MEcadamsanders
asked on
Cisco ASA 5505 is not passing SMTP traffic thru after office move and new ISP
After moving our office to a new location and getting a new ISP with a new static, our Exchange server doesn't get email. I recreated the ASA config, but it still doesn't work. At this point I need another set of eyes on it. I have attached the config, but can't figure out what I am doing wrong. Please advise. Thanks.
asa-20130829-clean.txt
Clear! Still we don't know if port 25 is usable.
Can you reach the SMTP server that belongs to your ISP by telnet from within the network?
ASKER
I can reach other SMTP servers, but not on port 25. I am not able to get out on port 25 from clients or server. Did you review my config? Is there anything in it that could be interfering with it? The ISP is Comcast in Chicago and they don't normally block port 25 for business class service. I will call now and check with Comcast technical support.
As far as I read the config correctly, only 192.168.1.10 is allowed to exit the network on port 25:
access-list inside_out extended permit tcp host 192.168.1.10 any eq smtp
So I can safely assume the exchange server is 192.168.1.10, right?!
You could try to alter this to access-list inside_out extended permit tcp any any eq smtp.
ASKER
For troubleshooting I added - and got no change.
access-list inside_out extended permit tcp any any
access-list inside_out extended permit udp any any
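An added example, not code from anyone in this thread, that models how the ASA evaluates the access-list lines quoted above (first match top-down, implicit deny at the end). It supports only the syntax those lines use and assumes an ACL named inside_out applied to inside-to-outside traffic; 203.0.113.5 is a constructed remote mail server address.

```python
# Added example: first-match evaluation of ASA extended access-list entries.
# Supports only the syntax seen in the thread: proto tcp/udp/ip, 'host A.B.C.D'
# or 'any' for source/destination, and an optional 'eq PORT' on the destination.
import ipaddress

NAMED_PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53}  # subset (assumption)

def _parse_addr(tokens):
    """Consume one address spec; return (('any', None) | ('host', ip), remaining tokens)."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return ("host", ipaddress.ip_address(tokens[1])), tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, rest = _parse_addr(t[5:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "dport": dport}

def _addr_matches(spec, ip):
    kind, val = spec
    return kind == "any" or val == ip

def evaluate(acl_lines, proto, src_ip, dst_ip, dport):
    """Return (action, matching line) for one flow; ASA ends every ACL with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(ace["src"], src_ip) and _addr_matches(ace["dst"], dst_ip)):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", None

# ACL line quoted in the thread, then the 'any any' lines the asker added while troubleshooting
ACL_ORIGINAL = ["access-list inside_out extended permit tcp host 192.168.1.10 any eq smtp"]
ACL_WIDENED = ACL_ORIGINAL + ["access-list inside_out extended permit tcp any any",
                              "access-list inside_out extended permit udp any any"]
```

Running evaluate(ACL_ORIGINAL, "tcp", "192.168.1.10", "203.0.113.5", 25) already returns "permit", so the widened lines change nothing for the Exchange host, which is consistent with the asker seeing no change and points away from the ACL as the cause.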
What if you test your server with http://mxtoolbox.com/diagnostic.aspx
Hi,
just one thing,
please remove the following config, if it's in:
policy-map type inspect esmtp tls-esmtp
parameters
allow-tls
inspect esmtp tls-esmtp
and try no inspect esmtp
Thanks,
Libi
ASKER
Libi- Completed, but no change.
Pat - I used DNS Stuff to check incoming during setup. It did not work.
A few questions:
1. Is the MX record updated to the new Exchange? If you are using a third-party MX, are they forwarding the email to you?
2. Have you verified that Comcast allows port 25?
Refer to the following page for the list of blocked ports for Comcast Business Internet customers:
http://customer.comcast.com/help-and-support/internet/list-of-blocked-ports/
Hi,
can we have this output please?
show ip access-list
so we can verify the access list matches.
BR,
Libi
ASKER
It turns out that Comcast does place these business class modems in residential installations. When they do, they lock down port 25 in both directions. Even though this was a business installation, which I and tech support knew 25 should be free, the port was "hard coded" during preinstallation.
And the main technical support department can't escalate the issue. You must call Comcast Security Center for resolution. They place the resolution in a queue and it randomly started working.
I split the points because of the help on my CLI. Thanks guys.
Great! Thank you for posting back your findings.
Thanks
ASKER
Pat - I had the ISP turn off the firewall, place the modem in bridge mode, and turn off DHCP. I can get through via RDP to the server.
I am able to get telnet into the server (port 25) internally and send email.