Mr. Michael Mutua

Mykheymutua — Tue, 12 Mar 2019 06:09:40 GMT

Hi Support,

I have a problem that i am trying to get a solution for.

In our domain, we can not receive EXTERNAL EMAILS except for the few individuals whose mail accounts have been hosted in the cloud.

Below are my ASA Configs

Password: ************
xxxxxx#
xxxxxx#
xxxxxx# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

xxxxxx up 3 days 2 hours

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

xxxxxx#
xxxxxx#
xxxxxx# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname xxxxxx
domain-name media.com
enable password nM0K/bGRZ0p.5osG encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif External_Public
security-level 0
ip address 41.186.24.226 255.255.255.248
!
interface GigabitEthernet0/1
nameif Internal_Private
security-level 100
ip address 172.15.0.3 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
banner exec This is mulala ASA Firewall.Please do not Log if if you are not Authorised
banner login This is mulala ASA Firewall.Please do not Log if if you are not Authorised
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
dns domain-lookup External_Public
dns domain-lookup Internal_Private
dns server-group DefaultDNS
name-server 196.44.250.215
name-server 196.44.250.214
domain-name media.com
object network Internal_Private
subnet 172.15.0.0 255.255.255.0
description Inside
object service owa
service tcp source eq www destination eq 9090
description webmail
object service http_gen
service tcp destination eq 9090
description Generic HTTP Port
object service imap_sec
service tcp destination eq 993
description Secure IMAP
object service smtp_sub
service tcp destination eq 587
description SMTP Email Submission
object service smtps
service tcp destination eq 465
description Secure SMTP Port
object service 3389
service tcp destination eq 3389
description rdp
object network ASA
host 172.15.0.3
description Firewall
object network svr-mulalahq-mm-1
host 172.15.0.17
description Exchange Server
object network Internal_Network
subnet 172.15.0.0 255.255.255.0
object network mailserverHTTP
object network 41.186.24.227
host 41.186.24.227
object network NETWORK_OBJ_172.15.0.80_28
subnet 172.15.0.80 255.255.255.240
object network comrex
host 172.15.0.5
description comrex ip
object network svr-mulalahq-mm-1
host 172.15.0.15
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
service-object udp destination eq www
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp6
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object tcp-udp destination eq echo
service-object udp destination eq echo
object-group service DM_INLINE_SERVICE_3
service-object tcp destination eq ftp
service-object tcp destination eq ssh
service-object tcp destination eq telnet
service-object udp destination eq tftp
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service MailserverPorts
description Mailserver ports
service-object tcp destination eq imap4
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
service-object object http_gen
service-object object imap_sec
service-object object smtp_sub
service-object object smtps
service-object tcp destination eq https
service-object object 3389
object-group service DM_INLINE_SERVICE_7
service-object tcp destination eq domain
service-object tcp destination eq smtp
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_5
service-object tcp
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp-udp destination eq www
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_6
service-object tcp
service-object tcp destination eq pop2
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_8
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object tcp-udp destination eq echo
service-object tcp destination eq domain
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_9
service-object icmp
service-object icmp echo-reply
service-object tcp destination eq echo
service-object udp destination eq echo
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
port-object eq www
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_10
service-object icmp
service-object tcp-udp destination eq domain
service-object tcp destination eq domain
service-object tcp destination eq echo
service-object udp destination eq domain
object-group service DM_INLINE_SERVICE_11
service-object icmp
service-object icmp echo-reply
service-object tcp destination eq echo
service-object udp destination eq echo
access-list inside_access_in remark Allow SMTP Traffic (Outbound)
access-list inside_access_in extended permit tcp object Internal_Network object ASA eq smtp
access-list inside_access_in remark Allow HTTP Access
access-list inside_access_in remark Allow Ping to Internet
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.15.0.0 255.255.255.0 any
access-list inside_access_in remark Allow Management Access
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 172.15.0.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 172.15.0.0 255.255.255.0 41.186.25.0 255.255.255.248
