Solved

ASA 5505 - SMTP not coming thru firewall

Posted on 2008-10-15
7
2,110 Views
Last Modified: 2013-11-30
Greetings Friends...

I have an ASA 5505 on my network, that I need to "poke-a-hole" in to allow SMTP traffic.  I thought I had set this up properly, but alas, it does not seem correct.  I searched these forums and found many of the same questions / answers but the solutions people here provided, I already had / have in my setup.  Any help here would be greatly appreciated.

"sh run" gives me this:

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any host Exchange eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end
----

Thank you all.
Question by:knoxlogic
7 Comments
 
LVL 10

Expert Comment

by:stsonline
ID: 22724893
For traffic coming in from the outside world there are two components you need - an access rule and a NAT. You have the access rule:


access-list outside_access_in extended permit tcp any host Exchange eq smtp

But you don't have an address for SMTP to attach to. You either need to port forward SMTP to your Exchange server or create a static NAT for the Exchange server.

To port forward SMTP, add this:

static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255

To create a static NAT, you'd need to assign an IP out of your 206.137.29.x pool - say you wanted to assign 206.137.29.251, you enter a line like so:

static (inside,outside) 206.137.29.251 192.168.75.10 netmask 255.255.255.255

 

Author Comment

by:knoxlogic
ID: 22725041
When I send in the last command, I get this response from the ASA:


"WARNING: static redirecting all traffics at outside interface;"
"WARNING: all services terminating at outside interface are disabled."

The first command took.
 
LVL 10

Expert Comment

by:stsonline
ID: 22725060
Enter either command but not both - if you entered the port forward, you don't need a NAT (nor should you have one for smtp).
 
LVL 79

Expert Comment

by:lrmoore
ID: 22725851
Your ACL is incorrect. You need to reference the public IP and not the private IP.
Put it all together:

no access-list outside_access_in extended permit tcp any host Exchange eq smtp
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside



 

Author Comment

by:knoxlogic
ID: 22732275
Okay...

That seemed to "work" somewhat.  The telnet to port 25 from the outside gives me a 220 **********************...  that's it.

When I telnet on the inside network, it's totally different.  I get actual text back, etc.  Here is my running config, based upon the rules above (which worked btw):

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
username eddie password xcio6Pkr5NHL1uvW encrypted privilege 15
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
username justin password 361/tIhYn5ULJPFD encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end

-----

Again, thank you all.
 
LVL 79

Accepted Solution

by:lrmoore (earned 250 total points)
ID: 22733557
Try disabling ESMTP inspect:

policy-map global_policy
 class inspection_default
   no inspect esmtp

If that doesn't work, enable SMTP inspect:

policy-map global_policy
 class inspection_default
   inspect smtp


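As an added example (not from this thread, Cisco, or Experts Exchange), a small Python check that applies the two diagnoses above to a config excerpt: lrmoore's point that on pre-8.3 ASA syntax an inbound ACL must match the public (translated) address and needs a matching `static`, and the accepted solution's point that `inspect esmtp` was what broke inbound SMTP on 8.0(3). The two config excerpts are constructed from the "sh run" outputs posted in this thread, trimmed to the relevant lines.

```python
import re

# Constructed excerpts of the two "sh run" outputs posted in the thread (pre-8.3 syntax).
ORIGINAL_CFG = """\
name 192.168.75.10 Exchange description Exchange_Server
access-list outside_access_in extended permit tcp any host Exchange eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect esmtp
"""
FIXED_CFG = """\
name 192.168.75.10 Exchange description Exchange_Server
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect smtp
"""

# static (inside,outside) tcp interface <public-port> <inside-host> <inside-port> ...
STATIC_PAT = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)")
# access-list <name> extended permit tcp <src> (host <x> | interface outside) eq <port>
ACL_PERMIT = re.compile(r"^access-list (\S+) extended permit tcp \S+ (host \S+|interface outside) eq (\S+)")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface outside")

def check_inbound(cfg, service="smtp"):
    """Return (code, detail) findings for an inbound port forward of `service`."""
    lines = cfg.splitlines()
    findings = []
    statics = {m.group(1): m.group(2) for l in lines if (m := STATIC_PAT.match(l))}
    acls = [m.groups() for l in lines if (m := ACL_PERMIT.match(l))]
    applied = {m.group(1) for l in lines if (m := ACCESS_GROUP.match(l))}
    if service not in statics:  # the ACL alone gives inbound traffic nothing to land on
        findings.append(("NO_STATIC", f"no static PAT maps outside:{service} to an inside host"))
    for name, target, port in (a for a in acls if a[2] == service):
        if target.startswith("host "):  # pre-8.3: outside ACL sees the public (translated) address
            findings.append(("ACL_PRIVATE_TARGET", f"ACL {name} matches private host {target[5:]}; use 'interface outside'"))
        if name not in applied:
            findings.append(("ACL_NOT_APPLIED", f"ACL {name} is not applied inbound on outside"))
    if any(l.strip() == "inspect esmtp" for l in lines):  # what the accepted answer had the asker remove
        findings.append(("ESMTP_INSPECT", "inspect esmtp is on; this thread replaced it with inspect smtp on 8.0(3)"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(label, check_inbound(cfg) or "OK")
```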
 

Author Closing Comment

by:knoxlogic
ID: 31506435
That was it.  I'll need to update the code to 8.03(19)+ to get ESMTP Inspection back...  Thanks for the help.