nat and acl for my mail server

goran ljubic
Level 1

I have the mail server MDaemon on a virtual machine (VirtualBox) where the guest OS is Windows Server 2003. My guest OS has IP address 192.168.0.253 in my local LAN 192.168.0.0/24. My ASA 5510 with ASA 8.4.2 is on 192.168.0.10. The outside interface of the ASA 5510 has public static IP address 178.x.x.x 255.255.255.248. My mail server has a registered MX record on DNS server 46.x.x.10. My question is: how do I configure my ASA 5510 so that my mail server can go out to the internet and I can send mail? I need NAT and ACL rules for this without a DMZ network. Please help me.

Thanks

PS: I need some guidance.

11 Replies

Jennifer Halim
Cisco Employee

object network obj-mailserver

   host 192.168.0.253

   nat (inside,outside) static 46.x.x.10

For incoming mail, you need to configure an ACL and apply it on the outside interface.

access-list out-acl permit tcp any object obj-mailserver eq 25

access-group out-acl in interface outside

For outgoing mail, if you don't have any access-list on the inside interface, then the mail will go out to the internet by default.

The IP address 46.x.x.10 is the address of the name server where the MX record of my mail server is, and my public static IP is 178.x.x.x/29. My mail server encrypts POP3 and SMTP with SSL on ports 465 and 995. How do I make ACLs for these ports?

Are you using the IP address of the ASA outside interface for your mail server, or are you using a unique public IP address for your mail server?

And what version is your ASA?

I use a unique public static address for my mail server, and my ASA is the ASA 5510 with ASA 8.4.2 and ASDM 6.4.5.

My running config is:

Result of the command: "show runn"

: Saved

:

ASA Version 8.4(2)

!

hostname asa5510

domain-name dri.local

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 178.x.x.x 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object network NETWORK_OBJ_192.168.5.0_24

subnet 192.168.5.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network 192.168.0.10

host 192.168.0.10

object service ssl

service tcp destination eq 465

object service tls

service tcp destination eq 995

object network mail

host 192.168.0.253

object network mailout

host 178.x.x.179

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

object-group service DM_INLINE_SERVICE_0

service-object icmp echo-reply

service-object object ssl

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object object tls

service-object tcp destination eq www

service-object tcp destination eq https

object-group service DM_INLINE_SERVICE_2

service-object object ssl

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object object tls

service-object ip

object-group service DM_INLINE_SERVICE_3

service-object icmp echo-reply

service-object object ssl

service-object tcp destination eq www

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object object tls

access-list INSIDE-IN remark Allow traffic from LAN

access-list INSIDE-IN extended permit object-group DM_INLINE_SERVICE_2 192.168.0.0 255.255.255.0 any

access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_access extended permit object-group DM_INLINE_SERVICE_3 any object mailout

access-list outside_access extended permit object-group DM_INLINE_SERVICE_0 any object mail

access-list outside_access extended permit icmp any any echo-reply

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL

!

object network mail

nat (inside,outside) static 178.x.x.179 dns

access-group outside_access in interface outside

access-group INSIDE-IN in interface inside

route outside 0.0.0.0 0.0.0.0 178.x.x.x 1

route inside 192.168.5.0 255.255.255.0 192.168.0.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record dripolisa

aaa-server DRI protocol ldap

aaa-server DRI (inside) host 192.168.0.20

ldap-base-dn DC=dri,DC=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn CN=xxx xxx,OU=xxx,OU=sektor2,OU=xxxx,DC=xxx,DC=local

server-type microsoft

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

virtual telnet 192.168.1.12

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 195.222.96.223

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 management

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.14-192.168.0.45 inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_195.222.96.223 internal

group-policy GroupPolicy_195.222.96.223 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy drivpn internal

group-policy drivpn attributes

dns-server value 192.168.0.20 192.168.0.254

vpn-simultaneous-logins 10

vpn-idle-timeout 30

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-network-list value Split_Tunnel_List

default-domain value dri.local

username driadmin password AojCAMO/soZo8W.W encrypted privilege 15

tunnel-group drivpn type remote-access

tunnel-group drivpn general-attributes

address-pool vpnadrese

authentication-server-group DRI

default-group-policy drivpn

tunnel-group drivpn ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 195.222.96.223 type ipsec-l2l

tunnel-group 195.222.96.223 general-attributes

default-group-policy GroupPolicy_195.222.96.223

tunnel-group 195.222.96.223 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:27c3f78395a038ad10d9c79309af611a

: end

access-list outside_access permit tcp any object mail eq 465

access-list outside_access permit tcp any object mail eq 995

Is my running config good? On the public DNS server 46.x.x.x I have the MX record mail.drims.rs for my mail server, but it is on another domain, not on drims.rs, and I don't have a record. How do I resolve this problem?

Yes, the running config looks good to me, with the following that needs to be added for outbound mail:

access-list INSIDE-IN permit tcp object mail any eq 465

access-list INSIDE-IN permit tcp object mail any eq 995

mail.drims.rs doesn't seem to resolve to any IP address. In regards to the DNS, you would need to add that on the public DNS server, and it needs to resolve to the static NAT configured on the ASA, i.e. 178.x.x.179. Otherwise, it won't work.
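The mechanism behind both answers above (static NAT for the mail host, an outside ACL for inbound mail, inside ACL entries for outbound mail), as an added example that is not part of the original thread and not Cisco code: a small Python model of the order in which an ASA on 8.3 or later applies a static NAT and its interface ACLs. Since 8.3 the interface ACLs are matched on real (untranslated) addresses, so an outside ACL entry written against the mapped public address never matches inbound traffic. The model uses 198.51.100.179 (an RFC 5737 documentation address) in place of the redacted 178.x.x.179 and 203.0.113.0/24 as the internet side; the ACL contents are assumptions modelled on the entries in this thread.

```python
"""Model of ASA 8.3+ static NAT and ACL ordering, written as an added
example for this thread. It is not Cisco code and not the poster's config;
198.51.100.179 stands in for the redacted 178.x.x.179 and 203.0.113.0/24
plays the internet side."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StaticNat:
    real: IPv4Address     # object network mail -> host 192.168.0.253
    mapped: IPv4Address   # nat (inside,outside) static <public>


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp" or "ip"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def _addr_matches(spec: str, addr: IPv4Address) -> bool:
    return spec == "any" or addr in ip_network(spec)


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; an ASA ACL ends in an implicit deny."""
    for ace in acl:
        if ((ace.proto == "ip" or ace.proto == pkt.proto)
                and _addr_matches(ace.src, pkt.src)
                and _addr_matches(ace.dst, pkt.dst)
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action == "permit"
    return False


def inbound_decision(pkt: Packet, nats: List[StaticNat],
                     outside_acl: List[Ace]) -> Tuple[str, str]:
    """outside -> inside: the destination is un-NATed first, and the outside
    ACL is then evaluated against the real (inside) address, as on 8.3+."""
    real_dst = next((n.real for n in nats if n.mapped == pkt.dst), None)
    if real_dst is None:
        return ("dropped", "no translation for mapped address")
    real_pkt = Packet(pkt.proto, pkt.src, real_dst, pkt.dport)
    verdict = "permitted" if acl_permits(outside_acl, real_pkt) else "denied"
    return (verdict, str(real_dst))


def outbound_decision(pkt: Packet, nats: List[StaticNat],
                      inside_acl: List[Ace]) -> Tuple[str, str]:
    """inside -> outside: the inside ACL sees the real source; the static
    NAT rewrites the source to the mapped address on the way out."""
    if not acl_permits(inside_acl, pkt):
        return ("denied", str(pkt.src))
    mapped = next((n.mapped for n in nats if n.real == pkt.src), pkt.src)
    return ("permitted", str(mapped))


MAIL_REAL = ip_address("192.168.0.253")
MAIL_MAPPED = ip_address("198.51.100.179")   # placeholder for 178.x.x.179
NATS = [StaticNat(MAIL_REAL, MAIL_MAPPED)]

# outside_access written the 8.3+ way, against the real host, like
# "permit tcp any object mail eq 25/465/995" in the thread
OUTSIDE_ACL = [Ace("permit", "tcp", "any", "192.168.0.253/32", p)
               for p in (25, 465, 995)]
# The same ports written against the mapped address ("object mailout"):
# the pre-8.3 style, which never matches on 8.4
OUTSIDE_ACL_MAPPED_ONLY = [Ace("permit", "tcp", "any", "198.51.100.179/32", p)
                           for p in (25, 465, 995)]
# An INSIDE-IN that lets only the mail host originate SMTP/SMTPS/POP3S,
# while every LAN host may still browse
INSIDE_ACL = [Ace("permit", "tcp", "192.168.0.253/32", "any", p)
              for p in (25, 465, 995)]
INSIDE_ACL += [Ace("permit", "tcp", "192.168.0.0/24", "any", p)
               for p in (80, 443)]

if __name__ == "__main__":
    peer = ip_address("203.0.113.5")
    syn_in = Packet("tcp", peer, MAIL_MAPPED, 25)
    print("inbound, ACL on real address  :", inbound_decision(syn_in, NATS, OUTSIDE_ACL))
    print("inbound, ACL on mapped address:", inbound_decision(syn_in, NATS, OUTSIDE_ACL_MAPPED_ONLY))
    print("outbound SMTP from mail host  :", outbound_decision(Packet("tcp", MAIL_REAL, peer, 25), NATS, INSIDE_ACL))
    print("outbound SMTP from a LAN PC   :", outbound_decision(Packet("tcp", ip_address("192.168.0.20"), peer, 25), NATS, INSIDE_ACL))
```

Two caveats the model makes visible in the posted config: the `outside_access` entry against `object mailout` (host 178.x.x.179) is written against the mapped address and so never matches on 8.4, the `object mail` entries are the ones doing the work; and because `DM_INLINE_SERVICE_2` contains `service-object ip`, `INSIDE-IN` already permits all IP from 192.168.0.0/24, so the added 465/995 lines are redundant until that entry is removed. Restricting outbound TCP/25 to the mail host alone, as the model's inside ACL does, also keeps a compromised workstation from sending spam directly.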

In the name server of my provider, on domain dri.rs, there's an MX record for my mail.drims.rs, but I can't resolve mail.drims.rs to an IP address. Must my ISP add a record for my mail server?

Your name server provider should be able to add that, right?

My ISP provider said that he has finished the work, but I still can't resolve mail.drims.rs to an IP address. I received this mail from the provider:

nenad@nenad-desktop:~$ dig mx dri.rs

; <<>> DiG 9.7.0-P1 <<>> mx dri.rs

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12726

;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:

;dri.rs. IN MX

;; ANSWER SECTION:

dri.rs. 14400 IN MX 10 mail.drims.rs.

dri.rs. 14400 IN MX 0 dri.rs.

;; AUTHORITY SECTION:

dri.rs. 5777 IN NS name server from ISP 1

dri.rs. 5777 IN NS name server from ISP 2

;; ADDITIONAL SECTION:

dri.rs. 9377 IN A 46.x.x.x

name server from ISP 1 428 IN A 46.x.x.x

name server from ISP 1. 428 IN A 46.x.x.x

;; Query time: 2 msec

;; SERVER: 46.x.x.x#53(x.x.x.x)

;; WHEN: Fri Aug 3 10:21:30 2012

;; MSG SIZE rcvd: 168
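The dig output above makes the DNS side checkable: dri.rs has two MX records, the preference-0 one (dri.rs., which the additional section resolves to the ISP's 46.x.x.x) is tried before mail.drims.rs, and no A record for mail.drims.rs is returned at all. The script below is an added example, not from the original posts: it parses dig-style output and walks the MX set in preference order, reporting each target that has no A record or that resolves somewhere other than the mail server's static-NAT address. The embedded dig text is a constructed sample modelled on the poster's, with the redacted addresses replaced by RFC 5737 documentation addresses (192.0.2.10 for the ISP's 46.x.x.x, 198.51.100.179 for 178.x.x.179) and invented name-server names.

```python
"""Check that a zone's MX targets resolve, and to the address the ASA is
actually translating for the mail server. Added example for this thread,
not from the original posts. DIG_OUTPUT is a constructed sample modelled
on the one the poster pasted; 192.0.2.10 replaces the ISP's 46.x.x.x and
the name-server names are invented."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DIG_OUTPUT = """\
;; ANSWER SECTION:
dri.rs.                 14400   IN      MX      10 mail.drims.rs.
dri.rs.                 14400   IN      MX      0 dri.rs.

;; AUTHORITY SECTION:
dri.rs.                 5777    IN      NS      ns1.example.net.
dri.rs.                 5777    IN      NS      ns2.example.net.

;; ADDITIONAL SECTION:
dri.rs.                 9377    IN      A       192.0.2.10
ns1.example.net.        428     IN      A       192.0.2.10
ns2.example.net.        428     IN      A       192.0.2.11
"""

# owner  ttl  IN  type  rdata   (the record lines dig prints in its sections)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(text: str) -> Dict[Tuple[str, str], List[str]]:
    """Return {(owner, type): [rdata, ...]} from dig's record lines;
    comment lines (';') and the question section are skipped."""
    records: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records[(owner.lower(), rtype)].append(rdata.strip())
    return records


def check_mx_chain(records, zone: str, expected_ip: str) -> List[Tuple[int, str, str]]:
    """Walk the zone's MX set in preference order (lowest first, which is
    what sending MTAs try first) and classify each target: no A record,
    the expected static-NAT address, or some other address."""
    zone = zone.rstrip(".").lower() + "."
    mx = []
    for rdata in records.get((zone, "MX"), []):
        pref, target = rdata.split()
        mx.append((int(pref), target.lower()))
    findings = []
    for pref, target in sorted(mx):
        addrs = records.get((target, "A"), [])
        if not addrs:
            status = "NO A RECORD: mail for this MX can never be delivered"
        elif expected_ip in addrs:
            status = "ok: resolves to the ASA static NAT address"
        else:
            status = f"resolves to {', '.join(addrs)}, not the mail server NAT address"
        findings.append((pref, target, status))
    return findings


if __name__ == "__main__":
    for pref, target, status in check_mx_chain(parse_dig(DIG_OUTPUT), "dri.rs", "198.51.100.179"):
        print(f"MX {pref:>3} {target:<20} {status}")
```

On live data, replace DIG_OUTPUT with the text of `dig mx <zone>` followed by `dig a <host>` for each MX host. Two things the check surfaces in this thread: an MX target with no A record can never receive mail, whatever the ASA permits, and a preference-0 MX pointing at a host other than the ASA's static NAT means remote MTAs deliver there first and only fall back to the real mail server when it fails.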
