Community Member

Problem sending mails through ASA 5505

Hi,

I have 2 subnets bought from my provider: 194.102.98.128/27 and 194.102.98.160/27.

From my provider I have the following setup:

IP Address:  86.120.151.66
Netmask:     255.255.255.128
Gateway:     86.120.151.1
DNS (1): 213.154.124.1
DNS (2): 193.231.252.1

My IPs are statically routed by my provider through 86.120.151.66.

On the firewall I have the following set-up:

Outside Interface: 86.120.151.66/25 security level 0

DMZ interface: 194.102.98.129/27 security level 50

Inside Interface: 194.102.98.161/27 security level 100

0.0.0.0 0.0.0.0 [1/0] via 86.120.151.1, outside

Everything works perfectly except when I try to send an email. The email gets sent (eventually), but after a long waiting time, 45-60 sec. The connection to the server is opened instantly but then just hangs there for 40-50 sec. The problem is that I have an application on a server that has to send confirmation emails, and that application is limited to a 30 sec timeout for connecting to the mail server, much less than the 45-60 sec that I have now. The mail server is hosted by a data center; it is not in my networks (location).

I have tried deleting the ESMTP inspection, but that doesn't work. Pinging my mail server results in an average time of 20 ms. And when I do a tracert, the highest value in a hop doesn't usually pass 80 ms; the average is 20-25 ms.

The problem is ONLY when sending emails. Everything else works perfectly, including receiving emails from the same server.

My running config is:

hostname ASA-Adisys

domain-name Intern.ro

enable password 0./39zRW9yhKK/bO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 91.220.232.66 www.itarena.ro description Adresa IP a site-ului

name 194.102.98.161 Inside_Gateway

name 172.16.10.96 VPN_Adress_POOL

name 194.102.98.185 Adisys_Cara

name 194.102.98.165 Adisys_Cyclope

name 194.102.98.184 Adisys_UC540W description Adresa de WAN Adisys

name 194.102.98.133 DMZ_Agnor_IP1

name 194.102.98.134 DMZ_Agnor_IP2

name 194.102.98.146 DMZ_Fasttrack

name 194.102.98.150 DMZ_Graitec_Auth_Server

name 194.102.98.148 DMZ_Graitec_Axapta

name 194.102.98.149 DMZ_Graitec_Citrix

name 194.102.98.147 DMZ_Graitec_FTP

name 194.102.98.144 DMZ_Jeka

name 194.102.98.142 DMZ_Agras

name 194.102.98.132 DMZ_Router_Dlink description Adresa de la router-ul din spate

name 89.122.106.51 Graitec_Remote_PC1 description Calculator dupa care se face RDC Graitec

name 89.122.49.40 Graitec_Remote_PC3 description Calculator dupa care se face RDC Graitec

name 184.154.10.114 Graitec_mail.graitec.info

name 89.120.49.209 Graitec_mail.graitec.net description Calculator dupa care se face RDC Graitec

name 89.122.248.141 Graitec_mail.graitec.ro description Calculator dupa care se face RDC Graitec

name 81.80.156.221 Graitec_mailhost.graitec.com

name 82.137.9.82 Test_IP description IP de test

!

interface Vlan1

nameif inside

security-level 100

ip address Inside_Gateway 255.255.255.224

!

interface Vlan2

description IP Internet

nameif outside

security-level 0

ip address 86.120.151.66 255.255.255.128

!

interface Vlan12

description Retea clienti

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 194.102.98.129 255.255.255.224

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

switchport access vlan 12

!

interface Ethernet0/7

switchport access vlan 12

!

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns server-group DefaultDNS

domain-name Intern.ro

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1

network-object host Graitec_mail.graitec.net

network-object host Graitec_Remote_PC1

network-object host Graitec_mail.graitec.ro

network-object host Graitec_Remote_PC3

network-object host Test_IP

object-group network DM_INLINE_NETWORK_2

network-object host DMZ_Graitec_Axapta

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

object-group network DM_INLINE_NETWORK_3

network-object host DMZ_Graitec_Axapta

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

object-group network DM_INLINE_NETWORK_4

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

network-object host Inside_Gateway

network-object host Adisys_UC540W

object-group network DM_INLINE_NETWORK_5

network-object host DMZ_Graitec_Axapta

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

object-group network DM_INLINE_NETWORK_6

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

object-group network DM_INLINE_NETWORK_7

network-object host DMZ_Graitec_Axapta

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network DM_INLINE_NETWORK_8

network-object host Inside_Gateway

network-object host Adisys_UC540W

object-group network DM_INLINE_NETWORK_10

network-object host DMZ_Graitec_FTP

network-object host DMZ_Graitec_Axapta

network-object host DMZ_Graitec_Citrix

network-object host DMZ_Graitec_Auth_Server

object-group network DM_INLINE_NETWORK_9

network-object host Graitec_mail.graitec.info

network-object host Graitec_mailhost.graitec.com

network-object host Graitec_mail.graitec.net

network-object host Graitec_mail.graitec.ro

network-object host Graitec_Remote_PC3

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object icmp

protocol-object icmp6

object-group service DM_INLINE_TCP_1 tcp

port-object eq 2525

port-object eq 465

port-object eq pop3

port-object eq smtp

access-list outside_access_in remark Allow access to Auth, Axapta, Citrix to 3389

access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 eq 3389

access-list outside_access_in remark Allow access to Citrix, Auth, Adisys_WAN to port 443

access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq https

access-list outside_access_in remark Allow access to Auth, Axapta, Citrix from port 80

access-list outside_access_in extended permit tcp any eq www object-group DM_INLINE_NETWORK_3

access-list outside_access_in remark Allow access to Auth, Axapta, Citrix from port 53

access-list outside_access_in extended permit object-group TCPUDP any eq domain object-group DM_INLINE_NETWORK_5

access-list outside_access_in remark Allow access to Auth, Citrix from port 443

access-list outside_access_in extended permit tcp any eq https object-group DM_INLINE_NETWORK_6

access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_1

access-list outside_access_in remark Allow Ping to graitec servers

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

access-list outside_access_in remark Deny any to Axapta, Auth, Citrix

access-list outside_access_in extended deny ip any object-group DM_INLINE_NETWORK_7

access-list outside_access_in remark Allow access to Adisys_WAN from Non500-isakmp

access-list outside_access_in extended permit udp any host Adisys_UC540W eq 4500

access-list outside_access_in remark Allow access to Adisys_WAN from Isakmp

access-list outside_access_in extended permit udp any object-group DM_INLINE_NETWORK_8 eq isakmp

access-list outside_access_in remark Allow access to Adisys_WAN from esp

access-list outside_access_in extended permit esp any host Adisys_UC540W

access-list outside_access_in remark Allow access to Adisys_WAN from AHP

access-list outside_access_in extended permit ah any host Adisys_UC540W

access-list outside_access_in remark Allow syslog messeger from ITarena.ro to Cyclope Syslog

access-list outside_access_in extended permit udp host www.itarena.ro host Adisys_Cyclope eq syslog

access-list outside_access_in remark Allow 113 from www.itarena.ro

access-list outside_access_in extended permit tcp host www.itarena.ro 194.102.98.160 255.255.255.224 eq ident

access-list outside_access_in remark Allow Mark Vision from internet

access-list outside_access_in extended permit tcp any host Adisys_UC540W eq 9788

access-list outside_access_in extended permit tcp any host DMZ_Router_Dlink eq www

access-list outside_access_in remark Allow TFTP for Voice

access-list outside_access_in extended permit ip VPN_Adress_POOL 255.255.255.240 194.102.98.160 255.255.255.224 inactive

access-list outside_access_in remark Allow TFTP from inside to VPN

access-list outside_access_in extended permit ip 194.102.98.160 255.255.255.224 VPN_Adress_POOL 255.255.255.240 inactive

access-list outside_access_in remark Deny any to Inside Network 194.102.98.160/27

access-list outside_access_in extended deny ip any 194.102.98.160 255.255.255.224

access-list outside_access_in extended permit ip any 194.102.98.128 255.255.255.224

access-list outside_access_in remark Allow Ping

access-list outside_access_in extended permit icmp any any echo-reply

access-list THROTTLE_GRAITEC_FTP extended permit ip host DMZ_Graitec_FTP any

access-list THROTTLE_GRAITEC_FTP extended permit ip any host DMZ_Graitec_FTP

access-list Adisan-VPN_splitTunnelAcl standard permit 194.102.98.160 255.255.255.224

access-list outside_mpc extended permit ip host DMZ_Fasttrack any

access-list outside_mpc extended permit ip any host DMZ_Fasttrack

access-list outside_access_in_1 remark Allow

access-list outside_access_in_1 extended permit tcp any any eq https

pager lines 24

logging enable

logging trap warnings

logging asdm informational

logging host inside Adisys_UC540W

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

ip local pool VPN_POOL 172.16.10.97-172.16.10.110

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

access-group outside_access_in_1 in interface outside control-plane

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 86.120.151.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 194.102.98.160 255.255.255.224 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 194.102.98.160 255.255.255.224 inside

telnet timeout 15

ssh 194.102.98.160 255.255.255.224 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address Adisys_Cyclope-194.102.98.170 inside

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics host number-of-rate 2

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy Adisan-VPN internal

group-policy Adisan-VPN attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Adisan-VPN_splitTunnelAcl

tunnel-group Adisan-VPN type remote-access

tunnel-group Adisan-VPN general-attributes

address-pool VPN_POOL

default-group-policy Adisan-VPN

tunnel-group Adisan-VPN ipsec-attributes

pre-shared-key *

!

class-map THROTTLE_GRAITEC_FTP

match access-list THROTTLE_GRAITEC_FTP

class-map THROTTLE_FASTTRACK

match access-list outside_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map THROTTLE_GRAITEC_FTP

class THROTTLE_GRAITEC_FTP

  police output 10000000 20000

  police input 10000000 20000

class THROTTLE_FASTTRACK

  police input 6000000 12000

  police output 6000000 12000

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect dns

  inspect tftp

!

service-policy global_policy global

service-policy THROTTLE_GRAITEC_FTP interface outside

prompt hostname context

Cryptochecksum:347696f9e2888a7c7c1adf4a1a20eeef

: end
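The post says the TCP connection opens instantly and the hang comes afterwards, so the useful first check is to time each phase of the SMTP dialogue separately rather than the whole send. The probe below is an added example, not code from the original post: it measures TCP connect, the wait for the server's 220 banner, and the EHLO round trip on their own, and includes a constructed local stand-in server (delaying its banner) so it runs offline. A fast connect followed by a long banner wait points at something between the client and the server's greeting (proxying or inspection in the path, or server-side lookups that run before the banner is sent); a slow connect points at routing or the handshake itself.

```python
import socket
import threading
import time


def smtp_phase_timings(host, port, timeout=70.0):
    """Return seconds spent in each SMTP phase: connect, banner, ehlo."""
    timings = {}
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    timings["connect"] = time.monotonic() - t0
    f = sock.makefile("rb")
    t0 = time.monotonic()
    f.readline()                           # blocks until the 220 banner arrives
    timings["banner"] = time.monotonic() - t0
    t0 = time.monotonic()
    sock.sendall(b"EHLO probe.example\r\n")  # hypothetical client name
    line = f.readline()
    while line and line[3:4] == b"-":      # skip 250- continuation lines
        line = f.readline()
    timings["ehlo"] = time.monotonic() - t0
    sock.sendall(b"QUIT\r\n")
    f.readline()                           # 221 reply, then close
    sock.close()
    return timings


def start_slow_banner_server(banner_delay):
    """Constructed stand-in mail server on localhost that delays its 220
    banner by banner_delay seconds; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        time.sleep(banner_delay)           # simulate the pre-banner hang
        conn.sendall(b"220 mail.example ESMTP\r\n")
        cf = conn.makefile("rb")
        cf.readline()                      # EHLO
        conn.sendall(b"250-mail.example\r\n250 SIZE 10240000\r\n")
        cf.readline()                      # QUIT
        conn.sendall(b"221 Bye\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_slow_banner_server(0.5)
    print(smtp_phase_timings("127.0.0.1", port))
```

Against a real relay, call `smtp_phase_timings` with the mail server's address and port 25 from the host that sends the confirmation emails, once with the ASA in the path and once without, and compare which phase carries the 40-50 seconds.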

3 REPLIES
Community Member

Problem sending mails through ASA 5505

Did you ever find a solution to why the ASA is doing this? I'm having the same problem.

Problem sending mails through ASA 5505

Hello Paul,

Please explain your issue and the design of your network so we can help you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Problem sending mails through ASA 5505

Please see the following post that I started.

http://social.technet.microsoft.com/Forums/en-US/exchangesvrclients/thread/56717f7b-9638-4e0d-b22c-f1031c1d021c

I have verified that this is indeed a problem when I have the ASA in place. Bypassing the ASA resolves the issue. I have no inspection in place. No time outs in place either.

I am having the same issue as the original person that started this post.

When routing between two different segments with an Exchange server and Outlook clients on different networks, going through the ASA, at random times the clients are experiencing hangs when sending emails in Outlook. Apparently the other person fixed it by disabling RPC inspection on the Juniper he has.
