Solved

Having trouble with SMTP and ASA 5520

Posted on 2007-03-23
8
724 Views
Last Modified: 2012-06-27
I am having trouble getting SMTP traffic to my email server from the outside. Attached is the config. Any help would be appreciated!

ASA Version 7.0(5)
!
hostname ASA5520-1
domain-name default.domain.invalid
enable password NRoXq8kCCb4g.z.n encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 90
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 0qIpoWH6/P3x3Q06 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server 4.2.2.2
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
access-list inside_nat0_outbound extended permit ip any 10.0.0.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BMM 10.0.0.100-10.0.0.110 mask 255.255.255.0
no failover
icmp permit host 10.0.0.5 echo-reply outside
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BMM internal
group-policy BMM attributes
 dns-server value 4.2.2.2 10.0.0.5
 webvpn
username nysambart password sdnUx/3yIN/o/DyO encrypted privilege 0
username nysambart attributes
 vpn-group-policy BMM
 webvpn
username digital password p6uB0Zx3drDndZXp encrypted
http server enable
http 10.0.0.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BMM type ipsec-ra
tunnel-group BMM general-attributes
 address-pool BMM
 default-group-policy BMM
tunnel-group BMM ipsec-attributes
 pre-shared-key *
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
!
service-policy global_policy global
Cryptochecksum:94843041f157f9cb76fa44734a020991
: end
Question by:nytechnoguru
8 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 18780513
You need to create a static translation for your mail server.  Since you are using DHCP to obtain your outside interface IP address, we will have to use port redirection from the outside interface IP address for the translation to your mail server.  If you have other public IP addresses available, you can use those, but looking at your posted config we'll have to go with the interface IP address itself.  Put in these commands and see if it helps:

static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.0.0.5 443 netmask 255.255.255.255

These statements will port forward TCP 25, TCP 80 and TCP 443 (https) from the outside interface IP address of the ASA to the 10.0.0.5 server.  You should really see about getting a static public IP address if you're going to be running your own internal mail server since you'll need to setup the MX record for mail flow to work.
0
 
LVL 2

Author Comment

by:nytechnoguru
ID: 18780970
Should I remove the following:
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp

access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18781004
You don't have to, but if you want to allow those 3 ports inbound to your server, you'll need to leave it in.  Did you understand my statement about obtaining a static public IP address?  If you have a service that you want to advertise to the world, in this case a mail server, you really should have a public IP address that doesn't change so that you know mail flow will be stable.
0
 
LVL 2

Author Comment

by:nytechnoguru
ID: 18781061
I've been using the DHCP with my email server for some time now, but just recently changed the firewall. So a new IP was issued due to the new MAC address. Most of the DNS changes have propagated and I'm sure that I have to wait until the next DNS update to make sure that the IPs/hostnames are updated. Unfortunately, the service doesn't provide static IPs which I would rather have, but in this case the email server isn't critical.
0
 
LVL 28

Expert Comment

by:batry_boy
ID: 18781132
Then you should be set.
0
 
LVL 2

Author Comment

by:nytechnoguru
ID: 18781171
I will let you know tomorrow once I'm sure that all the DNS changes have propagated.

Thanks!
0
 
LVL 2

Author Comment

by:nytechnoguru
ID: 18781761
I checked out some DNS settings from other networks and my DNS is resolving to the correct IP, but I'm getting mail back with the following response:
TCP active open: Failed connect()    Error: Connection refused

Any thoughts on what might be causing this? I've included an updated config:
ASA Version 7.0(5)
!
hostname ASA5520-1
domain-name default.domain.invalid
enable password NRoXq8kCCb4g.z.n encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 90
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 0qIpoWH6/P3x3Q06 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
access-list outside_access_in extended permit tcp any object-group BMM_Server interface outside object-group BMM_Server
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
access-list inside_nat0_outbound extended permit ip any 10.0.0.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BMM 10.0.0.100-10.0.0.110 mask 255.255.255.0
no failover
icmp permit any echo-reply outside
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BMM internal
group-policy BMM attributes
 dns-server value 4.2.2.2 10.0.0.5
 webvpn
username nysambart password sdnUx/3yIN/o/DyO encrypted privilege 15
username nysambart attributes
 vpn-group-policy BMM
 webvpn
username digital password p6uB0Zx3drDndZXp encrypted
http server enable
http 10.0.0.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BMM type ipsec-ra
tunnel-group BMM general-attributes
 address-pool BMM
 default-group-policy BMM
tunnel-group BMM ipsec-attributes
 pre-shared-key *
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 4.2.2.2 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:7a6b98c328423adf0d10e04295bdd4f5
: end
0
 
LVL 2

Accepted Solution

by:
nytechnoguru earned 0 total points
ID: 18781772
Also, here is what is shown with a sho nat command:
  match tcp inside host 10.0.0.5 eq 25 outside any
    static translation to 67.80.xxx.xxx/25
    translate_hits = 0, untranslate_hits = 152
0
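As an added check, not from the thread or from Cisco: a Python audit that applies the ASA `permit tcp SRC [SPORT] DST [DPORT]` grammar to the posted ACL lines, in which the service object-group appears both before and after `interface outside`, and then checks whether each interface-PAT `static` has an ACL entry that can actually match it. The sample config is a constructed excerpt of the thread's lines; the port-keyword table is an assumption.

```python
import re

# Constructed excerpt of the ASA 7.0(5) lines under discussion (service group, outside ACL, interface PAT).
SAMPLE_CONFIG = """\
object-group service BMM_Server tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any object-group BMM_Server interface outside object-group BMM_Server
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
"""
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25}  # assumed subset of the ASA port keywords
port_num = lambda t: int(t) if t.isdigit() else PORT_NAMES[t]

def service_groups(cfg):  # object-group name -> set of TCP ports
    return {m[1]: {port_num(p) for p in re.findall(r"\n port-object eq (\S+)", m[2])}
            for m in re.finditer(r"object-group service (\S+) tcp((?:\n .*)*)", cfg)}

def _addr(tok, i):  # any | host X | interface X | object-group X | NET MASK
    return ("any", i + 1) if tok[i] == "any" else (f"{tok[i]} {tok[i + 1]}", i + 2)

def _ports(tok, i, groups):  # eq P | object-group SVC | absent (= any port)
    if tok[i:i + 1] == ["eq"]:
        return {port_num(tok[i + 1])}, i + 2
    if tok[i:i + 1] == ["object-group"] and tok[i + 1] in groups:
        return set(groups[tok[i + 1]]), i + 2
    return None, i

def acl_entries(cfg, groups):
    # ASA grammar: access-list NAME extended permit tcp SRC [SPORT] DST [DPORT] [log ...]
    out = []
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:5] != ["extended", "permit", "tcp"]:
            continue
        _, i = _addr(tok, 5)
        sport, j = _ports(tok, i, groups)
        dst, k = _addr(tok, j)
        dport, _ = _ports(tok, k, groups)
        out.append({"line": line, "sport": sport, "sport_txt": " ".join(tok[i:j]), "dst": dst, "dport": dport})
    return out

def audit(cfg):
    acl, findings = acl_entries(cfg, service_groups(cfg)), []
    for e in acl:  # a port operator before DST limits the client's *source* port, which is ephemeral
        if e["sport"] is not None:
            findings.append(f"source port restricted ({e['sport_txt']}): {e['line']}")
    pat = re.compile(r"static \((\w+),(\w+)\) tcp interface (\S+) (\S+) (\S+) netmask")
    for m in filter(None, map(pat.match, cfg.splitlines())):  # each interface-PAT line
        iface, mport = m[2], port_num(m[3])
        if not any(e["sport"] is None and e["dst"] in ("any", f"interface {iface}")
                   and (e["dport"] is None or mport in e["dport"]) for e in acl):
            findings.append(f"tcp/{mport} -> {m[4]}:{port_num(m[5])} has no effective inbound permit")
    return findings
```

Running `audit(SAMPLE_CONFIG)` flags the source-port restriction and reports the smtp static as having no matching permit; with the object-group kept only in the destination-port position the audit returns no findings.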
