nytechnoguru
asked on
Having trouble with SMTP and ASA 5520
I am having trouble getting SMTP traffic to my email server from the outside. Attached is the config. Any help would be appreciated!
ASA Version 7.0(5)
!
! NOTE(review): this is the device's live running-config. The "encrypted"
! strings on the enable password, passwd and username lines are the real
! credential hashes (the 7.x hash is weak); redact them before posting a
! config anywhere public, and rotate the passwords now that they are exposed.
!
hostname ASA5520-1
domain-name default.domain.invalid
enable password NRoXq8kCCb4g.z.n encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
! The public address is a DHCP lease. Everything published inbound (the MX
! record, and any static/ACL that says "interface") follows whatever address
! the ISP hands out, so mail delivery breaks each time the lease changes.
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 90
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 0qIpoWH6/P3x3Q06 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server 4.2.2.2
! TCP ports the mail/web server 10.0.0.5 is meant to expose to the Internet.
object-group service BMM_Server tcp
description Ports for BMM Server
port-object eq www
port-object eq https
port-object eq smtp
! NOTE(review): on this pre-8.3 release an inbound ACL is evaluated against
! the packet as it arrives on "outside", i.e. against the public (mapped)
! destination address. Internet traffic is never addressed to 10.0.0.3 or
! 10.0.0.5, so neither of the next two entries can match it. There is also
! no "static (inside,outside) ..." for either host: "nat 1"/"global 1
! interface" below only create translations for outbound sessions, so an
! unsolicited inbound SMTP SYN has no xlate to follow and is dropped before
! the ACL is even relevant. Both problems are what the later revision fixes
! with "interface outside" in the ACL and per-port statics.
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
! NOTE(review): the object-group written directly after "any" is in the
! *source*-port position of the ACE (permit tcp SRC [SRC-PORT] DST
! [DST-PORT]). As written this entry only permits sessions whose source
! port is itself 25/80/443; a sending MTA connects from an ephemeral port
! and will not match. Keep the object-group only in the destination-port
! position.
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
! NAT exemption for the remote-access VPN pool: 10.0.0.96/28 (.96-.111)
! covers the 10.0.0.100-110 pool defined below.
access-list inside_nat0_outbound extended permit ip any 10.0.0.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
! VPN client addresses are carved out of the inside subnet itself
! (10.0.0.0/24). That works because the ASA proxy-ARPs for them, but it
! only stays safe while the pool is kept disjoint from the DHCP scope
! (10.0.0.10-50) handed out below.
ip local pool BMM 10.0.0.100-10.0.0.110 mask 255.255.255.0
no failover
! "icmp permit" governs ICMP addressed to the ASA's own interface. A packet
! sourced from the inside host 10.0.0.5 will not arrive on "outside", so
! this entry is effectively a no-op and is probably not what was intended
! (the later revision changes the source to "any").
icmp permit host 10.0.0.5 echo-reply outside
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
! Outbound-only dynamic PAT to the outside interface address. No static
! translation exists in this revision, so nothing is reachable inbound.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BMM internal
group-policy BMM attributes
dns-server value 4.2.2.2 10.0.0.5
webvpn
! Local VPN user. privilege 0 is the minimum and is all a VPN-only account
! needs; the later revision raises it to 15 (full admin) -- see note there.
username nysambart password sdnUx/3yIN/o/DyO encrypted privilege 0
username nysambart attributes
vpn-group-policy BMM
webvpn
! No privilege keyword here (platform default is 2). No "aaa authentication
! ... LOCAL" is configured anywhere in this file, so local usernames are
! currently consumed by the VPN only, not by console/Telnet/SSH/ASDM login.
username digital password p6uB0Zx3drDndZXp encrypted
! ASDM/HTTPS management. 10.0.0.1/32 is the ASA's own inside address (see
! GigabitEthernet0/1), so no inside workstation actually matches this line;
! it was presumably meant to be a specific admin host or 10.0.0.0/24.
http server enable
http 10.0.0.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Remote-access IPsec: 3DES/MD5, DH group 2, group pre-shared key. 7.0
! already supports AES and SHA-1 (esp-aes / esp-sha-hmac, "hash sha"); the
! 3DES/MD5 pair is a legacy choice and should be moved off when the
! clients allow it.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BMM type ipsec-ra
tunnel-group BMM general-attributes
address-pool BMM
default-group-policy BMM
tunnel-group BMM ipsec-attributes
! The PSK is the one secret "show run" masks ("*"); the password hashes
! above are not masked.
pre-shared-key *
! NOTE(review): Telnet is cleartext device management, open to the whole
! inside /24, and "console timeout 0" never expires a console session.
