Cisco Support Community

New Member

SMTP in problem

I'm testing inbound connections using port listener software.

All ports are working; only port 25 fails.

This is what I use to route inbound connections:

access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 951

access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 952

static (inside,outside) tcp 63.x.y.26 951 192.168.200.2 951 netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.27 952 192.168.200.2 952 netmask 255.255.255.255

Using the exact same commands with port 25 in place of ports 951/952 fails.

Any reason?

Is there a different way of testing SMTP inbound traffic (test environment, no SMTP server)?

Which log records will show me what exactly happens to those incoming packets that never show up on the port listener?
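One way to exercise the port-25 path without a real mail server, as an added example that is not part of the original thread: a minimal fake ESMTP listener plus a client probe, in Python (standard library only). Unlike a raw port listener, the server sends a 220 banner and answers EHLO/QUIT, so anything on the path that looks at the SMTP dialogue (an inspection engine such as inspect esmtp, for instance) sees a real-looking exchange, and the probe distinguishes "TCP never connected" from "connected but the peer stayed silent" from "full dialogue worked". The hostnames in the code are made-up placeholders; the 192.168.200.x / 63.x.y.26 roles in the comments are the thread's.

```python
import socket
import sys
import threading

# Placeholder hostnames (assumed for this example, not from the thread).
SERVER_NAME = b"inside-test.example"
BANNER = b"220 " + SERVER_NAME + b" ESMTP fake listener ready\r\n"


def serve_one(conn):
    """Handle one client: send the banner, answer EHLO/HELO and QUIT, reject anything else.

    This is deliberately the smallest dialogue that still looks like SMTP on the wire.
    """
    with conn:
        conn.sendall(BANNER)
        buf = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb = line.split(b" ", 1)[0].upper()
                if verb in (b"EHLO", b"HELO"):
                    conn.sendall(b"250 " + SERVER_NAME + b"\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 " + SERVER_NAME + b" closing\r\n")
                    return
                else:
                    conn.sendall(b"502 5.5.1 command not implemented\r\n")


def start_fake_smtp(host="0.0.0.0", port=25):
    """Bind a listener (port 25 needs root) and serve clients on daemon threads.

    Returns the listening socket; its real port is srv.getsockname()[1], which
    matters when port=0 is passed to get an ephemeral port for local testing.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def probe_smtp(host, port=25, timeout=5.0):
    """Client side: connect, read the banner, send EHLO then QUIT, record each reply.

    A TCP connect failure raises (nothing reached a listener at all). A connect that
    succeeds but yields no banner is reported as connected=True, ok=False: the TCP
    path works and the problem is in the application dialogue, e.g. a raw port
    listener that never speaks, or something on the path eating the banner.
    """
    result = {"connected": False, "banner": "", "ehlo": "", "quit": "", "ok": False}
    with socket.create_connection((host, port), timeout=timeout) as s:
        result["connected"] = True
        f = s.makefile("rb")
        try:
            result["banner"] = f.readline().decode(errors="replace").rstrip()
            if not result["banner"]:
                return result  # peer closed without sending a banner
            s.sendall(b"EHLO probe.example\r\n")
            result["ehlo"] = f.readline().decode(errors="replace").rstrip()
            s.sendall(b"QUIT\r\n")
            result["quit"] = f.readline().decode(errors="replace").rstrip()
        except socket.timeout:
            return result  # connected, but the peer stayed silent
    result["ok"] = result["banner"].startswith("220") and result["ehlo"].startswith("250")
    return result


if __name__ == "__main__":
    # On the inside host (192.168.200.x in the thread):    python fake_smtp.py serve 25
    # On the outside test PC, against the mapped address:  python fake_smtp.py 63.x.y.26 25
    if sys.argv[1:2] == ["serve"]:
        start_fake_smtp(port=int(sys.argv[2]) if len(sys.argv) > 2 else 25)
        threading.Event().wait()
    else:
        target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
        print(probe_smtp(target, int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

Run the serve side on the inside host, then the probe from the outside test PC against the mapped address. A probe that raises on connect means no SYN got translated and forwarded (ACL, static, or routing); one that reports connected but ok=False means TCP got through and only the SMTP dialogue is being interfered with.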

8 REPLIES
New Member

Re: SMTP in problem

Hello,

Try disabling SMTP inspection and see if you get a different result.

New Member

Re: SMTP in problem

Same result.

Actually, inspect smtp does not exist. I've disabled inspect esmtp.

Re: SMTP in problem

Hi,

Is the 192.168.200.2 host listening on port 25? If so, what do the syslogs show when you try to connect to the outside address on port 25? Do you see a connection being built in the conn table?

-Mike

New Member

Re: SMTP in problem

That was my question: which log should I check to see if the connection even started?

Is it just: show logging?
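As an added example (not from the thread), here is what "show logging" output looks like once you know which message IDs to look for, with a small Python parser that traces one outside address/port through it. The sample log is constructed: the addresses are documentation ranges rather than the poster's, and the 106023 / 302013 / 302014 lines are made up so each outcome appears once. The message formats are the ASA's own (106023 ACL deny, 302013/302014 TCP connection built/torn down, 302020/302021 ICMP in the faddr/gaddr form seen later in this thread).

```python
import re

# Constructed sample of "show logging" output in the severity|timestamp|msgid: text
# form seen in this thread. Addresses are documentation ranges, not the poster's;
# the 106023/302013/302014 lines are made up to show each outcome once.
SAMPLE_LOG = """\
6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 192.0.2.5/0 gaddr 203.0.113.26/0 laddr 203.0.113.26/0
6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 192.0.2.5/0 gaddr 203.0.113.26/0 laddr 203.0.113.26/0
4|Aug 07 2008 08:47:02|106023: Deny tcp src outside:192.0.2.5/40321 dst inside:203.0.113.26/25 by access-group "outside_access_in" [0x0, 0x0]
6|Aug 07 2008 08:47:30|302013: Built inbound TCP connection 117 for outside:192.0.2.5/40322 (192.0.2.5/40322) to inside:192.168.200.6/25 (203.0.113.26/25)
6|Aug 07 2008 08:47:35|302014: Teardown TCP connection 117 for outside:192.0.2.5/40322 to inside:192.168.200.6/25 duration 0:00:05 bytes 312 TCP FINs
"""

HEADER = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<id>\d{6}): (?P<text>.*)$")
DENY = re.compile(
    r'Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<real>[\d.]+)/(?P<rport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)")
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for \w+:(?P<src>[\d.]+)/\d+ "
    r"to \w+:(?P<real>[\d.]+)/(?P<rport>\d+) duration (?P<dur>\S+) bytes (?P<bytes>\d+)")
ICMP = re.compile(r"ICMP connection for faddr (?P<src>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+")


def parse_line(line):
    """Turn one syslog line into a dict; unknown message IDs come back as kind='other'."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    msgid, text = m["id"], m["text"]
    ev = {"id": msgid, "ts": m["ts"], "kind": "other"}
    if msgid == "106023" and (d := DENY.search(text)):
        ev.update(kind="acl_deny", src=d["src"], dst=d["dst"], dport=int(d["dport"]), acl=d["acl"])
    elif msgid == "302013" and (b := BUILT.search(text)):
        # For an inbound connection the parenthesised destination is the mapped (outside) address.
        ev.update(kind="tcp_built", conn=b["conn"], src=b["src"], dst=b["mapped"],
                  dport=int(b["mport"]), real=b["real"], rport=int(b["rport"]))
    elif msgid == "302014" and (t := TEARDOWN.search(text)):
        ev.update(kind="tcp_teardown", conn=t["conn"], src=t["src"], real=t["real"],
                  rport=int(t["rport"]), nbytes=int(t["bytes"]))
    elif msgid in ("302020", "302021") and (i := ICMP.search(text)):
        ev.update(kind="icmp", src=i["src"], dst=i["gaddr"])
    return ev


def trace_port(log_text, outside_ip, port):
    """Report what the firewall did with TCP connections aimed at outside_ip:port."""
    rep = {"acl_denied": 0, "built": 0, "torn_down": 0, "icmp": 0, "unrelated": 0, "notes": []}
    open_conns = {}  # conn id -> built event, because 302014 only carries the real address
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        k = e["kind"]
        if k == "acl_deny" and e["dst"] == outside_ip and e["dport"] == port:
            rep["acl_denied"] += 1
            rep["notes"].append(f'{e["ts"]}: {e["src"]} -> {outside_ip}/{port} denied by ACL {e["acl"]}')
        elif k == "tcp_built" and e["dst"] == outside_ip and e["dport"] == port:
            rep["built"] += 1
            open_conns[e["conn"]] = e
            rep["notes"].append(f'{e["ts"]}: conn {e["conn"]} {e["src"]} -> {outside_ip}/{port} '
                                f'translated to {e["real"]}/{e["rport"]}')
        elif k == "tcp_teardown" and e["conn"] in open_conns:
            rep["torn_down"] += 1
            hint = " (0 bytes: the inside host never answered)" if e["nbytes"] == 0 else ""
            rep["notes"].append(f'{e["ts"]}: conn {e["conn"]} closed after {e["nbytes"]} bytes{hint}')
        elif k == "icmp":
            rep["icmp"] += 1
        else:
            rep["unrelated"] += 1
    if rep["built"] == 0 and rep["acl_denied"] == 0:
        rep["notes"].append(f"no TCP/{port} traffic for {outside_ip} was logged at all: "
                            "check that logging is at informational and that the test "
                            "client's packets actually reach the outside interface")
    return rep


if __name__ == "__main__":
    for note in trace_port(SAMPLE_LOG, "203.0.113.26", 25)["notes"]:
        print(note)
```

Two caveats when reading the real log: 302013/302014 are severity 6, so the buffer must be at informational (logging buffered informational) or they never show up in show logging, while 106023 is severity 4; and if neither an ACL deny nor a TCP build appears for the port under test, the SYN did not reach the firewall's outside interface and the ASA configuration is not yet the problem.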

Re: SMTP in problem

Sometimes ESMTP inspection causes problems.

Try disabling ESMTP inspection in your default policy.

New Member

Re: SMTP in problem

Already done that; it didn't make a difference.

Re: SMTP in problem

Add the following to your config:

access-list outside_access_in extended permit tcp any host 63.x.y.26 eq 25

access-list outside_access_in extended permit tcp any host 63.x.y.27 eq 25

Then make a static NAT for SMTP:

static (inside,outside) tcp 63.x.y.26 25 192.168.200.2 25 netmask 255.255.255.255

static (inside,outside) tcp 63.x.y.27 25 192.168.200.2 25 netmask 255.255.255.255

By the way, I have done it for both IPs.

You can do it for one if you want.

I have done that because I can't see a static NAT, and there is also no ACL entry to permit TCP 25 (SMTP).

**AFTER THAT, RELOAD THE FIREWALL, THEN TEST IT**

Good luck.

Please rate if helpful.

New Member

Re: SMTP in problem

It is NOT working.

First, I had a problem adding these static commands: the first one was fine (after deleting the previous statics), but the second one produced this error:

***********

ERROR: duplicate of existing static

TCP inside:192.168.200.6/25 to outside:63.x.y.26/25 netmask 255.255.255.255

The current config includes this:

********************************

Config:

ASA# sh run | inc static

static (inside,outside) tcp 63.x.y.28 953 192.168.200.2 953 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.200.6 smtp netmask 255.255.255.255

ASA# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outside_access_in; 7 elements

access-list outside_access_in line 1 extended permit icmp any interface outside (hitcnt=0) 0xbdd73ad6

access-list outside_access_in line 2 extended permit tcp any host 63.x.y.26 eq 951 (hitcnt=0) 0x3ce31844

access-list outside_access_in line 3 extended permit tcp any host 63.x.y.27 eq 952 (hitcnt=0) 0x47759ff9

access-list outside_access_in line 4 extended permit tcp any host 63.x.y.28 eq 953 (hitcnt=0) 0x34502744

access-list outside_access_in line 5 extended permit tcp any host 63.x.y.29 eq smtp (hitcnt=0) 0x9c033920

access-list outside_access_in line 6 extended permit tcp any host 63.x.y.26 eq smtp (hitcnt=0) 0xc254efef

access-list outside_access_in line 7 extended permit tcp any host 63.x.y.27 eq smtp (hitcnt=0) 0xc9867e83

Reloaded, retried port 25 via 63.x.y.26; this is the log:

Log file:

6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:46:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:46:18|302021: Teardown ICMP connection for faddr 10.a.b.c/0 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:47:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:47:18|302021: Teardown ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:47:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:47:18|302021: Teardown ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:47:18|302020: Built inbound ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

6|Aug 07 2008 08:47:18|302021: Teardown ICMP connection for faddr 10.a.b.c/256 gaddr 63.x.y.26/0 laddr 63.x.y.26/0

10.a.b.c => source IP (PC that connects to the test environment)

192.168.200.6 => destination IP (PC listening on port 25)
