Avatar of LANadmn
LANadmnFlag for United States of America asked on

Cisco ASA 5505 Inbound SMTP to Exchaneg 2003

Hello ASA Guru's.

I am having an issue allowing SMTP traffic in. I have setup the static NAT and I have tested other applications such as remote desktop with the same NAT settings and it worked perfectly. I made sure inspection was turned off as well. When I run a packet trace from the ASDM on the outside interface sourcing from a public IP to my Public static it the traffic is fine. When I do the same trace on the inside interface it fails and it is complaining about my NAT. I have attached screenshots of my ACL, NAT, and a copy of the config
 putty.log putty.log Access Rules Inside NAT
Cisco

Avatar of undefined
Last Comment
LANadmn

8/22/2022 - Mon
Ernie Beek

First thing: get rid of your outside_access_in!!!!

permit ip any any? that is almost the same as having no firewall at all (in other words, not good).

I'll have a look at the rest now, give me a few minutes....
ASKER
LANadmn

done. I for got to remove it while I was testing my issue
Ernie Beek

Static is looking good. You just need an outside access list to match the incoming traffic on port 25:

access-list outside_access_in extended permit tcp any interface eq smtp

Thats the only rule you need right now. Accesslist are allways ended with an implicit 'deny all', so no need for the deny icmp rule.

Also, dump the inside accesslist. You are ending it with a permit ip any any so all traffic is allowed.

Next, inspect rules are good to have. Once you setup this correctly, put them back in place.

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER
LANadmn

how come my static nat worked with 3389?
Ernie Beek

Ah, testing. Ok you're forgiven ;)

Now let's see if we can get it to work.
ASKER
LANadmn

I appreciate your help I am new to firewalls ive been a server guy my whol elife

I am getting this error


access-list outside_access_in extended permit tcp any interface eq smtp
                                                                                                         ^
ERROR: % Invalid Hostname
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ernie Beek

The static with 3389 was to the same server?

Just to make sure.
ASKER
LANadmn

yes same server thats why im confused why SMTP is not working
Ernie Beek

Oops, my wrong.

You need the outside interface ip address in there (interface doesn't work for accesslists).
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER
LANadmn

replaced interface with my public same error
ASKER
LANadmn

for got the host before the ip
Ernie Beek

Sorry, keep forgetting you're new to this.

Try this:

access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp

Offcourse replacing x.x.x.x with your public.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
LANadmn

still cannot telnet to port 25 from the outside
ASKER
LANadmn

that's OK I am grateful for your help
Ernie Beek

Mmmmm,

Ok, so we have

access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp

access-group outside_access_in in interface outside

static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255

.....

How do you do a telnet from the outside?
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER
LANadmn

I am remoting into my home server
ASKER
LANadmn

I did a packet trace on the outside int with success public to public

when I do the inside I get this error public to private

Type-NAT Action-DROP
Config
NAT (inside) 1 0.0.0.0 0.0.0.0
nat control
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits=5006, untranslate_hits=0

When I click on the rule that is blocking it brings me to my Dynamic NAT any outside





ASKER
LANadmn

What is a NAT exempt?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
LANadmn

I have this feelign that if I add a NAT exempt it will work
ASKER
LANadmn

I have this feelign that if I add a NAT exempt it will work
Ernie Beek

Nat exempt: addresses not going through nat translation (don't want that for private ip's)

I was just walking the dogs and thought of something. There are a lot of ISPs overhere blocking port 25 'for security reasons'. Don't know how it is at your place.....

For now, I have to sign off (that's the problem with different time zones), it's way past my bedtime :-~

Could you post a configuration as it is now? I'll have a look at it tomorrow (or for you: in the middle of the night :) and see what is perhaps missing still.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER
LANadmn

we have a business account they allow 25 and 80. this was workign at one point. long story
Ernie Beek

Let's continue and turn on some logging.

In the ASDM you can open up a separate windows for logging purposes. Should be found at: monitoring -> logging -> real time log viewer.

When it is running, try to connect again and see if anything shows up in the log.
ASKER
LANadmn

Wierd. If I do the trace on the inside int from the ASA to the Exchange server using TCP src=25 dst=25 it points to the access list blocking the connection. If I change the source from the ASA to any other node on the network it points to the NAT. When I execute from the ASA ip it things its getting spoofed! NAT Block ACL Block
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ernie Beek

You can't do a trace from the inside (through the outside) to the inside. that's why you're getting these results.

What is showing up in the log if you try to connect to port 25 from the outside?
ASKER
LANadmn

I dont understand. I am trying to telnet from my home server to the dest. and My public doesnt even show up in the log trying to connect. but yet when I try on port 80 my public shows up in the logs and is denied from the ACL (which is correct)
ASKER
LANadmn

im wondering if my ISP is blocking it! even though we have a business account and port 80 is working
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Ernie Beek

Might want to check your server, if nothing shows in the logs that usually means its passed through.
ASKER
LANadmn

Interal telnet on port 25 works fine
ASKER
LANadmn

I called the ISP everyting looks good on their end
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Ernie Beek

Ok,

Could you post another config as it is now?

The internal telnet, did you do that to 192.168.0.5 or localhost (127.0.0.1)?
ASKER
LANadmn

from a host on the network to 192.168.0.5

I did a sh tech

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.12.02 14:05:34 =~=~=~=~=~=~=~=~=~=~=~=
login as:
@192.168.0.1's password:
Type help or '?' for a list of available commands.

