Solved

ASA 5505 email not working with current configuration

Posted on 2010-08-17
Last Modified: 2012-05-10
Dear Experts,

I am having a hard time with our change of firewall. I cannot get the right rule for our email to work. The main problem I have is that I cannot get into the current firewall to see the actual rules for the email server. We do not have the password and I cannot work around it. But we do have the MX record public IP information. Our email comes from MX Logic, and the MX records are hosted by our ISP. This ASA firewall is configured to work with dual ISPs. Internet access is fine.

ASA Version 7.2(4)
!


Sample config
names
name 10.1.1.25 sjd-00 description Email Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 description
 backup interface Vlan3
 nameif primary-isp
 security-level 0
 ip address 66.xx.xx.226 255.255.255.224
!
interface Vlan3
 description
 nameif backup-isp
 security-level 0
 ip address 140.xx.xx.194 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
 switchport trunk allowed vlan 3
!
interface Ethernet0/2
 switchport trunk allowed vlan 2-3
 switchport mode trunk
!
interface Ethernet0/3
 switchport protected
 shutdown
!
interface Ethernet0/4
 switchport protected
 shutdown
!
interface Ethernet0/5
 switchport protected
!
interface Ethernet0/6
 switchport access vlan 69
!
interface Ethernet0/7
 switchport access vlan 69
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server emailserver-00
 name-server 65.xx.xx.196
 domain-name mydoamin.org
object-group service remotedesktop tcp
 port-object eq 3389
object-group network internal_lan
object-group network email_server_static
 network-object host sjd-00
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network smtp
 group-object email_server_static
access-list deny-flow-max 200
access-list primary-isp_access_in extended permit tcp host 66.xx.xx.240 host sjd-00 eq smtp
access-list primary-isp_access_in extended permit icmp any any echo-reply
access-list primary-isp_access_in extended permit icmp any host sjd-00
access-list inside extended permit tcp any interface inside eq 4125
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside extended permit tcp any interface primary-isp eq www
access-list outside extended permit tcp any interface primary-isp eq https
access-list outside extended permit tcp any interface primary-isp eq 444
access-list outside extended permit tcp any interface primary-isp eq 8080
access-list primary-isp extended permit ip any any
access-list backup-isp extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 any
access-list onside_access_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host sjd-00 eq smtp
access-list outside_in extended permit tcp any host 10.1.1.0 eq www
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 10.1.1.0 255.255.255.0 any eq https

access-list backup-isp_access_in extended permit icmp any any echo-reply
access-list backup-isp_access_in_1 extended permit tcp host 140.xx.xx.195 host sjd-00 eq smtp
access-list backup-isp_access_in_1 extended permit icmp any any echo-reply
access-list backup-isp_access_in_1 extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu primary-isp 1500
mtu backup-isp 1500
no failover
monitor-interface inside
monitor-interface primary-isp
monitor-interface backup-isp
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any primary-isp
icmp permit any backup-isp
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (primary-isp) 1 interface
global (backup-isp) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
static (primary-isp,inside) tcp sjd-00 smtp 66.xx.xx.240 smtp netmask 255.255.255.255
access-group primary-isp_access_in in interface primary-isp
access-group backup-isp_access_in_1 in interface backup-isp
route primary-isp 0.0.0.0 0.0.0.0 66.xx.xx.225 1 track 1
route backup-isp 0.0.0.0 0.0.0.0 140.xx.xx.193 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute


http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.2.1.0 255.255.255.0 inside
http authentication-certificate primary-isp
http authentication-certificate backup-isp
http redirect primary-isp 80
http redirect backup-isp 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho 66.0.0.225 interface primary-isp
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability

console timeout 0
management-access inside


!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
! Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

sjdfw1 up 4 days 16 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   :  CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode:  CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  :  CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is c84c.75bb.f3d9, irq 11
 1: Ext: Ethernet0/0         : address is c84c.75bb.f3d1, irq 255
 2: Ext: Ethernet0/1         : address is c84c.75bb.f3d2, irq 255
 3: Ext: Ethernet0/2         : address is c84c.75bb.f3d3, irq 255
 4: Ext: Ethernet0/3         : address is c84c.75bb.f3d4, irq 255
 5: Ext: Ethernet0/4         : address is c84c.75bb.f3d5, irq 255
 6: Ext: Ethernet0/5         : address is c84c.75bb.f3d6, irq 255
 7: Ext: Ethernet0/6         : address is c84c.75bb.f3d7, irq 255
 8: Ext: Ethernet0/7         : address is c84c.75bb.f3d8, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8        
VLANs                       : 20, DMZ Unrestricted
Inside Hosts                : 10        
Failover                    : Active/Standby
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled  
VPN Peers                   : 25        
WebVPN Peers                : 2        
Dual ISPs                   : Enabled  
VLAN Trunk Ports            : 8        

This platform has an ASA 5505 Security Plus license.


Please remember that our email is filtered and comes from MX Logic.

Question by: marceloNYC

Accepted Solution by: jffrybauer (earned 500 total points)
I use mx logic for several clients and have always had to add:

access-list inbound extended permit tcp 208.65.144.0 255.255.248.0 host 1.2.3.4 eq smtp
access-list inbound extended permit tcp 208.81.64.0 255.255.252.0 host 1.2.3.4 eq smtp

In mxlogic control panel, make sure under the setup tab you have your mail server IP listed.

Also under Setup > MX records tab you can find the Firewall IP settings (the 208. addresses I have listed above).
Expert Comment by: jffrybauer
Sorry for the double post... once you have the MX Logic IPs in your access list, you should remove all other SMTP ACLs so you don't leave a back door open to your mail server.
Expert Comment by: jffrybauer
Sorry for the triple post....

host 1.2.3.4 of course being your mail server's public IP...
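As an added example (not code from the thread, from MX Logic or from Cisco), the following Python audit applies jffrybauer's advice to a config written in the style of the one posted: it flags SMTP permits whose source is not one of the MX Logic ranges quoted in the accepted answer, SMTP permits from `any`, and ACLs that are never bound with `access-group`. The sample lines are constructed, with documentation addresses (192.0.2.x) in place of the redacted octets, and the 208.x ranges are assumed to be current and should be confirmed in the MX Logic control panel.

```python
import ipaddress
import re
# MX Logic delivery ranges as quoted in the accepted answer; confirm them in
# the MX Logic control panel (Setup > MX records) before relying on them.
ALLOWED_SMTP_SOURCES = [ipaddress.ip_network("208.65.144.0/21"),
                        ipaddress.ip_network("208.81.64.0/22")]

# Constructed excerpt modelled on the posted config; redacted octets are
# replaced with documentation addresses (192.0.2.x) so the lines parse.
SAMPLE_CONFIG = """\
access-list primary-isp_access_in extended permit tcp host 192.0.2.240 host 10.1.1.25 eq smtp
access-list primary-isp_access_in extended permit icmp any any echo-reply
access-list outside_in extended permit tcp any host 10.1.1.25 eq smtp
access-list outside_in extended deny ip any any log
access-list inbound extended permit tcp 208.65.144.0 255.255.248.0 host 10.1.1.25 eq smtp
access-group primary-isp_access_in in interface primary-isp
"""

# A permit-tcp ACE whose destination is a single host on port smtp.
ACE_RE = re.compile(r"^access-list (\S+) extended permit tcp (.+?) host (\S+) eq smtp$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def parse_source(token):
    """ASA source token ('any', 'host A', 'A MASK') -> ip_network, or None for 'any'."""
    parts = token.split()
    if parts == ["any"]:
        return None
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(parts[0] + "/" + parts[1])  # dotted-mask form

def audit_smtp_aces(config):
    """Return (acl, source, reason) for each SMTP permit that is not safely scoped."""
    lines = [l.strip() for l in config.splitlines()]
    applied = {m.group(1) for m in map(GROUP_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = ACE_RE.match(line)
        if not m:
            continue
        acl, src = m.group(1), m.group(2)
        net = parse_source(src)
        if net is None:
            findings.append((acl, src, "source 'any' exposes SMTP beyond the filtering service"))
        elif not any(net.subnet_of(allowed) for allowed in ALLOWED_SMTP_SOURCES):
            findings.append((acl, src, "source is not an MX Logic delivery range"))
        if acl not in applied:
            findings.append((acl, src, "ACL is never bound with access-group"))
    return findings
```

Run `audit_smtp_aces(SAMPLE_CONFIG)` against a `show running-config` capture to list every SMTP permit that still needs tightening or binding.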
Author Closing Comment by: marceloNYC
Thank You!!