topic Thanks for the quick reply! in Network Security

Can't Ping outlook.office365.com from inside

Ryan Palmer — Tue, 12 Mar 2019 06:25:16 GMT

I'm trying to ping outlook.office365.com from inside through an ASA 5505. I found this in the log:

4 Aug 12 2015 16:06:41 106023 132.245.23.146 x.x.x.x Deny icmp src outside:132.245.23.146 dst inside:x.x.x.x (type 0, code 0) by access-group "outside_access_in" [0x0, 0x0]

I'm trying to figure out why a program we use can send email via smtp.office365.com:587 but not through outlook.office365.com. I can't ping smtp.office365.com either so I'm not sure it is related but I have to start somewhere. Is the ping going out but not being let back inside? If that is case that's fine but what is blocking my program from reaching outlook.office365.com. I can reach it via any web browser just not through this program which I need to send email with.

Any help with this is greatly appreciated and please let me know any more information that is needed.

Hi Ryan,The log entry implies

Niels van der Made — Thu, 13 Aug 2015 12:41:21 GMT

Hi Ryan,

The log entry implies that the icmp-echo-reply is blocked by your outside_access_in acl.

So yes "the ping is going out, but nog being let back inside"

You can solve this by adding "access-list outside_access_in permit icmp any any"
(before an deny any rule if present).

Also you could specify the rule to "permit icmp any any echo-reply" but that's up to you.

When you're trying to reach the url in your browser, you'll be making an https connection instead of tcp/587, that's a big difference.

Maybe your inside acl is blocking tcp/587 traffic because of a deny rule?

Could you please post your running config?.

Also do you see any connections to tcp/587 in the logging when you're trying to send an email?

Thanks for the quick reply!

Ryan Palmer — Thu, 13 Aug 2015 13:12:47 GMT

Thanks for the quick reply! I'm not having trouble with tcp/587 but with 993. While I'm not able to ping either I am able to send email via smtp.office365.com:587 but not via outlook.office.com which should use 993. The program that needs the outlook.office.com requires and imap connection to save sent mail in sent items. I've attached my config. I can paste it here if that is better and thanks for your help. I'm very new with Cisco and did not setup this router. I've added a few things here and there but am not knowledgeable at all.

Config looks fine.First

Niels van der Made — Thu, 13 Aug 2015 13:43:56 GMT

Config looks fine.

First enable logging on the ASA.

conf t
logging buffered informational
logging buffer-size 1048576
end

Then try to send an email and check if there is something in the logs about the connection by executing "show log | include x.x.x.x" where x.x.x.x is the source IP of your client.

Please provide us the output.

I'm not sure the command

Ryan Palmer — Thu, 13 Aug 2015 14:08:05 GMT

I'm not sure the command worked. It said sent for all but at the end it said command failed. I probably did something wrong but here are the results. RTS is the object name for the client IP. I believe outlook.office.com resolves to 132.x.x.x shown below. Thanks again for the help.

Result of the command: "show log | include RTS"

%ASA-6-305011: Built dynamic TCP translation from inside:RTS/51770 to outside:x.x.x.x/25672
%ASA-6-302013: Built outbound TCP connection 21356047 for outside:184.185.113.61/80 (184.185.113.61/80) to inside:RTS/51770 (x.x.x.x/25672)
%ASA-6-305011: Built dynamic TCP translation from inside:RTS/51771 to outside:x.x.x.x/25673
%ASA-6-302013: Built outbound TCP connection 21356048 for outside:x.186.29.26/80 (x.186.29.26/80) to inside:RTS/51771 (x.x.x.x/25673)
%ASA-6-302014: Teardown TCP connection 21356048 for outside:x.186.29.26/80 to inside:RTS/51771 duration 0:00:00 bytes 1230 TCP FINs
%ASA-6-302014: Teardown TCP connection 21356047 for outside:184.185.113.61/80 to inside:RTS/51770 duration 0:00:16 bytes 12795 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:RTS/51770 to outside:x.x.x.x/25672 duration 0:00:30
%ASA-6-305012: Teardown dynamic TCP translation from inside:RTS/51771 to outside:x.x.x.x/25673 duration 0:00:30
%ASA-6-305011: Built dynamic TCP translation from inside:RTS/51772 to outside:x.x.x.x/25951
%ASA-6-302013: Built outbound TCP connection 21356473 for outside:132.245.63.226/25 (132.245.63.226/25) to inside:RTS/51772 (x.x.x.x/25951)
%ASA-6-302014: Teardown TCP connection 21356473 for outside:132.245.63.226/25 to inside:RTS/51772 duration 0:00:05 bytes 464 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:RTS/51772 to outside:x.x.x.x/25951 duration 0:00:30

