Using ASDM, I have created an access rule for a PIX 525 that allows as follows:
Source IP address: internal IP of inside server, e.g. 192.168.1.10
Destination IP address: external IP of an external mail server. I have tried several and it doesn't work for any - for instance, one example is the MX for Gmail, gmail-smtp-in.l.google.com which resolves to 184.108.40.206
Source port: any
Destination port: smtp
This is what happens:
Before the policy is added, attempting to telnet to the mail server IP on port 25 times out, as you might expect.
When the policy is added, the outbound connection starts, because when testing from the inside server I get this:
However, nothing else happens; no EHLO commands can be entered or anything like that. Eventually the external mail server just sends back a 421 SMTP timeout error.
It is not a problem with the destination server because they work from anywhere else - I have tried several 3rd party external servers as examples, such as Gmail. Connecting to the Gmail server works fine from elsewhere:
$ t 220.127.116.11 25
Connected to 18.104.22.168.
Escape character is '^]'.
220 mx.google.com ESMTP c24si20282948ika.4
250-mx.google.com at your service, [22.214.171.124]
I see you have a mail server in your network and need to allow it to access external mail servers. You can't specify the destination of Gmail, Yahoo or Hotmail, as these servers have many IP addresses.
Try to make the destination IP address any and the port number 25.
Secondly: many mail servers like Yahoo and Hotmail don't allow any further communications like the hello message; you can only telnet and see the start, nothing more. So try to send an e-mail and see if it's received.