Asked by MEcadamsanders:
Cisco ASA 5505 is not passing SMTP traffic thru after office move and new ISP

After moving our office to a new location and getting a new ISP with a new static, our Exchange server doesn't get email. I recreated the ASA config, but it still doesn't work. At this point I need another set of eyes on it. I have attached the config, but can't figure out what I am doing wrong. Please advise. Thanks,

Attachment: asa-20130829-clean.txt
SOLUTION by Libipappachen (solution text only available to Experts Exchange members)
ASKER CERTIFIED SOLUTION by Patrick Bogers (solution text only available to Experts Exchange members)
MEcadamsanders (asker):

Libi - The last line of your CLI I had to place under policy-map global_policy. After I entered all of it, I still have mail in the queue.

Pat - I had the ISP turn off firewall, place the modem in a bridge mode, and turn off DHCP. I can get thru via RDP to the server.
I am able to get telnet into the server (port 25) internally and send email.
Clear! Still, we don't know if port 25 is usable.
Can you reach the SMTP server that belongs to your ISP by telnet from within the network?
I can reach other SMTP servers, but not on port 25. I am not able to get out on port 25 from clients or the server. Did you review my config? Is there anything in it that could be interfering with it? The ISP is Comcast in Chicago and they don't normally block port 25 for business class service. I will call now and check with Comcast technical support.
As far as I read the config correctly, only 192.168.1.10 is allowed to exit the network on port 25:

access-list inside_out extended permit tcp host 192.168.1.10 any eq smtp

So I can safely assume the Exchange server is 192.168.1.10, right?!
You could try to alter this to access-list inside_out extended permit tcp any any eq smtp.
For troubleshooting I added - and got no change.
access-list inside_out extended permit tcp any any
access-list inside_out extended permit udp any any
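Pat's point above is that the quoted ACL permits port 25 only from 192.168.1.10, and the asker then appended permit-any lines to rule the ACL out. The following is an added example, not code from the thread or from Cisco: it parses ACEs of the form quoted here and evaluates a flow with the ASA's first-match, implicit-deny semantics, so the ACL can be checked offline before looking upstream. The ACL lines, the 192.168.1.50 client and the 203.0.113.25 destination are constructed for illustration.

```python
import ipaddress

# Service names accepted after "eq" (constructed subset of ASA's keyword list).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}

# ACL modelled on the line quoted in this thread, plus the asker's two troubleshooting lines.
ORIGINAL_ACL = [
    "access-list inside_out extended permit tcp host 192.168.1.10 any eq smtp",
]
TROUBLESHOOT_ACL = ORIGINAL_ACL + [
    "access-list inside_out extended permit tcp any any",
    "access-list inside_out extended permit udp any any",
]

def _address(tokens, i):
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[3] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _address(t, 5)
    dst, i = _address(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
    return {"name": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """ASA semantics: the first ACE matching the flow decides; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        proto_ok = ace["proto"] in ("ip", proto)
        addr_ok = src in ace["src"] and dst in ace["dst"]
        port_ok = ace["port"] is None or ace["port"] == dst_port
        if proto_ok and addr_ok and port_ok:
            return ace["action"] == "permit"
    return False

if __name__ == "__main__":
    dst = "203.0.113.25"  # constructed external mail server (TEST-NET-3 range)
    print(evaluate(ORIGINAL_ACL, "tcp", "192.168.1.10", dst, 25))      # True: the Exchange host
    print(evaluate(ORIGINAL_ACL, "tcp", "192.168.1.50", dst, 25))      # False: any other inside host
    print(evaluate(TROUBLESHOOT_ACL, "tcp", "192.168.1.50", dst, 25))  # True: permit tcp any any
```

Once the permit-any lines evaluate to True for every inside host and outbound port 25 still fails, the ACL is not the blocker and the problem sits beyond the ASA, which is where this thread ended up.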
What if you test your server with http://mxtoolbox.com/diagnostic.aspx
Hi,

Just one thing:

Please remove the following config, if it's in:

policy-map type inspect esmtp tls-esmtp
 parameters
  allow-tls
inspect esmtp tls-esmtp

and try "no inspect esmtp".

Thanks,
Libi
Libi - Completed, but no change.

Pat - I used DNS Stuff to check incoming during setup. It did not work.
A few questions:

1. Is the MX record updated to the new Exchange? If you are using a third-party MX, are they forwarding the email to you?
2. Have you verified that Comcast allows port 25?

Refer to following page for list of blocked ports for Comcast Business Internet customers:

http://customer.comcast.com/help-and-support/internet/list-of-blocked-ports/
Hi,

Can we have this output, please?

show ip access-list

so we can verify the access list matches.

BR,
Libi
It turns out that Comcast does place these business class modems in residential installations. When they do, they lock down port 25 in both directions. Even though this was a business installation, where both I and tech support knew 25 should be free, the port was "hard coded" during preinstallation.
And the main technical support department can't escalate the issue. You must call the Comcast Security Center for resolution. They place the resolution in a queue and it randomly started working.
I split the points because of the help on my CLI. Thanks guys.
Great! Thank you for posting back your findings.