%ASA-6-302013: Built outbound

Niels van der Made — Thu, 13 Aug 2015 14:16:24 GMT

%ASA-6-302013: Built outbound TCP connection 21356473 for outside:132.245.63.226/25

Looks like the connection is made to port 25 instead of 993, looks like an application issue.
Make sure the mailclient has port 993 configured, probably a "override default port setting".

If I use outlook.office365

Ryan Palmer — Thu, 13 Aug 2015 14:33:01 GMT

If I use outlook.office365.com:993 I get this:

Result of the command: "show log | include RTS"

%ASA-6-305011: Built dynamic TCP translation from inside:RTS/51788 to outside:x.x.x.x/29549
%ASA-6-302013: Built outbound TCP connection 21362034 for outside:132.245.23.146/993 (132.245.23.146/993) to inside:RTS/51788 (x.x.x.x/29549)
%ASA-6-302014: Teardown TCP connection 21362034 for outside:132.245.23.146/993 to inside:RTS/51788 duration 0:00:30 bytes 0 TCP FINs

The email client throws an error as well. But when I use smtp.office365.com:587 there is no error and the log looks like this:

%ASA-6-305012: Teardown dynamic TCP translation from inside:RTS/51788 to outside:x.x.x.x/29549 duration 0:01:00
%ASA-6-305011: Built dynamic TCP translation from inside:RTS/51798 to outside:x.x.x.x/29822
%ASA-6-302013: Built outbound TCP connection 21362572 for outside:157.56.239.194/587 (157.56.239.194/587) to inside:RTS/51798 (x.165.74.166/29822)
%ASA-6-302014: Teardown TCP connection 21362572 for outside:157.56.239.194/587 to inside:RTS/51798 duration 0:00:09 bytes 6140 TCP FINs

Based on the TCP FIN, it

Niels van der Made — Thu, 13 Aug 2015 14:57:44 GMT

Based on the TCP FIN, it looks like the tcp handshake is not completed, but based on the logging I can't see why.

If you do a telnet outlook.office365.com 993 from te client, do you get a connection then?
Also what kind of error message are you getting on the mailclient?

I'm still not convinced it is an asa related issue.

I'm not convinced it is an

Ryan Palmer — Thu, 13 Aug 2015 16:00:04 GMT

I'm not convinced it is an ASA related issue either.

When I telnet to outlook.office365.com it just hangs at "Connecting To outlook.office365.com..." and comes back with "Could not open connection to the host, on port 23: Connect failed"

When I telnet to outlook.office365.com 993 the connection seems to go right through but the terminal is just blank and after 30 seconds or so goes back to the command prompt.

telnet to smtp.office365.com 587 I get 220 BLUPR0301CA0004.outlook.office365.com Microsoft ESMTP MAIL Service ready at Thu, 13 Aug 2015 15:22:02 +0000

The program uses java to send mail. When using outlook.office365.com:993 the error from the program when sending a test message is "An Error Occurred: Exception Reading Response". The java window which comes up and shows progress does not even appear.

When using outlook.office365.com (the recommended setting from the dev) the error is "An error occurred: 530 5.7.57 SMTP; Client was not authenticated to send anonymous mail during MAIL FROM"