Solved

ASA 5505 - SMTP not coming thru firewall

Posted on 2008-10-15
2,109 Views
Last Modified: 2013-11-30
Greetings Friends...

I have an ASA 5505 on my network that I need to "poke a hole" in to allow SMTP traffic.  I thought I had set this up properly, but alas, it does not seem correct.  I searched these forums and found many of the same questions / answers, but the solutions people here provided I already had / have in my setup.  Any help here would be greatly appreciated.

"sh run" gives me this:

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any host Exchange eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end
----

Thank you all.
Question by:knoxlogic
7 Comments
LVL 10

Expert Comment

by:stsonline
ID: 22724893
For traffic coming in from the outside world there are two components you need - an access rule and a NAT. You have the access rule:


access-list outside_access_in extended permit tcp any host Exchange eq smtp

But you don't have an address for SMTP to attach to. You either need to port forward SMTP to your Exchange server or create a static NAT for the Exchange server.

To port forward SMTP, add this:

static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255

To create a static NAT, you'd need to assign an IP out of your 206.137.29.x pool - say you wanted to assign 206.137.29.251, you enter a line like so:

static (inside,outside) 206.137.29.251 192.168.75.10 netmask 255.255.255.255


Author Comment

by:knoxlogic
ID: 22725041
When I send in the last command, I get this response from the ASA:


"WARNING: static redirecting all traffics at outside interface;"
"WARNING: all services terminating at outside interface are disabled."

The first command took.
LVL 10

Expert Comment

by:stsonline
ID: 22725060
Enter either command but not both - if you entered the port forward, you don't need a NAT (nor should you have one for smtp).
LVL 79

Expert Comment

by:lrmoore
ID: 22725851
Your ACL is incorrect. You need to reference the public IP and not the private IP.
Put it all together:

no access-list outside_access_in extended permit tcp any host Exchange eq smtp
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 192.168.75.10 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside


Author Comment

by:knoxlogic
ID: 22732275
Okay...

That seemed to "work" somewhat.  The telnet to port 25 from the outside gives me a 220 **********************...  that's it.

When I telnet on the inside network, it's totally different.  I get actual text back, etc.  Here is my running config, based upon the rules above (which worked btw):

ASA Version 8.0(3)
!
hostname jmbasa
domain-name jmbasa.local
enable password jBlNGKlwT0nL4Buh encrypted
names
name 192.168.75.10 Exchange description Exchange_Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.75.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.137.29.249 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/new/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name jmbasa.local
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/new/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Exchange smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.137.29.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.75.0 255.255.255.0
threat-detection statistics access-list
ntp server 98.172.32.171 source outside prefer
username eddie password xcio6Pkr5NHL1uvW encrypted privilege 15
username chris password TYGBt4.L24KH1.mU encrypted privilege 15
username justin password 361/tIhYn5ULJPFD encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7b91745efcdef2257e0ad18bd4f1836
: end

-----

Again, Thank you all.
LVL 79

Accepted Solution

by:lrmoore (earned 250 total points)
ID: 22733557
Try disabling esmtp inspect

policy-map global_policy
 class inspection_default
   no inspect esmtp

If that doesn't work, enable smtp inspect

policy-map global_policy
 class inspection_default
   inspect smtp


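A small Python diagnostic, added here as an example and not code from the thread or from Cisco, that does what knoxlogic did by hand with telnet: read the SMTP greeting from a host and flag the asterisk-only 220 line that the ASA's ESMTP inspection produces when it masks the server banner. The two banner strings are constructed samples (the masked one mirrors the symptom in the thread), and the host name in read_greeting is a placeholder you supply.

```python
import re
import socket

# Constructed sample banners (not captured from the thread's server):
# the first is what the outside telnet showed with "inspect esmtp" active,
# the second is a normal Exchange-style greeting as seen from the inside.
MASKED_BANNER = "220 **********************\r\n"
CLEAR_BANNER = ("220 mail.example.test Microsoft ESMTP MAIL Service ready at "
                "Wed, 15 Oct 2008 10:00:00 -0400\r\n")

# SMTP reply line: three-digit code, a space (final line) or '-' (more follows), text.
BANNER_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def classify_banner(banner: str) -> dict:
    """Parse one SMTP greeting line and flag ASA-style banner masking.

    ESMTP inspection rewrites the server's greeting text to asterisks, so a
    220 line whose text is nothing but '*' means the firewall, not the mail
    server, produced what the client sees.
    """
    line = banner.split("\r\n")[0].rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        return {"code": None, "masked": False, "text": line,
                "reason": "not an SMTP reply line"}
    code, text = m.group(1), m.group(3)
    masked = code == "220" and len(text) > 0 and set(text) <= {"*"}
    reason = ("banner text fully masked (ESMTP inspection)" if masked
              else "server greeting visible")
    return {"code": code, "masked": masked, "text": text, "reason": reason}


def read_greeting(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Connect to host:port and return the greeting bytes the server sends first.

    Run once from the inside network and once from the outside to compare views.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("ascii", "replace")


def compare_views(inside_banner: str, outside_banner: str) -> str:
    """Explain a differing inside/outside greeting in terms of the firewall path."""
    a, b = classify_banner(inside_banner), classify_banner(outside_banner)
    if not a["masked"] and b["masked"]:
        return "outside view masked: ESMTP inspection on the firewall rewrites the banner"
    if a["text"] == b["text"]:
        return "identical: the path through the firewall is transparent to SMTP"
    return "greetings differ for another reason (different server or NAT target?)"
```

After applying lrmoore's "no inspect esmtp", compare_views on a fresh outside greeting should report the identical case rather than the masked one.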

Author Closing Comment

by:knoxlogic
ID: 31506435
That was it.  I'll need to update the code to 8.03(19)+ to get ESMTP Inspection back...  Thanks for the help.