VPN Hair-pinning and External SMTP to internal not working

Chris R — Tue, 12 Mar 2019 08:26:54 GMT

I have been beating my head against the wall for the last four days trying to figure out why my VPN clients cannot access the Internet when connected AND why my internal SMTP server cannot receive outside traffic. I have replaced an ASA 5510 with an ASA 5512 which was doing these things without issue. I'm hoping someone will see what I've missed and can help me out before I rip out what's left of my hair. The only major differences between ASAs are

ASA 5510 (working)	ASA 5512-X (not working)
SW V 8.4(7)	SW V 9.4(3)11
AnyConnect Essentials	APEX Licenses
No additional modules/hardware	FirePOWER Service Module

I've run the packet-tracer for my SMTP issue and it claims traffic will get through, but when I monitor both sides of the new ASA I see the connection try to come in from the outside but there is nothing on the inside.

ASA Version 9.4(3)11
!
hostname asa5512
domain-name dmz.***.***
enable password *** encrypted
names
ip local pool ASA_VPN_Pool 10.1.101.2-10.1.101.62 mask 255.255.255.192
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address PublicAddress
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.1.11 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa943-11-smp-k8.bin
boot system disk0:/asa943-8-smp-k8.bin
ftp mode passive
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.1.8.20
name-server 10.1.8.30
domain-name dmz.***.***
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Admin
subnet 10.1.0.0 255.255.255.0
description Administration workstations network
object network Clients_Wired
subnet 10.1.60.0 255.255.254.0
description Wired Local Site Clients
object network Clients_Wireless
subnet 10.1.100.0 255.255.255.0
description Legacy Wireless Clients
object network Servers
subnet 10.1.8.0 255.255.252.0
description Server Infrastructure
object network Phones
subnet 10.1.2.0 255.255.255.0
description VoIP Phones
object network Clients_Partner_Org
subnet 10.1.200.0 255.255.255.0
description Partner Organization Clients
object network smtp_incoming
host 10.1.1.105
description Incomming SMTP Server
object network Sandboxes
range 192.168.198.11 192.168.198.19
description Virtual Routers for Sandboxed environments
object network DNS1
host 10.1.8.10
description DNS Filter 1
object network DNS2
host 10.1.8.15
description DNS Filter 2
object network DNS3
host 192.168.1.55
description Emergency DNS Access
object network VPN_Junos
subnet 10.1.101.64 255.255.255.192
description Junos Provided VPN connections
object network DMZ
subnet 192.168.1.0 255.255.255.0
description Local Site DMZ
object network smtp_outgoing
host 10.1.11.106
object network VoIP_Provider
subnet AnotherPublicAddress 255.255.248.0
description Commercial VoIP Provider
object network VPN_Cisco_Anyconnect
subnet 10.1.101.0 255.255.255.192
object network Backup_Site
subnet 10.2.0.0 255.255.255.0
description Offsite DR-COOP location
object service ExternalSMTP
service tcp destination eq smtp
description Outside SMTP
object network NAS_SAN
subnet 10.1.12.0 255.255.252.0
description Local Site NAS and SAN network
object network VPN_Old_ASA
subnet 10.1.101.128 255.255.255.192
description Old Cisco ASA's AnyConnect IP Pool
object-group network Authorized_DNS
description Hosts permitted to do DNS queries from the Local Site
network-object object DNS1
network-object object DNS2
network-object object DNS3
object-group network Authorized_Internet
description Network IP Addresses authorized Internet access
network-object object Admin
network-object object Clients_Partner_Org
network-object object Clients_Wired
network-object object Clients_Wireless
network-object object Phones
network-object object Sandboxes
network-object object VPN_Junos
network-object object VPN_Cisco_Anyconnect
network-object object DMZ
network-object object Servers
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object icmp echo
service-object icmp echo-reply
service-object icmp unreachable
service-object tcp-udp destination eq sip
service-object tcp destination eq ftp
service-object tcp destination eq ftp-data
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq ntp
object-group service Extended-SMTP tcp
description Both published SMTP ports
port-object eq 587
port-object eq smtp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VoIP-UDP-Services udp
description UDP ports for VoIP traffic
port-object range 8192 65535
access-list SFR extended permit ip any any
access-list Inside_access_in extended deny ip host 192.168.3.3 any log disable
access-list Inside_access_in extended deny ip host 10.1.8.100 interface Inside log disable
access-list Inside_access_in remark Permit SMTP out of SMTP-outgoing.
access-list Inside_access_in extended permit tcp object smtp_incoming any eq smtp log critical
access-list Inside_access_in remark Permit SMTP into SMTP-incoming
access-list Inside_access_in extended permit tcp object smtp_outgoing any object-group Extended-SMTP log disable
access-list Inside_access_in remark Permit authorized DNS servers to receive queries
access-list Inside_access_in extended permit object-group TCPUDP object-group Authorized_DNS any eq domain log disable
