10-30-2013 01:58 AM - edited 03-11-2019 07:57 PM
Hello there,
First time I configure an ASA. The mail server is inside; after the ASA there is the provider router. Before the ASA there is no other device. The problem is that I can receive mails from outside, but we can exchange mails between users on our mail server in the LAN and also to outside mail servers. If somebody has the time and the willingness, please take a look.
This is what i configured:
: Saved
:
ASA Version 8.2(5)
!
hostname GARB-ASA
domain-name garb.bg
enable password pYtobVBXncmWbi3S encrypted
passwd pYtobVBXncmWbi3S encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.53.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.202 255.255.255.248
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name garb.bg
object-group service TCP-Ports tcp
port-object eq www
port-object eq ftp-data
port-object eq https
port-object eq ftp
port-object eq smtp
port-object eq pop3
object-group service UDP-Ports udp
port-object eq domain
port-object eq ntp
port-object range 20000 20000
port-object range sip sip
access-list inside_access_in extended permit tcp host 172.20.53.10 any
access-list inside_access_in extended permit tcp 172.20.53.0 255.255.255.0 any object-group TCP-Ports
access-list inside_access_in extended permit udp 172.20.53.0 255.255.255.0 any object-group UDP-Ports
access-list inside_access_in extended permit icmp 172.20.53.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.203 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 eq ssh
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.202 eq ntp
access-list acl_vpn extended permit ip 172.20.54.0 255.255.255.0 host 172.20.53.14
pager lines 24
logging enable
logging asdm informational
logging mail informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 172.20.54.1-172.20.54.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit 172.20.53.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 172.20.53.175 ssh netmask 255.255.255.255
static (inside,outside) udp interface ntp 172.20.53.175 ntp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.53.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
telnet 172.20.53.0 255.255.255.0 inside
telnet timeout 180
ssh 172.20.53.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 172.20.53.2-172.20.53.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 172.20.53.10 source inside prefer
webvpn
group-policy monitoring_vpn_policy internal
group-policy monitoring_vpn_policy attributes
banner value UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED
wins-server value 172.20.53.10
dns-server value 172.20.53.10
dhcp-network-scope 172.20.54.0
vpn-simultaneous-logins 4
vpn-idle-timeout 30
vpn-filter value acl_vpn
vpn-tunnel-protocol IPSec
username admin password TY/U/ryHm5cpyBYw encrypted privilege 15
tunnel-group monitoring_vpn_group type remote-access
tunnel-group monitoring_vpn_group general-attributes
address-pool VPNPOOL
default-group-policy monitoring_vpn_policy
tunnel-group monitoring_vpn_group ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cdd080d4f825b19316de448f9e6c6c74
: end
10-30-2013 02:53 AM
Hi,
I have very little knowledge of SMTP and Mail servers myself as its not something I handle.
However, one common problem I have seen here related to ASA NAT configurations is that the server should be visible to the Internet (when it opens a connection) with the same public IP address with which connections come to the server from the Internet.
You seem to have configured Static PAT (Port Forward) with a separate public IP address for the server:
static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255
This means that external users are connecting to the IP address x.x.x.203, but if the server opens a connection to the Internet then it will be visible with the x.x.x.202 IP address, which is configured as the Dynamic PAT address.
Since you have extra IP addresses available, I would suggest configuring Static NAT for the internal server, so if the server connects to the Internet it will be visible with the x.x.x.203 IP rather than the "outside" interface IP address x.x.x.202 (which it is at the moment).
You would need to have:
static (inside,outside) xxx.xxx.xxx.203 172.20.53.10 netmask 255.255.255.255 dns
I don't know if this will solve your problem.
I think you also mentioned some problem related to LAN users connecting to the server? If you were to replace the above with the Static NAT command, it uses the "dns" parameter. If the ASA sees the users' DNS query for the mail server's IP address, then the ASA would modify that reply to actually point to the local IP address of 172.20.53.10. Whether this is a desirable situation for you I don't know.
- Jouni
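Added illustration, not from the thread itself: the two NAT forms Jouni contrasts, written in ASA 8.2 syntax together with the outside ACL each one needs. In 8.2 the interface ACL is matched against the public (mapped) address, so the permit line stays on xxx.xxx.xxx.203 in both cases; the redacted address is the thread's own placeholder. The static PAT translates only inbound TCP/25 and leaves the server's own outbound connections on the dynamic PAT address .202, whereas the one-to-one static binds .203 to 172.20.53.10 for every protocol in both directions, so the outside ACL becomes the only thing keeping the server's other ports closed.

```cisco
! --- Form 1: static PAT (what the original post has) ---
! Only TCP/25 arriving at .203 is forwarded. Anything the server initiates
! outbound still leaves through "global (outside) 1 interface", i.e. as .202.
static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.203 eq smtp

! --- Form 2: one-to-one static NAT (Jouni's suggestion) ---
! Remove the port-level static first so the two translations for the same
! real host and mapped address do not overlap.
no static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255
! .203 <-> 172.20.53.10 for all protocols. Static entries take precedence over
! the nat/global pair, so the server's outbound SMTP now sources from .203,
! the same address the outside world uses to reach it.
! "dns" rewrites A-record answers for .203 that traverse the ASA to 172.20.53.10;
! this only affects LAN clients that resolve the server via the public name.
static (inside,outside) xxx.xxx.xxx.203 172.20.53.10 netmask 255.255.255.255 dns
! The outside ACL still decides which ports are reachable from the Internet:
! keep it to SMTP, since the static alone would expose every port.
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.203 eq smtp
```

With either form, `show xlate | include 172.20.53.10` should list the translation; the one-to-one static appears immediately, while the PAT entry shows up once a connection has been built.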
10-30-2013 04:01 AM
I tried changing the Static PAT to this:
static (inside,outside) tcp xxx.xxx.xxx.203 smtp 172.20.53.10 smtp netmask 255.255.255.255 dns
but without result.
Still can't receive mails from outside. Inside the company network we can exchange mails (using our company inbox) without problems. Also, we can send mails using the company inbox to outside mail servers (Yahoo, Gmail), also no problem.
10-30-2013 04:27 AM
Hi,
With the NAT change I mean the fact that you have multiple public IP addresses, so you could simply configure Static NAT for the mail server rather than configure Static PAT for a single port. Static NAT would bind the public IP address to the internal server for all its connections between "inside" and "outside", while your current Static PAT only serves incoming connections on port TCP/25.
Do you see any hitcount on the "outside" interface ACL for the SMTP rule?
- Jouni
10-30-2013 05:32 AM
No, I can't see any hit count on the outside interface. I can see this in the ASDM: there is a tool, and there is nothing on the outside but many on the inside.
10-30-2013 07:25 AM
Hello Georgi,
Agree with Jouni, that is a common problem (when the outbound IP address used is different from the one used to receive incoming mail).
That being said, the configuration is wrong.
Change this:
static (inside,outside) xxx.xxx.xxx.203 172.20.53.10 netmask 255.255.255.255 dns
To this:
static (inside,outside) xxx.xxx.xxx.202 172.20.53.10 netmask 255.255.255.255 dns
and add
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 eq smtp
Just a problem with the IP address: you should use the outside interface IP address. Make sure outside users now direct email to the .202 IP address.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-30-2013 11:44 AM
Are you using Microsoft Exchange? If so, communication is done via RPCoIP, and not SMTP or POP1.
As the above poster mentioned, it's possible that your external DNS, such as mail.blah.com, goes to 60.60.60.2 and your internal mail.in.blah.com goes to 192.168.100.2.
Can you run a packet capture for all packets going to the mail server from the outside interface, and then the return traffic, and post the results possibly?
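Added example, not part of the thread: the ASA 8.2 CLI checks that answer Jouni's hit-count question and the capture request above. The outside source 198.51.100.7 is a documentation placeholder and xxx.xxx.xxx.203 is the thread's redacted public address. packet-tracer shows whether the ASA itself would accept and translate an inbound SMTP connection (ACL, NAT and route lookups), while the capture shows whether such packets ever reach the outside wire. An accepting packet-tracer next to an empty capture points upstream of the ASA, which is consistent with the original poster's eventual fix of restarting the provider router: .203 is not configured on any ASA interface, the ASA answers ARP for it only by virtue of the static, and an upstream router holding a stale ARP entry for .203 from the PIX being replaced would deliver inbound SMTP to the wrong MAC, so nothing would ever hit the outside ACL.

```cisco
! Per-entry hit counts; "hitcnt=0" on the SMTP line means no matching packet
! was ever accepted on the outside interface.
show access-list outside_access_in
! Translations currently built for the mail server.
show xlate | include 172.20.53.10
! Simulate an inbound SMTP SYN from the Internet to the public address. Each
! phase (ACCESS-LIST, NAT, ROUTE-LOOKUP, ...) reports ALLOW or DROP, so this
! tells you whether the ASA configuration itself would let the connection in.
packet-tracer input outside tcp 198.51.100.7 40000 xxx.xxx.xxx.203 25 detailed
! Capture real traffic for the public address on the outside interface, both
! directions, as seen before NAT.
access-list cap_smtp extended permit tcp any host xxx.xxx.xxx.203 eq smtp
access-list cap_smtp extended permit tcp host xxx.xxx.xxx.203 eq smtp any
capture smtp_out interface outside access-list cap_smtp
! Matching capture on the inside: do translated packets reach 172.20.53.10,
! and does the server answer? "match" captures both directions of the flow.
capture smtp_in interface inside match tcp any host 172.20.53.10 eq 25
! ... attempt a delivery from an outside mailbox, then:
show capture smtp_out
show capture smtp_in
! Whether the ASA has an ARP entry for the upstream gateway and what it saw.
show arp
! Clean up the captures and the helper ACL when done.
no capture smtp_out
no capture smtp_in
clear configure access-list cap_smtp
```

Reading the result: packets in smtp_out but none in smtp_in point at the ASA (ACL or NAT); packets in both but no reply from the server point at the host; no packets in smtp_out at all means the problem is in front of the ASA, and the upstream router's ARP cache for .203 is the first thing to check.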
10-30-2013 02:12 PM
First, best regards for all the responses. I tried the suggestion with the dns statement at the end of the Static PAT. I also did a Static NAT for the host 172.20.53.10 translated to x.x.x.203, but without result.
Yes, we use Windows Exchange Server, and we have internal DNS, again on 172.20.53.10.
I can give you the config from the PIX firewall we have now and want to replace with the ASA.
It's very much the same as what I do on the ASA.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password pYtobVBXncmWbi3S encrypted
passwd pYtobVBXncmWbi3S encrypted
hostname TEST
domain-name garb.bg
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name
name
name
name
name
object-group service TCP-Ports tcp
port-object eq www
port-object eq ftp-data
port-object eq https
port-object eq ftp
port-object eq smtp
port-object eq pop3
object-group service UDP-Ports udp
port-object eq domain
port-object eq ntp
port-object range 20000 20200
port-object range 5060 5060
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.248.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxx 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.20.53.0 255.255.255.0 xxxxxxxxx 255.255.0.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxx 255.255.248.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxr 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxx 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 Montana 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.53.0 255.255.255.0 xxxxxxxxx 255.255.0.0
access-list inside_access_in permit tcp host 172.20.53.10 any
access-list inside_access_in permit tcp 172.20.53.0 255.255.255.0 any object-group TCP-Ports
access-list inside_access_in permit udp 172.20.53.0 255.255.255.0 any object-group UDP-Ports
access-list inside_access_in permit icmp 172.20.53.0 255.255.255.0 any
access-list outside_access_in permit tcp any host x.x.x.203 eq smtp
access-list outside_access_in permit tcp any host x.x.x.202 eq ssh
access-list outside_access_in permit udp any host x.x.x.202 eq ntp
ip address outside x.x.x.202 255.255.255.248
ip address inside 172.20.53.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location xxxx 255.255.248.0 outside
pdm location xxxxx 255.255.255.0 outside
pdm location xxxxxr 255.255.255.0 outside
pdm location x.x.252.0 255.255.255.0 outside
pdm location x.x.138.0 255.255.255.240 outside
pdm location 172.20.0.0 255.255.0.0 inside
pdm location 172.20.53.10 255.255.255.255 inside
pdm location x.x.x.203 255.255.255.255 outside
pdm location xxxx 255.255.255.0 outside
pdm location xxxxxx 255.255.0.0 outside
pdm location xxxxx 255.255.255.240 outside
pdm location x.x.x.16 255.255.255.240 inside
pdm location x.x.x.0 255.255.255.0 outside
pdm location x.x.x.0 255.255.255.255 outside
pdm location 172.20.53.175 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.203 smtp 172.20.53.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ssh 172.20.53.175 ssh netmask 255.255.255.255 0 0
static (inside,outside) udp interface ntp 172.20.53.175 ntp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.201 1
ntp authenticate
ntp server 172.20.53.10 source inside prefer
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 43200 kilobytes 10000
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 172.20.53.0 255.255.255.0 inside
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh x.x.x.x 255.255.255.240 outside
ssh x.x.x.x 255.255.255.0 outside
ssh x.x.x.x 255.255.255.240 inside
ssh timeout 5
console timeout 0
dhcpd address 172.20.53.2-172.20.53.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username adminpix password n689NHfZVCbxNgje encrypted privilege 15
terminal width 80
Cryptochecksum:6c1e269e740397967284c83d240eebe8
: end
11-05-2013 01:12 AM
Hi everybody, I solved the problem. I used the first configuration I posted in the beginning. The problem was solved when I restarted the provider router. I think it is something with the ARP tables.
Thanks.