ASA 5505 - SMTP not coming through firewall

Posted on 2008-10-15
2,097 Views
Last Modified: 2013-11-30
Greetings Friends...

I have an ASA 5505 on my network that I need to "poke-a-hole" in to allow SMTP traffic.  I thought I had set this up properly, but alas, it does not seem correct.  I searched these forums and found many of the same questions / answers, but the solutions people here provided I already had / have in my setup.  Any help here would be greatly appreciated.

"sh run" gives me this:

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any host Exchange eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end
----

Thank you all.
Question by:knoxlogic
7 Comments

Expert Comment

by:stsonline
ID: 22724893
For traffic coming in from the outside world there are two components you need - an access rule and a NAT. You have the access rule:


access-list outside_access_in extended permit tcp any host Exchange eq smtp

But you don't have an address for SMTP to attach to. You either need to port forward SMTP to your Exchange server or create a static NAT for the Exchange server.

To port forward SMTP, add this:

static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255

To create a static NAT, you'd need to assign an IP out of your 206.137.29.x pool - say you wanted to assign 206.137.29.251, you enter a line like so:

static (inside,outside) 206.137.29.251 192.168.75.10 netmask 255.255.255.255


Author Comment

by:knoxlogic
ID: 22725041
When I send in the last command, I get this response from the ASA:


"WARNING: static redirecting all traffics at outside interface;"
"WARNING: all services terminating at outside interface are disabled."

The first command took.

Expert Comment

by:stsonline
ID: 22725060
Enter either command but not both - if you entered the port forward, you don't need a NAT (nor should you have one for smtp).

Expert Comment

by:lrmoore
ID: 22725851
Your ACL is incorrect. You need to reference the public IP and not the private IP.
Put it all together:

no access-list outside_access_in extended permit tcp any host Exchange eq smtp
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside




Author Comment

by:knoxlogic
ID: 22732275
Okay...

That seemed to "work" somewhat.  The telnet to port 25 from the outside gives me a 220 **********************...  that's it.

When I telnet on the inside network, it's totally different.  I get actual text back, etc.  Here is my running config, based upon the rules above (which worked btw):

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
username eddie password xcio6Pkr5NHL1uvW encrypted privilege 15
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
username justin password 361/tIhYn5ULJPFD encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end

-----

Again, Thank you all.

Accepted Solution

by:
lrmoore earned 250 total points
ID: 22733557
Try disabling esmtp inspect

policy-map global_policy
 class inspection_default
   no inspect esmtp

If that doesn't work, enable smtp inspect

policy-map global_policy
 class inspection_default
   inspect smtp


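The three things this thread had to fix (no static PAT for tcp/25, an outside ACL that named the inside address instead of the mapped one, and esmtp inspection masking the banner on this 8.0(3) build) can be checked mechanically. The following linter is an added example, not code from the thread or from Cisco; it runs over constructed excerpts of the poster's config (the full dumps above are trimmed to the relevant lines) and reports which of the three conditions are present.

```python
import ipaddress
import re

# Constructed excerpts of the poster's ASA 8.0(3) config, trimmed to the lines
# that matter: the original state and the state after the accepted fixes.
CONFIG_BEFORE = """\
names
name 192.168.75.10 Exchange description Exchange_Server
access-list outside_access_in extended permit tcp any host Exchange eq smtp
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect esmtp
"""

CONFIG_AFTER = """\
names
name 192.168.75.10 Exchange description Exchange_Server
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""


def lint_smtp_publish(cfg: str) -> list:
    """Return a finding string for each of the thread's three problems present in cfg."""
    findings = []
    # 'name <ip> <alias>' lets the ACL say 'host Exchange'; resolve aliases to IPs.
    names = {m.group(2): m.group(1)
             for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}
    # 1. Something must map tcp/25 on the outside interface to the inside host.
    if not re.search(r"^static \(inside,outside\) tcp interface smtp \S+ smtp", cfg, re.M):
        findings.append("no static PAT: tcp/25 on the outside interface is not mapped to the Exchange server")
    # 2. Pre-8.3 ASA ACLs on the outside interface match the mapped (public) address,
    #    so a rule naming the private host never matches; it must use 'interface outside'.
    for m in re.finditer(r"^access-list outside_access_in extended permit tcp any host (\S+) eq smtp", cfg, re.M):
        ip = names.get(m.group(1), m.group(1))
        try:
            private = ipaddress.ip_address(ip).is_private
        except ValueError:          # unresolved alias: cannot judge, skip
            private = False
        if private:
            findings.append(f"ACL references inside address {ip}; use 'interface outside'")
    # 3. On this 8.0(3) build esmtp inspection masked the banner (220 ****).
    if re.search(r"^\s*inspect esmtp\s*$", cfg, re.M):
        findings.append("inspect esmtp is active in global_policy")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, lint_smtp_publish(cfg) or ["ok"])
```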

Author Closing Comment

by:knoxlogic
ID: 31506435
That was it.  I'll need to update the code to 8.03(19)+ to get ESMTP Inspection back...  Thanks for the help.