Cisco ASA 5505 is not passing SMTP traffic through after office move and new ISP

After moving our office to a new location and getting a new ISP with a new static, our Exchange server doesn't get email. I recreated the ASA config, but it still doesn't work. At this point I need another set of eyes on it. I have attached the config, but can't figure out what I am doing wrong. Please advise. Thanks,
asa-20130829-clean.txt
MEcadamsanders Asked:

Libipappachen Commented:
Hi,

Can you try the following.


policy-map type inspect esmtp tls-esmtp
 parameters
  allow-tls
inspect esmtp tls-esmtp

Let me know the update.

BR,
Libi
Patrick Bogers, Datacenter platform engineer, Lindows, Commented:
Hi,

Did you check that port 25 is reachable from the outside? (Some ISPs block it.) Can you telnet into the server?
MEcadamsanders (Author) Commented:
Libi - The last line of your CLI I had to place under policy-map global_policy. After I entered all of it, I still have mail in the queue.

Pat - I had the ISP turn off the firewall, place the modem in bridge mode, and turn off DHCP. I can get through via RDP to the server.
I am able to telnet into the server (port 25) internally and send email.
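For reference, the placement the author describes, written out as an added fragment (not the attached config or anyone's posted CLI): the `inspect` statement belongs under the default inspection class of `global_policy`, which the ASA factory config already applies globally. Without `allow-tls`, ASA ESMTP inspection masks the server's STARTTLS advertisement, which is why the TLS-aware policy is proposed.

```cisco
! Added example: TLS-aware ESMTP inspection wired into the default global policy.
policy-map type inspect esmtp tls-esmtp
 parameters
  allow-tls
!
policy-map global_policy
 class inspection_default
  inspect esmtp tls-esmtp
!
service-policy global_policy global
```

Libi's later suggestion of `no inspect esmtp` is entered under the same `class inspection_default`, and removing the inspection entirely is the quickest way to rule it out.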

Patrick Bogers, Datacenter platform engineer, Lindows, Commented:
Clear! Still we don't know if port 25 is usable.
Can you reach the SMTP server that belongs to your ISP by telnet from within the network?
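The check Patrick is asking for, as an added example that is not part of the thread: connect outbound on port 25 and read the SMTP greeting, so that an upstream block (no answer at all before the timeout) can be told apart from a refused connection or a reachable server. Target host names are the caller's; the fake listener is constructed for offline self-checks.

```python
import socket
import threading

def probe_smtp(host, port=25, timeout=5.0):
    """Try a TCP connect to host:port and read the SMTP greeting, if any.

    state is one of: 'smtp' (220 banner seen), 'open-no-banner' (connected but
    no 220 greeting), 'refused' (RST came back), 'filtered' (no answer before
    the timeout, the usual symptom of an upstream block), or 'error:<errno>'.
    """
    result = {"host": host, "port": port, "state": None, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
            banner = data.decode("ascii", "replace").strip()
            result["banner"] = banner
            result["state"] = "smtp" if banner.startswith("220") else "open-no-banner"
    except socket.timeout:
        result["state"] = "filtered"
    except ConnectionRefusedError:
        result["state"] = "refused"
    except OSError as e:
        result["state"] = "error:%s" % e.errno
    return result

def start_fake_smtp_server(banner=b"220 lab.example ESMTP ready\r\n"):
    """Constructed one-shot listener on 127.0.0.1 that sends `banner` and
    hangs up; returns its port. Only for offline self-checks."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    import sys
    # Hosts on the command line are placeholders for the ISP relay and your own MX.
    for target in sys.argv[1:] or ["127.0.0.1"]:
        print(probe_smtp(target))
```

Run it from a client on the LAN against the ISP relay and against a known public MX; 'filtered' on every target while port 587 or 443 works is the signature of a port-25 block upstream of the firewall.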
MEcadamsanders (Author) Commented:
I can reach other SMTP servers, but not on port 25. I am not able to get out on port 25 from clients or the server. Did you review my config? Is there anything in it that could be interfering with it? The ISP is Comcast in Chicago and they don't normally block port 25 for business class service. I will call now and check with Comcast technical support.
Patrick Bogers, Datacenter platform engineer, Lindows, Commented:
As far as I read the config correctly, only 192.168.1.10 is allowed to exit the network on port 25:

access-list inside_out extended permit tcp host 192.168.1.10 any eq smtp

So I can safely assume the Exchange server is 192.168.1.10, right?!
You could try to alter this to access-list inside_out extended permit tcp any any eq smtp.
MEcadamsanders (Author) Commented:
For troubleshooting I added the following and got no change.
access-list inside_out extended permit tcp any any
access-list inside_out extended permit udp any any
Patrick Bogers, Datacenter platform engineer, Lindows, Commented:
What if you test your server with http://mxtoolbox.com/diagnostic.aspx
Libipappachen Commented:
Hi,

Just one thing,

please remove the following config, if it's in.


policy-map type inspect esmtp tls-esmtp
 parameters
  allow-tls
inspect esmtp tls-esmtp

and try no inspect esmtp.

Thanks,
Libi
MEcadamsanders (Author) Commented:
Libi - Completed, but no change.

Pat - I used DNS Stuff to check incoming during setup. It did not work.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, Commented:
A few questions:

1. Is the MX record updated to the new Exchange? If you are using a third-party MX, are they forwarding the email to you?
2. Have you verified that Comcast allows port 25?

Refer to the following page for the list of blocked ports for Comcast Business Internet customers:

http://customer.comcast.com/help-and-support/internet/list-of-blocked-ports/
Libipappachen Commented:
Hi,

Can we have this output please?

show ip access-list.

So we can verify the access list matches.


BR,
Libi
MEcadamsanders (Author) Commented:
It turns out that Comcast does place these business class modems in residential installations. When they do, they lock down port 25 in both directions. Even though this was a business installation, where I and tech support knew 25 should be free, the port was "hard coded" during preinstallation.
And the main technical support department can't escalate the issue. You must call Comcast Security Center for resolution. They place the resolution in a queue and it randomly started working.
I split the points because of the help on my CLI. Thanks guys.
Patrick Bogers, Datacenter platform engineer, Lindows, Commented:
Great! Thank you for posting back your findings.
Libipappachen Commented:
Thanks