Allow Port 587 Traffic Out on ASA5505

Posted on 2014-02-08
Last Modified: 2014-02-09
I need to send email from the inside to outside over port 587.  In other words, allow email to go out port 587 from any computer on the inside.  I am new to the ASA.  Can someone help me with the command to run on my ASA to open that port?  Below is my running config:

vpn(config)# sh running-config
: Saved
ASA Version 8.2(1)
no names
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address 11.111.11
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
regex blockex1 "/tumblr/"
regex blockex2 "tumblr\.com"
boot system disk0:/asa821.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit
access-list outside-access-in extended permit tcp any host 11.111.11 eq ftp
access-list outside-access-in extended permit tcp any host 11.111.11 eq https

access-list outside-access-in extended permit tcp any host 11.111.11 eq ftp-d
access-list outside-access-in extended permit tcp any host 11.111.11 range 5000 5010
access-list INSIDE extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
static (inside,outside) tcp interface https https netmask 255.255.25
static (inside,outside) tcp interface ftp ftp netmask
static (inside,outside) tcp interface ftp-data ftp-data netmask 255.
static (inside,outside) tcp interface 5000 5000 netmask 255.255.255.
static (inside,outside) tcp interface 5001 5001 netmask 255.255.255.
static (inside,outside) tcp interface 5002 5002 netmask 255.255.255.
static (inside,outside) tcp interface 5003 5003 netmask 255.255.255.
static (inside,outside) tcp interface 5004 5004 netmask 255.255.255.
static (inside,outside) tcp interface 5005 5005 netmask 255.255.255.
static (inside,outside) tcp interface 5006 5006 netmask 255.255.255.
static (inside,outside) tcp interface 5007 5007 netmask 255.255.255.
static (inside,outside) tcp interface 5008 5008 netmask 255.255.255.
static (inside,outside) tcp interface 5009 5009 netmask 255.255.255.
static (inside,outside) tcp interface 5010 5010 netmask 255.255.255.
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 11.111.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet timeout 5
ssh inside
ssh outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
 port 500
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool

tunnel-group cisco ipsec-attributes
 pre-shared-key *
class-map global-class
 match default-inspection-traffic
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
policy-map type inspect http block-tmb-policy
 class block-url-class
  drop-connection log
policy-map global_policy
 class global-class
  inspect pptp
  inspect http block-tmb-policy
  inspect ipsec-pass-thru
  inspect icmp

: end


Question by:obautista

Accepted Solution

ffleisma earned 500 total points
ID: 39845056
As shown in your configuration:

access-list INSIDE extended permit ip any any

access-group INSIDE in interface inside

this is basically allowing everything (any-source, any destination, any-ports)

global (outside) 1 interface

nat (inside) 1

Now this is basically NATing everything

So basically, traffic towards port 587 should already be allowed in the firewall. But if you would like a more specific command, you can apply the following:

access-list INSIDE line 1 extended permit tcp any any eq 587

"line 1" puts it on top of the current "INSIDE" ACL.
This allows source "any" to destination "any" with a TCP destination port equal to 587.

Since the FW is currently allowing everything, adding the ACL should not make any difference. But later on you should consider limiting the allowed sources, or limiting traffic going to the internet to ports 80 (http), 443 (https), snmp, etc. In the current network state, if someone plugs in a torrent PC, it can download from your network :-)

Hope this helps, and let me know if you have any more questions.
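The following is an added example, not part of the original question or ffleisma's answer. It shows what the "limit traffic going to the internet" advice looks like as an ASA 8.2 configuration fragment: an outbound ACL that permits mail submission on TCP 587 alongside a short list of other services, ends in an explicit logged deny, and is then verified with packet-tracer. The inside network 10.0.0.0/24, the client 10.0.0.20 and the external mail server 198.51.100.25 are placeholders chosen for the example; the original config elides the real addresses.

```cisco
! Added example (not from the original thread): a tighter outbound policy for
! ASA 8.2(1) that replaces "access-list INSIDE extended permit ip any any".
! Assumed values (not in the posted config): inside LAN 10.0.0.0/24,
! a test client 10.0.0.20, an external mail server 198.51.100.25.
!
! 1. Group the permitted outbound services so the ACL stays readable.
object-group service OUTBOUND-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq 587
object-group service OUTBOUND-UDP udp
 port-object eq domain
 port-object eq ntp
!
! 2. Build a new ACL top-down: the ASA stops at the first match, so the
!    permits come first and a logged deny closes the list. Restricting the
!    source to the LAN subnet means a spoofed or mis-addressed host is dropped.
access-list INSIDE-NEW extended permit tcp 10.0.0.0 255.255.255.0 any object-group OUTBOUND-TCP
access-list INSIDE-NEW extended permit udp 10.0.0.0 255.255.255.0 any object-group OUTBOUND-UDP
access-list INSIDE-NEW extended permit icmp 10.0.0.0 255.255.255.0 any echo
access-list INSIDE-NEW extended deny ip any any log
!
! 3. Bind the new ACL inbound on the inside interface. This replaces the
!    existing "access-group INSIDE in interface inside" binding.
access-group INSIDE-NEW in interface inside
!
! 4. Verify before declaring victory. First, a client submitting mail on 587
!    should end with "Action: allow" and show the NAT translation.
packet-tracer input inside tcp 10.0.0.20 40000 198.51.100.25 587
!    Second, a port that is not on the list (6881, a common BitTorrent port)
!    should end with "Action: drop" and point at the deny line.
packet-tracer input inside tcp 10.0.0.20 40000 198.51.100.25 6881
!    Finally, watch the hit counters on the live ACL.
show access-list INSIDE-NEW
```

A few practical notes. Return traffic for the SMTP session is handled by the ASA's stateful connection table, so nothing needs to be added to outside-access-in for this to work. The NAT statements in the posted config (global (outside) 1 interface / nat (inside) 1) are untouched, and the global_policy inspections, including the HTTP URL-blocking policy, keep applying. The object-group and ACL syntax above is the 8.2 form that matches the posted "object-group service HTTP tcp" block; on 8.3 and later the NAT syntax changes, but these ACL lines are the same. Once the new ACL is bound and tested, the old "INSIDE" list can be removed with "clear configure access-list INSIDE".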

Author Closing Comment

ID: 39845430
Thank you