FHQ-ASA-01> en
Password:

FHQ-ASA-01# sh tech

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(5)

Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"

FHQ-ASA-01 up 1 day 18 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001d.7007.1798, irq 11
 1: Ext: Ethernet0/0         : address is 001d.7007.1790, irq 255
 2: Ext: Ethernet0/1         : address is 001d.7007.1791, irq 255
 3: Ext: Ethernet0/2         : address is 001d.7007.1792, irq 255
 4: Ext: Ethernet0/3         : address is 001d.7007.1793, irq 255
 5: Ext: Ethernet0/4         : address is 001d.7007.1794, irq 255
 6: Ext: Ethernet0/5         : address is 001d.7007.1795, irq 255
<--- More --->
             
 7: Ext: Ethernet0/6         : address is 001d.7007.1796, irq 255
 8: Ext: Ethernet0/7         : address is 001d.7007.1797, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 50        
Failover                       : Disabled
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 10        
Total VPN Peers                : 10        
Dual ISPs                      : Disabled  
VLAN Trunk Ports               : 0        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
<--- More --->
             
Botnet Traffic Filter          : Disabled  

This platform has a Base license.

Serial Number:
Running Activation Key: 0x9800de50 0x209b10c7 0x94b3e110 0xbde43814 0x810d27a1
Configuration register is 0x1
Configuration last modified by  at 13:42:26.396 EST Thu Dec 2 2010

------------------ show disk0: controller ------------------


Flash Model: STI Flash 8.0.0


------------------ show clock ------------------

14:03:21.946 EST Thu Dec 2 2010

------------------ show crashinfo ------------------

Saved crash: 11:11:09.414 UTC Tue Feb 2 2010


<--- More --->
             
------------------ show module ------------------


Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5505 Adaptive Security Appliance         ASA5505            

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version    
--- --------------------------------- ------------ ------------ ---------------
  0 001d.7007.1790 to 001d.7007.179a  1.0          1.0(12)6     8.2(2)

Mod SSC Application Name           Status           SSC Application Version
--- ------------------------------ ---------------- --------------------------

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable        


------------------ show memory ------------------

Free memory:       104804624 bytes (39%)
Used memory:       163630832 bytes (61%)
-------------     ----------------
<--- More --->
             
Total memory:      268435456 bytes (100%)

------------------ show conn count ------------------

191 in use, 630 most used

------------------ show xlate count ------------------

220 in use, 1034 most used

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT
     0    400    399    400
     4    100     99     99
    80    150    134    150
   256    200    197    200
  1550   6884   6791   6873
  2048   1200   1145   1200
  2560    264    264    264
  4096    100    100    100
  8192    100    100    100
 16384    100    100    100
 65536     16     16     16
<--- More --->
             
CORE  LIMIT  ALLOC   HIGH    CNT       FAILED
   0  24576     21     21     20            0

------------------ show blocks queue history detail ------------------

History buffer memory usage: 2832 bytes (default)
History analysis time limit: 100 msec

Please see 'show blocks exhaustion snapshot' for more information

------------------ show interface ------------------

Interface Internal-Data0/0 "", is up, line protocol is up
  Hardware is y88acs06, BW 1000 Mbps, DLY 10 usec
      (Full-duplex), (1000 Mbps)
      Input flow control is unsupported, output flow control is unsupported
      MAC address 001d.7007.1798, MTU not set
      IP address unassigned
      17013444 packets input, 11575053040 bytes, 0 no buffer
      Received 206715 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops, 0 demux drops
      17074674 packets output, 11772189035 bytes, 0 underruns
      0 pause output, 0 resume output
<--- More --->
             
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops, 0 tx hangs
      input queue (blocks free curr/low): hardware (512/487)
      output queue (blocks free curr/low): hardware (510/443)
  Control Point Interface States:
      Interface number is 3
      Interface config status is active
      Interface state is active
Interface Internal-Data0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 1000 Mbps, DLY 10 usec
      (Full-duplex), (1000 Mbps)
      Input flow control is unsupported, output flow control is unsupported
      MAC address 0000.0003.0002, MTU not set
      IP address unassigned
      17073940 packets input, 11771873749 bytes, 0 no buffer
      Received 355 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 switch ingress policy drops
      17012801 packets output, 11574765744 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
<--- More --->
             
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 12
      Interface config status is active
      Interface state is active
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.7007.1798, MTU 1500
      IP address 192.168.0.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
      7084539 packets input, 1087471370 bytes
      10634243 packets output, 10332859126 bytes
      145618 packets dropped
      1 minute input rate 78 pkts/sec,  16072 bytes/sec
      1 minute output rate 104 pkts/sec,  86966 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 79 pkts/sec,  10333 bytes/sec
      5 minute output rate 123 pkts/sec,  128561 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
      Interface number is 15
      Interface config status is active
      Interface state is active
Interface Vlan2 "outside", is up, line protocol is up
<--- More --->
             
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
      MAC address 001d.7007.1798, MTU 1500
      IP address 75.127.190.2, subnet mask 255.255.255.248
  Traffic Statistics for "outside":
      9929291 packets input, 10078243014 bytes
      6440757 packets output, 1052735373 bytes
      48731 packets dropped
      1 minute input rate 82 pkts/sec,  80813 bytes/sec
      1 minute output rate 64 pkts/sec,  15407 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 104 pkts/sec,  122851 bytes/sec
      5 minute output rate 67 pkts/sec,  9775 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
      Interface number is 16
      Interface config status is active
      Interface state is active
Interface Virtual0 "_internal_loopback", is up, line protocol is up
  Hardware is Virtual      MAC address 0000.0000.0000, MTU 1500
      IP address 127.0.0.1, subnet mask 255.255.255.0
  Traffic Statistics for "_internal_loopback":
      1 packets input, 28 bytes
      1 packets output, 28 bytes
      1 packets dropped
<--- More --->
             
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
      Interface number is 13
      Interface config status is active
      Interface state is active
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1790, MTU not set
      IP address unassigned
      10006221 packets input, 10265223083 bytes, 0 no buffer
      Received 719 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      77285 switch ingress policy drops
      6440458 packets output, 1197819940 bytes, 0 underruns
      0 pause output, 0 resume output
<--- More --->
             
