How to check ASA 5512-x block SMTP from outside to Inside?

rechard_hk
Level 1

Dear all,

I now have a problem with email (Exchange server): I can send email out (inside to outside), but I cannot receive email from outside.

How can I check whether the ASA is blocking email?

Which command is for email (SMTP)?

Best Regards,

Rechard                  

5 Replies

Jouni Forss
VIP Alumni

Hi,

Do you either have a Static NAT or Static PAT (Port Forward) configuration for the server so it can be reached from the public network with the destination port TCP/25 (SMTP)?

If you do have NAT configuration in place, have you allowed the traffic in the ACL that is connected to the "outside" interface?

If you want to test the ASA configuration you can use "packet-tracer". The format would be:

packet-tracer input outside tcp <source-ip> 12355 <nat-ip> 25

Naturally, replace <source-ip> with some random source IP and <nat-ip> with the actual NAT IP address of the server.

There is also a chance that the "inspect esmtp" configuration might cause problems. I know it did for some of our customers. You might want to try removing it for testing.

You can see if you have it configured with the command:

show run policy-map

It should list all the Inspection and related configurations on the ASA.

- Jouni

Dear Jouni,

Could you check this for me?

What should I do as the next step?

This is the result that I got:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   y.y.y.y    255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit tcp any host x.x.x.x eq smtp
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT    
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static obj-in-smtp obj-out-smtp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

Did you use the public/NAT IP address in the destination of the "packet-tracer" command?

Because at the moment the output seems to indicate that you are using the real IP address of the server as the destination since the packet drops when checking the reverse direction.

- Jouni
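
As an added example (not part of the thread), a small Python helper that pulls the dropping phase out of packet-tracer output like the one pasted above, so the failure is read from the NAT rpf-check phase rather than from the generic "acl-drop" summary line. The sample trace is constructed from the posted output; the hint text is this helper's own wording of Jouni's interpretation.

```python
import re

# Constructed sample: the dropping phase and summary from the trace posted above.
SAMPLE_TRACE = """\
Phase: 7
Type: NAT    
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static obj-in-smtp obj-out-smtp
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split packet-tracer output into dicts keyed Phase/Type/Subtype/Result/Config."""
    phases = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.splitlines()
        if not lines[0].startswith("Phase:"):
            continue  # skip the trailing 'Result:' summary block
        phase, in_config = {"Config": ""}, False
        for line in lines:
            key, sep, value = line.partition(":")
            if sep and key in ("Phase", "Type", "Subtype", "Result"):
                phase[key], in_config = value.strip(), False
            elif line.strip() in ("Config:", "Additional Information:"):
                in_config = line.strip() == "Config:"
            elif in_config:
                phase["Config"] += line.strip() + "\n"
        phase["Config"] = phase["Config"].strip()
        phases.append(phase)
    return phases

def find_drop(trace):
    """Return the first DROP phase with its config, drop reason and a hint; None if allowed."""
    for p in parse_phases(trace):
        if p.get("Result") == "DROP":
            m = re.search(r"^Drop-reason:\s*(.+)$", trace, re.M)
            # The summary says 'acl-drop' although the failing phase is NAT, so key the
            # hint on the phase; the rpf-check reading is the one Jouni gives above.
            hint = ("destination is probably the server's real IP, not its mapped (NAT) IP"
                    if (p["Type"], p.get("Subtype", "")) == ("NAT", "rpf-check")
                    else "review the Config line of the dropping phase")
            return {"phase": p["Phase"], "type": p["Type"], "subtype": p.get("Subtype", ""),
                    "config": p["Config"], "drop_reason": m.group(1).strip() if m else "", "hint": hint}
    return None
```

Paste the full output of a packet-tracer run into `find_drop` to get the phase number, the matching configuration line and the hint in one place.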

Is this a new Exchange server setup?  If so, it could be a misconfiguration on the Exchange server.

--
Please remember to select a correct answer and rate helpful posts

Dear all,

Thank you for your help!

I had missed the NAT. Now it is solved.

Thanks for your help !

Best Regards,

Rechard.
