ASA 5505 - SMTP not coming thru firewall

Greetings Friends...

I have an ASA 5505 on my network, that I need to "poke-a-hole" in to allow SMTP traffic.  I thought I had set this up properly, but alas, it does not seem correct.  I searched these forums and found many of the same questions / answers but the solutions people here provided, I already had / have in my setup.  Any help here would be greatly appreciated.

"sh run" gives me this:

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any host Exchange eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end
----

Thank you all.
knoxlogicAsked:
lrmooreCommented:
Try disabling esmtp inspect

policy-map global_policy
 class inspection_default
   no inspect esmtp

If that doesn't work, enable smtp inspect

policy-map global_policy
 class inspection_default
   inspect smtp


stsonlineCommented:
For traffic coming in from the outside world there are two components you need - an access rule and a NAT. You have the access rule:


access-list outside_access_in extended permit tcp any host Exchange eq smtp

But you don't have an address for SMTP to attach to. You either need to port forward SMTP to your Exchange server or create a static NAT for the Exchange server.

To port forward SMTP, add this:

static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255

To create a static NAT, you'd need to assign an IP out of your 206.137.29.x pool - say you wanted to assign 206.137.29.251, you enter a line like so:

static (inside,outside) 206.137.29.251 192.168.75.10 netmask 255.255.255.255

knoxlogicAuthor Commented:
When I send in the last command, I get this response from the ASA:


"WARNING: static redirecting all traffics at outside interface;"
"WARNING: all services terminating at outside interface are disabled."

The first command took.
stsonlineCommented:
Enter either command but not both - if you entered the port forward, you don't need a NAT (nor should you have one for smtp).
lrmooreCommented:
Your ACL is incorrect. You need to reference the public IP and not the private IP.
Put it all together:

no access-list outside_access_in extended permit tcp any host Exchange eq smtp
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside



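The two pieces stsonline and lrmoore describe above (an ACL applied inbound on the outside interface, plus a static NAT or static PAT that gives the inside host a public address, with the ACL naming the mapped address because this is 8.0 code) can be checked mechanically. The script below is an added example written for this page, not the poster's code and not anything from Cisco; the two config excerpts it checks are taken from the thread, and the rules it applies are my own encoding of ASA 8.0-8.2 behaviour (inbound ACLs match the mapped address; a one-to-one static on the interface address claims every inbound port, which is the condition the "static redirecting all traffics at outside interface" warning describes). Port names other than smtp/www/https and object-group references are assumptions the parser does not try to resolve.

```python
"""
Check a pre-8.3 Cisco ASA config for the inbound-service pattern discussed above:
an ACL applied inbound on the outside interface plus a static NAT or static PAT
that gives the inside host a public address. Hypothetical helper written for
this page; the rules encode ASA 8.0-8.2 behaviour, where an ACL on the outside
interface matches the *mapped* (public) address, not the real one.
"""
from ipaddress import ip_address

_PORTS = {"smtp": "25", "www": "80", "https": "443"}   # normalise names vs numbers

def _port(p):
    return _PORTS.get(p, p)

def _is_private(v):
    try:
        return ip_address(v).is_private
    except ValueError:          # unresolved alias or object-group name
        return False

def _addr(tokens, names):
    """Consume one ACE address spec; return (kind, value, remaining tokens)."""
    k = tokens[0]
    if k == "any":
        return "any", None, tokens[1:]
    if k in ("host", "interface", "object-group"):
        return k, names.get(tokens[1], tokens[1]), tokens[2:]
    return "subnet", (names.get(k, k), tokens[1]), tokens[2:]

def parse(config):
    """Pull out name aliases, static translations, extended ACEs and access-groups."""
    names, statics, acls, groups = {}, [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                              # name <ip> <alias> ...
            names[t[2]] = t[1]
        elif t[0] == "static":                          # static (real,mapped) [tcp|udp] ...
            if t[2] in ("tcp", "udp"):                  # port forward: mapped mport real rport
                s = dict(proto=t[2], mapped=t[3], mport=_port(t[4]), real=t[5])
            else:                                       # one-to-one: mapped real
                s = dict(proto=None, mapped=t[2], mport=None, real=t[3])
            s["real"] = names.get(s["real"], s["real"])
            statics.append(s)
        elif t[0] == "access-list" and t[2] == "extended":
            action, proto, rest = t[3], t[4], t[5:]
            _, _, rest = _addr(rest, names)             # source (not checked here)
            dkind, dval, rest = _addr(rest, names)      # destination
            port = _port(rest[1]) if rest[:1] == ["eq"] else None
            acls.setdefault(t[1], []).append(
                dict(line=line.strip(), action=action, proto=proto, dst=(dkind, dval), port=port))
        elif t[0] == "access-group" and t[2] == "in":   # access-group NAME in interface IF
            groups[t[4]] = t[1]
    return names, statics, acls, groups

def _covers(s, mapped, proto, port):
    """Does static s expose the mapped address/port the ACE permits?"""
    if s["mapped"] != mapped:
        return False
    return s["proto"] is None or (s["proto"] == proto and s["mport"] == port)

def check(config):
    """Return a list of findings; an empty list means the hole is plumbed consistently."""
    _, statics, acls, groups = parse(config)
    findings = []
    for s in statics:
        if s["mapped"] == "interface" and s["proto"] is None:
            findings.append(f"static maps the whole outside interface address to {s['real']}: "
                            "all inbound traffic is redirected and services on outside stop working")
    for real in {s["real"] for s in statics}:
        if len({s["proto"] is None for s in statics if s["real"] == real}) > 1:
            findings.append(f"{real} has both a port forward and a one-to-one static; keep one")
    for ace in acls.get(groups.get("outside"), []):
        if ace["action"] != "permit":
            continue
        kind, val = ace["dst"]
        if kind == "host" and _is_private(val):
            findings.append(f"{ace['line']!r}: destination {val} is the real inside address; "
                            "on pre-8.3 code the ACE must name the mapped address")
        elif kind in ("host", "interface") and not any(
                _covers(s, val if kind == "host" else "interface", ace["proto"], ace["port"])
                for s in statics):
            findings.append(f"{ace['line']!r}: no static translation exposes that destination")
    return findings

# Config excerpts from the thread: the first post, and lrmoore's corrected version.
ORIGINAL = """\
name 192.168.75.10 Exchange description Exchange_Server
access-list outside_access_in extended permit tcp any host Exchange eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
"""
FIXED = """\
name 192.168.75.10 Exchange description Exchange_Server
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check(cfg) or ["ok"])
```

Run it against a saved `show run` and it reports the first config's ACE as pointing at the real inside address with no static behind it, and passes the corrected config. On 8.3 and later the semantics flip (ACLs match real addresses and `static` is replaced by object NAT), so this check is only meaningful for the 8.0(3) code on this box.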
knoxlogicAuthor Commented:
Okay...

That seemed to "work" somewhat.  The telnet to port 25 from the outside gives me a 220 **********************...  that's it.

When I telnet on the inside network, it's totally different.  I get actual text back, etc.  Here is my running config, based upon the rules above (which worked btw):

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
username eddie password xcio6Pkr5NHL1uvW encrypted privilege 15
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
username justin password 361/tIhYn5ULJPFD encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end

-----

Again, Thank you all.
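The banner test the poster ran with telnet (a `220` followed by nothing but asterisks from outside, a normal greeting from inside) is the signature of ASA ESMTP inspection masking the server greeting, which is the inspection lrmoore suggested disabling. The script below is an added example written for this page, not the poster's code: it performs the same banner/EHLO/QUIT exchange over a socket and reports whether the greeting is masked and whether EHLO got any reply. The host name and the canned server replies used for the offline run are constructed, not captured from the poster's Exchange server, and the stand-in server is a hypothetical helper so the probe can be exercised without a live listener.

```python
"""
Probe an SMTP listener the way the poster did with telnet, but scripted: read
the banner, send EHLO, report what came back. A greeting that is nothing but
asterisks means ASA ESMTP inspection is rewriting the banner; an EHLO that gets
no reply at all is the "that's it" the poster saw. Hypothetical helper written
for this page; host names and canned replies are constructed.
"""
import socket
import threading

def _read_reply(rf):
    """Collect one SMTP reply; a '250-' line continues it, '250 ' ends it."""
    lines = []
    while True:
        raw = rf.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines

def smtp_probe(sock, ehlo_name="probe.example.invalid", timeout=5.0):
    """Banner + EHLO + QUIT over an already-connected socket; returns findings."""
    sock.settimeout(timeout)
    rf, wf = sock.makefile("rb"), sock.makefile("wb")
    try:
        banner = _read_reply(rf)
        greeting = banner[0][4:].strip()
        result = {
            "banner": banner[0],
            # ASA ESMTP inspection replaces the greeting text with asterisks
            "banner_masked": bool(greeting) and set(greeting) <= {"*"},
            "ehlo_code": None,
            "extensions": [],
        }
        wf.write(f"EHLO {ehlo_name}\r\n".encode("ascii"))
        wf.flush()
        try:
            ehlo = _read_reply(rf)
        except (socket.timeout, ConnectionError):
            return result                  # no answer to EHLO: session is dead
        result["ehlo_code"] = ehlo[0][:3]
        if ehlo[0].startswith("250"):
            result["extensions"] = [l[4:].split()[0].upper() for l in ehlo[1:] if len(l) > 4]
        wf.write(b"QUIT\r\n")
        wf.flush()
        try:
            _read_reply(rf)
        except (socket.timeout, ConnectionError):
            pass
        return result
    finally:
        rf.close()
        wf.close()

def probe_host(host, port=25, timeout=5.0):
    """Run the probe against a live listener, e.g. the firewall's outside address."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return smtp_probe(sock, timeout=timeout)

# --- constructed stand-in for the far side, so the probe can run offline ---

def _fake_smtp(conn, replies):
    """Send each canned reply in turn, reading one client command between them;
    a None entry means stop answering but keep the connection open."""
    rf = conn.makefile("rb")
    try:
        for i, reply in enumerate(replies):
            if i:
                rf.readline()
            if reply is None:
                break
            conn.sendall(reply)
        rf.readline()                       # wait for the client to hang up
    finally:
        rf.close()
        conn.close()

DIRECT = [                                  # a normal greeting, as seen from inside
    b"220 mail.example.invalid ESMTP ready\r\n",
    b"250-mail.example.invalid Hello\r\n250-SIZE 10485760\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    b"221 Bye\r\n",
]
INSPECTED = [                               # masked greeting, then silence, as seen from outside
    b"220 **********************\r\n",
    None,
]

def run_scenario(replies, timeout=0.5):
    """Drive smtp_probe against the fake server over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_smtp, args=(server, replies), daemon=True)
    t.start()
    try:
        return smtp_probe(client, timeout=timeout)
    finally:
        client.close()
        t.join(timeout=2)

if __name__ == "__main__":
    for label, script in (("direct", DIRECT), ("inspected", INSPECTED)):
        print(label, run_scenario(script))
```

Point `probe_host()` at the outside address from an external host and at the Exchange server from the inside; a masked banner on the first and a clean one on the second confirms the firewall, not the mail server, is altering the session, which is the comparison the poster made by hand.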
knoxlogicAuthor Commented:
That was it.  I'll need to update the code to 8.03(19)+ to get ESMTP Inspection back...  Thanks for the help.