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      0 rate limit drops
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 4
      Interface config status is active
      Interface state is active
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1791, MTU not set
      IP address unassigned
      1736237 packets input, 1046967144 bytes, 0 no buffer
      Received 46738 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      1890558 packets output, 541401642 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
<--- More --->
             
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      0 rate limit drops
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 5
      Interface config status is active
      Interface state is active
Interface Ethernet0/2 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1792, MTU not set
      IP address unassigned
      7337420 packets input, 1314762615 bytes, 0 no buffer
      Received 159286 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      17646 switch ingress policy drops
      10921686 packets output, 11119023468 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
<--- More --->
             
      0 input reset drops, 0 output reset drops
      0 rate limit drops
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 6
      Interface config status is active
      Interface state is active
Interface Ethernet0/3 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1793, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
<--- More --->
             
      0 rate limit drops
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 7
      Interface config status is active
      Interface state is active
Interface Ethernet0/4 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1794, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      0 rate limit drops
<--- More --->
             
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 8
      Interface config status is active
      Interface state is active
Interface Ethernet0/5 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1795, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      0 rate limit drops
      0 switch egress policy drops
<--- More --->
             
  Control Point Interface States:
      Interface number is 9
      Interface config status is active
      Interface state is active
Interface Ethernet0/6 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1796, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      0 rate limit drops
      0 switch egress policy drops
  Control Point Interface States:
<--- More --->
             
      Interface number is 10
      Interface config status is active
      Interface state is active
Interface Ethernet0/7 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
      Auto-Duplex, Auto-Speed
      Input flow control is unsupported, output flow control is unsupported
      Available but not configured via nameif
      MAC address 001d.7007.1797, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 0 output reset drops
      0 rate limit drops
      0 switch egress policy drops
  Control Point Interface States:
      Interface number is 11
<--- More --->
             
      Interface config status is active
      Interface state is active

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 18%; 1 minute: 16%; 5 minutes: 12%

------------------ show cpu hogging process ------------------


Process:      Unicorn Admin Handler, PROC_PC_TOTAL: 1, MAXHOG: 13, LASTHOG: 13
LASTHOG At:   19:16:43 EST Nov 30 2010
PC:           8c0d08b (suspend)

Process:      Unicorn Admin Handler, NUMHOG: 1, MAXHOG: 13, LASTHOG: 13
LASTHOG At:   19:16:43 EST Nov 30 2010
PC:           8c0d08b (suspend)
Call stack:   8c0d492  842ea3a  842652f  8426912  8426c34  842d0bd  80626e3
           

Process:      Dispatch Unit, NUMHOG: 13, MAXHOG: 16, LASTHOG: 15
LASTHOG At:   20:14:07 EST Dec 1 2010
PC:           81aba19 (suspend)
Call stack:   81aba19  80626e3
<--- More --->
             

Process:      Dispatch Unit, PROC_PC_TOTAL: 73, MAXHOG: 17, LASTHOG: 12
LASTHOG At:   20:14:09 EST Dec 1 2010
PC:           81aba19 (suspend)

Process:      ssh_init, NUMHOG: 7, MAXHOG: 12, LASTHOG: 10
LASTHOG At:   14:03:00 EST Dec 2 2010
PC:           8bc05fc (suspend)
Call stack:   8bc05fc  8bcd34d  8bcb29e  8bcb448  8bcc4d1  8bc5dc4  80626e3
           

Process:      ssh_init, PROC_PC_TOTAL: 8, MAXHOG: 31, LASTHOG: 31
LASTHOG At:   14:03:21 EST Dec 2 2010
PC:           8bc05fc (suspend)

Process:      ssh, NUMHOG: 1, MAXHOG: 31, LASTHOG: 31
LASTHOG At:   14:03:21 EST Dec 2 2010
PC:           8bc05fc (suspend)
Call stack:   8bc05fc  8bcf176  8bc4e95  8bc502f  8bc5163  888c8f4  92f6581
              8998b6d  88c5e12  8895706  8896e2a  80c2b20  80c3e66  80c4a3a

CPU hog threshold (msec): 10.240
Last cleared: None

<--- More --->
             
------------------ show process ------------------


    PC       SP       STATE       Runtime    SBASE     Stack Process
Lwe 08054f7c d529c97c 09e62138          0 d529aa78 7544/8192 block_diag
Mrd 081ab744 d52cc29c 09e61694     721734 d52ac458 123604/131072 Dispatch Unit
Msi 08ea78df d577fddc 09e610ac        805 d577ded8 6372/8192 y88acs06 OneSec Thread
Mwe 08068a26 d57841dc 09e610ac          0 d5782338 7576/8192 Reload Control Thread
Mwe 08070c86 d578f164 09e63a58         18 d578b5b0 12496/16384 aaa
Mwe 08c53b1d d60dd09c 09e610ac          5 d578f738 6856/8192 UserFromCert Thread
Mwe 080a1b36 d57981cc 09e63ab4          0 d57942d8 15712/16384 CMGR Server Process
Mwe 080a2045 d579a2f4 09e610ac          0 d5798460 7760/8192 CMGR Timer Process
Lwe 081aab6c d57a2984 09e71de8          0 d57a0a80 7376/8192 dbgtrace
Mwe 0846a3d5 d57aaf74 09e610ac        104 d57a91f0 4712/8192 eswilp_svi_init
Mwe 08c53b1d d59ec41c 09e610ac          0 d57c2d08 7016/8192 netfs_thread_init
Mwe 092ae235 d57d1154 09e610ac          0 d57cf300 7612/8192 Chunk Manager
Msi 088d047e d57d3904 09e610ac        839 d57d1a20 6236/8192 PIX Garbage Collector
Mwe 088c3904 d57de624 09d6114c          0 d57dc720 7904/8192 IP Address Assign
Mwe 08a92e56 d5971104 09da59b8          0 d596f200 7904/8192 QoS Support Module
Mwe 0893faef d59732cc 09d62190          0 d59713c8 7904/8192 Client Update Task
Lwe 092f8e9a d5975c2c 09e610ac      21100 d5973d98 6228/8192 Checkheaps
Mwe 08a96945 d597e094 09e610ac        555 d597a420 8256/16384 Quack process
Mwe 08aedfd2 d598641c 09e610ac        115 d597e5a8 31888/32768 Session Manager
Mwe 08bffd55 d598c30c d7c01f88          4 d59888b8 14520/16384 uauth
<--- More --->
             