access-list Inside_access_in remark Permit VoIP network access to VoIP provider's networks and protocols
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Phones object VoIP_Provider log disable
access-list Inside_access_in remark Additonal UDP port ranges permitted for VoIP phones
access-list Inside_access_in extended permit udp object Phones object VoIP_Provider object-group VoIP-UDP-Services log disable
access-list Inside_access_in remark VoIP phones pull NTP data from multiple points on the Internet
access-list Inside_access_in extended permit udp object Phones any eq ntp log disable
access-list Inside_access_in remark Restrict VoIP phones to VoIP provider's network and services and NTP only.
access-list Inside_access_in extended deny ip object Phones any
access-list Inside_access_in remark Restrict DNS to authorized DNS hosts only.
access-list Inside_access_in extended deny object-group TCPUDP any any eq domain
access-list Inside_access_in remark Restrict SMTP to SMTP relay servers
access-list Inside_access_in extended deny tcp any any object-group Extended-SMTP log critical
access-list Inside_access_in remark Permit authorized IP addresses to access the Internet
access-list Inside_access_in extended permit ip object-group Authorized_Internet any log disable
access-list Inside_access_in extended permit ip object NAS_SAN object Backup_Site log disable
access-list Inside_access_in remark Block all non-authorized IP addresses.
access-list Inside_access_in extended deny ip any any log critical
access-list Outside_access_in remark Permit incoming SMTP traffic to the appropriate host
access-list Outside_access_in extended permit tcp any object smtp_incoming eq smtp log notifications
access-list Outside_access_in remark Permit ping and traceroute to traverse the system
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 log disable
access-list Inside_cryptomap_1 extended permit ip object Servers object Backup_Site
access-list Outside_cryptomap extended permit ip object Servers object Backup_Site
access-list Servers extended permit ip any object Servers
access-list Outside_cryptomap_65535.65535 extended permit ip any any
access-list Outside_cryptomap_65535.65535_1 extended permit ip any any
access-list Inside_cryptomap_65535.65535 extended permit ip any any
access-list Outside_cryptomap_65535.65535_2 extended permit ip any any
access-list Outside_cryptomap_65535.65535_3 extended permit ip any any
access-list Inside_cryptomap_65535.65535_1 extended permit ip any any
access-list global_mpc extended permit icmp any any
pager lines 24
logging enable
logging console emergencies
logging monitor notifications
...
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static any any destination static VPN_Cisco_Anyconnect VPN_Cisco_Anyconnect no-proxy-arp route-lookup
!
object network Admin
nat (Inside,Outside) dynamic interface
object network Clients_Wired
nat (Inside,Outside) dynamic interface
object network Clients_Wireless
nat (Inside,Outside) dynamic interface
object network Servers
nat (Inside,Outside) dynamic interface
object network Phones
nat (Inside,Outside) dynamic interface
object network Clients_Partner_Org
nat (Inside,Outside) dynamic interface
object network smtp_incoming
nat (Inside,Outside) static interface service tcp smtp smtp
object network Sandboxes
nat (Inside,Outside) dynamic interface
object network VPN_Junos
nat (Inside,Outside) dynamic interface
object network DMZ
nat (Inside,Outside) dynamic interface
object network VPN_Cisco_Anyconnect
nat (Outside,Outside) dynamic interface
object network VPN_Old_ASA
nat (Inside,Outside) dynamic interface
!
nat (Outside,Outside) after-auto source dynamic any interface
nat (Inside,Outside) after-auto source static any any no-proxy-arp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 66.83.238.177 1
route Inside 10.1.0.0 255.255.0.0 192.168.1.10 1
route Inside 10.1.101.64 255.255.255.192 192.168.1.3 1
route Inside 10.1.101.128 255.255.255.192 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
...
!
class-map SFR
match access-list SFR
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect ip-options
class SFR
sfr fail-open
!
service-policy global_policy global
...
: end

Hi ,

MANI .P — Thu, 27 Oct 2016 06:32:20 GMT

Hi ,

can you check below .

Following point you have to check .

01. Identity NAT . ( Inside nw to VPN Nw)

02.Dynamic NAT ( VPN nw to outside interface)

03.option 1 - static NAT for smtp server ( static NAT)

option 2 - Dynamic NAT with PAT for smtp server ( outside interface with service smtp port policy defined or Any IP address )

Thanks. As it turns out, I

Chris R — Thu, 27 Oct 2016 21:01:26 GMT

Thanks. As it turns out, I had the wrong IP address for my smtp_incoming network object. The ASA was trying to forward it to an unused IP address and I never caught it on my tcpdump scans because THAT filter was looking for only dst 10.1.11.105 dst port 25.

I had tried Option 2, but the network object was wrong.

Now to get the VPN hair-pinning ironed out (I'll open a new discussion in the VPN group for that).

topic Hi , in Network Security

VPN Hair-pinning and External SMTP to internal not working

Hi ,

Thanks. As it turns out, I