albmed7589 asked:

Cisco ASA blocking Exchange

Hey guys, I have a Cisco ASA 5505 and to be quite honest I have no idea what I'm doing with it.

Sure, I know how to forward ports and so forth on a regular router, but here where I work we use an ASA that manages NAT rules and our firewall.

Long story short, it's blocking my Exchange server from receiving external emails. I can email internally happily, but I can't get emails from Yahoo, Gmail, AOL and such. Also, "Outlook Web Access" is being blocked externally; I can view and use it inside the intranet but not outside. I can also send emails to external addresses but not receive them.

I've just started using the Cisco ASA and so far the only way I know how to interface with it is by using Cisco ASDM.

Worst part is everything was working fine yesterday, but I deleted some of the rules that seemed out of date in the NAT settings on the ASA.

The Exchange server lives on and this is my config:

: Saved
ASA Version 8.4(2) 
hostname ORMILA-ASA
enable password oolzv7Sjg9JinOyO encrypted
passwd oolzv7Sjg9JinOyO encrypted
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address 
boot system disk0:/asa842-k8.bin
ftp mode passive
object network MAIL-
object network OBJ-
object network MAILHTTPSSL-
object network NETWORK_OBJ_192.168.1.0
object network
object network RDProute
 description RDProute
object service RDProute2
 service tcp source eq 3389 destination eq 3389 
 description RDProute2
object network
 description Cone Cam
object network mail
object network
object-group network obj_any
object-group network MXLogic
object-group service RDP tcp
 port-object eq 3389
object-group service Cams tcp
 description Security Cams
 port-object eq 8000
access-list OUTSIDE extended permit tcp any host eq www 
access-list OUTSIDE extended permit tcp any host eq https 
access-list OUTSIDE extended permit tcp any host eq smtp 
access-list OUTSIDE extended permit tcp any host eq www 
access-list OUTSIDE extended permit tcp any host eq https 
access-list OUTSIDE extended permit tcp object-group MXLogic host eq smtp 
access-list split_tunnel extended permit ip 
access-list NETFLOW-EXPORT-ACL extended permit ip any any 
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination outside 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu outside 1500
ip local pool DHCP-for-VPN mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0 NETWORK_OBJ_192.168.1.0
object network OBJ-
 nat (inside,outside) dynamic interface
object network mail
 nat (inside,outside) static
object network
 nat (inside,outside) static MXLogic
access-group OUTSIDE in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http server idle-timeout 30
http inside
http outside
snmp-server host outside community *****
snmp-server location Oakridge, NC
snmp-server contact NITOR NOC 888-357-8880
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set XFORMSET-AES-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set XFORMSET-AES-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map CRYPTO-DYN-MAP 30 set ikev1 transform-set XFORMSET-AES-SHA XFORMSET-AES-MD5
crypto dynamic-map CRYPTO-DYN-MAP 30 set security-association lifetime seconds 28800
crypto dynamic-map CRYPTO-DYN-MAP 30 set security-association lifetime kilobytes 4608000
crypto map CRYPTO_MAP 65535 ipsec-isakmp dynamic CRYPTO-DYN-MAP
crypto map CRYPTO_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh outside
ssh timeout 30
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
group-policy OAKRIDGE-TUNNELGROUP internal
group-policy OAKRIDGE-TUNNELGROUP attributes
 dns-server value
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value
username twilliams password MDfDWXozYe2pRqRx encrypted privilege 15
username nitor password d5UTYysRFncPT9j0 encrypted privilege 15
username enable password FeYAF7dLGj2Y64qx encrypted
tunnel-group OAKRIDGE-TUNNELGROUP type remote-access
tunnel-group OAKRIDGE-TUNNELGROUP general-attributes
 address-pool DHCP-for-VPN
 default-group-policy OAKRIDGE-TUNNELGROUP
tunnel-group OAKRIDGE-TUNNELGROUP ipsec-attributes
 ikev1 pre-shared-key *****
class-map default-policy
 match default-inspection-traffic
 match access-list NETFLOW-EXPORT-ACL
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect icmp error 
  inspect ip-options 
  flow-export event-type all destination
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
asdm image disk0:/asdm-645.bin
asdm history enable


csg-unit:

You are missing the NAT for your mail server to the outside. In ASDM with 8.4 code, you need to go to the object for and add the NAT for the outside IP you are using for mail. Same for
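The CLI equivalent of what csg-unit describes, as an added example that is not from the original thread: an ASA 8.4 object NAT for the mail server plus the matching inbound ACL, using the 10.0.0.25 / 192.0.2.25 placeholder addresses and the MXLogic object-group already present in the posted config.

```text
! Added example (not from the original post): ASA 8.4(2) object NAT and
! inbound ACL for an Exchange server. 10.0.0.25 (inside) and 192.0.2.25
! (public) are placeholders; substitute the real addresses.
!
! 1. Define the real (inside) server and its one-to-one public mapping.
object network mail
 host 10.0.0.25
 nat (inside,outside) static 192.0.2.25
!
! 2. In 8.3+ code the outside ACL matches the REAL (inside) address of the
!    server, not the public one, because NAT is undone before the ACL runs.
!    SMTP is limited to the MXLogic filtering service; OWA (https) is open.
access-list OUTSIDE extended permit tcp object-group MXLogic object mail eq smtp
access-list OUTSIDE extended permit tcp any object mail eq https
access-group OUTSIDE in interface outside
!
! 3. Verify: the static translation exists and a synthetic inbound SMTP
!    packet to the public address is allowed through NAT and the ACL.
show nat detail
packet-tracer input outside tcp 203.0.113.10 12345 192.0.2.25 25 detailed
```

Note that `no logging message 106023` in the posted config suppresses the "Deny ... by access-group" syslog, so re-enable it with `logging message 106023` while troubleshooting to see which rule is dropping the inbound SMTP connections.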
albmed7589:

It's strange, the Exchange server is on . Where did you get those IPs?
I'm guessing is an out-of-date configuration by IT guys of the past.
So I've made an access list so any source can use the SMTP port with , but I've not noticed any changes.