 host up) scanned in 24.708 seconds

Manish

Yes I can get to the mail server from inside the firewall on the private network just fine.

I hadn't remembered to check the Windows firewall, and when I checked (per your suggestion) I found it was running. I disabled it and shut it down, but it didn't make any difference.  I still can't access the mail server from outside the ASA.

I can't telnet into it from the outside either, but I can from inside.  It is clear that something is blocking the port or the protocol but I don't know what.

Ummm, strange... Post the following:

1> asa# packet-tracer input  Internet tcp 4.2.2.2  23453 96.56.127.171  25 detailed

Manish

Also change the following:

asa(config)#no access-group Internal_access_out out interface Internal

asa(config)#access-group Internal_access_out in interface Internal

Then run that packet-tracer

Manish

Just in case it makes a difference... I have only one NIC card in the mail server and therefore only one ip address.  When I access the mail server from inside the private everything works fine... when I try to get to the mail server from outside the ASA I can't connect.  Inasmuch as no matter which method I use... from inside or from outside... it always uses the same interface on the mail server... doesn't that eliminate the mail server as the source of the problem? 

Yes, it does... that's why I requested another change:

asa(config)#no access-group Internal_access_out out interface Internal

asa(config)#access-group Internal_access_out in interface Internal

and then run that packet-tracer to see where the packets are being dropped:

asa# packet-tracer input  Internet tcp 4.2.2.2  23453 96.56.127.171  25 detailed

Manish

Here it is...


Result of the command: "packet-tracer input Internet tcp 4.2.2.2 23453 96.56.127.171 25 detailed"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7fd130, priority=1, domain=permit, deny=false
hits=1578084, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 7
Additional Information:
NAT divert to egress interface Internal
Untranslate 96.56.127.171/25 to 10.1.1.2/25 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7fd950, priority=0, domain=permit, deny=true
hits=11093, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
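The trace above ends in a DROP at phase 3, with "Implicit Rule" as the matching Config. As an added example (not from the thread or from Cisco), here is a small Python parser that splits packet-tracer output into phases and returns the first dropping phase together with the Drop-reason line; the embedded trace is a constructed, abridged copy of the one above, so the phase numbers match it.

```python
import re

# Constructed sample: an abridged copy of the denied trace above,
# with phase 1 and the per-rule detail lines left out.
SAMPLE_TRACE = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
Additional Information:
Untranslate 96.56.127.171/25 to 10.1.1.2/25 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(
    r"Phase: (?P<phase>\d+)\nType: (?P<type>\S+)\n.*?Result: (?P<result>\w+)\n"
    r"Config:\n(?P<config>.*?)\nAdditional Information:", re.S)

def parse_phases(trace):
    """Return one dict per phase with its number, Type, Result and Config text."""
    phases = []
    for block in re.split(r"\n(?=Phase: \d+)", trace):
        m = PHASE_RE.match(block)
        if m:
            phases.append({k: v.strip() for k, v in m.groupdict().items()})
    return phases

def find_drop(trace):
    """First DROP phase plus the Drop-reason line, or None when the flow is allowed.
    An ACCESS-LIST drop whose Config is 'Implicit Rule' means no bound ACL permitted it."""
    for phase in parse_phases(trace):
        if phase["result"] == "DROP":
            reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
            phase["drop_reason"] = reason.group(1).strip() if reason else ""
            return phase
    return None
```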

Please paste the output of:

1> show access-list

2> show run | inc access-group

Manish

Result of the command: "show access-list"

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
           alert-interval 300
access-list Internal_access_out; 1 elements; name hash: 0x9e8020ff
access-list Internal_access_out line 1 remark Outgoing
access-list Internal_access_out line 2 extended permit ip any any (hitcnt=14) 0x7fdd7e55
access-list Internet_access_in; 2 elements; name hash: 0xe4839312
access-list Internet_access_in line 1 extended permit tcp any host 96.56.127.171 eq smtp (hitcnt=0) 0x4033ed94
access-list Internet_access_in line 2 extended permit tcp any host 96.56.127.171 eq telnet (hitcnt=0) 0x838c576c

Result of the command: "show run | inc access-group"

access-group Internal_access_out in interface Internal

OK, you are missing the access-group for the ACL on the outside interface, which was there in the configuration you posted above.

Please add:

asa(config)# access-group Internet_access_in in interface  Internet

Then run the Packet Tracer command again.

Manish
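The two outputs above explain the drop: Internet_access_in exists, every ACE in it shows hitcnt=0, and it appears in no access-group line, so the outside interface falls through to the implicit deny. As an added example, not from the thread, this Python check parses the two command outputs (constructed copies of the ones posted, blank lines dropped) and lists ACLs that are defined but bound to no interface, along with their hit totals.

```python
import re

# Constructed sample: the "show access-list" output posted above, blank lines dropped.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
           alert-interval 300
access-list Internal_access_out; 1 elements; name hash: 0x9e8020ff
access-list Internal_access_out line 1 remark Outgoing
access-list Internal_access_out line 2 extended permit ip any any (hitcnt=14) 0x7fdd7e55
access-list Internet_access_in; 2 elements; name hash: 0xe4839312
access-list Internet_access_in line 1 extended permit tcp any host 96.56.127.171 eq smtp (hitcnt=0) 0x4033ed94
access-list Internet_access_in line 2 extended permit tcp any host 96.56.127.171 eq telnet (hitcnt=0) 0x838c576c
"""
# Constructed sample: the "show run | inc access-group" output posted above.
SHOW_ACCESS_GROUP = "access-group Internal_access_out in interface Internal\n"

def defined_acls(show_access_list):
    """Map each ACL name to the summed hitcnt of its ACE lines (remark lines add nothing)."""
    hits = {}
    for name in re.findall(r"^access-list (\S+); \d+ elements;", show_access_list, re.M):
        hits[name] = 0
    ace_re = r"^access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)"
    for name, count in re.findall(ace_re, show_access_list, re.M):
        hits[name] = hits.get(name, 0) + int(count)
    return hits

def bound_acls(show_access_group):
    """Map each ACL name to the (direction, interface) pairs it is applied to."""
    bound = {}
    group_re = r"^access-group (\S+) (in|out) interface (\S+)"
    for name, direction, iface in re.findall(group_re, show_access_group, re.M):
        bound.setdefault(name, []).append((direction, iface))
    return bound

def unbound_acls(show_access_list, show_access_group):
    """ACLs that exist but are applied to no interface: their ACEs can never match,
    so traffic arriving on the intended interface hits the implicit deny instead."""
    bound = bound_acls(show_access_group)
    return sorted(name for name in defined_acls(show_access_list) if name not in bound)
```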

Result of the command: "packet-tracer input Internet tcp 4.2.2.2 23453 96.56.127.171 25 detailed"

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 8
Additional Information:
NAT divert to egress interface Internal
Untranslate 96.56.127.171/25 to 10.1.1.2/25 using netmask 255.255.255.255

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac3842e0, priority=12, domain=permit, deny=false
hits=0, user_data=0xa8a781c0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=96.56.127.171, mask=255.255.255.255, port=25, dscp=0x0

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7ff868, priority=0, domain=inspect-ip-options, deny=true
hits=4625, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac19f2f0, priority=70, domain=inspect-smtp, deny=false
hits=1, user_data=0xac19f140, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 8
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac3c9e20, priority=5, domain=nat-reverse, deny=false
hits=1, user_data=0xac3c98b8, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.1.1.2, mask=255.255.255.255, port=25, dscp=0x0

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
nat-control
  match tcp Internal host 10.1.1.2 eq 25 Internet any
    static translation to 96.56.127.171/25
    translate_hits = 0, untranslate_hits = 8
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xac3cd548, priority=5, domain=host, deny=false
hits=143, user_data=0xac3c98b8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.1.2, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xab84df20, priority=0, domain=inspect-ip-options, deny=true
hits=4597, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5436, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: Internal
output-status: up
output-line-status: up
Action: allow

OK, this looks good. At least we can see that the NAT/ACLs are working fine, but we still can't connect to the server from outside on port 25.

I think you should set up some captures and see if the server is responding to the connections or not. I am not saying that Windows is the problem (but it could be).

Here's how you can set up captures:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c1.html#wp2129312

Manish

I am seeing messages in the ASDM syslog about port 443.  I think 443 is used for ssl and access to the mail server from the outside uses ssl.  Do you think we need to open port 443 as well?

Manish

I must leave the office now... I greatly appreciate all your help.  I'll work with the captures tomorrow and let you know the results.

BTW... I can telnet into the server from the outside now but I only get a partial response.  I get a 220 and a bunch of * * * * but at least I know I'm finally getting to the server.

manish arora
Level 6

K, if you are able to telnet to port 25 then you don't need any captures, as it means you are now able to communicate with the server from outside.

Manish

Sent from Cisco Technical Support iPhone App
