Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can't get SMTP to bypass ASA5510

I have a one to one nat setup and access lists configured. I can't seem to be able to translate any port. Something must be wrong...

Here is my config:

ASA Version 8.2(2)19

!

hostname *****-DC-SR1-5510-1

domain-name ***.local

enable password ds4hdW4uvMnfKnfo encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.245.2.0 ***LAN description 10.245.2.x

name 10.245.2.14 ****vox description Phone System

name x.x.156.154 mchamberland description Mike's Static Home IP

name 10.245.50.0 VPNLAN

name 10.245.253.1 Inside

name 10.245.2.25 ***AD01 description Radius Server 1

name x.x.102.142 Outside_SIP

name x.x.60.91 Outside_SIP_Gateway description Fiber

name 10.245.2.44 Internal_SMTP_Server

name x.x.102.131 External_SMTP_Server

!

interface Ethernet0/0

description Fiber

nameif outside

security-level 0

ip address x.x.102.130 255.255.255.240

!

interface Ethernet0/1

description Cable

shutdown

nameif Outside2

security-level 0

ip address dhcp setroute

!

interface Ethernet0/2

nameif inside

security-level 100

ip address Inside 255.255.255.0

!

interface Ethernet0/3

shutdown

nameif Inside2

security-level 100

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.245.1.2 255.255.255.0

management-only

!

boot system disk0:/asa822-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name ***.local

same-security-traffic permit inter-interface

object-group service RTP udp

port-object range 10000 20000

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group network Outside_SIP_Group

description SIP Acces to *****vox

network-object host mchamberland

network-object host Outside_SIP_Gateway

access-list outside_access_in extended permit icmp ***LAN 255.255.255.0 any echo-reply

access-list outside_access_in extended permit esp ***LAN 255.255.255.0 host x.x.182.76

access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq isakmp host 64.85.182.76

access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq 4500 host 64.85.182.76

access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq 1701 host 64.85.182.76

access-list outside_access_in extended permit tcp any eq smtp host External_SMTP_Server eq smtp

access-list outside_access_in extended permit ip object-group Outside_SIP_Group host *****vox

access-list outside_access_in extended permit tcp any any eq telnet

access-list ***VPN_splitTunnelAcl standard permit ***LAN 255.255.255.0

access-list ***VPN_splitTunnelAcl standard permit 10.245.253.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip ***LAN 255.255.255.0 VPNLAN 255.255.255.0

access-list inside_access_out extended deny tcp any any eq telnet

pager lines 24

logging enable

logging timestamp

logging trap notifications

logging asdm informational

logging host inside 10.245.2.21

mtu outside 1500

mtu Outside2 1500

mtu inside 1500

mtu Inside2 1500

mtu management 1500

ip local pool ***VPNPOOL 10.245.50.50-10.245.50.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-632.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,outside) Outside_SIP *****vox netmask 255.255.255.255

static (outside,inside) *****vox Outside_SIP netmask 255.255.255.255

static (inside,outside) External_SMTP_Server Internal_SMTP_Server netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_out out interface inside

!

route outside 0.0.0.0 0.0.0.0 x.x.102.129 1

route inside 10.245.1.0 255.255.255.0 10.245.253.2 1

route inside ***LAN 255.255.255.0 10.245.253.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Radius protocol radius

aaa-server Radius (inside) host ***AD01

key *****

radius-common-pw *****

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http ***LAN 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map type inspect sip Default

parameters

  max-forwards-validation action drop log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect pptp

  inspect sip

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:a5a816524a34b550a467e0c7e0c48c90

: end

8 REPLIES

Re: Can't get SMTP to bypass ASA5510

Hi,

Is this what you're referring to?

static (inside,outside) External_SMTP_Server Internal_SMTP_Server netmask 255.255.255.255

access-list outside_access_in extended permit tcp any eq smtp host External_SMTP_Server eq smtp

In order to reach the SMTP server from the outside you need to do the following:

no access-list outside_access_in extended permit tcp any eq smtp host External_SMTP_Server eq smtp

access-list outside_access_in extended permit tcp any host External_SMTP_Server eq smtp

If you see, I changed the source port on the ACL from SMTP to any.

