Cisco ASA 8.2 internal mail server

Georgi Kostov
Level 1

Hello there,

First time I configure an ASA. The mail server is inside; after the ASA there is the provider router. Before the ASA there is no other device. The problem is that I can receive mails from outside, but we can exchange mails between users on our mail server in the LAN and also to outside mail servers. If somebody has the time and the willingness, please take a look.

This is what I configured:

: Saved
:
ASA Version 8.2(5)
!
hostname GARB-ASA
domain-name garb.bg
enable password pYtobVBXncmWbi3S encrypted
passwd pYtobVBXncmWbi3S encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.53.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.202 255.255.255.248
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
 domain-name garb.bg
object-group service TCP-Ports tcp
 port-object eq www
 port-object eq ftp-data
 port-object eq https
 port-object eq ftp
 port-object eq smtp
 port-object eq pop3
object-group service UDP-Ports udp
 port-object eq domain
 port-object eq ntp
 port-object range 20000 20000
 port-object range sip sip
access-list inside_access_in extended permit tcp host 172.20.53.10 any
access-list inside_access_in extended permit tcp 172.20.53.0 255.255.255.0 any object-group TCP-Ports
access-list inside_access_in extended permit udp 172.20.53.0 255.255.255.0 any object-group UDP-Ports
access-list inside_access_in extended permit icmp 172.20.53.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.203 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 eq ssh
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.202 eq ntp
access-list acl_vpn extended permit ip 172.20.54.0 255.255.255.0 host 172.20.53.14
pager lines 24
logging enable
logging asdm informational
logging mail informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 172.20.54.1-172.20.54.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.20.53.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 172.20.53.175 ssh netmask 255.255.255.255
static (inside,outside) udp interface ntp 172.20.53.175 ntp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.53.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet 172.20.53.0 255.255.255.0 inside
telnet timeout 180
ssh 172.20.53.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 172.20.53.2-172.20.53.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 172.20.53.10 source inside prefer
webvpn
group-policy monitoring_vpn_policy internal
group-policy monitoring_vpn_policy attributes
 banner value UNAUTHORIZED ACCESS IS STRICTLY PROHIBITTED
 wins-server value 172.20.53.10
 dns-server value 172.20.53.10
 dhcp-network-scope 172.20.54.0
 vpn-simultaneous-logins 4
 vpn-idle-timeout 30
 vpn-filter value acl_vpn
 vpn-tunnel-protocol IPSec
username admin password TY/U/ryHm5cpyBYw encrypted privilege 15
tunnel-group monitoring_vpn_group type remote-access
tunnel-group monitoring_vpn_group general-attributes
 address-pool VPNPOOL
 default-group-policy monitoring_vpn_policy
tunnel-group monitoring_vpn_group ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cdd080d4f825b19316de448f9e6c6c74
: end

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I have very little knowledge of SMTP and mail servers myself, as it's not something I handle.

However, one common problem I have seen here related to ASA NAT configurations is that the server should be visible to the Internet (when it opens a connection) with the same public IP address with which the connections are coming to the server from the Internet.

You seem to have configured Static PAT (port forward) with a separate public IP address for the server:

static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255

This means that external users are connecting to the IP address x.x.x.203, but if the server opens a connection to the Internet then it will be visible with the x.x.x.202 IP address, which is configured as the Dynamic PAT address.

Since you have extra IP addresses available, I would suggest configuring Static NAT for the internal server, so if the server connects to the Internet it will be visible with the x.x.x.203 IP rather than the "outside" interface IP address x.x.x.202 (which it is at the moment).

You would need to have

static (inside,outside) xxx.xxx.xxx.203 172.20.53.10 netmask 255.255.255.255 dns

I don't know if this will solve your problem.

I think you also mentioned some problem related to LAN users connecting to the server? If you were to replace the above with the Static NAT command, then it uses the "dns" parameter. If the ASA sees the users' DNS query for the mail server's IP address, then the ASA would modify that reply to actually point to the local IP address of 172.20.53.10. Whether this is a desirable situation for you I don't know.

- Jouni

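Jouni's point about the two public addresses, as an added example that is not part of the original thread: a small Python model of how an ASA 8.2 (pre-8.3 NAT) picks the translated address for the config as posted versus with a one-to-one static NAT. The public addresses are assumptions (203.0.113.202 and .203 stand in for the redacted x.x.x.202 and .203); the rule it encodes is that static translations are consulted before the nat/global dynamic PAT and that a static PAT matches only its own real port, so the server's outbound connections fall through to the interface address.

```python
"""Model of ASA 8.2 (pre-8.3 NAT) translation lookups for this thread's config.

Added example, not Cisco code. The post redacts the public block as
xxx.xxx.xxx.20x; this model assumes 203.0.113.200/29 in its place. Only the
address selection is modelled, not ACLs, nat-control or policy NAT.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

OUTSIDE_IF = "203.0.113.202"   # stands in for x.x.x.202, the outside interface
MAIL_PUBLIC = "203.0.113.203"  # stands in for x.x.x.203, the spare public IP
MAIL_REAL = "172.20.53.10"     # internal mail server, as in the post


@dataclass(frozen=True)
class StaticPAT:
    """static (inside,outside) tcp MAPPED mport REAL rport: one port only."""
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int


@dataclass(frozen=True)
class StaticNAT:
    """static (inside,outside) MAPPED REAL: every port, both directions."""
    mapped_ip: str
    real_ip: str


@dataclass(frozen=True)
class DynamicPAT:
    """nat (inside) 1 REAL_NET plus global (outside) 1 interface."""
    mapped_ip: str
    real_net: IPv4Network


def outbound_source(rules, real_ip, proto, src_port):
    """Public address a new connection from real_ip:src_port shows to the Internet.

    ASA 8.2 consults static translations before dynamic nat/global pairs, and a
    static PAT matches only when the real host AND the real port match.
    Returns None when nothing translates the flow.
    """
    for rule in rules:
        if isinstance(rule, StaticNAT) and rule.real_ip == real_ip:
            return rule.mapped_ip
        if (isinstance(rule, StaticPAT) and rule.real_ip == real_ip
                and rule.proto == proto and rule.real_port == src_port):
            return rule.mapped_ip
    for rule in rules:
        if isinstance(rule, DynamicPAT) and ip_address(real_ip) in rule.real_net:
            return rule.mapped_ip
    return None


def inbound_destination(rules, proto, dst_ip, dst_port):
    """(real_ip, real_port) an Internet client reaches at dst_ip:dst_port, or None.

    Dynamic PAT never accepts unsolicited inbound connections, so only the
    statics are consulted. The outside ACL is still applied afterwards.
    """
    for rule in rules:
        if isinstance(rule, StaticNAT) and rule.mapped_ip == dst_ip:
            return rule.real_ip, dst_port
        if (isinstance(rule, StaticPAT) and rule.proto == proto
                and rule.mapped_ip == dst_ip and rule.mapped_port == dst_port):
            return rule.real_ip, rule.real_port
    return None


# NAT as posted: static PAT for TCP/25 plus dynamic PAT to the interface address.
AS_POSTED = [
    StaticPAT("tcp", MAIL_PUBLIC, 25, MAIL_REAL, 25),
    DynamicPAT(OUTSIDE_IF, IPv4Network("0.0.0.0/0")),
]

# The suggested change: a one-to-one static NAT for the mail server instead.
WITH_STATIC_NAT = [
    StaticNAT(MAIL_PUBLIC, MAIL_REAL),
    DynamicPAT(OUTSIDE_IF, IPv4Network("0.0.0.0/0")),
]


def compare():
    """Side by side: what a remote MTA sees when the mail server connects out."""
    return {
        "static_pat_outbound": outbound_source(AS_POSTED, MAIL_REAL, "tcp", 51234),
        "static_nat_outbound": outbound_source(WITH_STATIC_NAT, MAIL_REAL, "tcp", 51234),
        "static_pat_inbound_25": inbound_destination(AS_POSTED, "tcp", MAIL_PUBLIC, 25),
        "static_pat_inbound_443": inbound_destination(AS_POSTED, "tcp", MAIL_PUBLIC, 443),
        "static_nat_inbound_443": inbound_destination(WITH_STATIC_NAT, "tcp", MAIL_PUBLIC, 443),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Two caveats the model makes visible. A one-to-one static NAT maps every port of 172.20.53.10 to x.x.x.203, so the outside ACL (still only `eq smtp` in the posted config) is what keeps the rest closed; keep it that tight. And the `dns` keyword rewrites A-record answers only in DNS replies that actually pass through the ASA; clients on the inside segment that ask an inside DNS server never cross it, so the rewrite does nothing for them.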

8 Replies


I tried changing the Static (PAT) with this:

static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255 dns

but without result.

Still can't receive mails from outside. Inside the company network we can exchange mails (but using our company inbox) without problems. Also we can send mails using the company inbox to outer mail servers (yahoo, gmail), also no problem.

Hi,

With the NAT change I mean the fact that you have multiple public IP addresses, so you could simply configure Static NAT for the mail server rather than configure Static PAT for a single port. Static NAT would bind the public IP address to the internal server for all its connections between "inside" and "outside", while your current Static PAT only serves incoming connections on port TCP/25.

Do you see any hitcount on the "outside" interface ACL for the SMTP rule?

- Jouni
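The hit-count check Jouni asks for, as an added example that is not from the thread: a Python parser for `show access-list` output that reports permit entries whose counter is still zero. The sample output is constructed to resemble ASA 8.2 output for the ACLs in the post, with 203.0.113.x standing in for the redacted public block and made-up hash values.

```python
"""Parse `show access-list` output from an ASA and flag rules with zero hits.

Added example for this thread, not Cisco code. SAMPLE_OUTPUT is constructed to
look like 8.2 output for the ACLs in the post; the public block is replaced by
203.0.113.0/24 and the trailing hash values are invented.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_access_in; 7 elements; name hash: 0x2b1b9f18
access-list inside_access_in line 1 extended permit tcp host 172.20.53.10 any (hitcnt=1532) 0x1a2b3c4d
access-list inside_access_in line 2 extended permit tcp 172.20.53.0 255.255.255.0 any object-group TCP-Ports 0x5e6f7a8b
  access-list inside_access_in line 2 extended permit tcp 172.20.53.0 255.255.255.0 any eq www (hitcnt=4021) 0x11111111
  access-list inside_access_in line 2 extended permit tcp 172.20.53.0 255.255.255.0 any eq smtp (hitcnt=88) 0x22222222
access-list inside_access_in line 4 extended permit icmp 172.20.53.0 255.255.255.0 any (hitcnt=12) 0x33333333
access-list outside_access_in; 3 elements; name hash: 0x9c8d7e6f
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.203 eq smtp (hitcnt=0) 0x44444444
access-list outside_access_in line 2 extended permit tcp any host 203.0.113.202 eq ssh (hitcnt=7) 0x55555555
access-list outside_access_in line 3 extended permit udp any host 203.0.113.202 eq ntp (hitcnt=0) 0x66666666
"""

# One access control entry with its counter: "... line N <ace> (hitcnt=N) 0xHASH".
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<ace>.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s+0x[0-9a-fA-F]+\s*$"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    text: str
    hits: int


def parse_hitcounts(output: str) -> list[Ace]:
    """Return every ACE that carries a hit counter.

    Object-group parent lines have no (hitcnt=...) and are skipped; their
    expanded child entries, indented beneath them, are the ones counted.
    Header lines ("N elements; name hash") carry no "line" keyword and are
    skipped as well.
    """
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["ace"], int(m["hits"])))
    return aces


def zero_hit_rules(aces, acl: str) -> list[Ace]:
    """Permit entries in `acl` that have never matched a packet."""
    return [a for a in aces
            if a.acl == acl and a.hits == 0 and " permit " in f" {a.text} "]


def total_hits(aces, acl: str) -> int:
    """Sum of counters for one ACL, handy for a quick before/after comparison."""
    return sum(a.hits for a in aces if a.acl == acl)


if __name__ == "__main__":
    parsed = parse_hitcounts(SAMPLE_OUTPUT)
    for ace in zero_hit_rules(parsed, "outside_access_in"):
        print(f"no hits: {ace.acl} line {ace.line}: {ace.text}")
```

How to read the result: a zero counter on the SMTP entry of the outside ACL while the mail server's own outbound entry on the inside ACL is busy means inbound packets for x.x.x.203 are not reaching the ASA's ACL check at all; the NAT and ACL on the box are then not the first suspect, the path upstream is (routing and ARP for the mapped address on the provider router, which is where this thread ended up). `packet-tracer input outside tcp <src_ip> 40000 x.x.x.203 25` confirms what the ASA would do with such a packet if it did arrive.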

No, I can't see any hitcount on the outside interface. I can see this in the ASDM; there is a tool and there is nothing on the outside but many on the inside.

Hello Georgi,

Agree with Jouni, that is a common problem (when the outbound IP address used is different from the one used to receive incoming mail).

That being said, the configuration is wrong.

Change this:

static (inside,outside) xxx.xxx.xxx.203 172.20.53.10 netmask 255.255.255.255 dns

To this:

static (inside,outside) xxx.xxx.xxx.202 172.20.53.10 netmask 255.255.255.255 dns

and add

access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 eq smtp

Just a problem with the IP address; you should use the outside interface IP address. Make sure outside users now redirect email to the .202 IP address.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Are you using Microsoft Exchange? If so, communication is done via RPCoIP, and not SMTP or POP3.

As the above poster mentioned, it's possible that your external DNS, such as mail.blah.com, goes to 60.60.60.2 and your internal mail.in.blah.com goes to 192.168.100.2.

Can you run a packet capture for all packets going to the mail server from the outside interface, and then the return traffic, and post the results possibly?

Georgi Kostov
Level 1

First, best regards for all responses. I tried the suggestion with the dns statement at the end of the Static PAT. I also did a Static NAT for the host 172.20.53.10 translated with x.x.x.203, but without result.

Yes, we use Windows Exchange Server, and we have internal DNS again on the 172.20.53.10.

I can give you the config from the PIX firewall we have now and want to replace with the ASA.

It's very much the same as I do on the ASA.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pYtobVBXncmWbi3S encrypted
passwd pYtobVBXncmWbi3S encrypted
hostname TEST
domain-name garb.bg
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name
name
name
name
name
object-group service TCP-Ports tcp
  port-object eq www
  port-object eq ftp-data
  port-object eq https
  port-object eq ftp
  port-object eq smtp
  port-object eq pop3
object-group service UDP-Ports udp
  port-object eq domain
  port-object eq ntp
  port-object range 20000 20200
  port-object range 5060 5060
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.248.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxxxxx 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxx 255.255.248.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxr 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxx 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 Montana 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxxx 255.255.0.0
access-list inside_access_in permit tcp host 172.20.53.10 any
access-list inside_access_in permit tcp 172.20.53.0 255.255.255.0 any object-group TCP-Ports
access-list inside_access_in permit udp 172.20.53.0 255.255.255.0 any object-group UDP-Ports
access-list inside_access_in permit icmp 172.20.53.0 255.255.255.0 any
access-list outside_access_in permit tcp any host x.x.x.203 eq smtp
access-list outside_access_in permit tcp any host x.x.x.202 eq ssh
access-list outside_access_in permit udp any host x.x.x.202 eq ntp
ip address outside x.x.x.202 255.255.255.248
ip address inside 172.20.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxxx 255.255.248.0 outside
pdm location xxxxx 255.255.255.0 outside
pdm location xxxxxr 255.255.255.0 outside
pdm location x.x.252.0 255.255.255.0 outside
pdm location x.x.138.0 255.255.255.240 outside
pdm location 172.20.0.0 255.255.0.0 inside
pdm location 172.20.53.10 255.255.255.255 inside
pdm location x.x.x.203 255.255.255.255 outside
pdm location xxxx 255.255.255.0 outside
pdm location xxxxxx 255.255.0.0 outside
pdm location xxxxx 255.255.255.240 outside
pdm location x.x.x.16 255.255.255.240 inside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.0 255.255.255.255 outside
pdm location 172.20.53.175 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.203 smtp 172.20.53.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 172.20.53.175 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface ntp 172.20.53.175 ntp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.201 1
ntp authenticate
ntp server 172.20.53.10 source inside prefer
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 43200 kilobytes 10000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.20.53.0 255.255.255.0 inside
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.240 outside
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.240 inside
ssh timeout 5
console timeout 0
dhcpd address 172.20.53.2-172.20.53.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username adminpix password n689NHfZVCbxNgje encrypted privilege 15
terminal width 80
Cryptochecksum:6c1e269e740397967284c83d240eebe8
: end

Georgi Kostov
Level 1

Hi everybody, I solved the problem. I used the first configuration I posted in the beginning. The problem was solved when I restarted the provider router. I think it is something with the ARP tables.

Thanks.
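The ARP explanation in the last post, as an added example that is not part of the thread: when a firewall is swapped in place, the upstream router can keep the old box's MAC cached for an address the new box now answers for (here the NAT-mapped x.x.x.203, which the ASA only proxy-ARPs when asked), and the entry stays until it ages out or the router's cache is cleared. The Python below builds the gratuitous ARP announcement that refreshes such an entry, decodes it back for checking, and can send it from a Linux host that holds raw-socket privileges. The MAC address and interface name are invented, and 203.0.113.203 stands in for x.x.x.203.

```python
"""Build, parse and (on Linux, with CAP_NET_RAW) send a gratuitous ARP announcement.

Added example for this thread, not Cisco code. Assumptions: 203.0.113.203
stands in for the redacted x.x.x.203, and the MAC address and interface name
used in the demo are invented.
"""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP for IPv4 over Ethernet (28 bytes)."""
    eth = _mac(BROADCAST_MAC) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += _mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += _mac(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def build_gratuitous_arp(sender_mac: str, ip: str) -> bytes:
    """RFC 5227 ARP Announcement: a broadcast request whose sender and target IP
    are both `ip`. Neighbours that already hold an entry for `ip` update it to
    sender_mac; nobody is expected to answer."""
    return build_arp(ARP_REQUEST, sender_mac, ip, ZERO_MAC, ip)


def parse_arp(frame: bytes) -> dict:
    """Decode a frame produced by build_arp; raises ValueError if it is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "dst_mac": _fmt_mac(frame[0:6]),
        "src_mac": _fmt_mac(frame[6:12]),
        "opcode": op,
        "sender_mac": _fmt_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": _fmt_mac(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def is_gratuitous(frame: bytes) -> bool:
    """True when the ARP announces its own address (sender IP == target IP)."""
    p = parse_arp(frame)
    return p["sender_ip"] == p["target_ip"]


def send_frame(frame: bytes, ifname: str) -> int:
    """Linux only; needs CAP_NET_RAW. Returns the number of bytes sent."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((ifname, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Invented MAC for the new firewall's outside interface; 203.0.113.203 stands in for x.x.x.203.
    announce = build_gratuitous_arp("00:11:22:33:44:55", "203.0.113.203")
    print(parse_arp(announce))
    # send_frame(announce, "eth0")  # only from a host that legitimately owns the address
```

Two notes. The `arp timeout 14400` in the posted ASA config is the same four-hour default Cisco IOS uses for its own ARP cache, which fits a stale entry that only went away when the provider router was restarted; `clear arp-cache` on that router, where one has access to it, does the same without a reload. And an unsolicited ARP for an address is exactly the primitive ARP spoofing uses, so only ever send one from the device that legitimately owns the address, on its own segment, and expect switches with dynamic ARP inspection to drop it otherwise.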
