ASA 5505 Mail Config Issue URGENT!!!!!

Posted on 2009-04-17
Last Modified: 2012-05-06
With this config I can receive email but can't send.
If I remove the SMTP info I can send but not receive. Please help!!!!

ASA Version 7.2(4)
!
hostname firewall
domain-name domain.org
enable password EVPnDGSMGKNp/h2o encrypted
passwd EVPnDGSMGKNp/h2o encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *5.*.1*.129 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec Unauthorized access will be prosecuted!!!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.org
access-list OUT_IN extended permit tcp any host 69.*.*.129 eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list smtp_in extended permit tcp 208.*.*.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.*.*.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
pager lines 24
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5632 192.168.1.98 5632 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.1.98 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 3001 192.168.1.97 3001 netmask 255.255.255.255
static (inside,outside) tcp interface 2000 192.168.1.97 2000 netmask 255.255.255.255
static (inside,outside) tcp interface 2001 192.168.1.97 2001 netmask 255.255.255.255
static (inside,outside) tcp interface 2002 192.168.1.97 2002 netmask 255.255.255.255
static (inside,outside) tcp interface 2003 192.168.1.97 2003 netmask 255.255.255.255
static (inside,outside) tcp interface 4124 192.168.1.101 4124 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.98 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.101 https netmask 255.255.255.255
static (inside,outside) tcp interface 4144 192.168.1.2 4144 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group smtp_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.*.*.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!            
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7c9dde185631b213490a6e13b085f94d
: end
Question by:adamshields
 
LVL 6

Expert Comment

by:ged125
ID: 24173108
First of all, what do you mean by "If I remove the SMTP info"?
 
LVL 3

Author Comment

by:adamshields
ID: 24173112
If I remove this info:
no access-list inside_access_in extended deny tcp any any eq smtp
no access-list inside_access_in extended permit ip any any
no access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
no access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
no access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
no access-list smtp_in extended deny tcp any any eq smtp
no access-list smtp_in extended permit ip any any
no access-group smtp_in in interface outside
 
LVL 6

Expert Comment

by:ged125
ID: 24173113
If this is an inbound list, you have it backwards.

access-list smtp_in extended permit tcp 208.*.*.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.*.*.0 255.255.252.0 any eq smtp

Should be:

access-list smtp_in extended permit tcp any 208.*.*.0 255.255.248.0 eq smtp
access-list smtp_in extended permit tcp any 208.*.*.0 255.255.252.0 eq smtp
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24173125
You need to permit SMTP outbound.  This will properly reorder your inside access list.

no access-list inside_access_in extended deny tcp any any eq smtp
no access-list inside_access_in extended permit ip any any
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
 
LVL 6

Expert Comment

by:ged125
ID: 24173146

The deny statement is hitting first on your inside_access_in list.  You need to remove it, and put it back in so that it will be at the end of the list.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24173147
So, the lists should be this:

access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-list smtp_in extended permit ip any any
access-group smtp_in in interface outside

You can't restrict inbound SMTP as you could be receiving it from any mail server on the Internet.
 
LVL 3

Author Comment

by:adamshields
ID: 24173154
We are using the MXLogic hosted spam solution; that's why we only accept mail from those IP addresses.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24173158
Okay, so they should be this:

access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
access-group smtp_in in interface outside
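As an added example (not from the thread, and not Cisco code), the following Python models the first-match evaluation behind the reordering in the comment above: a deliberately small parser for the posted inside_access_in and smtp_in entries, and an evaluator that reports which ACE a given flow hits, with the implicit deny at the end. The Internet addresses used for test flows are constructed; the ACL text is copied from the thread.

```python
import ipaddress

PORTS = {"smtp": 25, "www": 80, "https": 443}  # service names that appear in the thread


def _addr(t):
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D NETMASK."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]  # dotted netmask


def parse_acl(lines):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines, keeping order."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto = t[3], t[4]
        src, rest = _addr(t[5:])
        dst, rest = _addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """Return (verdict, ACE index) for the first matching entry; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, src, dst, port) in enumerate(entries):
        if p in ("ip", proto) and s in src and d in dst and port in (None, dst_port):
            return action, i
    return "deny", None  # the implicit deny at the end of every ASA ACL


# inside_access_in in the order the question posted it: the deny sits before the host permit
ORIGINAL_INSIDE = [
    "access-list inside_access_in extended deny tcp any any eq smtp",
    "access-list inside_access_in extended permit ip any any",
    "access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp",
]
# the same three entries in the order the accepted answer gives
FIXED_INSIDE = [ORIGINAL_INSIDE[2], ORIGINAL_INSIDE[0], ORIGINAL_INSIDE[1]]
SMTP_IN = [  # smtp_in, applied inbound on the outside interface, as posted
    "access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp",
    "access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp",
    "access-list smtp_in extended deny tcp any any eq smtp",
    "access-list smtp_in extended permit ip any any",
]
```

Evaluating the mail server's outbound SMTP against ORIGINAL_INSIDE hits the deny at index 0, while against FIXED_INSIDE it hits the host permit at index 0, which is the whole difference between "can receive but can't send" and a working setup. On this ASA release an inbound ACL on the outside interface is matched against the translated (outside-interface) address, a detail the posted smtp_in list sidesteps by using any as its destination.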
 
LVL 6

Expert Comment

by:ged125
ID: 24173160
What are the 208.x.x.x servers?  Is that your mail server or some sort of relay server on the internet?
 
LVL 3

Author Comment

by:adamshields
ID: 24173161
It's the MXLogic relay servers.
 
LVL 6

Expert Comment

by:ged125
ID: 24173171
Ok, then ignore my comment earlier. Looks like JFrederick29 has you covered.
 
LVL 3

Author Comment

by:adamshields
ID: 24173221
This is correct now, thank you so much. Can you check this below? It seems to be working now. Thanks a bunch!


ASA Version 7.2(4)
!
hostname jcafire
domain-name jsdfsdf.org
enable password EVPnDGSMGKNp/h2o encrypted
passwd EVPnDGSMGKNp/h2o encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.7 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.*.*.129 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec Unauthorized access will be prosecuted!!!
ftp mode passive
dns server-group DefaultDNS
 domain-name jsfdfsd.org
access-list OUT_IN extended permit tcp any host 69.*.*.129 eq https
access-list OUT_IN extended permit tcp any any eq pcanywhere-data
access-list OUT_IN extended permit tcp any any eq www
access-list OUT_IN extended permit tcp any any eq 4124
access-list OUT_IN extended permit tcp any any eq 3389
access-list OUT_IN extended permit tcp any any eq 4144
access-list inside_access_in extended permit tcp host 192.168.1.11 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list smtp_in extended permit tcp 208.65.144.0 255.255.248.0 any eq smtp
access-list smtp_in extended permit tcp 208.81.64.0 255.255.252.0 any eq smtp
access-list smtp_in extended deny tcp any any eq smtp
access-list smtp_in extended permit ip any any
pager lines 24
logging console informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5632 192.168.1.98 5632 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.1.98 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 3001 192.168.1.97 3001 netmask 255.255.255.255
static (inside,outside) tcp interface 2000 192.168.1.97 2000 netmask 255.255.255.255
static (inside,outside) tcp interface 2001 192.168.1.97 2001 netmask 255.255.255.255
static (inside,outside) tcp interface 2002 192.168.1.97 2002 netmask 255.255.255.255
static (inside,outside) tcp interface 2003 192.168.1.97 2003 netmask 255.255.255.255
static (inside,outside) tcp interface 4124 192.168.1.101 4124 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.98 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.101 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.101 https netmask 255.255.255.255
static (inside,outside) tcp interface 4144 192.168.1.2 4144 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.11 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group smtp_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.8.18.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 5
dhcpd auto_config outside
!            
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7c9dde185631b213490a6e13b085f94d
: end
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 2000 total points)
ID: 24173224
That looks good now.
 
LVL 3

Author Closing Comment

by:adamshields
ID: 31571706
If I could give you a million points I would. Thanks for your fast response and your help, I really appreciate it. I thought I would be out of luck on a Friday night. Thanks
