Cisco Support Community
New Member

smtp not working-200****

Hi support,

I require your help very badly.

I have a firewall with inside, outside and DMZ. I have an SMTP server in the DMZ. I have given nat 0 from inside to DMZ and vice versa. From outside to the DMZ SMTP server a static NAT is there.

When I telnet to the SMTP server on port 25 I am getting the error below.

Please help me...

220 ***************************************************************************************

helo

500 5.3.3 Unrecognized command

regards

Rajesh

3 ACCEPTED SOLUTIONS

Accepted Solutions

Re: smtp not working-200****

try do the same from DMZ. Do you have the same error?

Silver

Re: smtp not working-200****

You're running ESMTP inspection. I've seen many issues with this inspection and some mail servers (like MS Exchange). Usually, the recommended thing is to disable inspection.

It's easy to disable but you should do your research and fully understand the changes.

conf t
 policy-map global_policy
  class inspection_default
   no inspect esmtp

KB that was for the old fixup smtp in early versions of PIX software.

http://support.microsoft.com/kb/295725/en-us

Cisco doc for ESMTP inspection for 8.0.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_esmtp.html

Hope this helps.

Thanks,

Chad
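An added example, not from Chad's post or any Cisco tool, of a small Python probe that makes the telnet check above repeatable: it connects, reads the 220 greeting, sends EHLO and reports whether the greeting is the asterisk-masked form that ESMTP inspection produces (the shape Rajesh pasted) or a normal one. The host names, the constructed greetings and the local stand-in server are assumptions so that it runs offline; point probe_smtp at the mail host's public address to use it for real.

```python
import socket
import threading

# Constructed sample greetings; this example never contacts a real mail host.
CLEAR_BANNER = b"220 mail.example.test ESMTP ready\r\n"
MASKED_BANNER = b"220 " + b"*" * 60 + b"\r\n"  # shape of a greeting seen through 'inspect esmtp'


def classify_banner(banner: str) -> str:
    """'masked'     : 220 followed only by asterisks, i.e. a firewall is rewriting the greeting
    'clear'      : an ordinary 220 greeting
    'unexpected' : anything that is not a 220 reply"""
    stripped = banner.strip()
    line = stripped.splitlines()[0] if stripped else ""
    if not line.startswith("220"):
        return "unexpected"
    text = line[3:].strip()
    if text and set(text) == {"*"}:
        return "masked"
    return "clear"


def _read_reply(sock: socket.socket) -> str:
    """Read one SMTP reply, following '250-' continuation lines up to the final 'NNN ' line."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        done = buf.split(b"\r\n")[:-1]          # complete lines received so far
        if done and done[-1][3:4] != b"-":      # last line is not a continuation
            break
    return buf.decode("ascii", "replace")


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Connect, read the greeting, send EHLO, and report what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = _read_reply(sock)
            sock.sendall(b"EHLO probe.example.test\r\n")   # hypothetical client name
            ehlo = _read_reply(sock)
            sock.sendall(b"QUIT\r\n")
            _read_reply(sock)
    except OSError as exc:
        # Refused, timed out or reset: no usable SMTP exchange happened, so the
        # problem sits in the path (ISP filtering, firewall ACL/NAT), not in inspection.
        return {"reachable": False, "error": str(exc)}
    return {
        "reachable": True,
        "banner": banner.strip(),
        "banner_class": classify_banner(banner),
        "ehlo_code": ehlo[:3],
    }


def fake_smtp_server(banner: bytes, ehlo_reply: bytes) -> int:
    """Offline stand-in: serves one connection on 127.0.0.1 and returns its port (assumption)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(banner)
            for _ in range(2):                      # expect EHLO, then QUIT
                data = b""
                while not data.endswith(b"\r\n"):
                    chunk = conn.recv(1024)
                    if not chunk:
                        return
                    data += chunk
                if data.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    return
                conn.sendall(ehlo_reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Two constructed scenarios: an inspected path that rejects EHLO, and a direct one.
    for label, greeting, reply in [
        ("inspected", MASKED_BANNER, b"500 5.3.3 Unrecognized command\r\n"),
        ("direct", CLEAR_BANNER, b"250-mail.example.test\r\n250 SIZE 10240000\r\n"),
    ]:
        print(label, probe_smtp("127.0.0.1", fake_smtp_server(greeting, reply)))
```

Run it from outside and from the DMZ, as a.alekseev suggested: the same host showing a masked greeting from one side and a clear one from the other tells you the inspection policy, not the mail server, is in the path.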

Silver

Re: smtp not working-200****

Rajesh,

a.alekseev was trying to tell you that you've got ACLs that aren't needed.

By default traffic flowing from a high security interface to a low one is permitted. Your ACLs applied to both directions on the inside and dmz interfaces are not needed unless you need to block traffic from leaving, and will probably only confuse the issue.

You could also use static to do nonat on the inside<->DMZ traffic. I find it a little cleaner than ACLs.

static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0

static (dmz,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

You might want to rethink your 106 ACL. The 1st and 3rd lines are allowing all tcp and udp traffic to those hosts. Only open up what is needed.

You only need port 25 to do SMTP. You should also change your ACL for traffic leaving the dmz to inside to only permit the port and hosts that it needs to communicate with. If you open all traffic you're reducing the effectiveness of the DMZ.

Here is an example of a mail server dmz configuration.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Hope this helps.

Thanks,

Chad

Please rate if helpful.
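An added example (not Chad's code and not an ASA feature) that applies the "only open up what is needed" advice mechanically: a Python audit of extended ACEs that flags permits with no destination port, protocol ip, or any-to-any. The SAMPLE_ACL lines are constructed for illustration; only the 105 entry echoes the one Rajesh posted, and the handled syntax is the plain host/network/any form shown in the thread, not the full ASA grammar (object-groups, named interfaces and so on are reported as not parsed).

```python
import re

# Constructed sample ACL (only the 105 line mirrors the one posted in the thread).
SAMPLE_ACL = """\
access-list 105 extended permit tcp any host 203.0.113.25 eq smtp
access-list 106 extended permit tcp any host 192.168.4.20
access-list 106 extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.4.10 eq 443
access-list 106 extended permit udp any host 192.168.4.20
access-list 106 extended permit ip any any
access-list 133 extended permit tcp host 10.10.10.10 host 192.168.4.5 eq 389
"""

# Address forms handled: 'any', 'host A.B.C.D', or 'network mask'.
_ADDR = r"(?:any|host \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
_ACE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{_ADDR}) (?P<dst>{_ADDR})"
    r"(?: (?P<op>eq|gt|lt|neq|range) (?P<port>\S+(?: \S+)?))?$"
)


def parse_ace(line: str):
    """Fields of one extended ACE as a dict, or None when it is not in the handled shape."""
    m = _ACE.match(line.strip())
    return m.groupdict() if m else None


def audit_acl(text: str) -> list:
    """Return [(line, [reasons])] for permit entries broader than a host-and-port rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        ace = parse_ace(line)
        if ace is None:
            findings.append((line, ["not parsed; review by hand"]))
            continue
        if ace["action"] != "permit":
            continue
        reasons = []
        if ace["proto"] == "ip":
            reasons.append("permits every protocol and port")
        elif ace["proto"] in ("tcp", "udp") and ace["op"] is None:
            reasons.append(f"permits every {ace['proto']} port to the destination")
        if ace["src"] == "any" and ace["dst"] == "any":
            reasons.append("any source to any destination")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in audit_acl(SAMPLE_ACL):
        print(line)
        for r in reasons:
            print("   -", r)
```

Run it over the output of `show running-config access-list`; an inbound mail rule that survives the audit looks like the 105 line (one host, one port), and anything it flags on an ACL applied to the DMZ is a hole in the segmentation Chad describes.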

13 REPLIES


New Member

Re: smtp not working-200****

Hi, I'm unable to telnet to the NAT IP of the Exchange server on port 25.

access-list 105 extended permit tcp any host exch_ip eq smtp

access-group 105 in interface outside

What are the other ports to be opened for accessing SMTP from outside?

regards

Rajesh P


New Member

Re: smtp not working-200****

Hi Chad,

I feel the ISP has to allow port 25 for inbound traffic from outside, because even after giving ip any any it does not come up, whereas another static IP is accessible from outside on port 443.

So I strongly believe it's an ISP issue.

regards

Rajesh

Silver

Re: smtp not working-200****

Being that you were getting the error before, I would say they're not.

220 ***************************************************************************************

helo

500 5.3.3 Unrecognized command

If they blocked port 25 you would have not gotten that far.

Thanks,

Chad

New Member

Re: smtp not working-200****

Hi,

Error 200*** was taken from the local segment and it's working at present after disabling inspect esmtp.

But we were getting only a black screen when we telnet from outside. So I suspected it's an ISP issue. Informed the ISP and they also confirmed that it's their end problem and opened port 25. Now from outside we are able to telnet to port 25.

So, everything is working fine...

Thanks a lot Chad ..

regards

Rajesh P


New Member

Re: smtp not working-200****

Hi Chad,

You are damn good in security, I really appreciate it.

Actually I disabled it yesterday itself and found SMTP is working now.

But anyway, you have given me the ultimate solution. Thanks, thanks a lot.

I have one more doubt. I have enabled ACL permit tcp any to smtp_server eq 25, and applied it with access-group in interface outside.

Apart from my laptop, which has a Tata Indicom datacard, no one else is able to telnet to 25 from the outside world. I am able to telnet to 25 (SMTP server). Do you think that could be an ISP issue?

Your reply is precious..

regards

Rajesh

Silver

Re: smtp not working-200****

There is the possibility that your ISP would block port 25 traffic. Usually done if you're using a consumer account. If it is a business account it should not be an issue.

Your firewall seems ok since it allowed you to telnet. Although there could be another rule causing problems. Feel free to post the config (minus passwords, also mask part of the beginning IPs).

Could also be the settings on your mail server.

Set up a packet capture on the firewall to see if the traffic is actually making it to the firewall. Turn on logging to see if it's getting denied. If it's not, debug from your mail server.

ASA Capture:

access-list cap permit tcp any host MAIL_SRVR_EXTERNAL_IP eq 25

capture smtp_cap access-list cap interface outside buffer BUFFER_SIZE_BYTES

View capture from CLI:

show cap smtp_cap

Download capture (.pcap):

https://FIREWALL_IP/capture/smtp_cap/pcap

Remove the ACL and Capture when done.

Use wireshark to review the capture.

Hope this helps.

Chad

Please rate posts if helpful!!
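An added example, not part of Chad's post, of the "use wireshark to review the capture" step done in Python: it reads a libpcap file (assumed to be the little-endian Ethernet-framed format the /capture/NAME/pcap download produces) and, per client, reports whether a SYN to port 25 was answered with a SYN/ACK. A SYN that is captured on the outside interface but never answered points at the firewall (ACL, NAT) or the server behind it rather than the ISP; no SYN at all points upstream. The addresses, frames and file are constructed inline so it runs offline.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4       # little-endian, microsecond-resolution libpcap
LINKTYPE_ETHERNET = 1
SYN, ACK = 0x02, 0x10


def _tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left 0; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"   # dst MAC, src MAC, IPv4 ethertype
    return eth + ip + tcp


def make_pcap(frames) -> bytes:
    """Wrap frames in a libpcap file (constructed test data, not a real capture)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def summarize_port(pcap: bytes, port: int = 25) -> dict:
    """{(client, server): {'syn': n, 'synack': n}} for TCP traffic to/from the given port."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + caplen]
        off += caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                  # not TCP
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags = tcp[13]
        if dport == port and flags & SYN and not flags & ACK:
            flows[(src, dst)]["syn"] += 1             # client's connection attempt
        elif sport == port and flags & SYN and flags & ACK:
            flows[(dst, src)]["synack"] += 1          # server's answer to it
    return dict(flows)


def diagnose(flows: dict) -> dict:
    """'answered' when a SYN/ACK was seen for the client, otherwise 'unanswered'."""
    return {k: ("answered" if v["synack"] else "unanswered") for k, v in flows.items()}


# Constructed capture: one client gets an answer, another only retransmits its SYN.
SAMPLE_PCAP = make_pcap([
    _tcp_frame("198.51.100.7", "203.0.113.25", 40001, 25, SYN),
    _tcp_frame("203.0.113.25", "198.51.100.7", 25, 40001, SYN | ACK),
    _tcp_frame("198.51.100.9", "203.0.113.25", 40002, 25, SYN),
    _tcp_frame("198.51.100.9", "203.0.113.25", 40002, 25, SYN),
])

if __name__ == "__main__":
    for flow, verdict in diagnose(summarize_port(SAMPLE_PCAP)).items():
        print(flow, verdict)
```

Pass the downloaded file's bytes to summarize_port to use it on a real capture; the verdict per client is the same question Chad's logging step answers, only read off the wire instead of syslog.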

New Member

Re: smtp not working-200****

Hi Chad,

I am attaching the complete configuration ..

Now the situation is that, from inside as well as from outside, "telnet 10.10.10.10 25" is not working. It gives "could not open port 25 on the host".

Please help ..

regards

Rajesh P

New Member

Re: smtp not working-200****

Hi Chad,

From the ASDM logs, I found the connection is getting established between the local host and the Exchange server when telnetting to port 25.

regards

Rajesh

Re: smtp not working-200****

no nat (dmz) 0 access-list 121

no access-group 144 out interface inside

no access-group 133 out interface dmz

New Member

Re: smtp not working-200****

The quick solution is to take out inspect (e)smtp from the policy applied to that interface. From the docs you would expect ESMTP inspection to work, but it may not in some cases. Taking it out is a quick fix.

Satya
