Email not flowing through Cisco ASA 5505 to Exchange

I am replacing a Cisco PIX 506e with an ASA 5505 and I'm not getting any mail flow through the firewall. Could someone take a look at the config and let me know what is wrong or missing?

Thanks,
Brian

: Saved
:
ASA Version 8.2(5)
!
hostname gw
domain-name axisbenefits.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.15 SERVER
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.133 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name domain.com
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit udp any host xx.xx.xx.132 eq 25
access-list outside_access_in extended permit udp any host xx.xx.xx.132 eq 443
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp-data
access-list outside_access_in extended permit udp any interface outside eq 25
access-list outside_access_in extended permit udp any interface outside eq 443
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list outside_access_in extended permit udp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit udp any interface outside eq www
access-list inside_nat0_outbound extended permit tcp host SERVER any eq smtp
access-list inside_nat0_outbound extended deny tcp any any eq smtp
access-list inside_nat0_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
static (inside,outside) udp interface 25 SERVER 25 netmask 255.255.255.255
static (inside,outside) udp interface www SERVER www netmask 255.255.255.255
static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) udp interface 443 SERVER 443 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data SERVER ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b183a3e43dbba907830e981e206c709c
: end
asdm history enable
Asked by K5-Tech (IT Consultant)

Pete Long (Technical Consultant) commented:
Do This

no access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
no access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any any eq smtp
clear late

Then try again

You've already narrowed it down in the static NAT
0
K5-Tech (IT Consultant, Author) commented:
Thanks for the response.  I made the suggested changes but I'm still not getting any mail flow.

Not sure what 'clear late' means.
0
Pete Long (Technical Consultant) commented:
Oops, typo: 'clear xlate'

If you telnet to the outside of the firewall on port 25, do you get a response banner?

Cisco PIX / ASA Port Forwarding

Pete
0

K5-Tech (IT Consultant, Author) commented:
I am able to telnet to the gateway of the firewall XX.XX.XX.133
I added the 'clear xlate' command.
Still no email flow.
0
max_the_king commented:
Hi Brian,
by looking at your access-list it seems that you've been messing around with the configuration ...

I see access-list bound to both interface asa public ip and ip x.x.x.132, which makes me think you've changed something on the way ...
So chances are that your mailserver domain in dns registered on x.x.x.132 and NOT x.x.x.133: this would well explain why you can telnet interface asa ip on port 25, but you do not get mail flow through server (which is known from outside internet as x.x.x.132).
If this is the case, you need to static nat mailserver on x.x.x.132 and everything will work fine:

no static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
no static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
no static (inside,outside) udp interface 25 SERVER 25 netmask 255.255.255.255
no static (inside,outside) udp interface www SERVER www netmask 255.255.255.255
no static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
no static (inside,outside) udp interface 443 SERVER 443 netmask 255.255.255.255
no static (inside,outside) tcp interface ftp-data SERVER ftp-data netmask 255.255.255.255
no static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255

and then:

static (inside,outside) tcp x.x.x.132 smtp SERVER smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 www SERVER www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 ftp-data SERVER ftp-data netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 https SERVER https netmask 255.255.255.255

I did not include UDP static NAT, which is useless (you can delete it from the access-lists as well); the following is all you need after changing NAT as above:

access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp-data

hope this helps
max
0
K5-Tech (IT Consultant, Author) commented:
Still not getting any email through the ASA.  Here is the current config.  Any help would be greatly appreciated.

Thanks,
Brian

: Saved
:
ASA Version 8.2(5)
!
hostname gw
domain-name domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.15 AXISSERVER
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.133 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name domain.com
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit tcp host AXISSERVER any eq smtp
access-list inside_nat0_outbound extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx.xx.xx.132 www AXISSERVER www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.132 https AXISSERVER https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.132 smtp AXISSERVER smtp netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6ffe82d4bcc6a1c6ceae45ec322429ca
: end
no asdm history enable
0
max_the_king commented:
Hi,
you have missed
access-group outside_access_in in interface outside
in your configuration.
After doing that, if still no joy, do a
show access-list
and check if you have the hitcount increasing.

hope this helps
max
0
K5-Tech (IT Consultant, Author) commented:
Still no luck. Hitcounts are 0.

gw(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host xx.xx.xx.132 eq www (hitcnt=0) 0x056a7d25
access-list outside_access_in line 2 extended permit tcp any host xx.xx.xx.132 eq https (hitcnt=0) 0x8b66fed4
access-list outside_access_in line 3 extended permit tcp any host xx.xx.xx.132 eq smtp (hitcnt=0) 0xf0465593
access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip any any (hitcnt=0) 0x6d7b904a
access-list inside_nat0_outbound line 2 extended permit tcp host AXISSERVER any eq smtp (hitcnt=0) 0xf3f28214
gw(config)#
0
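The two checks max_the_king asks for above (does every static port-forward have a matching permit in the outside ACL, is the ACL actually bound with access-group, and do the hit counters move once it is) can be scripted against a saved config and a pasted `show access-list`. The following is an added example written for this thread, not code from the thread or from Cisco; the config and counter output it parses are constructed to mirror the poster's second config (with the access-group line missing), and 203.0.113.132 is a documentation-range placeholder for the real public address.

```python
"""Lint an ASA 8.2-style config for the inbound-service mistakes in this thread:
a static port-forward whose public host/port has no ACL permit, an ACL that is
defined but never bound (access-group or nat 0 access-list), and, from
'show access-list' output, rules whose hit counter is still zero.
Added example, not part of the original thread; samples below are constructed."""
import re

# Constructed sample: the poster's second config, minus the access-group line.
SAMPLE_CONFIG = """\
names
name 192.168.0.15 AXISSERVER
access-list outside_access_in extended permit tcp any host 203.0.113.132 eq www
access-list outside_access_in extended permit tcp any host 203.0.113.132 eq https
access-list inside_nat0_outbound extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 203.0.113.132 www AXISSERVER www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.132 https AXISSERVER https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.132 smtp AXISSERVER smtp netmask 255.255.255.255
"""

# Constructed sample of 'show access-list' output after the ACL was bound.
SAMPLE_SHOW_ACL = """\
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 203.0.113.132 eq www (hitcnt=12) 0x056a7d25
access-list outside_access_in line 2 extended permit tcp any host 203.0.113.132 eq https (hitcnt=0) 0x8b66fed4
access-list outside_access_in line 3 extended permit tcp any host 203.0.113.132 eq smtp (hitcnt=0) 0xf0465593
"""

# Only the 8.2 forms used in this thread are modelled; 'static ... interface'
# port-forwards and object-group ACL entries are not.
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
HIT_RE = re.compile(r"^access-list (\S+) line (\d+) (.*) \(hitcnt=(\d+)\)")


def lint_config(config):
    """Return a list of findings (strings) for the running-config text."""
    statics, acl_permits, defined_acls, bound_acls = [], set(), set(), set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groups())  # real_if, mapped_if, proto, mapped_ip, mapped_port, real_host, real_port
            continue
        m = ACL_RE.match(line)
        if m:
            name, action, proto, _src, dst, port = m.groups()
            defined_acls.add(name)
            if action == "permit":
                acl_permits.add((name, proto, dst, port))
            continue
        if line.startswith("access-list "):
            defined_acls.add(line.split()[1])  # rule shapes ACL_RE does not model
            continue
        m = GROUP_RE.match(line)
        if m:
            bound_acls.add(m.group(1))
        m = NAT0_RE.match(line)
        if m:
            bound_acls.add(m.group(2))

    findings = []
    for _real_if, _mapped_if, proto, mapped_ip, mapped_port, _host, _rport in statics:
        # A port-forward is reachable only if some ACL permits the mapped host/port.
        if not any(p[1:] == (proto, mapped_ip, mapped_port) for p in acl_permits):
            findings.append(f"static {proto} {mapped_ip}/{mapped_port} has no ACL permit")
    for name in sorted(defined_acls - bound_acls):
        # The thread's actual fault: an ACL that exists but is applied nowhere.
        findings.append(f"ACL {name} is defined but never bound (access-group / nat 0)")
    return findings


def zero_hit_rules(show_output):
    """Return (acl, line_no, rule_text) for every rule whose counter is still 0."""
    unused = []
    for line in show_output.splitlines():
        m = HIT_RE.match(line)
        if m and int(m.group(4)) == 0:
            unused.append((m.group(1), int(m.group(2)), m.group(3)))
    return unused


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("config:", finding)
    for acl, no, rule in zero_hit_rules(SAMPLE_SHOW_ACL):
        print(f"no hits: {acl} line {no}: {rule}")
```

Run against the sample config it reports the SMTP forward with no permit (the poster's first config had the permit, the second lacked it until re-added) and both ACLs as unbound; once an `access-group outside_access_in in interface outside` line is appended only `inside_nat0_outbound` remains flagged, which matches max_the_king's later advice to delete it. Zero-hit rules after the ACL is bound point at either a DNS/MX problem or, as it turned out here, an upstream device still holding stale state.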
max_the_king commented:
Then you need to check if the MX record is correct.
nslookup with type = mx on the domain name
0
K5-Tech (IT Consultant, Author) commented:
The nslookup finds the server but the DNS request times out.

> type=mx mail.axisbenefits.com
Server: mail.axisbenefits.com
Address: 50.193.80.132

DNS request timed out.
         timeout was 2 seconds.
DNS request timed out.
         timeout was 2 seconds.
***Request to mail.axisbenefits.com timed-out
0
max_the_king commented:
MX record is OK.

does your mailserver have ASA as default gateway ?

delete the following from ASA, it is probably harmless but useless anyway:

no access-list inside_nat0_outbound

can you ping ASA from mailserver and viceversa ?

max
0
K5-Tech (IT Consultant, Author) commented:
There are two access-list inside_nat0_outbound commands.  Delete both?

access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit tcp host AXISSERVER any eq smtp
0
max_the_king commented:
Yes, they are useless.
0
K5-Tech (IT Consultant, Author) commented:
Yes, I can ping the internal IP address of the ASA from the Exchange server and vice versa.
0
K5-Tech (IT Consultant, Author) commented:
Mail is going out but not coming in.
0
K5-Tech (IT Consultant, Author) commented:
Yes, the default gateway of the mail server is 192.168.0.1 (firewall).
0
max_the_king commented:
Access-list hitcount?
0
K5-Tech (IT Consultant, Author) commented:
Still 0.

gw(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 50.193.80.132 eq www (hitcnt=0) 0x056a7d25
access-list outside_access_in line 2 extended permit tcp any host 50.193.80.132 eq https (hitcnt=0) 0x8b66fed4
access-list outside_access_in line 3 extended permit tcp any host 50.193.80.132 eq smtp (hitcnt=0) 0xf0465593
gw(config)#
0
max_the_king commented:
You can try and clear the static with port forwarding. Then you can NAT 1-to-1:

static (inside,outside) publicIP privateIP

then do a clear xlate and see if the hitcount increases.
0
K5-Tech (IT Consultant, Author) commented:
The problem is resolved.  After making all of the suggested changes, I rebooted the Comcast cable modem and email started flowing through.  Thanks for all of your help.
0