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark Allow ICMP Reply
access-list outside_access_in remark Allow ICMP Reply
access-list outside_access_in extended permit tcp interface External_Public object ASA eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_4 any object Internal_Private
access-list External_Public_access_in extended permit tcp any object svr-mulalahq-mm-1 object-group DM_INLINE_TCP_1
access-list External_Public_access_in extended permit object-group DM_INLINE_SERVICE_9 any object Internal_Network
access-list External_Public_access_in extended permit object-group DM_INLINE_SERVICE_11 any object comrex
access-list Internal_Private_access_out extended permit object-group DM_INLINE_SERVICE_7 object svr-mulalahq-mm-1 any
access-list Internal_Private_access_out extended permit object-group DM_INLINE_SERVICE_5 object Internal_Network any
access-list Internal_Private_access_out extended permit object-group DM_INLINE_SERVICE_8 object Internal_Network any
access-list Internal_Private_access_out extended permit object-group DM_INLINE_SERVICE_10 any object comrex
pager lines 24
logging enable
logging asdm informational
mtu External_Public 1500
mtu Internal_Private 1500
mtu management 1500
ip local pool ipsec-pool 172.15.0.80-172.15.0.90 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (External_Public,External_Public) source dynamic any interface destination static svr-mulalahq-mm-1 svr-mulalahq-mm-1 service owa owa
nat (Internal_Private,External_Public) source static any any destination static NETWORK_OBJ_172.15.0.80_28 NETWORK_OBJ_172.15.0.80_28
nat (External_Public,Internal_Private) source static any any destination static comrex comrex
!
object network svr-mulalahq-mm-1
nat (Internal_Private,any) static 41.186.24.227 dns
object network comrex
nat (Internal_Private,External_Public) static 41.186.24.224 service udp 9000 9000
!
nat (Internal_Private,External_Public) after-auto source dynamic any interface
access-group External_Public_access_in in interface External_Public
access-group Internal_Private_access_out in interface Internal_Private
route External_Public 0.0.0.0 0.0.0.0 41.186.24.225 1
route Internal_Private 172.16.0.0 255.255.0.0 172.15.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.15.0.0 255.255.255.0 management
http 172.15.0.0 255.255.0.0 Internal_Private
http 172.16.0.0 255.255.0.0 Internal_Private
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map External_Public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map External_Public_map interface External_Public
crypto isakmp enable External_Public
crypto isakmp policy 10
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.15.0.0 255.255.0.0 Internal_Private
telnet 172.16.0.0 255.255.0.0 Internal_Private
telnet timeout 5
ssh 172.15.0.0 255.255.255.0 Internal_Private
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy tunnelgroup internal
group-policy tunnelgroup attributes
wins-server value 196.44.250.215 172.16.7.135
dns-server value 196.44.250.214 172.16.7.146
vpn-tunnel-protocol IPSec
client-access-rule none
group-policy ipsec-tunnel internal
group-policy ipsec-tunnel attributes
wins-server value 196.44.250.215
dns-server value 196.44.250.214 172.15.0.1
vpn-tunnel-protocol IPSec
username nmg123 password 9YDhIrAWgtNH6hRV encrypted privilege 15
username michael password pmq6bo0tJY2Mul49 encrypted
username user2 password 7/aJ4L5N26RYoCol encrypted
username user2 attributes
service-type nas-prompt
username mercy password fDTq5FrBs3bPXYOT encrypted
username root password iJ3E64kkkGdb7O5u encrypted privilege 15
tunnel-group ipsec-tunnel type remote-access
tunnel-group ipsec-tunnel general-attributes
address-pool ipsec-pool
default-group-policy ipsec-tunnel
tunnel-group tunnelgroup type remote-access
tunnel-group tunnelgroup general-attributes
address-pool ipsec-pool
default-group-policy tunnelgroup
tunnel-group tunnelgroup ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect esmtp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a2f1d375873b78c7173ca6911c0d3354
: end
xxxxxx#

How can i sort this out?

Do i need to creat a NAT to direct these external mails to the router?

Kindly help

Hi,What is your mail server

Vibhor Amrodia — Tue, 23 Jun 2015 11:59:02 GMT

Hi,

What is your mail server IP address ? Are you able to send outbound emails ? Is the issue only with the inbound emails ?

Thanks and Regards,

Vibhor Amrodia

The mail server ip address

Mykheymutua — Tue, 23 Jun 2015 12:09:08 GMT

The mail server ip address is 172.15.0.14 and we also have a mail marshal on ip 172.15.0.17 that basically checks external emails before they get to our domain.

We can not receive external emails (yahoomail and gmail) in to our domain.

I have also realised that port 25 is closed on checking at ping.eu

topic The mail server ip address in Network Security

Mr. Michael Mutua

Hi,What is your mail server

The mail server ip address