Mwe 08b9f655 d598e944 09db2a04          0 d598ca40 7376/8192 Uauth_Proxy
Msp 08bd5d35 d5994ddc 09e610ac         44 d5992ed8 7512/8192 SSL
Mwe 08bfdce6 d5996f44 09db85a4          0 d5995060 7480/8192 SMTP
Mwe 08bf68e6 d59990cc 09db8518      20667 d59971e8 5044/8192 Logger
Mwe 08bf7148 d599b144 09e610ac          0 d5999370 7568/8192  Syslog Retry Thread
Mwe 08bf117e d599d38c 09e610ac          0 d599b4f8 7344/8192 Thread Logger
Mwe 08de42f2 d59c7454 09dec168          0 d59c5570 7040/8192 vpnlb_thread
Mwe 08273dad d59d2f54 09e610ac          0 d59d10d0 7660/8192 TLS Proxy Inspector
Msi 08b07c33 d5a5e4d4 09e610ac        655 d5a5c5d0 7792/8192 emweb/cifs_timer
Mwe 08693087 d5ab11e4 09d55794          0 d5aaf2f0 7432/8192 netfs_mount_handler
Msi 08526b48 d57cf04c 09e610ac       5625 d57cd178 6324/8192 arp_timer
Mwe 085306bc d56fd5ec 09e86fa8          0 d56fb738 7824/8192 arp_forward_thread
Mwe 085a0925 d616660c 09e8be40          0 d6164788 7808/8192 Lic TMR
Mwe 08c02d31 d61686ac 09db8820          0 d61667b8 7776/8192 tcp_fast
Mwe 08c05e90 d616a6cc 09db8820          0 d61687e8 7760/8192 tcp_slow
Mwe 08c31019 d6178bcc 09dc0788          0 d6176cd8 7776/8192 udp_timer
Mwe 080feec8 d59cd89c 09e610ac          0 d59cba08 7760/8192 CTCP Timer process
Mwe 08d93793 d59cf8ac 09e610ac          0 d59cda38 7728/8192 L2TP data daemon
Mwe 08d94563 d6a46924 09e610ac          0 d6a44aa0 7744/8192 L2TP mgmt daemon
Mwe 08d808f8 d6a7ea74 09de6004        174 d6a7abc0 16028/16384 ppp_timer_thread
Msi 08de47c7 d6a80ac4 09e610ac        940 d6a7ebf0 7744/8192 vpnlb_timer_thread
Mwe 0811581f d6ab3c84 d57c6578          2 d6aafde0 15656/16384 IPsec message handler
Msi 08128f5c d5990a7c 09e610ac      11571 d598ebc8 7352/8192 CTM message handler
Mwe 089a16a9 d59c0f3c 09e610ac          0 d59bf0d8 7628/8192 NAT security-level reconfiguration
<--- More --->
             
Mwe 08ac1eb8 d6b20ee4 09e610ac          0 d6b1f040 7776/8192 ICMP event handler
Mwe 08d4f6ed d6b2664c 09e610ac          0 d6b247b8 7760/8192 Dynamic Filter VC Housekeeper
Mwe 088273b3 d6b2a83c 09e610ac        130 d6b26998 12460/16384 IP Background
Mwe 081937d0 d6b91dd4 09cf0348        623 d6b71fb0 120296/131072 tmatch compile thread
Mwe 089ce625 d7cd0ed4 09e610ac          0 d7ccd020 15900/16384 Crypto PKI RECV
Mwe 089d1f2a d7cd5f64 09e610ac          0 d7cd20d0 15868/16384 Crypto CA
Mwe 08a07b94 d7cda0fc 09e610ac          0 d7cd6258 15884/16384 CERT API
Mwe 085cdcad d59c957c 09e610ac         32 d59c76f8 7296/8192 ESW_MRVL switch interrupt service
Mwe 08a43050 d5992c0c 09d71e30          0 d5990d28 7776/8192 lina_int
Msi 085c665c d59bcbd4 09e610ac    7536000 d59bada0 5452/8192 esw_stats
Lsi 088e1b58 d7d20c24 09e610ac         21 d7d1ed10 7808/8192 uauth_urlb clean
Lwe 088c991f d7d42c64 09e610ac        960 d7d40df0 4444/8192 pm_timer_thread
Mwe 084b7de5 d7d44cb4 09e610ac          0 d7d42e20 7760/8192 IKE Timekeeper
Mwe 084ab7eb d7d4a0c4 09d4fb14          0 d7d464f0 15268/16384 IKE Daemon
Mwe 08bb250a d7d4db9c 09db7114          0 d7d4bcb8 7872/8192 RADIUS Proxy Event Daemon
Mwe 08b80d6b d7d4fa8c d7dbb300          1 d7d4dce8 6904/8192 RADIUS Proxy Listener
Mwe 08bb1107 d7d51bac 09e610ac          0 d7d4fd18 7760/8192 RADIUS Proxy Time Keeper
Mwe 08517665 d7d548cc 09e86f28          0 d7d52a88 7024/8192 Integrity FW Task
Mwe 081c1a0b d7ddfbc4 098ba31c          1 d7dc03c0 124980/131072 ci/console
Msi 0890205c d7de245c 09e610ac      17850 d7de0548 5588/8192 update_cpu_usage
Msi 088fd30a d7dec6e4 09e610ac          0 d7dea8c0 3340/8192 NIC status poll
Mwe 08b3a2bb d57c0654 09daa264          1 d57be760 7352/8192 SNMP Notify Thread
Mwe 08522056 d7e36fc4 09e87674        729 d7e2f0f0 31608/32768 IP Thread
Mwe 08528abe d7e3916c 09e87028       9097 d7e37278 5988/8192 ARP Thread
<--- More --->
             
