Solved

Having trouble with SMTP and ASA 5520

Posted on 2007-03-23
Last Modified: 2012-06-27
I am having trouble getting SMTP traffic to my email server from the outside. Attached is the config. Any help would be appreciated!

ASA Version 7.0(5)
!
hostname ASA5520-1
domain-name default.domain.invalid
enable password NRoXq8kCCb4g.z.n encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 90
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 0qIpoWH6/P3x3Q06 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server 4.2.2.2
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
access-list inside_nat0_outbound extended permit ip any 10.0.0.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BMM 10.0.0.100-10.0.0.110 mask 255.255.255.0
no failover
icmp permit host 10.0.0.5 echo-reply outside
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BMM internal
group-policy BMM attributes
 dns-server value 4.2.2.2 10.0.0.5
 webvpn
username nysambart password sdnUx/3yIN/o/DyO encrypted privilege 0
username nysambart attributes
 vpn-group-policy BMM
 webvpn
username digital password p6uB0Zx3drDndZXp encrypted
http server enable
http 10.0.0.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BMM type ipsec-ra
tunnel-group BMM general-attributes
 address-pool BMM
 default-group-policy BMM
tunnel-group BMM ipsec-attributes
 pre-shared-key *
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect esmtp
!
service-policy global_policy global
Cryptochecksum:94843041f157f9cb76fa44734a020991
: end
Question by:nytechnoguru
Expert Comment by:batry_boy
You need to create a static translation for your mail server.  Since you are using DHCP to obtain your outside interface IP address, we will have to use port redirection from the outside interface IP address for the translation to your mail server.  If you have other public IP addresses available, you can use those, but looking at your posted config we'll have to go with the interface IP address itself.  Put in these commands and see if it helps:

static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.0.0.5 443 netmask 255.255.255.255

These statements will port forward TCP 25, TCP 80 and TCP 443 (https) from the outside interface IP address of the ASA to the 10.0.0.5 server.  You should really see about getting a static public IP address if you're going to be running your own internal mail server since you'll need to set up the MX record for mail flow to work.

Author Comment by:nytechnoguru
Should I remove the following:
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp

access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1

Expert Comment by:batry_boy
You don't have to, but if you want to allow those 3 ports inbound to your server, you'll need to leave it in.  Did you understand my statement about obtaining a static public IP address?  If you have a service that you want to advertise to the world, in this case a mail server, you really should have a public IP address that doesn't change so that you know mail flow will be stable.

Author Comment by:nytechnoguru
I've been using the DHCP with my email server for some time now, but just recently changed the firewall. So a new IP was issued due to the new MAC address. Most of the DNS changes have propagated and I'm sure that I have to wait until the next DNS update to make sure that the IPs/hostnames are updated. Unfortunately, the service doesn't provide static IPs which I would rather have, but in this case the email server isn't critical.

Expert Comment by:batry_boy
Then you should be set.

Author Comment by:nytechnoguru
I will let you know tomorrow once I'm sure that all the DNS changes have propagated.

Thanks!

Author Comment by:nytechnoguru
I checked out some DNS settings from other networks and my DNS is resolving to the correct IP, but I'm getting mail back with the following response:
TCP active open: Failed connect()    Error: Connection refused

Any thoughts on what might be causing this? I've included an updated config:
ASA Version 7.0(5)
!
hostname ASA5520-1
domain-name default.domain.invalid
enable password NRoXq8kCCb4g.z.n encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 90
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 0qIpoWH6/P3x3Q06 encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
access-list outside_access_in extended permit tcp any object-group BMM_Server interface outside object-group BMM_Server
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
access-list inside_nat0_outbound extended permit ip any 10.0.0.96 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool BMM 10.0.0.100-10.0.0.110 mask 255.255.255.0
no failover
icmp permit any echo-reply outside
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy BMM internal
group-policy BMM attributes
 dns-server value 4.2.2.2 10.0.0.5
 webvpn
username nysambart password sdnUx/3yIN/o/DyO encrypted privilege 15
username nysambart attributes
 vpn-group-policy BMM
 webvpn
username digital password p6uB0Zx3drDndZXp encrypted
http server enable
http 10.0.0.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BMM type ipsec-ra
tunnel-group BMM general-attributes
 address-pool BMM
 default-group-policy BMM
tunnel-group BMM ipsec-attributes
 pre-shared-key *
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.50 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 4.2.2.2 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config inside
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:7a6b98c328423adf0d10e04295bdd4f5
: end

Accepted Solution by:nytechnoguru
Also, here is what is shown with a sho nat command:
  match tcp inside host 10.0.0.5 eq 25 outside any
    static translation to 67.80.xxx.xxx/25
    translate_hits = 0, untranslate_hits = 152
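
As an added example (not code from the thread, from Experts Exchange or from Cisco), the following Python script models the two checks that batry_boy's port-redirection advice and the updated config above rely on: a `static (inside,outside) tcp interface ...` entry that un-translates the mapped port, and the `outside_access_in` ACL, which on this ASA release (pre-8.3 NAT) is evaluated against the mapped address, i.e. the outside interface address rather than 10.0.0.5. It parses the object-group, static and access-list lines quoted from the second posted config and walks a constructed inbound SMTP connection (ephemeral source port to the outside address on TCP 25) through them. With the posted ACEs the flow matches nothing, because a service object-group placed between the source and destination arguments restricts the source port as well as the destination port, and a remote MTA does not connect from port 25, 80 or 443; an assumed alternative ACE with the group only on the destination side does match. The function names, the alternative ACE and the sample addresses are assumptions made for this example.

```python
"""Added example (not from the thread or from Cisco): a checker for the pre-8.3
ASA pattern above, a 'static ... tcp interface' port redirection plus the
'outside_access_in' ACL, which the ASA evaluates against the mapped (public)
address. Function names, the alternative ACE and the sample flow are assumptions."""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ssh": 22}

def port_num(tok):
    """Resolve an ASA port keyword ('smtp') or a number ('25') to an int."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(tok, i):
    """ACE address argument: any | host A | interface NAME | A MASK -> ((kind, value), next)."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2

def _ports(tok, i, groups):
    """Optional port argument after an address; None means 'any port'."""
    if i < len(tok):
        if tok[i] == "eq":
            return {port_num(tok[i + 1])}, i + 2
        if tok[i] == "range":
            return set(range(port_num(tok[i + 1]), port_num(tok[i + 2]) + 1)), i + 3
        if tok[i] == "object-group" and tok[i + 1] in groups:
            return set(groups[tok[i + 1]]), i + 2
    return None, i

def parse_config(text):
    """Collect service object-groups, interface statics and extended ACEs
    (network object-groups used as address arguments are not handled here)."""
    pol, group = {"groups": {}, "statics": [], "acls": {}}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if line.startswith(" ") and group is not None:  # member line of an object-group
            if tok[0] == "port-object" and tok[1] == "eq":
                pol["groups"][group].add(port_num(tok[2]))
            elif tok[0] == "port-object" and tok[1] == "range":
                pol["groups"][group].update(range(port_num(tok[2]), port_num(tok[3]) + 1))
            continue
        group = None
        if tok[0] == "object-group" and tok[1] == "service":
            group = tok[2]
            pol["groups"].setdefault(group, set())
        elif tok[0] == "static" and tok[2] == "tcp" and tok[3] == "interface":
            # static (inside,outside) tcp interface MAPPED REAL_IP REAL_PORT netmask ...
            pol["statics"].append((port_num(tok[4]), tok[5], port_num(tok[6])))
        elif tok[0] == "access-list" and tok[2] == "extended":
            # access-list NAME extended ACTION PROTO SRC [SPORTS] DST [DPORTS] [log ...]
            src, i = _addr(tok, 5)
            sp, i = _ports(tok, i, pol["groups"])
            dst, i = _addr(tok, i)
            dp, _ = _ports(tok, i, pol["groups"])
            pol["acls"].setdefault(tok[1], []).append(
                {"action": tok[3], "proto": tok[4], "src": src, "sp": sp,
                 "dst": dst, "dp": dp, "text": line.strip()})
    return pol

def _matches(spec, addr):
    """addr is an IP string, or 'interface:<nameif>' for the ASA's own address."""
    kind, val = spec
    if kind == "any":
        return True
    if kind == "interface" or addr.startswith("interface:"):
        return kind == "interface" and addr == f"interface:{val}"
    return addr == val if kind == "host" else ipaddress.ip_address(addr) in val

def check_inbound(pol, src_ip, src_port, dst, dst_port, acl="outside_access_in"):
    """Step 1: find the static that un-translates the mapped TCP port.  Step 2:
    evaluate the inbound ACL against the mapped address; first match wins,
    and no match is the implicit deny."""
    real = next(((ip, rp) for mp, ip, rp in pol["statics"] if mp == dst_port), None)
    res = {"static_target": real, "matched_ace": None, "permitted": False}
    for a in pol["acls"].get(acl, []):
        if (a["proto"] in ("ip", "tcp") and _matches(a["src"], src_ip)
                and (a["sp"] is None or src_port in a["sp"])
                and _matches(a["dst"], dst)
                and (a["dp"] is None or dst_port in a["dp"])):
            res.update(matched_ace=a["text"], permitted=a["action"] == "permit")
            break
    return res

# Quoted from the updated config posted in the thread.
THREAD_CONFIG = """\
object-group service BMM_Server tcp
 description Ports for BMM Server
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list outside_access_in extended permit tcp any range 10000 20000 host 10.0.0.3
access-list outside_access_in extended permit tcp any object-group BMM_Server interface outside object-group BMM_Server
access-list outside_access_in extended permit tcp any object-group BMM_Server host 10.0.0.5 object-group BMM_Server log interval 1
static (inside,outside) tcp interface smtp 10.0.0.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.5 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.0.0.5 https netmask 255.255.255.255
"""
# Assumed alternative ACE (not from the thread): destination ports only, no source-port group.
ALT_ACE = "access-list outside_access_in extended permit tcp any interface outside object-group BMM_Server\n"

def evaluate_smtp(config_text):
    """Constructed sample flow: a remote MTA on an ephemeral port to the outside address, TCP 25."""
    return check_inbound(parse_config(config_text), "198.51.100.7", 51234, "interface:outside", 25)
```

`evaluate_smtp(THREAD_CONFIG)` reports the static target `("10.0.0.5", 25)` with `permitted` False and no matching ACE, while `evaluate_smtp(THREAD_CONFIG + ALT_ACE)` reports the alternative ACE as the match. On the box itself the equivalent check is the hit counter on each ACE in `show access-list`, next to the translate/untranslate counters of `show nat` quoted above.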