New Member

Cisco ASA 5510, SMTP Access Issue

Hi,

I'm having an issue trying to open port 25 on our Cisco ASA 5510, version 9.1(2). When a wire tap is placed on the outside port between the ASA and the internet, we are getting hits in Wireshark when a port 25 check from http://www.yougetsignal.com/tools/open-ports is run. No hits or activity show up in the debug log in ASDM, even when filtering is applied.

Problem is we cannot open port 25 traffic from the outside network to the inside network so that SMTP mail can flow to the Exchange server *.102. Mail can go from the inside network to the outside network and out to the internet with no problems (internal being the most trusted, obviously).

Please find attached the config for the ASA. I have replaced the company name/domain with "ourcompanyname", our public IP with "ourpublicIP", our ISP with "OurISP" and our internal IPs with *.*.*.* for sanitisation reasons.

Any help would be greatly appreciated.

Cheers

Accepted Solution
Cisco Employee

Cisco ASA 5510, SMTP Access Issue

You need to do port forwarding on the ASA's outside interface IP for port 25 to be able to achieve the desired objective.

Modify the following statement (remove the redundant "destination eq smtp" from it):

object service smtp

  service tcp source eq smtp

Also, remove this nat config from the ASA:

no nat (inside,outside) after-auto source static mail.ourcompany.com mail.ourcompany.com destination static ourcompany.com ourcompany.com service smtp smtp

& add the following config to the ASA:

nat (inside,outside) source static mail.ourcompany.com interface service smtp smtp

access-list outside_access_in extended permit tcp any object mail.ourcompany.com eq 25

Check and see if it helps.
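As an added illustration (not part of this thread or of any Cisco tooling), a small Python check that reads an ASA 9.x config excerpt and flags the two problems discussed in the accepted solution: a service object that pins both source and destination port (so only flows with source port 25 would match), and an inbound ACE written against the interface address rather than the real server object (ASA 8.3+ ACLs match the untranslated address). The sample configs and the host 10.0.0.102 are constructed; object names are taken from the thread.

```python
import re
from typing import Dict, List

# Constructed "before" config, modelled on what the original poster described.
BEFORE_CONFIG = """
object network mail.ourcompany.com
 host 10.0.0.102
object service smtp
 service tcp source eq smtp destination eq smtp
access-list outside_access_in extended permit object smtp any interface outside
nat (inside,outside) after-auto source static mail.ourcompany.com mail.ourcompany.com destination static ourcompany.com ourcompany.com service smtp smtp
"""

# Constructed "after" config, modelled on the accepted solution.
AFTER_CONFIG = """
object network mail.ourcompany.com
 host 10.0.0.102
object service smtp
 service tcp source eq smtp
access-list outside_access_in extended permit tcp any object mail.ourcompany.com eq smtp
nat (inside,outside) source static mail.ourcompany.com interface service smtp smtp
"""

def parse_service_objects(cfg: str) -> Dict[str, str]:
    """Map each 'object service NAME' to its indented 'service ...' line."""
    objs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object service (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" service "):
            objs[current] = line.strip()
            current = None
    return objs

def audit_smtp_publish(cfg: str, server_obj: str, svc_obj: str, acl: str) -> List[str]:
    """Return findings for publishing SMTP on the outside interface address."""
    findings = []
    svc = parse_service_objects(cfg).get(svc_obj, "")
    # In a NAT 'service real mapped' clause the object's SOURCE port is the one
    # translated; pinning the destination too excludes real client connections.
    if "source eq" in svc and "destination eq" in svc:
        findings.append(f"{svc_obj}: both source and destination port set; clients use ephemeral source ports")
    nat_re = rf"^nat \(inside,outside\) source static {re.escape(server_obj)} interface service {svc_obj} {svc_obj}"
    if not re.search(nat_re, cfg, re.M):
        findings.append(f"no static NAT of {server_obj} to the outside interface for {svc_obj}")
    for line in cfg.splitlines():
        if line.startswith(f"access-list {acl} extended permit") and "interface outside" in line:
            findings.append(f"{acl}: ACE targets the interface address; ASA 8.3+ ACLs match the real address")
    if f"access-list {acl} extended permit tcp any object {server_obj} eq smtp" not in cfg:
        findings.append(f"{acl}: no ACE permitting tcp any -> object {server_obj} eq smtp")
    return findings
```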

5 REPLIES
Hall of Fame Super Silver

Cisco ASA 5510, SMTP Access Issue

You have an incoming rule allowing smtp to the outside interface and a nat after-auto rule for the mail server.

You need instead an object NAT for the mail server and an incoming rule allowing smtp to that static natted address.

If you use ASDM, you can add this all via the "public servers" dialog box. (Configuration, Firewall, Public servers)

New Member

Cisco ASA 5510, SMTP Access Issue

Thanks for the speedy reply, Marvin, it's greatly appreciated. Looking at configuring the public server through ASDM, I have tried the following:

Private Interface - Inside

Private IP Address- I have inserted the private IP of the Exchange server

Service- SMTP

Public Interface- Outside

Public IP- I have inserted the static IP that our ISP has provided.

Trouble is that our outside interface and our public IP are the same. The ASA will not allow these to be the same. What is the best practice for this?

Thanks for your help on this BTW, my ASA experience is very very limited.

Cheers

New Member

Cisco ASA 5510, SMTP Access Issue

Hi Amitaaga,

Thank you so much for your help, you have really saved me on this one. Here is what I did:

Deleted

object service smtp

service tcp source eq smtp destination eq smtp

Added

object service smtp

service tcp source eq smtp

Deleted

access-list outside_access_in extended permit object smtp any interface outside

Added

access-list outside_access_in extended permit object smtp any interface outside

access-list outside_access_in extended permit tcp any object mail.ourcompany.com eq smtp

Deleted

nat (inside,outside) after-auto source static mail.ourcompany.com mail.ourcompany.com destination static ourcompany.com ourcompany.com service smtp smtp

Added

nat (inside,outside) source static mail.ourcompany.com interface service smtp smtp

Changed Destination ports on SMTP Service Object

From 25

To default (1-65535)

New Member

Cisco ASA 5510, SMTP Access Issue

OK so now that I have mail routing in through port 25, how can I configure OWA access through https?

We are using a 2013 Exchange server and I wish for users to connect to the server without having to turn on the VPN.

Cheers

Nick