Mwe 08447ba0 d7e3b3c4 09e87660         87 d7e39570 4472/8192 icmp_thread
Mwe 08c31f96 d7e3d58c 09e610ac          0 d7e3b6f8 7676/8192 udp_thread
Mwe 08c07e6c d7e3f5d4 09e8767c          0 d7e3d880 7472/8192 tcp_thread
Mwe 08c11d13 d7e4189c 09e610ac          0 d7e3fa08 7340/8192 npshim_thread
Mwe 08c53b1d d7ec1a5c 09e610ac        311 d7e44bf0 24816/32768 rtcli async executor process
Mwe 08b80d6b d8199254 d8193af0          1 d81974a0 7288/8192 EAPoUDP-sock
Mwe 081e7c35 d819b034 09e610ac          0 d81994d0 6860/8192 EAPoUDP
Lwe 081b4f96 d57a4a9c 09e610ac         13 d57a2c08 7696/8192 dns_cache_timer
Mwe 081b2b4a d819d334 09e610ac          0 d819b500 7580/8192 dns_process
Mwe 0821e113 d81cb8d4 09e610ac        417 d81c7e40 10696/16384 emweb/https
Mwe 08214216 d81ce7e4 09e610ac         49 d81cc940 7544/8192 Timekeeper
Mwe 08c53b1d d860caac 09e610ac       2035 d853b470 6696/8192 Unicorn Proxy Thread
Mwe 08c12e24 d8a43454 d8804b38          0 d8a417a0 7312/8192 listen/telnet
Mwe 08c12e24 d8a4c8fc d81435a0          0 d8a4ac48 6892/8192 listen/ssh
Mwe 081ca0a1 d8a4f55c 09e610ac          0 d8a4d6b8 7776/8192 DHCPD Timer
Mwe 08dc43dd d8bf71d4 09debe90          0 d8bef2e0 32464/32768 vpnfol_thread_msg
Msi 08dcab52 d8ae6fc4 09e610ac        685 d8ae50e0 7760/8192 vpnfol_thread_timer
Mwe 08dc8dc2 d8bf91a4 09dec000          0 d8bf7310 7792/8192 vpnfol_thread_sync
Msi 08dca67c d8bfb7e4 09e610ac       2824 d8bf9900 6236/8192 vpnfol_thread_unsent
Mwe 085139f8 d59cb704 09e610ac          0 d59c9870 7760/8192 Integrity Fw Timer Thread
Msi 0869316c d7df0a9c 09e610ac         45 d7deebb8 7756/8192 netfs_vnode_reclaim
M*  08bc05fc d27eef48 09e61694        677 d8ce9ed0 22044/32768 ssh
Mwe 088afdbd d956cfac d819ea04       4472 d954e3e8 124180/131072 Unicorn Admin Handler
Mwe 088af371 d958d1ac 09e610ac       3729 d956e418 119324/131072 Unicorn Admin Handler
<--- More --->
             
Mwe 08a685f9 d8d2e18c 09fab300         13 d8d2c2c8 7760/8192 qos_metric_daemon
Mwe 08bc6c5b d91b5054 09e610ac          0 d91b31c0 7696/8192 ssh/timer
Mwe 088afdbd d95ad00c d819ea04        621 d958e448 124296/131072 Unicorn Admin Handler
Mwe 088af371 d95cd20c 09e610ac       1201 d95ae478 119324/131072 Unicorn Admin Handler
-      -        -         -             0    -         -     DATAPATH-0-232
 -     -        -         -     145461043    -         -     scheduler
 -     -        -         -     153998343    -         -     total elapsed

------------------ show kernel process ------------------


PID PPID PRI NI      VSIZE      RSS      WCHAN STAT  RUNTIME COMMAND

  1    0  17  0    1544192      508 3725685523    S     2558 init

  2    1  34 19          0        0 3725694925    S        0 ksoftirqd/0

  3    1  10 -5          0        0 3725737663    S        0 events/0

  4    1  20 -5          0        0 3725737663    S        0 khelper

  5    1  20 -5          0        0 3725737663    S        0 kthread

  7    5  10 -5          0        0 3725737663    S        0 kblockd/0

 10    5  10 -5          0        0 3726802234    S        0 khubd

 12    5  20 -5          0        0 3727007934    S        0 kseriod

 65    5  20  0          0        0 3725813080    S        0 pdflush

 66    5  15  0          0        0 3725813080    S        0 pdflush

 67    1  25  0          0        0 3725825763    S        0 kswapd0

 68    5  20 -5          0        0 3725737663    S        0 aio/0

190    1  17  0    1544192      108 3725685523    S        0 init
<--- More --->
             

191  190  20  0    1540096      468 3725685523    S        0 rcS

224  191  16  0   10076160      452 3725713492    S        0 lina_monitor

225  224  15  0   10076160      452          0    S        0 lina_monitor

226  225  16  0   10076160      452 3726344008    S        0 lina_monitor

227  224   5 -20  218882048   174980 3725716908    S      625 lina

228  227   0 -20  218882048   174980          0    S        0 lina

229  228   0 -20  218882048   174980          0    S        0 lina

230  228   0 -20  218882048   174980 3725716908    S       34 lina

231  228   5 -20  218882048   174980          0    S        0 lina

232  228   5 -20  218882048   174980          0    R 15454373 lina

------------------ show traffic ------------------

inside:
      received (in 154521.310 secs):
            7085977 packets      1087816916 bytes
            18 pkts/sec      7012 bytes/sec
      transmitted (in 154521.310 secs):
            10636209 packets      10334089313 bytes
            13 pkts/sec      66016 bytes/sec
      1 minute input rate 78 pkts/sec,  16072 bytes/sec
      1 minute output rate 104 pkts/sec,  86966 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 79 pkts/sec,  10333 bytes/sec
<--- More --->
             
