Cisco Support Community

New Member

How to check ASA 5512-x block SMTP from outside to Inside?

Dear all,

Now I have a problem with email (Exchange server): I can send email out (inside to outside) but I cannot receive email from outside.

How can I check whether the ASA is blocking email?

Which command is for email (SMTP)?

Best Regards,

Rechard

5 REPLIES
Super Bronze

Hi,

Do you either have a Static NAT or Static PAT (Port Forward) configuration for the server so it can be reached from the public network with the destination port TCP/25 (SMTP)?

If you do have NAT configuration in place, have you allowed the traffic in the ACL that is connected to the "outside" interface?

If you want to test the ASA configurations you can use the "packet-tracer". The format would be

packet-tracer input outside tcp <source ip> 12355 <destination ip> 25

Naturally replace the <source ip> with some random source IP and the <destination ip> with the actual NAT IP address of the server.

There is also a chance that the "inspect esmtp" configuration might cause problems. I know it did for some of our customers. You might want to try and remove it for testing.

You can see if you have it configured with the command

show run policy-map

It should list all the Inspection and related configurations on the ASA.

- Jouni

New Member

Dear Jouni,

Could you check this for me?

How can I do the next step?

This is the result that I got:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   y.y.y.y    255.255.255.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit tcp any host x.x.x.x eq smtp
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT    
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static obj-in-smtp obj-out-smtp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Super Bronze

Hi,

Did you use the public/NAT IP address in the destination of the "packet-tracer" command?

Because at the moment the output seems to indicate that you are using the real IP address of the server as the destination since the packet drops when checking the reverse direction.

- Jouni
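
Added example, not part of the original thread: a small Python parser for packet-tracer output like the one posted above, which reports the phase that dropped the packet and, for a drop at the NAT rpf-check, repeats the advice from the reply above. The function names and the hint wording are this example's own assumptions; the sample is trimmed from the output in the thread.

```python
import re

# Trimmed from the packet-tracer output posted in this thread (addresses already masked).
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list outside extended permit tcp any host x.x.x.x eq smtp
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,outside) source static obj-in-smtp obj-out-smtp
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Return one dict per 'Phase: N' block, ignoring the final summary."""
    phases, cur, in_config = [], None, False
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(Phase|Type|Subtype|Result):\s*(.*)$", line)
        if m and m.group(1) == "Phase":
            phases.append(cur := {"phase": int(m.group(2)), "config": []})
        elif cur is None or (m and m.group(1) == "Result" and not m.group(2)):
            cur = None  # outside a phase, or the bare "Result:" summary began
        elif m:
            cur[m.group(1).lower()] = m.group(2)
        elif line in ("Config:", "Additional Information:"):
            in_config = line == "Config:"
        elif in_config and line:
            cur["config"].append(line)
    return phases

def diagnose(text):
    """Find the dropping phase; for NAT rpf-check add the hint from the reply above."""
    reason = re.search(r"Drop-reason:\s*(.+)", text)
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            rpf = (p.get("type"), p.get("subtype")) == ("NAT", "rpf-check")
            return {"phase": p["phase"], "rule": p["config"],
                    "drop_reason": reason.group(1).strip() if reason else None,
                    "hint": "re-test with the public/NAT IP as destination" if rpf else None}
    return None  # no phase dropped the packet
```

Calling `diagnose()` on saved packet-tracer output returns the dropping phase number together with the configuration line the ASA printed for it, which is the line to compare against the intended NAT and ACL rules.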

VIP Green

Is this a new Exchange server setup?  If so, it could be a misconfiguration on the Exchange server.

--

Please remember to rate and select a correct answer
New Member

Dear all,

Thank you for your action!

I missed the NAT. Now it is solved.

Thanks for your help !

Best Regards,

Rechard.