This is because if you want to reach the SMTP server from the outside, the destination port is TCP 25, but the source port is unknown.

Try the above and let us know.

Federico.

New Member

Re: Can't get SMTP to bypass ASA5510

That's the entries...

Made the change, at least I am getting hits on the ACL now. The problem is I am getting denied by my inside_access_out ACL's. So confusing...

Here is the error(I am running the SMTP test from mxtoolbox.com):

4Nov 09 201008:27:2164.20.227.13350714External_SMTP_Server25Deny tcp src outside:64.20.227.133/50714 dst inside:External_SMTP_Server/25 by access-group "inside_access_out" [0x0, 0x0]

Re: Can't get SMTP to bypass ASA5510

The outbound traffic is controlled by the inside_access_out ACL.

There's only one statement in it and it's a deny rule, this means no outbound traffic is permitted.

You should include permit statements in that ACL to allow outgoing traffic.

For example to allow IP access outbound from the SMTP server:

access-list inside_access_out permit ip host SMTP_SERVER any

Federico.

New Member

Re: Can't get SMTP to bypass ASA5510

this is in:

access-list inside_access_out extended permit ip host Internal_SMTP_Server any

now I am getting this error:

4Nov 09 201009:19:5664.20.227.13354914External_SMTP_Server25Deny tcp src outside:64.20.227.133/54914 dst inside:External_SMTP_Server/25 by access-group "inside_access_out" [0x0, 0x0]

Re: Can't get SMTP to bypass ASA5510

There's something wrong here:

You're attempting a connection from the outside (inbound) and the error is by the ACL applied to the inside interface.

Can you please post the following:

sh run static

sh run access-list

sh run access-group

Federico.

New Member

Re: Can't get SMTP to bypass ASA5510

Tell me about it, it's confusing me to no end...

Here's the output:

sh run static
static (inside,outside) tcp External_SMTP_Server smtp Internal_SMTP_Server smtp netmask 255.255.255.255
static (inside,outside) Outside_SIP Switchvox netmask 255.255.255.255
static (outside,inside) Switchvox Outside_SIP netmask 255.255.255.255

sh run access-list
access-list outside_access_in extended permit icmp ***LAN 255.255.255.0 any echo-reply
access-list outside_access_in extended permit esp ***LAN 255.255.255.0 host x.x.182.76
access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq isakmp host 64.85.182.76
access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq 4500 host 64.85.182.76
access-list outside_access_in extended permit udp ***LAN 255.255.255.0 eq 1701 host 64.85.182.76
access-list outside_access_in extended permit tcp any host External_SMTP_Server eq smtp
access-list outside_access_in extended permit ip object-group Outside_SIP_Group host *****vox
access-list outside_access_in extended deny tcp any any eq telnet
access-list ***VPN_splitTunnelAcl standard permit ***LAN 255.255.255.0
access-list ***VPN_splitTunnelAcl standard permit 10.245.253.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip ***LAN 255.255.255.0 VPNLAN 255.255.255.0
access-list inside_access_out extended permit ip host Internal_SMTP_Server any
access-list inside_access_out extended deny tcp any eq telnet any eq telnet

sh run access-group
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside

Re: Can't get SMTP to bypass ASA5510

Yes, the error is not correct with the config, but let's do the following:

packet-tracer input outside tcp 64.20.227.133 1024 External_SMTP_Server 25 det

Or via ASDM you can do it.... to simulate the connection to see if you get the same report from the ASA.

Federico.

Re: Can't get SMTP to bypass ASA5510

sh run access-group
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside

The above output says you have access list inside_access_out in OUT direction which is blocking the traffic ,

do this :-

no access-group inside_access_out out interface inside

access-group inside_access_out in interface inside

Thanks

Manish

552
Views
0
Helpful
8
Replies
CreatePlease login to create content