! Prefer SSH ("crypto key generate rsa ..." then "ssh 10.0.0.0
! 255.255.255.0 inside") and remove the telnet line once SSH is verified.
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
! The ASA is the DHCP server for both inside and the management interface.
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
! ESMTP inspection is present here but removed in the later revision while
! troubleshooting delivery. It is designed to restrict the SMTP command set
! and mask the server banner, so dropping it removes a protocol check;
! re-evaluate it once the translation/ACL problem is fixed rather than
! leaving it off by default.
inspect esmtp
!
service-policy global_policy global
Cryptochecksum:94843041f15 7f9cb76fa4 4734a02099 1
: end
ASKER
Should I remove the following:
object-group service BMM_Server tcp
description Ports for BMM Server
port-object eq www
port-object eq https
port-object eq smtp
! NOTE(review): the object-group right after "any" is in the *source*-port
! position of the ACE, so this entry only matches sessions that originate
! from port 25/80/443 -- not the ephemeral source ports real clients use.
! Keep the object-group in the destination-port position only. On this
! pre-8.3 release the destination should also be the mapped address
! ("interface outside"), not the private 10.0.0.5.
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
You don't have to, but if you want to allow those 3 ports inbound to your server, you'll need to leave it in. Did you understand my statement about obtaining a static public IP address? If you have a service that you want to advertise to the world, in this case a mail server, you really should have a public IP address that doesn't change so that you know mail flow will be stable.
ASKER
I've been using DHCP with my email server for some time now, but I just recently changed the firewall, so a new IP was issued because of the new MAC address. Most of the DNS changes have propagated, and I'm sure I have to wait until the next DNS update to make sure the IPs/hostnames are updated. Unfortunately, the service doesn't provide static IPs, which I would rather have, but in this case the email server isn't critical.
Then you should be set.
ASKER
I will let you know tomorrow once I'm sure that all the DNS changes have propagated.
Thanks!
ASKER
I checked some DNS settings from other networks and my DNS is resolving to the correct IP, but I'm getting mail bounced back with the following response:
TCP active open: Failed connect() Error: Connection refused
Any thoughts on what might be causing this? I've included an updated config:
ASA Version 7.0(5)
!
! NOTE(review): updated running-config. The enable password, passwd and
! username hashes below are real credentials (the 7.x hash is weak); redact
! them before posting and rotate the passwords now that they are exposed.
!
hostname ASA5520-1
domain-name default.domain.invalid
enable password NRoXq8kCCb4g.z.n encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
! Public address is a DHCP lease. The statics and ACL below use the
! "interface" keyword, so port-forwarding follows the lease automatically;
! only the MX/A record has to be updated when the address changes.
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 90
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 0qIpoWH6/P3x3Q06 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
! (The earlier revision's "dns domain-lookup inside" / "dns name-server"
! lines are gone in this one; only the ASA's own name resolution is affected.)
!
! TCP ports the mail/web server 10.0.0.5 is meant to expose to the Internet.
object-group service BMM_Server tcp
description Ports for BMM Server
port-object eq www
port-object eq https
port-object eq smtp
! NOTE(review): on this pre-8.3 release inbound ACLs match the public
! (mapped) destination address. 10.0.0.3 never appears as a destination on
! the outside wire and has no static, so this entry cannot match Internet
! traffic -- it is dead but also harmless; remove it rather than leave a
! 10,000-port permit lying around.
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
! The next two physical lines are ONE command broken by terminal line-wrap
! in the paste ("... interface outside object-group BMM_Server").
! "interface outside" as the destination is the correct form for this
! release. NOTE(review): the object-group written directly after "any" is
! still in the *source*-port position, so this ACE only permits sessions
! whose source port is 25/80/443; a sending MTA uses an ephemeral source
! port and will not match. Drop the first object-group:
!   access-list outside_access_in extended permit tcp any interface outside object-group BMM_Server
! (Also note: a SYN denied by this ACL is silently dropped -- there is no
! "service resetinbound" here -- so the remote MTA would see a timeout, not
! "Connection refused". A refusal means a RST came back from something that
! the SYN reached: check that 10.0.0.5 is actually listening on 25 and that
! the ISP is not intercepting TCP/25 on its dynamic-IP service; "show
! xlate", "show conn" and "show access-list" hit counts on the ASA will
! show whether the SYN was translated and permitted.)
access-list outside_access_in extended permit tcp any object-group BMM_Server interface outside obje
ct-group BMM_Server
! Left over from the first revision; it can never match inbound traffic on
! this release (private destination address) and carries the same
! source-port mistake. Remove it.
