• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco Firewall 5510 ASA not allowing Exchange emails

I am using a Cisco firewall and emails are not going in to the Exchange server.

I got a new Cisco firewall and I am not able to receive emails from the outside. I can send email internally but I am not able to receive emails from the outside.

Email goes to the Cisco firewall, then the Barracuda device, then it comes to my Exchange on port 25. Another thing: if I go to http://66.120.127.3/exchange I am not able to get to my Outlook Web Access.

Cisco firewall configuration:

Result of the command: "show config"

: Saved
: Written by enable_15 at 16:31:38.889 PDT Sun Sep 30 2007
!
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 66.120.127.3 255.255.255.192
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.192.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name hbr.ads.inc
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service BarracudaLogin tcp
 description 8000
 port-object eq 8000
object-group service ProductionWebsite tcp
 description Production Website
 port-object eq 88
object-group service DSProxy tcp
 description DS Proxy
 port-object eq 6004
object-group service DSStore tcp
 description Store and DS Referal
 port-object eq 6001
 port-object eq 6002
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service EndPointMapper tcp
 description End Point Mapper
 port-object eq 593
object-group service DM_INLINE_TCP_2 tcp
 group-object DSProxy
 group-object DSStore
 port-object eq pop3
 group-object EndPointMapper
object-group service DM_INLINE_TCP_3 tcp
 group-object BarracudaLogin
 port-object eq domain
 port-object eq smtp
 port-object eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object host 10.0.0.3
 network-object host 10.0.0.50
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.108 object-group ProductionWebsite
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.3 object-group DM_INLINE_TCP_3
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.156 eq pptp
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.50 object-group DM_INLINE_TCP_2
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.9 eq citrix-ica
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.55 eq ftp
access-list Outside_access_in extended permit udp 66.120.127.0 255.255.255.192 host 10.0.0.3 eq ntp
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 66.120.127.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.192.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.0.1.1-10.0.1.254 Inside
dhcpd dns 10.0.0.54 10.0.0.58 interface Inside
dhcpd wins 10.0.0.54 10.0.0.58 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2935fd3fb61c8b19999737938340dd87
Asked by: jwjones2000
1 Solution
 
Pete Long (Consultant) commented:
You have no static translations for SMTP?

See my website here for info on port forwarding: http://www.petenetlive.com/Tech/Firewalls/Cisco/portforward.htm
 
Pete Long (Consultant) commented:
So, remove these bad boys:

no access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.3 object-group DM_INLINE_TCP_3

no access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.50 object-group DM_INLINE_TCP_2


Then add these

access-list Outside_access_in permit tcp any interface outside eq DSProxy
access-list Outside_access_in permit tcp any interface outside eq DSStore
access-list Outside_access_in permit tcp any interface outside eq pop3
access-list Outside_access_in permit tcp any interface outside eq EndPointMapper
access-list Outside_access_in permit tcp any interface outside eq BarracudaLogin
access-list Outside_access_in permit tcp any interface outside eq smtp
access-list Outside_access_in permit tcp any interface outside eq www
access-list Outside_access_in permit tcp any interface outside eq ssh
static (inside,outside) tcp interface DSProxy 10.0.0.50 DSProxy netmask 255.255.255.255
static (inside,outside) tcp interface DSStore 10.0.0.50 DSStore netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.0.0.50 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface EndPointMapper 10.0.0.50 EndPointMapper netmask 255.255.255.255
static (inside,outside) tcp interface BarracudaLogin 10.0.0.3 BarracudaLogin netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.3 www netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.0.0.3 ssh netmask 255.255.255.255
Then clear xlate.

Try again :)
 
Pete Long (Consultant) commented:
Point to note: where I have put (inside,outside), you use (Inside,Outside) :)
 
jwjones2000 (Author) commented:
Result of the command: "no access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.3 object-group DM_INLINE_TCP_3"

Specified access-list does not exist

Result of the command: "no access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.50 object-group DM_INLINE_TCP_2"

Specified access-list does not exist



This is how it looks. I will test these settings in a few hours. I notice that it didn't delete the

Thanks for the site, I will read it in a few minutes.



Result of the command: "show config"

: Saved
: Written by enable_15 at 17:57:11.036 PDT Sun Sep 30 2007
!
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 66.120.127.4 255.255.255.192
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.192.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name hbr.ads.inc
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service BarracudaLogin tcp
 description 8000
 port-object eq 8000
object-group service ProductionWebsite tcp
 description Production Website
 port-object eq 88
object-group service DSProxy tcp
 description DS Proxy
 port-object eq 6004
object-group service DSStore tcp
 description Store and DS Referal
 port-object eq 6001
 port-object eq 6002
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service EndPointMapper tcp
 description End Point Mapper
 port-object eq 593
object-group service DM_INLINE_TCP_2 tcp
 group-object DSProxy
 group-object DSStore
 port-object eq pop3
 group-object EndPointMapper
object-group service DM_INLINE_TCP_3 tcp
 group-object BarracudaLogin
 port-object eq domain
 port-object eq smtp
 port-object eq ssh
object-group network DM_INLINE_NETWORK_1
 network-object host 10.0.0.3
 network-object host 10.0.0.50
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.108 object-group ProductionWebsite
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.3 object-group DM_INLINE_TCP_3
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.156 eq pptp
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.50 object-group DM_INLINE_TCP_2
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.9 eq citrix-ica
access-list Outside_access_in extended permit tcp 66.120.127.0 255.255.255.192 host 10.0.0.55 eq ftp
access-list Outside_access_in extended permit udp 66.120.127.0 255.255.255.192 host 10.0.0.3 eq ntp
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 66.120.127.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.192.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.0.1.1-10.0.1.254 Inside
dhcpd dns 68.94.156.1 68.94.157.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aa2ea7fe24ea7bd29245c2366b7dbff7
 
jwjones2000 (Author) commented:
I finally swapped the Cisco firewall with our SonicWall.

Exchange works okay, but the only thing I wasn't able to make work was Outlook Web Access to my Exchange server using HTTP or HTTPS.

10.0.0.3 and 10.0.0.50 both need HTTP open.
10.0.0.50 needs to have HTTPS open.
10.0.0.3 needs to have 8000 open too.

Here is my configuration:

Result of the command: "show config"

: Saved
: Written by enable_15 at 00:33:58.956 PDT Mon Oct 8 2007
!
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 66.120.127.3 255.255.255.192
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.192.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name hbr.ads.inc
object-group service BarracudaLogin tcp
 description 8000
 port-object eq 8000
object-group service ProductionWebsite tcp
 description Production Website
 port-object eq 88
object-group service DSProxy tcp
 description DS Proxy
 port-object eq 6004
object-group service DSStore tcp
 description Store and DS Referal
 port-object eq 6001
 port-object eq 6002
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service EndPointMapper tcp
 description End Point Mapper
 port-object eq 593
object-group service DM_INLINE_TCP_2 tcp
 group-object DSProxy
 group-object DSStore
 port-object eq pop3
 group-object EndPointMapper
object-group service DM_INLINE_TCP_3 tcp
 group-object BarracudaLogin
 port-object eq domain
 port-object eq smtp
 port-object eq ssh
access-list Outside_access_in extended permit tcp any interface Outside eq pop3
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside object-group BarracudaLogin
access-list Outside_access_in extended permit tcp any interface Outside eq www
access-list Outside_access_in extended permit tcp any interface Outside eq ssh
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface pop3 10.0.0.50 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8000 10.0.0.3 8000 netmask 255.255.255.255
static (Inside,Outside) tcp interface https 10.0.0.50 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.3 www netmask 255.255.255.255
static (Inside,Outside) tcp interface ssh 10.0.0.3 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 66.120.127.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.192.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.0.1.1-10.0.1.254 Inside
dhcpd dns 68.94.156.1 68.94.157.1 interface Inside
dhcpd wins 10.0.0.54 10.0.0.58 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5a62773f6f5f87a0ce034b9a34948c1b
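The fix in this thread pairs each "access-list ... permit tcp any interface Outside eq <port>" line with a "static (Inside,Outside) tcp interface <port> <host> <port>" entry, and the final config above still leaves the OWA question open (two hosts needing port 80 behind one public address). As an added example that is not part of the thread, the following Python script cross-checks those two line types in an ASA 8.0-style config: permits with no static, statics with no permit, interface names that match no nameif (the case point Pete raises above), and one outside port forwarded to more than one host. The sample config is constructed for this example, and only "eq <port>" ACL entries are parsed, not object-group references.

```python
import re

# Port keywords the ASA CLI accepts in place of numbers (the ones used in this thread).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110, "ssh": 22, "domain": 53}
ACL_RE = re.compile(r"access-list \S+ extended permit tcp any interface (\S+) eq (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) tcp interface (\S+) (\S+) \S+ netmask")

def port_num(token):
    return PORT_NAMES.get(token, int(token) if token.isdigit() else token)

def audit_static_pat(config):
    """Cross-check interface ACL permits against static PAT lines; return a list of findings."""
    nameifs, permits, statics = set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameifs.add(line.split()[1])
        elif m := ACL_RE.match(line):
            permits.add((m.group(1), port_num(m.group(2))))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2), port_num(m.group(3)), m.group(4)))
    findings, hosts_by_port = [], {}
    for inside, outside, port, host in statics:
        unknown = [n for n in (inside, outside) if n not in nameifs]
        if unknown:  # nameif names are case-sensitive: (inside,outside) is not (Inside,Outside)
            findings.append(f"static port {port} -> {host}: interface {unknown} matches no nameif (names are case-sensitive)")
            continue
        hosts_by_port.setdefault((outside, port), set()).add(host)
        if (outside, port) not in permits:
            findings.append(f"static {outside} port {port} -> {host} has no access-list permit")
    for (iface, port), hosts in hosts_by_port.items():
        if len(hosts) > 1:  # one outside port can be forwarded to only one inside host
            findings.append(f"{iface} port {port} is mapped to more than one host {sorted(hosts)}")
    for iface, port in sorted(permits, key=str):
        if (iface, port) not in hosts_by_port:
            findings.append(f"access-list permits {iface} port {port} but no static translation exists")
    return findings

# Constructed sample modelled on the thread's final config: www forwarded to both hosts (the OWA
# problem), https permitted with no static, and one static typed with lower-case interface names.
SAMPLE = """\
interface Ethernet0/0
 nameif Outside
interface Ethernet0/1
 nameif Inside
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq www
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside eq 8000
static (Inside,Outside) tcp interface smtp 10.0.0.3 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.3 www netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.50 www netmask 255.255.255.255
static (inside,outside) tcp interface 8000 10.0.0.3 8000 netmask 255.255.255.255
"""
```

Running audit_static_pat(SAMPLE) reports four findings: the lower-case static, port 80 mapped to two hosts, and permits for 443 and 8000 with no usable static; the smtp pair passes.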