      5 minute output rate 123 pkts/sec,  128561 bytes/sec
      5 minute drop rate, 0 pkts/sec
outside:
      received (in 154521.320 secs):
            9930445 packets      10079327542 bytes
            8 pkts/sec      65007 bytes/sec
      transmitted (in 154521.320 secs):
            6441735 packets      1053059238 bytes
            13 pkts/sec      6008 bytes/sec
      1 minute input rate 82 pkts/sec,  80813 bytes/sec
      1 minute output rate 64 pkts/sec,  15407 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 104 pkts/sec,  122851 bytes/sec
      5 minute output rate 67 pkts/sec,  9775 bytes/sec
      5 minute drop rate, 0 pkts/sec
_internal_loopback:
      received (in 154521.330 secs):
            1 packets      28 bytes
            0 pkts/sec      0 bytes/sec
      transmitted (in 154521.330 secs):
            1 packets      28 bytes
            0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
<--- More --->
             
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

----------------------------------------
Aggregated Traffic on Physical Interface
----------------------------------------
Ethernet0/0:
      received (in 154521.360 secs):
            10007396 packets      10266268430 bytes
            9 pkts/sec      66022 bytes/sec
      transmitted (in 154521.360 secs):
            6441508 packets      1198171952 bytes
            13 pkts/sec      7003 bytes/sec
      1 minute input rate 84 pkts/sec,  82871 bytes/sec
      1 minute output rate 65 pkts/sec,  17124 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 104 pkts/sec,  124346 bytes/sec
      5 minute output rate 67 pkts/sec,  11208 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/1:
      received (in 154521.370 secs):
            1736565 packets      1047095088 bytes
<--- More --->
             
            11 pkts/sec      6025 bytes/sec
      transmitted (in 154521.370 secs):
            1891008 packets      541471153 bytes
            12 pkts/sec      3003 bytes/sec
      1 minute input rate 22 pkts/sec,  6598 bytes/sec
      1 minute output rate 24 pkts/sec,  5866 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 10 pkts/sec,  2078 bytes/sec
      5 minute output rate 15 pkts/sec,  3883 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/2:
      received (in 154521.380 secs):
            7337916 packets      1314828327 bytes
            19 pkts/sec      8008 bytes/sec
      transmitted (in 154521.380 secs):
            10922374 packets      11119722586 bytes
            15 pkts/sec      71017 bytes/sec
      1 minute input rate 59 pkts/sec,  11703 bytes/sec
      1 minute output rate 85 pkts/sec,  83810 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 71 pkts/sec,  10234 bytes/sec
      5 minute output rate 111 pkts/sec,  126700 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/3:
<--- More --->
             
      received (in 154521.390 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      transmitted (in 154521.390 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/4:
      received (in 154521.530 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      transmitted (in 154521.530 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
<--- More --->
             
      5 minute drop rate, 0 pkts/sec
Ethernet0/5:
      received (in 154521.540 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      transmitted (in 154521.540 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/6:
      received (in 154521.550 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      transmitted (in 154521.550 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
<--- More --->
             
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Ethernet0/7:
      received (in 154521.560 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      transmitted (in 154521.560 secs):
            0 packets      0 bytes
            0 pkts/sec      0 bytes/sec
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Internal-Data0/0:
      received (in 154521.570 secs):
            17016488 packets      11576747754 bytes
            26 pkts/sec      74002 bytes/sec
      transmitted (in 154521.570 secs):
            17078195 packets      11774068825 bytes
            27 pkts/sec      76002 bytes/sec
      1 minute input rate 161 pkts/sec,  100814 bytes/sec
<--- More --->
             
      1 minute output rate 168 pkts/sec,  106198 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 184 pkts/sec,  137673 bytes/sec
      5 minute output rate 190 pkts/sec,  142664 bytes/sec
      5 minute drop rate, 0 pkts/sec
Internal-Data0/1:
      received (in 154521.590 secs):
            17076922 packets      11773371779 bytes
            27 pkts/sec      76025 bytes/sec
      transmitted (in 154521.590 secs):
            17015430 packets      11576137073 bytes
            26 pkts/sec      74026 bytes/sec
      1 minute input rate 182 pkts/sec,  115200 bytes/sec
      1 minute output rate 174 pkts/sec,  108963 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 191 pkts/sec,  143236 bytes/sec
      5 minute output rate 185 pkts/sec,  138093 bytes/sec
      5 minute drop rate, 0 pkts/sec

------------------ show perfmon ------------------


PERFMON STATS:                     Current      Average
Xlates                                1/s          0/s
<--- More --->
             
Connections                           1/s          1/s
TCP Conns                             0/s          0/s
UDP Conns                             0/s          0/s
URL Access                            0/s          0/s
URL Server Req                        0/s          0/s
TCP Fixup                             0/s          0/s
TCP Intercept Established Conns       0/s          0/s
TCP Intercept Attempts                0/s          0/s
TCP Embryonic Conns Timeout           0/s          0/s
HTTP Fixup                            0/s          0/s
FTP Fixup                             0/s          0/s
AAA Authen                            0/s          0/s
AAA Author                            0/s          0/s
AAA Account                           0/s          0/s

VALID CONNS RATE in TCP INTERCEPT:    Current      Average
                                       N/A         100.00%

------------------ show counters ------------------

Protocol     Counter                             Value   Context
IP           IN_PKTS                             90614   Summary
IP           OUT_PKTS                             2239   Summary
IP           IN_DROP_NFU                             9   Summary
<--- More --->
             
