
Solved

ASA 5505 email not working with current configuration

Posted on 2010-08-17
772 Views
Last Modified: 2012-05-10
Dear Experts,

I am having a hard time with our change of firewall. I cannot get the right rule for our email to work. The main problem I have is that I cannot get into the current firewall to see the actual rules for the email server. We do not have the password and I cannot work around it. But we do have the MX record public IP information. Our email comes from MX Logic, and the MX records are hosted by our ISP. This ASA firewall is configured to work with dual ISPs. Internet access is fine.

ASA Version 7.2(4)
!


Sample config
names
name 10.1.1.25 sjd-00 description Email Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 description
 backup interface Vlan3
 nameif primary-isp
 security-level 0
 ip address 66.xx.xx.226 255.255.255.224
!
interface Vlan3
 description
 nameif backup-isp
 security-level 0
 ip address 140.xx.xx.194 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
 switchport trunk allowed vlan 3
!
interface Ethernet0/2
 switchport trunk allowed vlan 2-3
 switchport mode trunk
!
interface Ethernet0/3
 switchport protected
 shutdown
!
interface Ethernet0/4
 switchport protected
 shutdown
!
interface Ethernet0/5
 switchport protected
!
interface Ethernet0/6
 switchport access vlan 69
!
interface Ethernet0/7
 switchport access vlan 69
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server emailserver-00
 name-server 65.xx.xx.196
 domain-name mydoamin.org
object-group service remotedesktop tcp
 port-object eq 3389
object-group network internal_lan
object-group network email_server_static
 network-object host sjd-00
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network smtp
 group-object email_server_static
access-list deny-flow-max 200
access-list primary-isp_access_in extended permit tcp host 66.xx.xx.240 host sjd-00 eq smtp
access-list primary-isp_access_in extended permit icmp any any echo-reply
access-list primary-isp_access_in extended permit icmp any host sjd-00
access-list inside extended permit tcp any interface inside eq 4125
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside extended permit tcp any interface primary-isp eq www
access-list outside extended permit tcp any interface primary-isp eq https
access-list outside extended permit tcp any interface primary-isp eq 444
access-list outside extended permit tcp any interface primary-isp eq 8080
access-list primary-isp extended permit ip any any
access-list backup-isp extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 any
access-list onside_access_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host sjd-00 eq smtp
access-list outside_in extended permit tcp any host 10.1.1.0 eq www
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq https

access-list backup-isp_access_in extended permit icmp any any echo-reply
access-list backup-isp_access_in_1 extended permit tcp host 140.xx.xx.195 host sjd-00 eq smtp
access-list backup-isp_access_in_1 extended permit icmp any any echo-reply
access-list backup-isp_access_in_1 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu primary-isp 1500
mtu backup-isp 1500
no failover
monitor-interface inside
monitor-interface primary-isp
monitor-interface backup-isp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any primary-isp
icmp permit any backup-isp
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (primary-isp) 1 interface
global (backup-isp) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (primary-isp,inside) tcp sjd-00 smtp 66.xx.xx.240 smtp netmask 255.255.255.255
access-group primary-isp_access_in in interface primary-isp
access-group backup-isp_access_in_1 in interface backup-isp
route primary-isp 0.0.0.0 0.0.0.0 66.xx.xx.225 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 140.xx.xx.193 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.2.1.0 255.255.255.0 inside
http authentication-certificate primary-isp
http authentication-certificate backup-isp
http redirect primary-isp 80
http redirect backup-isp 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 66.0.0.225 interface primary-isp
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability

console timeout 0
management-access inside


!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
! Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

sjdfw1 up 4 days 16 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   :  CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode:  CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is c84c.75bb.f3d9, irq 11
 1: Ext: Ethernet0/0         : address is c84c.75bb.f3d1, irq 255
 2: Ext: Ethernet0/1         : address is c84c.75bb.f3d2, irq 255
 3: Ext: Ethernet0/2         : address is c84c.75bb.f3d3, irq 255
 4: Ext: Ethernet0/3         : address is c84c.75bb.f3d4, irq 255
 5: Ext: Ethernet0/4         : address is c84c.75bb.f3d5, irq 255
 6: Ext: Ethernet0/5         : address is c84c.75bb.f3d6, irq 255
 7: Ext: Ethernet0/6         : address is c84c.75bb.f3d7, irq 255
 8: Ext: Ethernet0/7         : address is c84c.75bb.f3d8, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : 10        
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 25        
WebVPN Peers                : 2        
Dual ISPs                   : Enabled  
VLAN Trunk Ports            : 8        

This platform has an ASA 5505 Security Plus license.


Please remember that our email is filtered and comes from MX Logic.

0
Comment
Question by:marceloNYC
4 Comments
 
LVL 4

Accepted Solution

by:
jffrybauer earned 2000 total points
ID: 33457242
I use mx logic for several clients and have always had to add:

access-list inbound extended permit tcp 208.65.144.0 255.255.248.0 host 1.2.3.4 eq smtp
access-list inbound extended permit tcp 208.81.64.0 255.255.252.0 host 1.2.3.4 eq smtp

In mxlogic control panel, make sure under the setup tab you have your mail server IP listed.

Also under Setup > MX records tab you can find the Firewall IP settings (the 208. addresses I have listed above).
0
 
LVL 4

Expert Comment

by:jffrybauer
ID: 33457263
sorry for the double post...once you have the MX Logic IPs in your access list, you should remove all other SMTP ACLs so you don't leave a back door open to your mailserver.
0
 
LVL 4

Expert Comment

by:jffrybauer
ID: 33457288
sorry for the triple post....

host 1.2.3.4 of course being your mailservers public IP...
0
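Putting the three comments above together as one change set for the poster's ASA 7.2(4) config. This is an added example, not code from the thread or from Cisco. It assumes that 66.xx.xx.240 (the address in the poster's own static, with the poster's xx redactions left in place) is the mail server's public SMTP address on the primary ISP, that 140.xx.xx.195 from the poster's backup-isp ACL is the matching public address on the backup ISP, and that the two MX Logic source ranges are the ones the accepted answer lists. The sample source addresses used in the packet-tracer checks are constructed for the example. Two defects in the posted config are corrected along the way: the static is written in the reverse direction (on pre-8.3 ASA the form is static (real_ifc,mapped_ifc) tcp mapped_ip port real_ip port), and the inbound ACE matches the inside name sjd-00, whereas an inbound interface ACL on this release is evaluated against the mapped (public) address.

```cisco
! --- Remove the two primary-ISP lines that cannot work as written ---
! (static had interfaces/addresses reversed; ACE used the inside address as
!  destination and the server's own public IP as source)
no static (primary-isp,inside) tcp sjd-00 smtp 66.xx.xx.240 smtp netmask 255.255.255.255
no access-list primary-isp_access_in extended permit tcp host 66.xx.xx.240 host sjd-00 eq smtp

! --- Publish TCP/25 only: static (real_ifc,mapped_ifc) tcp mapped_ip port real_ip port ---
static (inside,primary-isp) tcp 66.xx.xx.240 smtp sjd-00 smtp netmask 255.255.255.255
! Assumption: 140.xx.xx.195 is the public SMTP address on the backup ISP
static (inside,backup-isp) tcp 140.xx.xx.195 smtp sjd-00 smtp netmask 255.255.255.255

! --- Primary ISP inbound ACL: only the MX Logic ranges, to the PUBLIC address ---
access-list primary-isp_access_in extended permit tcp 208.65.144.0 255.255.248.0 host 66.xx.xx.240 eq smtp
access-list primary-isp_access_in extended permit tcp 208.81.64.0 255.255.252.0 host 66.xx.xx.240 eq smtp
access-list primary-isp_access_in extended deny ip any any log
access-group primary-isp_access_in in interface primary-isp

! --- Backup ISP inbound ACL: same idea; drop the wrong SMTP ACE and the blanket icmp permit ---
no access-list backup-isp_access_in_1 extended permit tcp host 140.xx.xx.195 host sjd-00 eq smtp
no access-list backup-isp_access_in_1 extended permit icmp any any
access-list backup-isp_access_in_1 extended permit tcp 208.65.144.0 255.255.248.0 host 140.xx.xx.195 eq smtp
access-list backup-isp_access_in_1 extended permit tcp 208.81.64.0 255.255.252.0 host 140.xx.xx.195 eq smtp
access-list backup-isp_access_in_1 extended deny ip any any log
access-group backup-isp_access_in_1 in interface backup-isp

! --- "Remove all other SMTP ACLs": outside_in is not bound to any interface but
!     still carries 'permit tcp any host sjd-00 eq smtp'; delete it so nobody binds it later ---
clear configure access-list outside_in

! --- Verify: rebuild translations, then trace one allowed and one forbidden source ---
clear xlate
show xlate
! constructed sample source inside 208.65.144.0/21: expect NAT 66.xx.xx.240/25 -> 10.1.1.25/25, ACCESS-LIST ALLOW
packet-tracer input primary-isp tcp 208.65.144.10 1025 66.xx.xx.240 25
! constructed non-MX Logic source (TEST-NET-3): expect DROP, acl-drop
packet-tracer input primary-isp tcp 203.0.113.5 1025 66.xx.xx.240 25
show access-list primary-isp_access_in
write memory
```

The explicit deny with log is not required (the ASA has an implicit deny at the end of every interface ACL) but it makes refused SMTP attempts visible in the syslog, which is how you notice when MX Logic changes its published ranges; confirm those ranges against the Setup > MX records page the answer mentions before relying on them. With dual ISPs, inbound mail will only arrive on the backup address if an MX record also points at it; the static and ACL on backup-isp are harmless otherwise.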
 

Author Closing Comment

by:marceloNYC
ID: 33579528
Thank You!!
0
