Cisco ASA5510 POP3 access

furque

I am new to Cisco ASA firewall and need to enable POP3 access to an external mail server. We have our own exchange server for emails but some users need to connect to an external POP3 mail server. Can you please let me know what I need to do on the firewall to enable this?

I guess I need to open the necessary port on ASA5510 to the IP address of the POP3 mail server but not sure how I go about doing this.

Thanks in advance.
Furque,

By default all connections starting on the inside and traversing the ASA outbound are open. If this is not allowed you probably have an ACL applied to the inside interface. Would it be possible to see your config (scrubbed of course), or at least the ACL that is applied to the inside interface?

Regards,

3nerds

Author

Commented:
Is there an easy way to get the config from Cisco ASDM?
Sure, open ASDM and click File, then select Show Running Config in New Window. This will display the config for you to copy out and paste here. Make sure you X out your external IP addresses.

Regards,

3nerds

Commented:
Hi,

Do you have a CSC module plugged in and running on your ASA? If yes, then you need to allow inspect for pop3. It's not easy to post the ASDM steps here, so here is a link for that:

http://www.ciscosystems.ch/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/cscssm.html

Or use the following sample CLI commands:

object-group service CSC_service tcp
 description CSC service
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq pop3
 port-object eq smtp

!

access-list CSC extended deny tcp host 192.168.111.8 any
access-list CSC extended permit tcp any any eq www
access-list CSC extended permit tcp any any eq pop3
access-list CSC extended permit tcp any any eq smtp
access-list CSC extended permit tcp any any eq ftp
access-list CSC extended permit tcp any any eq pptp


Author

Commented:

Thanks for looking at this. I have attached the config.

: Saved
:
ASA Version 8.2(1)
!
hostname FW01
domain-name
enable
passwd
names
name 10.10.0.0 VLAN_All description Supernet of all VLANs
name 67.97.80.84 McAfee_01 description MyAvert Server
name 205.227.136.116 McAfee_02 description MyAvert Server
name 216.82.240.0 MessageLabs_01
name 85.158.136.0 MessageLabs_02
name 117.120.16.0 MessageLabs_03
name 193.109.254.0 MessageLabs_04
name 194.106.220.0 MessageLabs_05
name 195.245.230.0 MessageLabs_06
name 62.231.131.0 MessageLabs_07
name 62.173.108.16 MessageLabs_09
name 193.109.81.0 RIM_01
name 206.51.26.0 RIM_02
name 206.53.144.0 RIM_03
name 216.9.240.0 RIM_04
name 212.125.75.16 MessageLabs_08
name 10.10.10.0 VLAN_Servers description VLAN10
name 158.43.128.72 Verizon_DNS00 description cache0000.ns.eu.uu.net
name 10.10.10.72 SRVINQ01_2 description 2nd IP for external NAT
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address FW01 255.255.255.224
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Management0/0
 description MGMT Interface
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
banner exec ################################################################################
banner exec             NOTE - All changes are flagged and logged
banner exec       Ensure you write the config to startup before exiting
banner exec ################################################################################
banner login ********************************************************************************
banner login                   This ASA .
banner login                You MUST be authorised in order to connect to this device.
banner login                    Your session has been logged and an alert generated.
banner login        Any unauthorised access is deemed an attempt to compromise security.
banner login               DO NOT PROCEED UNLESS YOU ARE AUTHORISED TO DO SO
banner login ********************************************************************************
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server SRVDC01
 name-server SRVDC02
 domain-name xxxx
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq 3689
 service-object udp eq 5353
object-group service DM_INLINE_TCP_3 tcp
 port-object eq imap4
 port-object eq pop3
object-group network BarVault
 description Meridian Law Diary Backup
 network-object host BarVault_01
 network-object host BarVault_02
 network-object host BarVault_03
 network-object host BarVault_04
object-group network McAfee_MyAvert
 description New Virus Alert Servers
 network-object host McAfee_02
 network-object host McAfee_01
object-group network MessageLabs_Towers
 description All EMEA Towers
 network-object MessageLabs_03 255.255.248.0
 network-object MessageLabs_04 255.255.254.0
 network-object MessageLabs_05 255.255.254.0
 network-object MessageLabs_06 255.255.254.0
 network-object MessageLabs_01 255.255.240.0
 network-object MessageLabs_09 255.255.255.240
 network-object MessageLabs_07 255.255.255.0
 network-object MessageLabs_02 255.255.248.0
 network-object MessageLabs_08 255.255.255.240
object-group network RIM_Servers
 description Blackberry Servers for routing email
 network-object RIM_01 255.255.255.0
 network-object RIM_02 255.255.255.0
 network-object RIM_03 255.255.240.0
 network-object RIM_04 255.255.240.0
object-group network DM_INLINE_NETWORK_1
 network-object host SRVDC01
 network-object host SRVDC02
object-group network DNS_Servers_Ext
 description External DNS Servers
 network-object host Verizon_DNS02
 network-object host Verizon_DNS00
 network-object host Verizon_DNS03
 network-object host Verizon_DNS01
object-group service DM_INLINE_TCP_5 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 8079
 port-object eq 8331
object-group network Skadden_SMTP
 description All SMTP Gateways
 network-object host Skad_01
 network-object host Skad_02
 network-object host Skad_03
object-group network DM_INLINE_NETWORK_2
 network-object host SRVML01
 network-object host SRVML02
 network-object host SRVEXCH01
 network-object host SRVIQ01
 network-object host SRVINQ01
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_5
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_11
 service-object icmp
 service-object tcp eq smtp
object-group network WhiteCase_SMTP
 description All SMTP Gateway
 network-object host Wh_01
 network-object host Wh_02
object-group service DM_INLINE_SERVICE_15
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_18
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_19
 service-object icmp
 service-object tcp eq smtp
object-group network Bingham_SMTP
 description Bingham SMTP server
 network-object host Bingham_01
 network-object host Bingham_02
object-group service DM_INLINE_SERVICE_22
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_14
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_7
 service-object icmp
 service-object tcp eq smtp
object-group service DM_INLINE_SERVICE_16
 service-object icmp
 service-object tcp eq smtp
object-group network DM_INLINE_NETWORK_4
 network-object VLAN_B 255.255.255.0
 network-object VLAN_Staff 255.255.255.0
object-group network DM_INLINE_NETWORK_5
 network-object VLAN_B 255.255.255.0
 network-object VLAN_Staff 255.255.255.0
object-group service DM_INLINE_TCP_4 tcp
 port-object eq 1863
 port-object eq 9339
object-group network DM_INLINE_NETWORK_3
 network-object host Ext_eMail
 network-object host Ext_Diary
object-group network DM_INLINE_NETWORK_6
 network-object host SRVEXCH01
 group-object Skadden_SMTP
object-group network DM_INLINE_NETWORK_7
 network-object host SRVEXCH01
 group-object Skadden_SMTP
access-list Inside_access_in remark Allows SMTP to MessageLabs
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_16 host SRVEXCH01 host CR_SMTP
access-list Inside_access_in remark Allows outbound ICMP
access-list Inside_access_in extended permit icmp VLAN_All 255.255.0.0 any inactive
access-list Outside_access_in remark Allows MessageLabs to send SMTP inbound
access-list Outside_access_in extended permit tcp object-group MessageLabs_Towers host Ext_eMail eq smtp
access-list Outside_access_in remark Allows access to OWA for xxxx
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_TCP_5
access-list Outside_access_in extended permit ip VLAN_Clients-VPN 255.255.255.0 VLAN_All 255.255.0.0
access-list Outside_access_in extended permit icmp any VLAN_All 255.255.0.0 inactive
access-list Brick-Court-Client-VPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 VLAN_Clients-VPN 255.255.255.0
access-list Iris_VPN remark Permits RDP from Iris to SRVMLxx Servers
access-list Iris_VPN extended permit tcp VLAN_Clients-VPN 255.255.255.0 object-group DM_INLINE_NETWORK_2 eq 3389
access-list Outside_cryptomap_S2S-Ho remark Allows traffic to Howrey through the S2S
access-list Outside_cryptomap_S2S-Hoy extended permit ip host SRVEXCH01 host Howrey_SMTP
access-list Outside_cryptomap_S2S-Gi remark Allows traffic to GD through the S2S
access-list Outside_cryptomap_S2S-Gi extended permit ip host SRVEXCH01 host GD_SMTP
access-list Outside_cryptomap_S2S-Wil remark Allows traffic to Wilmerhale (DC) through the S2S
access-list Outside_cryptomap_S2S-Wil extended permit ip host SRVEXCH01 host Wilmerhale_SMTP_DC
access-list Outside_cryptomap_S2S-Wil remark Allows traffic to Wilmerhale (Boston) through the S2S
access-list Outside_cryptomap_S2S-Wil_Boston extended permit ip host SRVEXCH01 host Wilmer_SMTP_Boston
access-list Outside_cryptomap_S2S-In remark Allows traffic to Intel through the S2S
access-list Outside_cryptomap_S2S-In extended permit ip host SRVEXCH01 host Intel_SMTP
access-list Outside_cryptomap_S2S-Whi remark Allows access to White Case through the S2S
access-list Outside_cryptomap_S2S-Whi extended permit ip host SRVEXCH01 object-group WhiteCase_SMTP
access-list Outside_cryptomap_S2S-As remark Allows traffic to Ashurst through the S2S
access-list Outside_cryptomap_S2S-As extended permit ip host SRVEXCH01 host Ashurst_SMTP
access-list Outside_cryptomap_S2S-Bin remark Allows traffic to Bingham through S2S
access-list Outside_cryptomap_S2S-Bin extended permit ip host SRVEXCH01 object-group Bingham_SMTP
access-list Outside_cryptomap_S2S-Ch extended permit ip host SRVEXCH01 host CR_SMTP
access-list Outside_cryptomap extended permit ip host SRVEXCH01 object-group Sk_SMTP
pager lines 24
logging enable
logging list FW01_Access message 605004
logging list FW01_Access message 611102
logging list FW01_Access message 605005
logging list FW01_Access message 111005
logging list FW01_Access message 111008
logging list FW01_Access message 111004
logging buffer-size 16384
logging buffered debugging
logging asdm debugging
logging mail FW01_Access
logging from-address fw01@xxxx
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Client-VPN-Pool 172.16.100.10-172.16.100.250 mask 255.255.255.0
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
icmp permit any Inside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) Ext_eMail SRVEXCH01 netmask 255.255.255.255
static (Inside,Outside) Ext_Diary SRVINQ01_2 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 194.73.85.97 1
route Inside VLAN_All 255.255.0.0 10.10.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD-Kerberos protocol kerberos
aaa-server AD-Kerberos (Inside) host SRVDC01
 kerberos-realm xxxx
aaa-server AD-Kerberos (Inside) host SRVDC02
 kerberos-realm xxxx
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (Inside) host SRVDC01
 server-port 389
 ldap-base-dn dc=xxx, dc=co, dc=uk
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn svc-ldap
 server-type auto-detect
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http server idle-timeout 15
http 192.168.1.0 255.255.255.0 management
http VLAN_Servers 255.255.255.0 Inside
http 10.10.20.0 255.255.255.0 Inside
http 10.0.0.0 255.0.0.0 Inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 0
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df Outside
crypto ipsec df-bit clear-df Inside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 10 match address Outside_cryptomap
crypto map Outside_map 10 set peer 162.90.96.10
crypto map Outside_map 10 set transform-set ESP-3DES-MD5
crypto map Outside_map 10 set security-association lifetime seconds 3600
crypto map Outside_map 10 set nat-t-disable
crypto map Outside_map 11 match address Outside_cryptomap_S2S-How
crypto map Outside_map 11 set peer 206.16.198.163
crypto map Outside_map 11 set transform-set ESP-AES-256-SHA
crypto map Outside_map 11 set security-association lifetime seconds 3600
crypto map Outside_map 11 set nat-t-disable
crypto map Outside_map 12 match address Outside_cryptomap_S2S-Ch
crypto map Outside_map 12 set peer 65.198.98.2
crypto map Outside_map 12 set transform-set ESP-AES-256-SHA
crypto map Outside_map 12 set security-association lifetime seconds 3600
crypto map Outside_map 12 set nat-t-disable
crypto map Outside_map 13 match address Outside_cryptomap_S2S-Gi
crypto map Outside_map 13 set peer 12.129.218.3
crypto map Outside_map 13 set transform-set ESP-3DES-MD5
crypto map Outside_map 13 set security-association lifetime seconds 3600
crypto map Outside_map 13 set nat-t-disable
crypto map Outside_map 16 match address Outside_cryptomap_S2S-In
crypto map Outside_map 16 set peer 143.183.175.4
crypto map Outside_map 16 set transform-set ESP-AES-256-SHA
crypto map Outside_map 16 set security-association lifetime seconds 3600
crypto map Outside_map 16 set nat-t-disable
crypto map Outside_map 18 match address Outside_cryptomap_S2S-Wh
crypto map Outside_map 18 set peer 206.103.20.119
crypto map Outside_map 18 set transform-set ESP-AES-256-MD5
crypto map Outside_map 18 set security-association lifetime seconds 3600
crypto map Outside_map 18 set nat-t-disable
crypto map Outside_map 19 match address Outside_cryptomap_S2S-Ash
crypto map Outside_map 19 set peer 194.131.14.25
crypto map Outside_map 19 set transform-set ESP-AES-256-MD5
crypto map Outside_map 19 set security-association lifetime seconds 3600
crypto map Outside_map 19 set nat-t-disable
crypto map Outside_map 20 match address Outside_cryptomap_S2S-Bin
crypto map Outside_map 20 set peer 38.114.160.87
crypto map Outside_map 20 set transform-set ESP-3DES-MD5
crypto map Outside_map 20 set security-association lifetime seconds 3600
crypto map Outside_map 20 set nat-t-disable
crypto map Outside_map 21 match address Outside_cryptomap_S2S-Wi
crypto map Outside_map 21 set peer 216.207.71.1
crypto map Outside_map 21 set transform-set ESP-AES-256-SHA
crypto map Outside_map 21 set security-association lifetime seconds 3600
crypto map Outside_map 21 set nat-t-disable
crypto map Outside_map 22 match address Outside_cryptomap_S2S-Wi
crypto map Outside_map 22 set peer 148.139.13.5
crypto map Outside_map 22 set transform-set ESP-AES-256-SHA
crypto map Outside_map 22 set security-association lifetime seconds 3600
crypto map Outside_map 22 set nat-t-disable
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 3600
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 25
 authentication pre-share
 encryption aes-256
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 55
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet VLAN_Servers 255.255.255.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 10
ssh 10.10.20.0 255.255.255.0 Inside
ssh timeout 10
ssh version 2
console timeout 10
management-access management
dhcpd address 192.168.1.10-192.168.1.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 158.43.128.33 source Outside prefer
ntp server 158.43.128.66 source Outside
webvpn
 enable Outside
 svc image disk0:/anyconnect-win-2.3.0185-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy B internal
group-policy B attributes
 banner value **********************************************************
 banner value
 banner value You have successfully connected to the
 banner value x
 banner value
 banner value If you are not specifically authorised to use
 banner value this service you MUST disconnect immediately.
 banner value
 banner value **********************************************************
 dns-server value 10.10.10.11 10.10.10.12
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Br VPN_splitTunnelAcl
 default-domain value xxxx
 msie-proxy method no-proxy
 webvpn
  url-list value Default
  deny-message value Login was unsuccessful. You may have entered your username or password incorrectly. Please try again
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ip-comp enable
group-policy Iris internal
group-policy Iris attributes
 banner value **********************************************************
 banner value
 banner value You have successfully connected to the
 banner value xxx
 banner value
 banner value N.B. This service is monitored and must only
 banner value be used by designated 3rd Party Support Personnel.
 banner value
 banner value **********************************************************
 dns-server value 10.10.10.11 10.10.10.12
 vpn-idle-timeout 30
 vpn-session-timeout 480
 vpn-filter value Iris_VPN
 vpn-tunnel-protocol IPSec
 default-domain value xxxx
username
username
username
username
username
username
tunnel-group Br
tunnel-group Br
 address-pool Client-VPN-Pool
 authentication-server-group AD-Kerberos
 default-group-policy Br
tunnel-group Br-attributes
 group-alias xxxx enable
tunnel-group Br ipsec-attributes
 pre-shared-key *
tunnel-group Sk type ipsec-l2l
tunnel-group Sk ipsec-attributes
 pre-shared-key *
tunnel-group 162.90.96.10 type ipsec-l2l
tunnel-group 162.90.96.10 ipsec-attributes
 pre-shared-key *
tunnel-group Iris type remote-access
tunnel-group Iris general-attributes
 address-pool Client-VPN-Pool
 authentication-server-group AD-Kerberos
 default-group-policy Iris
tunnel-group Iris ipsec-attributes
 pre-shared-key *
tunnel-group Iris ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
tunnel-group 206.16.198.163 type ipsec-l2l
tunnel-group 206.16.198.163 ipsec-attributes
 pre-shared-key *
tunnel-group 216.207.71.1 type ipsec-l2l
tunnel-group 216.207.71.1 ipsec-attributes
 pre-shared-key *
tunnel-group 12.129.218.3 type ipsec-l2l
tunnel-group 12.129.218.3 ipsec-attributes
 pre-shared-key *
tunnel-group 148.139.13.5 type ipsec-l2l
tunnel-group 148.139.13.5 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group 143.183.175.4 type ipsec-l2l
tunnel-group 143.183.175.4 ipsec-attributes
 pre-shared-key *
tunnel-group 65.198.98.2 type ipsec-l2l
tunnel-group 65.198.98.2 ipsec-attributes
 pre-shared-key *
tunnel-group 206.103.20.119 type ipsec-l2l
tunnel-group 206.103.20.119 ipsec-attributes
 pre-shared-key *
tunnel-group 194.131.14.25 type ipsec-l2l
tunnel-group 194.131.14.25 ipsec-attributes
 pre-shared-key *
tunnel-group 38.114.160.87 type ipsec-l2l
tunnel-group 38.114.160.87 ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect tftp
!
service-policy global_policy global
smtp-server 10.0.0.10
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:540684bf734e43801158caa6aace8e3e
: end
asdm image disk0:/asdm-621.bin
asdm location VLAN_Servers 255.255.255.0 Inside
asdm location VLAN_All 255.255.0.0 Inside
asdm location SRVAPP03 255.255.255.255 Inside
asdm location SRVAPP01 255.255.255.255 Inside
asdm location SRVISA01 255.255.255.255 Inside
asdm location SRVML01 255.255.255.255 Inside
asdm location SRVML02 255.255.255.255 Inside
asdm location SRVEXCH01 255.255.255.255 Inside
asdm location Howrey_SMTP 255.255.255.255 Inside
asdm location GD_SMTP 255.255.255.255 Inside
asdm location Wilmerhale_SMTP_DC 255.255.255.255 Inside
asdm location Intel_SMTP 255.255.255.255 Inside
asdm location CR_SMTP 255.255.255.255 Inside
asdm location WhiteCase_01 255.255.255.255 Inside
asdm location WhiteCase_02 255.255.255.255 Inside
asdm location Ashurst_SMTP 255.255.255.255 Inside
asdm location Bingham_01 255.255.255.255 Inside
asdm location Bingham_02 255.255.255.255 Inside
asdm location Intel_Monitor_1 255.255.255.0 Inside
asdm location Ext_eMail 255.255.255.255 Inside
asdm location Ext_Intranet 255.255.255.255 Inside
asdm location FW01 255.255.255.255 Inside
asdm location HADES 255.255.255.255 Inside
asdm location VLAN_B 255.255.255.0 Inside
asdm location VLAN_Staff 255.255.255.0 Inside
asdm location SRVIQ01 255.255.255.255 Inside
asdm location SRVINQ01 255.255.255.255 Inside
asdm location Ext_Diary 255.255.255.255 Inside
asdm location SRVINQ01_2 255.255.255.255 Inside
no asdm history enable



OK, so you have an access-list on your inside interface that is found in this line:

access-group Inside_access_in in interface Inside

So now we know your access-list is called Inside_access_in.

Here is the ACL:
access-list Inside_access_in remark Allows SMTP to MessageLabs
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_16 host SRVEXCH01 host CR_SMTP
access-list Inside_access_in remark Allows outbound ICMP
access-list Inside_access_in extended permit icmp VLAN_All 255.255.0.0 any inactive

So it looks like you will need to add this if you want to allow POP3:

access-list Inside_access_in remark Allows POP3 outbound
access-list Inside_access_in extended permit any any eq 110

My line is very general; if you want to narrow it down for some reason, you will need to change the "any" to host X.X.X.X or a network range.

Good Luck,

3nerds
Yeah, you need to allow POP on the access-list "inside_access_in", which is bound to the LAN interface.  The command is:

access-list inside_access_in permit tcp any any eq 110  <enter>

That will allow inside hosts to hit pop servers outside your network.  --TX

Author

Commented:

So I need to add this rule to the firewall, can I add this through ASDM or do I need to do it through the CLI?

Just to confirm, are the commands I need to use correct below, where 1.2.3.4 is the IP address of the external POP3 server? I assume nothing needs to be done for the inbound?

access-list Inside_access_in remark Allows POP3 outbound
access-list Inside_access_in extended permit any 1.2.3.4 eq 110

Thanks and sorry for the basic questions as I am new to this.
That looks right.

You can use ASDM; the problem is that explaining how to add rules via text is tough, so I stick with the command line.


Regards,

3nerds

Author

Commented:
Sorry for the late reply, I have been away.

I tried this command but it's showing a warning at "any":

access-list Inside_access_in remark Allows POP3 outbound
access-list Inside_access_in extended permit any 1.2.3.4 eq 110

Does the any need to be replaced with an IP address or node?

Thanks
access-list Inside_access_in extended permit any 1.2.3.4 eq 110

The any is fine; it is what is after it.

If 1.2.3.4 is a host you have to put host in front of it or add a network mask afterward.

My suggestion was this:
access-list Inside_access_in remark Allows POP3 outbound
access-list Inside_access_in extended permit any any eq 110

You suggested this:
access-list Inside_access_in remark Allows POP3 outbound
access-list Inside_access_in extended permit any 1.2.3.4 eq 110

Change yours to this:
access-list Inside_access_in remark Allows POP3 outbound
access-list Inside_access_in extended permit any host 1.2.3.4 eq 110

Regards,

3nerds

Author

Commented:
I have tried both commands but it still comes up with Error Invalid input detected at any.

Is there something else I am doing wrong?

Thanks
100% my fault, I need to remember to reread my answers.

Here is an example from a working config I have:
access-list inbound extended permit tcp any host X.X.X.X eq pop3

Here is the example I gave you:

access-list Inside_access_in extended permit any host 1.2.3.4 eq 110

See what's missing? You need to add tcp to the ACL. Sorry for the confusion.

access-list Inside_access_in extended permit tcp any host 1.2.3.4 eq 110

Regards,

3nerds

Author

Commented:
Hi

Thanks, I am now able to run this command and sending to the external POP3 server is fine.

But receiving from the POP3 server is blocked. Is there another command to allow Outlook to receive from the external POP3 server?

I don't know if this helps, but in the Outlook settings for the external mail server the incoming server is mail.xxx.net and the outgoing server is smtp.xxx.net.

Hopefully we are nearly there.
You have your inside ACL very restrictive, so if you want SMTP to flow as well you will have to repeat the process for port 25.

access-list Inside_access_in remark Allows SMTP outbound
access-list Inside_access_in extended permit tcp any host 4.3.2.1 eq 25 --> 4.3.2.1 is smtp.xxx.net just like 1.2.3.4 was mail.x.x.x.net

Regards,

3nerds

Author

Commented:
Receiving still didn't work because it was using SSL for POP3 access; I changed it to port 995 and everything is good.

Thanks a lot for your help.
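Added example (not from the thread, nor Cisco code): a small Python checker for the `access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [inactive]` subset used in the lines suggested above. It rejects the two mistakes that produced "Invalid input detected" in this thread (no protocol keyword, and a bare IP with neither `host` in front nor a netmask after it), then evaluates whether an outbound flow would be permitted by the resulting inside ACL, including the implicit deny. The ACL name and the 1.2.3.4 / 4.3.2.1 addresses are the thread's placeholders; object-group references from the real config are out of scope.

```python
"""Syntax check and first-match evaluation for ASA-style extended ACL lines.

Added example for this thread, not the firewall's own code. Handles only the
`access-list NAME extended permit|deny PROTO SRC DST [eq PORT] [inactive]`
subset; object-group references are not parsed.
"""
import ipaddress
import re

# Port keywords the ASA accepts in place of numbers (subset used in the thread)
PORT_NAMES = {"pop3": 110, "smtp": 25, "pop3s": 995, "imap4": 143, "www": 80, "https": 443}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class AclSyntaxError(ValueError):
    """Raised where the ASA CLI would answer 'Invalid input detected'."""


def _parse_address(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D NETMASK."""
    if not tokens:
        raise AclSyntaxError("missing address")
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        if not tokens or not DOTTED_QUAD.fullmatch(tokens[0]):
            raise AclSyntaxError("'host' must be followed by an IP address")
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if not DOTTED_QUAD.fullmatch(tok):
        raise AclSyntaxError(f"invalid input detected at '{tok}'")
    # A bare IP must be followed by a netmask: the error hit with '1.2.3.4 eq 110'.
    if not tokens or not DOTTED_QUAD.fullmatch(tokens[0]):
        raise AclSyntaxError(f"'{tok}' needs 'host' in front of it or a netmask after it")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_ace(line):
    """Parse one access-list line into a dict; remark lines return None."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise AclSyntaxError("line must start with 'access-list NAME'")
    name = tokens[1]
    if tokens[2] == "remark":
        return None
    if tokens[2] != "extended":
        raise AclSyntaxError(f"invalid input detected at '{tokens[2]}'")
    if len(tokens) < 4 or tokens[3] not in ("permit", "deny"):
        raise AclSyntaxError("expected 'permit' or 'deny' after 'extended'")
    action, rest = tokens[3], tokens[4:]
    # 'permit any ...' with no protocol is exactly what the ASA rejected at 'any'.
    if not rest or rest[0] not in PROTOCOLS:
        bad = rest[0] if rest else "<end of line>"
        raise AclSyntaxError(f"invalid input detected at '{bad}': protocol (tcp/udp/ip/icmp) required")
    proto = rest.pop(0)
    inactive = rest[-1] == "inactive" if rest else False
    if inactive:
        rest.pop()
    src = _parse_address(rest)
    dst = _parse_address(rest)
    dport = None
    if rest:
        if rest[0] != "eq" or len(rest) != 2:
            raise AclSyntaxError(f"invalid input detected at '{rest[0]}'")
        try:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        except ValueError:
            raise AclSyntaxError(f"unknown port '{rest[1]}'") from None
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "inactive": inactive}


def parse_acl(text):
    """Parse a block of lines, dropping remarks and blank lines."""
    aces = []
    for line in text.strip().splitlines():
        if line.strip():
            ace = parse_ace(line)
            if ace:
                aces.append(ace)
    return aces


def is_permitted(aces, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; no match means the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["inactive"] or ace["proto"] not in ("ip", proto):
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


# Constructed sample: the thread's final working lines, with POP3 moved to 995.
INSIDE_ACL = """
access-list Inside_access_in remark Allows POP3 over SSL outbound
access-list Inside_access_in extended permit tcp any host 1.2.3.4 eq 995
access-list Inside_access_in remark Allows SMTP outbound
access-list Inside_access_in extended permit tcp any host 4.3.2.1 eq 25
access-list Inside_access_in remark Allows outbound ICMP
access-list Inside_access_in extended permit icmp 10.10.0.0 255.255.0.0 any inactive
"""

# The lines that failed in the thread, for comparison.
BROKEN_LINES = [
    "access-list Inside_access_in extended permit any 1.2.3.4 eq 110",
    "access-list Inside_access_in extended permit any host 1.2.3.4 eq 110",
    "access-list Inside_access_in extended permit tcp any 1.2.3.4 eq 110",
]

if __name__ == "__main__":
    aces = parse_acl(INSIDE_ACL)
    print("POP3S to mail server:", is_permitted(aces, "tcp", "10.10.20.5", "1.2.3.4", 995))
    print("plain POP3 to mail server:", is_permitted(aces, "tcp", "10.10.20.5", "1.2.3.4", 110))
    print("ICMP (entry inactive):", is_permitted(aces, "icmp", "10.10.20.5", "8.8.8.8"))
    for line in BROKEN_LINES:
        try:
            parse_ace(line)
        except AclSyntaxError as err:
            print("rejected:", err)
```

Once the entry is narrowed to port 995 as in the final post, a client still configured for plain POP3 on 110 falls through to the implicit deny, which is the expected least-privilege outcome.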