IP           TO_ARP                              88724   Summary
IP           TO_UDP                                  1   Summary
IP           TO_ICMP                              1880   Summary
UDP          IN_PKTS                                 1   Summary
UDP          OUT_PKTS                               91   Summary
ICMP         IN_PKTS                              1880   Summary
ICMP         OUT_PKTS                             1880   Summary
SSLERR       BAD_SIGNATURE                           2   Summary
SSLALERT     RX_CLOSE_NOTIFY                       301   Summary
SSLALERT     RX_WARNING_ALERT                      301   Summary
SSLALERT     TX_CLOSE_NOTIFY                      2163   Summary
SSLALERT     TX_WARNING_ALERT                     2163   Summary
SSLDEV       NEW_CTX                                 1   Summary
SSLNP        OPEN_CONN                               1   Summary
SSLNP        HANDSHAKE_START                      2181   Summary
SSLNP        HANDSHAKE_DONE                       2181   Summary
SSLNP        DOWNSTREAM_CLOSE                     5576   Summary
SSLNP        DOWNSTREAM_CLOSE_NEXT                2177   Summary
SSLNP        UPSTREAM_CLOSE                       2475   Summary
SSLNP        UPSTREAM_CLOSE_NEXT                  2177   Summary
SSLNP        FREE_CONN                            2177   Summary
SSLNP        NEW_CONN_SERVER                      2181   Summary
SSLNP        IN_PKTS_RX                          10641   Summary
SSLNP        IN_PKTS_TX                           3475   Summary
<--- More --->
             
SSLNP        OUT_PKTS_RX                        648051   Summary
SSLNP        OUT_PKTS_TX                        652448   Summary
SSLNP        SESSIONS_CLEARED                       42   Summary
EmWeb        IN_PKTS                                75   Summary
EmWeb        OUT_PKTS                              321   Summary
DNS          IN_PKTS                                 1   Summary
DNS          OUT_PKTS                                1   Summary
NPSHIM       READ_CTX_CLOSED                         1   Summary
NPSHIM       READ_NOBLOCK_NO_BUF                  3822   Summary
NPSHIM       READ_RECV                            1641   Summary
NPSHIM       READ_EOF                                3   Summary
NPSHIM       SLCT_REQUEST                            9   Summary
NPSHIM       SLCT_EVENT                              7   Summary
NPSHIM       CTX_ALLOC                            1807   Summary
NPSHIM       CTX_FREE                             1798   Summary
NPSHIM       CLOSE_LISTEN                            2   Summary
VPIF         NOT_FOUND                          518879   Summary
SSLENC       CONTEXT_CREATED                      2181   Summary
SSLENC       CONTEXT_UPDATED                        53   Summary
SSLENC       CONTEXT_DESTROYED                    2177   Summary

------------------ show service-policy ------------------


<--- More --->
             
------------------ show history ------------------

  en
  sh tech

------------------ show firewall ------------------

Firewall mode: Router

------------------ show running-config ------------------

: Saved
:
ASA Version 8.2(2)
!
hostname FHQ-ASA-01
domain-name
enable password <removed>
passwd <removed>
names
name 192.168.0.5 SERVER.L description Exchange 2003
!
interface Vlan1
 nameif inside
<--- More --->
             
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
<--- More --->
             
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server SERVER
 domain-name stalcoconstruct.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq netbios-ssn
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended deny icmp any any
<--- More --->
             
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq imap4
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
<--- More --->
             
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http server idle-timeout 15
http server session-timeout 15
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 inside
<--- More --->
             
telnet timeout 15
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 5
dhcpd address 192.168.0.100-192.168.0.150 inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username vgulino password <removed> privilege 15
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:8c4ef31972f82c67954e3a9564e1d374
<--- More --->
             
: end

------------------ show startup-config errors ------------------

INFO: No configuration errors

------------------ console logs ------------------

Message #1 : Message #2 :
Total SSMs found: 0
Message #3 :
Total NICs found: 10
Message #4 : 88E6095 rev 2 Gigabit Ethernet @ index 09Message #5 :  MAC: 0000.0003.0002
Message #6 : 88E6095 rev 2 Ethernet @ index 08Message #7 :  MAC: 001d.7007.1797
Message #8 : 88E6095 rev 2 Ethernet @ index 07Message #9 :  MAC: 001d.7007.1796
Message #10 : 88E6095 rev 2 Ethernet @ index 06Message #11 :  MAC: 001d.7007.1795
Message #12 : 88E6095 rev 2 Ethernet @ index 05Message #13 :  MAC: 001d.7007.1794
Message #14 : 88E6095 rev 2 Ethernet @ index 04Message #15 :  MAC: 001d.7007.1793
Message #16 : 88E6095 rev 2 Ethernet @ index 03Message #17 :  MAC: 001d.7007.1792
Message #18 : 88E6095 rev 2 Ethernet @ index 02Message #19 :  MAC: 001d.7007.1791
Message #20 : 88E6095 rev 2 Ethernet @ index 01Message #21 :  MAC: 001d.7007.1790
Message #22 : y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 001d.7007.1798
Message #23 :
Licensed features for this platform:
<--- More --->
             
