Cisco ASA 5506 - Port forwarding for SMTP and HTTPS not working

Mark2016
Implementing a new Cisco ASA 5506 and I'm unable to get port forwarding for HTTPS and SMTP to work. In the Access Rules area I can see that I am getting port hits on the rules, but the pass-through from the outside to the inside is failing.

Following are the general config details I have at the moment. Thank you for any assistance you might be able to offer.

 
:
: Serial Number: ##########
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 03:46:58.616 CDT Wed Sep 7 2016
!
ASA Version 9.5(1)
!
hostname FIREWALL
domain-name domain.com
enable password ***************
names
ip local pool Mail_Datacenter_VPN_Pool 10.0.1.225-10.0.1.245 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description Datcenter subnet 1
 nameif outside
 security-level 0
 ip address XX.XX.XX.76 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.100.20 inside
 name-server 10.1.100.21 inside
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MSG1
 host 10.1.100.30
object network MSG2
 host 10.1.100.31
object network MSG3
 host 10.1.100.32
object network obj_Mail_Datacenter
 subnet 10.1.100.0 255.255.255.0
object network obj_Remote
 subnet 10.0.0.0 255.255.255.0
object network obj_Ouside_smtp
 host 10.1.100.30
object network obj_MSG1_smtp
 host 10.1.100.30
object network 10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj_Remote_Network
 subnet 10.0.0.0 255.255.255.0
object service mapped_SMTP_2500
 service tcp destination eq 2500
object network obj_MSG1_https
 host 10.1.100.30
object network InsideOut
 subnet 10.1.1.0 255.255.255.0
object network obj_XX.XX.XX.78
 host XX.XX.XX.78
object network outside-network2
 subnet XX.XX.XX.80 255.255.255.248
object network outside-network
 subnet XX.XX.XX.72 255.255.255.248
object network obj_MailServer_outside
 host XX.XX.XX.74
object network General_Datacenter
 subnet 10.1.1.0 255.255.255.0
object network obj_Outside_https
 host 10.1.100.30
object-group network DM_INLINE_NETWORK_1
 network-object object obj_MSG1_https
 network-object object obj_Outside_https
 network-object object obj_Ouside_smtp
access-list inside_access_in extended permit tcp any object obj_MSG1_smtp eq smtp inactive
access-list inside_access_in extended permit ip object obj_Mail_Datacenter object 10.0.0.0
access-list inside_access_in extended permit ip object Mail_Datacenter any
access-list outside_cryptomap_1 extended permit ip object obj_Mail_Datacenter object obj_RemoteNet
access-list outside_cryptomap_2 extended permit ip object obj_Mail_Datacenter object obj_Remote_Network
access-list outside_access_in extended permit tcp any object MSG1 eq https
access-list outside_access_in extended permit tcp any object MSG1 eq smtp
access-list outside_authentication extended deny tcp any4 object-group DM_INLINE_NETWORK_1 eq https
access-list outside_authentication extended deny tcp any4 object obj_MSG1_smtp eq smtp
access-list outside_authentication extended deny tcp any4 object obj_Ouside_smtp
access-list outside_authentication extended permit tcp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
object network obj_Ouside_smtp
 nat (outside,inside) static XX.XX.XX.74 service tcp smtp smtp
object network Indiana_Datacenter
 nat (inside,outside) dynamic XX.XX.XX.77
object network obj_Outside_https
 nat (inside,outside) static XX.XX.XX.75 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server DC protocol ldap
aaa-server DC (inside) host 10.1.100.20
 timeout 5
 ldap-base-dn dc=domain.com
 ldap-scope subtree
 server-type auto-detect
aaa-server DC (inside) host 10.1.100.21
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 server-type microsoft
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host Blah.duosecurity.com
 server-port 636
 ldap-base-dn dc=BLAH,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password ####
 ldap-login-dn dc=####,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication match outside_authentication outside DC
http server enable 444
http 10.1.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn FIREWALL
 subject-name CN=FIREWALL
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0

  quit

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
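Before the expert replies, an added example that is not part of the original post and not a Cisco tool: a small Python lint that parses an excerpt modelled on the posted config (a constructed sample, with the XX.XX.XX.x public addresses replaced by 203.0.113.x TEST-NET placeholders) and reports the three things a reviewer would check first on an ASA 8.3+/9.x port forward. Object NAT is written `nat (real_ifc,mapped_ifc)`, so an inside host published on a public address must use `(inside,outside)`; the lint derives each object's real interface from the interface subnets and flags a mismatch, flags NAT statements on objects that never received a host/subnet (as posted, `Indiana_Datacenter` has none), and flags access-lists that reference undefined objects (`obj_RemoteNet`). It also confirms that `outside_access_in` targets the real 10.1.100.30, which is what 8.3+ expects. The sample input and all names in it are assumptions for this example.

```python
"""Lint an ASA 8.3+/9.x object-NAT config for common port-forward mistakes.

Added example, not the original poster's or Cisco's code. Input is a
constructed excerpt of the posted config with 203.0.113.x placeholders.
"""
import ipaddress
import re

# Constructed sample mirroring the post; hypothetical values only.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.76 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 ip address 10.1.100.1 255.255.255.0
!
object network MSG1
 host 10.1.100.30
object network obj_Ouside_smtp
 host 10.1.100.30
object network obj_Outside_https
 host 10.1.100.30
object network obj_Mail_Datacenter
 subnet 10.1.100.0 255.255.255.0
access-list outside_access_in extended permit tcp any object MSG1 eq https
access-list outside_cryptomap_1 extended permit ip object obj_Mail_Datacenter object obj_RemoteNet
!
object network obj_Ouside_smtp
 nat (outside,inside) static 203.0.113.74 service tcp smtp smtp
object network Indiana_Datacenter
 nat (inside,outside) dynamic 203.0.113.77
object network obj_Outside_https
 nat (inside,outside) static 203.0.113.75 service tcp https https
access-group outside_access_in in interface outside
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (.*)")


def parse(cfg):
    """Return (interfaces, objects, acl_lines) from 'show run' style text.

    interfaces: {nameif: connected ip_network}
    objects:    {name: {'addr': ip_network|None, 'nat': str|None}}
    """
    interfaces, objects, acls = {}, {}, []
    stanza, name, ifc = None, None, None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            stanza, ifc = "interface", None
            continue
        m = re.match(r"object network (\S+)$", raw)
        if m:                                   # object may appear twice: addr block, then nat block
            stanza, name = "object", m.group(1)
            objects.setdefault(name, {"addr": None, "nat": None})
            continue
        if raw.startswith("access-list "):
            acls.append(raw)
            continue
        if not raw.startswith(" "):             # '!' or any other top-level line ends a stanza
            stanza = None
            continue
        body, parts = raw.strip(), raw.split()
        if stanza == "interface":
            if body.startswith("nameif "):
                ifc = parts[1]
            elif body.startswith("ip address ") and ifc:
                interfaces[ifc] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        elif stanza == "object":
            if body.startswith("host "):
                objects[name]["addr"] = ipaddress.ip_network(parts[1] + "/32")
            elif body.startswith("subnet "):
                objects[name]["addr"] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            elif body.startswith("nat "):
                objects[name]["nat"] = body
    return interfaces, objects, acls


def real_interface(addr, interfaces):
    """Nameif whose connected subnet contains addr, or None if not directly connected."""
    for nameif, net in interfaces.items():
        if addr.subnet_of(net):
            return nameif
    return None


def lint(cfg):
    """Return human-readable findings; empty list means nothing obvious is wrong."""
    interfaces, objects, acls = parse(cfg)
    findings = []
    for name, obj in objects.items():
        if obj["nat"] is None:
            continue
        if obj["addr"] is None:
            findings.append(f"{name}: has a nat statement but no host/subnet, so it translates nothing")
            continue
        m = NAT_RE.match(obj["nat"])
        if not m:
            continue                            # interface-less nat form; nothing to check here
        real_ifc, mapped_ifc, rest = m.groups()
        lives_on = real_interface(obj["addr"], interfaces)
        if lives_on and real_ifc != lives_on:   # ASA syntax is nat (real_ifc,mapped_ifc)
            mapped = mapped_ifc if mapped_ifc != lives_on else real_ifc
            findings.append(f"{name}: real address {obj['addr']} is on '{lives_on}' but nat is "
                            f"({real_ifc},{mapped_ifc}); use 'nat ({lives_on},{mapped}) {rest}'")
    for line in acls:
        for ref in re.findall(r"\bobject (\S+)", line):
            if ref not in objects:
                findings.append(f"{line.split()[1]}: references undefined object {ref}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the SMTP rule written `(outside,inside)` with the corrected `nat (inside,outside) static 203.0.113.74 service tcp smtp smtp`, the address-less `Indiana_Datacenter` NAT, and the dangling `obj_RemoteNet` reference; the HTTPS rule passes. On a real box the same questions are answered by `show nat detail` and `packet-tracer`, which is why that is the first thing to run.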
Most Valuable Expert 2015
Commented:
Have you run packet tracer?

packet-tracer input outside tcp 8.8.8.8 12345 10.1.100.30 80 detail

and do the same for port 25.
Most Valuable Expert 2015

Commented:
This question should be closed with no solution and no points.