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
! NAT exemption for the VPN pool (10.0.0.96/28 covers 10.0.0.100-110).
access-list inside_nat0_outbound extended permit ip any 10.0.0.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
! VPN pool is carved out of the inside /24; keep it disjoint from the DHCP
! scope (10.0.0.10-50) below.
ip local pool BMM 10.0.0.100-10.0.0.110 mask 255.255.255.0
no failover
! Allow echo replies to the ASA's own outside interface (so pings issued
! from the ASA itself get their answers). This is ICMP to the box, not
! through it.
icmp permit any echo-reply outside
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
! Outbound dynamic PAT to the outside interface address.
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
! Static PAT: TCP 25/80/443 on the outside interface address are forwarded
! to 10.0.0.5. These are what the first revision was missing; they still
! need a matching permit in outside_access_in (see the ACL note above).
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BMM internal
group-policy BMM attributes
dns-server value 4.2.2.2 10.0.0.5
webvpn
! NOTE(review): this VPN account was privilege 0 in the first revision and
! is now privilege 15 -- full administrative rights. Nothing about the VPN
! tunnel-group/group-policy uses the privilege level, and no "aaa
! authentication ... LOCAL" is configured yet, so it is inert today; the
! moment local authentication is enabled for SSH/Telnet/ASDM this VPN
! password becomes a full admin login. Keep VPN-only users at privilege 0.
username nysambart password sdnUx/3yIN/o/DyO encrypted privilege 15
username nysambart attributes
vpn-group-policy BMM
webvpn
! No privilege keyword (platform default is 2).
username digital password p6uB0Zx3drDndZXp encrypted
! ASDM/HTTPS management. 10.0.0.1/32 is the ASA's own inside address, so no
! inside workstation matches this line; presumably meant to be an admin
! host or 10.0.0.0/24.
http server enable
http 10.0.0.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Remote-access IPsec: 3DES/MD5, DH group 2, group PSK. 7.0 supports AES
! and SHA-1; move to esp-aes / esp-sha-hmac and "hash sha" when the clients
! allow it.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BMM type ipsec-ra
tunnel-group BMM general-attributes
address-pool BMM
default-group-policy BMM
tunnel-group BMM ipsec-attributes
! The PSK is the one secret "show run" masks; the hashes above are not.
pre-shared-key *
! NOTE(review): cleartext Telnet management from the whole inside /24, with
! the idle timeout now raised to 15 minutes, and a console session that
! never times out. Prefer SSH ("crypto key generate rsa ..." then
! "ssh 10.0.0.0 255.255.255.0 inside") and remove the telnet line.
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
! The ASA is the DHCP server for inside and management; clients on inside
! are handed the public resolvers 4.2.2.2 / 4.2.2.1.
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 4.2.2.2 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
! "inspect esmtp" from the first revision has been removed. That is a fair
! troubleshooting step, but it also drops the SMTP protocol check; decide
! deliberately whether to re-add it once mail flows.
!
service-policy global_policy global
Cryptochecksum:7a6b98c3284 23adf0d10e 04295bdd4f 5
: end
ASKER CERTIFIED SOLUTION
! Static PAT: forward TCP 25/80/443 on the outside interface address to
! 10.0.0.5. On this 7.0 release the statics alone are not enough -- the
! inbound ACL on "outside" must also permit those destination ports to
! "interface outside" (the mapped address, not 10.0.0.5), with the port
! object-group in the destination-port position only.
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.0.0.5 443 netmask 255.255.255.255
These statements port-forward TCP 25, TCP 80 and TCP 443 (HTTPS) from the ASA's outside interface IP address to the 10.0.0.5 server. On this 7.0 release the inbound ACL on the outside interface must also permit those destination ports to `interface outside` (the mapped address), with the port object-group in the destination-port position only — otherwise the statics are never used. You should really look at getting a static public IP address if you're going to run your own internal mail server, since the MX record has to point at an address that does not change for mail flow to work.