Message #24 : Maximum Physical Interfaces    : 8        
Message #25 : VLANs                          : 3, DMZ Restricted
Message #26 : Inside Hosts                   : 50        
Message #27 : Failover                       : Disabled
Message #28 : VPN-DES                        : Enabled  
Message #29 : VPN-3DES-AES                   : Enabled  
Message #30 : SSL VPN Peers                  : 10        
Message #31 : Total VPN Peers                : 10        
Message #32 : Dual ISPs                      : Disabled  
Message #33 : VLAN Trunk Ports               : 0        
Message #34 : Shared License                 : Disabled
Message #35 : AnyConnect for Mobile          : Disabled  
Message #36 : AnyConnect for Cisco VPN Phone : Disabled  
Message #37 : AnyConnect Essentials          : Disabled  
Message #38 : Advanced Endpoint Assessment   : Disabled  
Message #39 : UC Phone Proxy Sessions        : 2        
Message #40 : Total UC Proxy Sessions        : 2        
Message #41 : Botnet Traffic Filter          : Disabled  
Message #42 :
This platform has a Base license.
Message #43 :
Message #44 : Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Message #45 :                              Boot microcode   : CN1000-MC-BOOT-2.00
Message #46 :                              SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
<--- More --->
             
Message #47 :                              IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
Message #48 :
Cisco Adaptive Security Appliance Software Version 8.2(2)
Message #49 :
Message #50 :   ****************************** Warning *******************************
Message #51 :   This product contains cryptographic features and is
Message #52 :   subject to United States and local country laws
Message #53 :   governing, import, export, transfer, and use.
Message #54 :   Delivery of Cisco cryptographic products does not
Message #55 :   imply third-party authority to import, export,
Message #56 :   distribute, or use encryption. Importers, exporters,
Message #57 :   distributors and users are responsible for compliance
Message #58 :   with U.S. and local country laws. By using this
Message #59 :   product you agree to comply with applicable laws and
Message #60 :   regulations. If you are unable to comply with U.S.
Message #61 :   and local laws, return the enclosed items immediately.
Message #62 :
Message #63 :   A summary of U.S. laws governing Cisco cryptographic
Message #64 :   products may be found at:
Message #65 :   http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
Message #66 :
Message #67 :   If you require further assistance please contact us by
Message #68 :   sending email to export@cisco.com.
Message #69 :   ******************************* Warning *******************************
<--- More --->
             
Message #70 :
Message #71 : Copyright (c) 1996-2010 by Cisco Systems, Inc.

Message #72 :                 Restricted Rights Legend

Message #73 : Use, duplication, or disclosure by the Government is
Message #74 : subject to restrictions as set forth in subparagraph
Message #75 : (c) of the Commercial Computer Software - Restricted
Message #76 : Rights clause at FAR sec. 52.227-19 and subparagraph
Message #77 : (c) (1) (ii) of the Rights in Technical Data and Computer
Message #78 : Software clause at DFARS sec. 252.227-7013.

Message #79 :                 Cisco Systems, Inc.
Message #80 :                 170 West Tasman Drive
Message #81 :                 San Jose, California 95134-1706



FHQ-ASA-01#                      
Ernie Beek

I tried this rule:

access-list outside_access_in extended permit tcp any interface outside eq smtp

in my own asa and don't trust it. Shows kinda weird. Could you replace 'interface outside' with 'host x.x.x.x' in that rule? offcourse x.x.x.x being your public ip.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
LANadmn

changed it still no good
ASKER
LANadmn

so wierd I dont even see the public IP that I am relnetting from in my logs
Ernie Beek

Saw something else, dunno if that is something:

name 192.168.0.5 SERVER.L description Exchange 2003

static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255

You see: SERVER.L vs SERVER ?

Lets disable names and see if all the addresses are correct.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
LANadmn

Now its just ips doest make sense why one nat for remote desktop works and the same nat config for smtp doesnt
ASKER
LANadmn

has anyone ever seen this issue
Ernie Beek

I think we may safely assume that the firewall is not the problem. After all the reconfiguring there should be something lik these lines in you configuration:

access-list outside_access_in extended permit tcp any host 75.x.x.2 eq smtp

static (inside,outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

You might want to have a closer look at your mail server. Any firewall running there? Is exchange allowing incoming connections from all ip's? Assuming you have exchange offcourse.

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
ASKER
LANadmn

I have also hooked up a Windows XP machne installed IIS and SMTP and I am getting the same results. Tonight I am gong to hook up the PC directly to the modem bypassing the Firewall and also change my public facing IP.
ASKER
LANadmn

Latest Config:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.12.06 09:34:54 =~=~=~=~=~=~=~=~=~=~=~=
login as:
@192.168.0.1's password:
Type help or '?' for a list of available commands.

FHQ-ASA-01> en
Password: *********

FHQ-ASA-01# sh running-config
: Saved
:
ASA Version 8.2(2)
!
hostname FHQ-ASA-01
domain-name
enable password  encrypted
passwd encrypted
names
name  description Public
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Public 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
<--- More --->
             
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.5
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
<--- More --->
             
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq netbios-ssn
 service-object udp eq netbios-dgm
 service-object udp eq netbios-ns
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list outside_access_in extended permit tcp any any eq smtp log debugging
access-list outside_access_in extended permit tcp host 68.195.37.44 any eq 3389
access-list outside_access_in extended deny icmp any any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq imap4
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq smtp log debugging
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.131 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.5 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.127.190.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL            
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http server idle-timeout 15
http server session-timeout 15
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 5
dhcpd address 192.168.0.100-192.168.0.150 inside
!

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port        
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:
: end

FHQ-ASA-01#  exit

Logoff


Ernie Beek

So, any results on the direct hookup?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
LANadmn

Direct hookup to the modem with the SMTP service running on the PC I was successful. The Modem is hooked up to a provided CISCO 800 to create the Static IP subnet with the Provider. This box seems to be the issue. They are replacing the device today. As soon as I added the CISCO 800 to the mix I was blocked on port 25.  The provider claims that this is a bridge, but I am sure there is some sort of ACL that the support tech or 3rd level for that matter did not see, or the device coud be faulty. I just wonder why only port 25. Must be an ACL somewhere.
Ernie Beek

Looks like this is getting somewhere.

Let me know how it works out.
Ernie Beek

So, how are things turning out?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
ASKER CERTIFIED SOLUTION
LANadmn

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ASKER
LANadmn

solved issue working with my ISP