egalois
asked on
Exchange email not getting through to server
We have an Exchange 2003 server internally. We were contracting Postini but have chosen to let the contract lapse. In the meantime, we are now trying to route email directly to the internal server. DNS "MX" pointer records have been changed.
I've added access-list commands to the Cisco ASA firewall. I've created an MX record in the local DNS server along with an A record.
Still no email. It's been 8-plus hours, so the DNS changes (at Network Solutions) are probably good by now?
Can someone look at my firewall config and tell me if it looks correct?
Of particular interest are the entries concerning IP address 209.XXX.XXX.147,
e.g. access-list outside extended permit tcp any host 209.XXX.XXX.147 eq smtp
Also, I've telnetted to the server internally and made a connection on port 25. But when I try to do this from outside, my PuTTY terminal closes on me immediately; not sure if it worked or not. Not sure why it closes.
ourASA(config)# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ourASA
domain-name default.domain.invalid
enable password xxxxxxxxx encrypted
names
name 192.168.17.9 Domain2
name 192.168.17.10 Domain1
name 192.168.17.8 Domain1VPN
name 192.168.21.5 CicDomain01
name 192.168.21.1 CicRouter
name 192.168.22.5 cosDomain01
name 192.168.22.1 cosRouter
name 192.168.20.5 CWDomain1
name 192.168.20.6 CWDomain2
name 192.168.20.1 CWRouter
name 192.168.17.1 HQRouter
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 66.XXX.XXX.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif Providerdata
security-level 0
ip address 209.XXX.XXX.146 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd XXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list outside extended permit icmp any any echo-reply
access-list outside remark "Microsoft VPN"
access-list outside extended permit tcp any host 66.XXX.XXX.19 eq pptp
access-list outside extended permit tcp any host 66.XXX.XXX.19 eq 47
access-list outside remark "Microsoft Exchange OWA"
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq www
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq https
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq smtp
access-list outside extended permit tcp any host 209.XXX.XXX.147 eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in remark "Microsoft VPN"
access-list outside_in extended permit tcp any host 209.XXX.XXX.148 eq pptp
access-list outside_in extended permit tcp any host 209.XXX.XXX.148 eq 47
access-list outside_in remark "Postini"
access-list outside_in remark "Microsoft Exchange OWA"
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq www
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq https
access-list inside extended permit icmp any any echo
pager lines 24
mtu outside 1500
mtu inside 1500
mtu ProviderData 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 1440020
global (outside) 1 interface
global (ProviderData) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.XXX.XXX.19 Domain1VPN netmask 255.255.255.255
static (inside,outside) 66.XXX.XXX.20 Domain2 netmask 255.255.255.255
static (inside,outside) 66.XXX.XXX.21 Domain1 netmask 255.255.255.255
static (inside,outside) 66.XXX.XXX.29 HQRouter netmask 255.255.255.255
static (inside,ProviderData) 209.XXX.XXX.148 Domain1VPN netmask 255.255.255.255
static (inside,ProviderData) 209.XXX.XXX.147 Domain2 netmask 255.255.255.255
access-group outside in interface outside
access-group outside_in in interface ProviderData
route inside 192.168.0.0 255.255.0.0 192.168.16.2 1
route ProviderData 0.0.0.0 0.0.0.0 209.XXX.XXX.145 100
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
url-server (inside) vendor websense host 192.168.17.14 timeout 30 protocol TCP version 1 connections 5
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.0.0 255.255.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 ProviderData
ssh timeout 60
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect http
!
service-policy global_policy global
url-block url-mempool 1500
url-block url-size 4
url-block block 128
prompt hostname context
Cryptochecksum:XXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX
: end
ourASA(config)#
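An added check, not part of the original question or of any answer, and not Cisco tooling: the posted config has two low-security interfaces, outside and ProviderData, each with its own ACL and its own set of static translations, so "is the access-list line right" really means "is the permit on the ACL that is bound to the interface where the static for that public address lives". The Python script below parses only the name, access-list ... permit ... host ... eq, static and access-group lines of an ASA 7.x show run and reports, for every permitted host/port, which interface the ACL is bound to and which interface holds the static. SAMPLE_CONFIG is a constructed excerpt of the lines from the post (addresses masked exactly as posted). Run against it, the eq smtp permit for 209.XXX.XXX.147 sits in access-list outside, which is bound to interface outside, while the static for 209.XXX.XXX.147 is (inside,ProviderData), and the outside_in list bound to ProviderData permits only www and https to that host.

```python
"""Added example: map each inbound ACL permit in an ASA 7.x 'show run' to the
interface its ACL is bound to and to the interface that holds the static NAT
for the permitted public address.  Not Cisco tooling and not from the thread."""
import re

# Constructed excerpt of the config posted above (IPs masked as in the post);
# only the line types this audit reads are reproduced.
SAMPLE_CONFIG = """
name 192.168.17.9 Domain2
name 192.168.17.8 Domain1VPN
access-list outside extended permit tcp any host 66.XXX.XXX.20 eq smtp
access-list outside extended permit tcp any host 209.XXX.XXX.147 eq smtp
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq www
access-list outside_in extended permit tcp any host 209.XXX.XXX.147 eq https
static (inside,outside) 66.XXX.XXX.20 Domain2 netmask 255.255.255.255
static (inside,ProviderData) 209.XXX.XXX.147 Domain2 netmask 255.255.255.255
access-group outside in interface outside
access-group outside_in in interface ProviderData
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse(config):
    """Pull out name aliases, host/port permits, static NATs and ACL bindings."""
    names, permits, statics, bindings = {}, [], {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)              # alias -> private IP
        elif m := ACL_RE.match(line):
            permits.append((m.group(1), m.group(2), m.group(3), m.group(4)))  # acl, proto, public host, port
        elif m := STATIC_RE.match(line):
            public, private = m.group(3), names.get(m.group(4), m.group(4))
            statics[public] = (m.group(2), private)     # public IP -> (outer interface, private IP)
        elif m := GROUP_RE.match(line):
            bindings[m.group(1)] = m.group(2)           # acl -> interface it is applied to
    return names, permits, statics, bindings


def audit(config):
    """One finding per permit: (acl, public host, port, acl interface, static interface, status)."""
    _names, permits, statics, bindings = parse(config)
    findings = []
    for acl, _proto, host, port in permits:
        bound_if = bindings.get(acl)
        static_if, _private = statics.get(host, (None, None))
        if bound_if is None:
            status = "acl-unbound"                # permit exists but the ACL is applied to no interface
        elif static_if is None:
            status = "no-static"                  # permitted public address is never translated inward
        elif bound_if.lower() != static_if.lower():   # compared case-insensitively: the post spells ProviderData two ways
            status = "acl-on-wrong-interface"     # permit is on one interface, the static on another
        else:
            status = "ok"
        findings.append((acl, host, port, bound_if, static_if, status))
    return findings


def permitted_ports(config, interface, host):
    """Ports the ACL bound to `interface` opens toward `host` (what a sender arriving on that link gets)."""
    _names, permits, _statics, bindings = parse(config)
    acls = {acl for acl, iface in bindings.items() if iface.lower() == interface.lower()}
    return sorted(port for acl, _proto, h, port in permits if acl in acls and h == host)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("ProviderData -> 209.XXX.XXX.147:", permitted_ports(SAMPLE_CONFIG, "ProviderData", "209.XXX.XXX.147"))
```

The audit only relates ACLs to the interface that carries the static; it knows nothing about ESMTP inspection or about what the server itself accepts, which is where the accepted answer and the asker's closing comment point. To run it on the real box, paste the full show run into SAMPLE_CONFIG or read it from a file; the regexes ignore the icmp, timeout and inspect lines. One unrelated thing the same parser turns up: permit tcp ... eq 47 opens TCP port 47, which is not GRE (IP protocol 47), the protocol PPTP tunnels need.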
ASKER
Thanks for the quick reply. nslookup shows our server so that part looks right.
The access list command that I pasted into my question is the one I'm using to allow all mail to go directly to my server.
I'm using a static route to the server and I think that takes care of the NAT that you mention. But I'm not certain of this.
Try this:
Take out the following line:
inspect esmtp
Basically, tell the ASA to leave SMTP traffic alone.
(If that doesn't work, you can always put it back)
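A way to see what the "PuTTY window closes immediately" actually was, and whether inspect esmtp is in the path, as an added example that is not from this thread and not Cisco or Microsoft code: the Python probe below connects to TCP/25 the way an outside sender would and returns one of several distinct outcomes instead of a blank terminal. refused means a RST came back, so the SYN reached a host that is not listening (typically the NAT is not mapping the public address to the Exchange server). timeout means nothing answered, which is what an ACL deny on the ASA looks like from outside. closed means the TCP handshake completed and the far end hung up before sending a greeting. masked means a 220 greeting whose text is all asterisks, which is the banner an ASA with inspect esmtp hands to clients on the low-security side, so the probe should switch from masked to the real Exchange greeting once that inspection is removed. The local server and the mail.example.invalid banner are constructed stand-ins so the script runs offline.

```python
"""Added example: probe TCP/25 the way an outside mail sender would and say
which of several distinct things happened.  Not from the thread, not Cisco
or Microsoft code; the local server below is a constructed stand-in."""
import socket
import threading


def classify_banner(banner):
    """'masked' when the greeting is a 220 whose text is all asterisks, which is
    what ASA esmtp inspection shows to clients on the low-security side;
    'banner' for a normal greeting; 'odd' for anything else."""
    code, _, rest = banner.partition(" ")
    if code != "220":
        return "odd"
    if rest and set(rest) <= {"*", " "}:
        return "masked"
    return "banner"


def probe_smtp(host, port=25, timeout=5.0):
    """Return (status, detail).  Status is one of refused, timeout, error,
    closed (TCP open, peer hung up before a banner), masked, banner, odd."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while not data.endswith(b"\r\n") and len(data) < 4096:
                chunk = s.recv(512)
                if not chunk:
                    return ("closed", "TCP handshake completed, peer closed with no banner")
                data += chunk
    except ConnectionRefusedError:
        return ("refused", "RST on SYN: nothing listening, or NAT not translating to the server")
    except socket.timeout:
        return ("timeout", "no SYN-ACK or no banner in time: dropped by an ACL or upstream")
    except OSError as exc:
        return ("error", str(exc))
    text = data.decode("ascii", "replace").strip()
    return (classify_banner(text), text)


def serve_once(banner, close_without_banner=False):
    """Constructed stand-in for the mail server: accept one connection on
    127.0.0.1, send `banner` (or just hang up) and return the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if not close_without_banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """A local port with nothing listening, to exercise the 'refused' path."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real use: python probe.py <public mail IP> [port]
        target = sys.argv[1]
        tport = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe_smtp(target, tport))
    else:                                       # offline demo against the constructed stand-in server
        for label, port in [
            ("normal", serve_once(b"220 mail.example.invalid Microsoft ESMTP MAIL Service ready\r\n")),
            ("masked", serve_once(b"220 ***********************************\r\n")),
            ("hangup", serve_once(b"", close_without_banner=True)),
            ("refused", closed_port()),
        ]:
            print(label, probe_smtp("127.0.0.1", port, timeout=3))
```

Run it from a host that is genuinely outside (not from the LAN, where the static and the ACL are never consulted) against the public address the MX record points at. A masked result tells you the connection is reaching the ASA and that esmtp inspection is still active; a banner result with the Exchange greeting tells you the firewall side is done and anything still failing, such as the server only accepting mail from a particular address block, is on the server.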
ASKER
The server was configured to allow emails from only a specific block of addresses. Excellent answer - thanks so much.
I strongly recommend some kind of gateway between your Hub Exchange server and the internet, though. The previous configuration of only allowing mail from the Postini servers is the right way to go about it.
If Postini is too expensive there are other gateway services - e.g. DynDNS's Email Gateway.
I'm not a Cisco expert, but if you had your rules locked down so that SMTP was only allowed from Postini, you would need to open it so port 25 is open from all (assuming you are allowing all mail to go directly to Exchange).