K5-Tech
Email not flowing through Cisco ASA 5505 to Exchange

I am replacing a Cisco PIX 506E with an ASA 5505 and I'm not getting any mail flow through the firewall. Could someone take a look at the config and let me know what is wrong or missing?

Thanks,
Brian

: Saved
:
ASA Version 8.2(5)
!
hostname gw
domain-name axisbenefits.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.15 SERVER
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.133 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name domain.com
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit udp any host xx.xx.xx.132 eq 25
access-list outside_access_in extended permit udp any host xx.xx.xx.132 eq 443
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp-data
access-list outside_access_in extended permit udp any interface outside eq 25
access-list outside_access_in extended permit udp any interface outside eq 443
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
access-list outside_access_in extended permit udp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit udp any interface outside eq www
access-list inside_nat0_outbound extended permit tcp host SERVER any eq smtp
access-list inside_nat0_outbound extended deny tcp any any eq smtp
access-list inside_nat0_outbound extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
static (inside,outside) udp interface 25 SERVER 25 netmask 255.255.255.255
static (inside,outside) udp interface www SERVER www netmask 255.255.255.255
static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) udp interface 443 SERVER 443 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data SERVER ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b183a3e43dbba907830e981e206c709c
: end
Pete Long

Do This

no access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
no access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any any eq smtp
clear late

Then try again

You've already narrowed it down in the static NAT
K5-Tech (ASKER)

Thanks for the response.  I made the suggested changes but I'm still not getting any mail flow.

Not sure what 'clear late' means.
oops typo 'clear xlate'

If you telnet to the outside of the firewall on port 25, do you get a response banner?

Cisco PIX / ASA Port Forwarding

Pete
K5-Tech (ASKER)

I am able to telnet to the gateway of the firewall XX.XX.XX.133
I added the 'clear xlate' command.
Still no email flow.
max_the_king

Hi Brian,
By looking at your access-list, it seems that you've been messing around with the configuration ...

I see access-list entries bound to both the ASA's public IP and the IP x.x.x.132, which makes me think you've changed something along the way ...
So chances are that your mailserver domain in DNS is registered on x.x.x.132 and NOT x.x.x.133: this would well explain why you can telnet to the ASA's interface IP on port 25, but you do not get mail flow through to the server (which is known to the outside internet as x.x.x.132).
If this is the case, you need to static NAT the mailserver on x.x.x.132 and everything will work fine:

no static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
no static (inside,outside) tcp interface www SERVER www netmask 255.255.255.255
no static (inside,outside) udp interface 25 SERVER 25 netmask 255.255.255.255
no static (inside,outside) udp interface www SERVER www netmask 255.255.255.255
no static (inside,outside) tcp interface ftp SERVER ftp netmask 255.255.255.255
no static (inside,outside) udp interface 443 SERVER 443 netmask 255.255.255.255
no static (inside,outside) tcp interface ftp-data SERVER ftp-data netmask 255.255.255.255
no static (inside,outside) tcp interface https SERVER https netmask 255.255.255.255

and then:

static (inside,outside) tcp x.x.x.132 smtp SERVER smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 www SERVER www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 ftp SERVER ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 ftp-data SERVER ftp-data netmask 255.255.255.255
static (inside,outside) tcp x.x.x.132 https SERVER https netmask 255.255.255.255

I did not include the UDP static NATs, which are useless (you can delete them from the access-lists as well); the following is all you need after changing the NAT as above:

access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq ftp-data

hope this helps
max
K5-Tech (ASKER)

Still not getting any email through the ASA.  Here is the current config.  Any help would be greatly appreciated.

Thanks,
Brian

: Saved
:
ASA Version 8.2(5)
!
hostname gw
domain-name domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.15 AXISSERVER
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.133 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name domain.com
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit tcp host AXISSERVER any eq smtp
access-list inside_nat0_outbound extended deny tcp any any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp xx.xx.xx.132 www AXISSERVER www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.132 https AXISSERVER https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.132 smtp AXISSERVER smtp netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6ffe82d4bcc6a1c6ceae45ec322429ca
: end
Hi,
you have missed

access-group outside_access_in in interface outside

in your configuration. After doing that, if still no joy, do a

show access-list

and check whether the hit count is increasing.

hope this helps
max
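The two things max checks here (a static without an access-group binding its ACL, and a static with no matching permit) can be audited mechanically. The script below is an added example, not from the thread; it parses only the ASA 8.2 `static` port-forward, `access-list ... permit ... any host|interface ... eq` and `access-group` lines, and runs on a constructed config modelled on the one posted above (placeholder addresses as posted, access-group line omitted).

```python
import re

# Constructed sample modelled on the thread's second posted config: three
# statics on xx.xx.xx.132 plus one on the interface address, no access-group.
SAMPLE_CONFIG = """\
name 192.168.0.15 AXISSERVER
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq www
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq https
access-list outside_access_in extended permit tcp any host xx.xx.xx.132 eq smtp
static (inside,outside) tcp xx.xx.xx.132 www AXISSERVER www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.132 https AXISSERVER https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.132 smtp AXISSERVER smtp netmask 255.255.255.255
static (inside,outside) tcp interface ftp AXISSERVER ftp netmask 255.255.255.255
"""

# ASA 8.2: static (real_if,mapped_if) proto mapped_ip mapped_port real_host real_port
STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
# Only the inbound port-forward permits: any -> host X, or any -> interface <name>
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (tcp|udp) any (?:host (\S+)|(interface) \w+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def audit_port_forwards(config):
    """Return findings: every static needs an ACL bound inbound on its mapped
    interface, and that ACL needs a permit matching the static's mapped side."""
    statics, permits, bound = [], set(), {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())            # (mapped_if, proto, mapped_ip, port)
        elif m := ACL_RE.match(line):
            acl, proto, host, iface_kw, port = m.groups()
            permits.add((acl, proto, host or iface_kw, port))   # 'interface' as dest key
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)        # interface name -> ACL name
    findings = []
    for mapped_if, proto, mapped_ip, port in statics:
        acl = bound.get(mapped_if)
        if acl is None:
            findings.append(f"no access-group on {mapped_if}: {proto}/{port} to {mapped_ip} is dropped")
        elif (acl, proto, mapped_ip, port) not in permits:
            findings.append(f"{acl} has no permit for {proto}/{port} to {mapped_ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG):
        print(finding)
```

Adding the missing `access-group outside_access_in in interface outside` line clears the first class of findings and leaves only the interface-address FTP static, which has no matching permit in the posted ACL.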
K5-Tech (ASKER)

Still no luck. Hit counts are 0.

gw(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host xx.xx.xx.132 eq www (hitcnt=0) 0x056a7d25
access-list outside_access_in line 2 extended permit tcp any host xx.xx.xx.132 eq https (hitcnt=0) 0x8b66fed4
access-list outside_access_in line 3 extended permit tcp any host xx.xx.xx.132 eq smtp (hitcnt=0) 0xf0465593
access-list inside_nat0_outbound; 2 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip any any (hitcnt=0) 0x6d7b904a
access-list inside_nat0_outbound line 2 extended permit tcp host AXISSERVER any eq smtp (hitcnt=0) 0xf3f28214
gw(config)#
Then you need to check if the MX record is correct:
nslookup with type = mx on the domain name
K5-Tech (ASKER)

The nslookup finds the server but the DNS request times out.

> type=mx mail.axisbenefits.com
Server: mail.axisbenefits.com
Address: 50.193.80.132

DNS request timed out.
         timeout was 2 seconds.
DNS request timed out.
         timeout was 2 seconds.
***Request to mail.axisbenefits.com timed-out
MX record is OK.

Does your mailserver have the ASA as its default gateway?

Delete the following from the ASA; it is probably harmless but useless anyway:

no access-list inside_nat0_outbound

Can you ping the ASA from the mailserver and vice versa?

max
K5-Tech (ASKER)

There are two access-list inside_nat0_outbound commands.  Delete both?

access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit tcp host AXISSERVER any eq smtp
Yes, they are useless.
K5-Tech (ASKER)

Yes, I can ping the internal IP address of the ASA from the Exchange server and vice versa.
K5-Tech (ASKER)

Mail is going out but not coming in.
K5-Tech (ASKER)

Yes, the default gateway of the mail server is 192.168.0.1 (firewall).
access-list hitcount?
K5-Tech (ASKER)

Still 0.

gw(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 3 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 50.193.80.132 eq www (hitcnt=0) 0x056a7d25
access-list outside_access_in line 2 extended permit tcp any host 50.193.80.132 eq https (hitcnt=0) 0x8b66fed4
access-list outside_access_in line 3 extended permit tcp any host 50.193.80.132 eq smtp (hitcnt=0) 0xf0465593
gw(config)#
ASKER CERTIFIED SOLUTION
max_the_king
K5-Tech (ASKER)

The problem is resolved.  After making all of the suggested changes, I rebooted the Comcast cable modem and email started flowing through.  Thanks for all of your help.