topic Hello Nkarthikeyan, The in Network Security

NAT , ASA 9.1

apapakons — Tue, 12 Mar 2019 04:24:58 GMT

Hello,

Outside

ip: 10.7.128.172

-DMZ |

Ironport --------- ASA

10.2.129.95 |

Inside

Exchange Server

10.2.128.43

I wanted to migrate from ASA 5520 (version 8.4.2) to ASA 5515-X (version 9.1.3). The ASA is configured with the following interfaces: Inside, Outside and DMZ. In the inside zone I have the exchange server and in the DMZ Zone I have cisco Ironport which relays the smtp packets to the internal exchange server.

With 5520 I used the following commands and Nat worked perfectly:

object CultexMail-1

host 10.2.128.43

nat (internal,outside) static 10.7.128.172 service tcp pop3 pop3

object CultexMail-2

host 10.2.128.43
nat (linternal,outside) static 10.7.128.172 service tcp www www

object ironport

host 10.2.129.95
nat (dmz,outside) static 10.7.128.172 service tcp smtp smtp

e.t.c

After replacing the firewall with the new one I could receive emails but I could not access the web interface of exchange from outside and I could not send outgoing emails.

After adding the following commands I was able to access the web interface of my exchange but no luck with sending outgoing emails:

object ironport-test

host 10.2.129.95

nat (dmz,outside) dynamic 10.7.128.172

object cultexmail-test

host 10.2.128.43

nat (inside, outside) dynamic 10.7.128.172

Do you have any idea for this implementation how Nat rules should be (for Cisco ASA version 9.1)? Thank you.

I would first suggest that

Marius Gunnerud — Wed, 02 Jul 2014 19:34:41 GMT

I would first suggest that you change your NAT rules from dynamic to static, as you only have one IP. Also you will need to specify ports that you are translating otherwise you will be NATing all ports to the one server and no other PC on the network will be able to reach the internet.

object cultexmail-test
host 10.2.128.43
nat (inside, outside) static 10.7.128.172 service tcp http http

change this first, and then test. Report back the results please.

Please remember to select a correct answer and rate helpful posts

Also this document may shed

Yadhu Tony — Thu, 03 Jul 2014 04:32:13 GMT

Also this document may shed some light https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Regards,

Yadhu

Hi, Do you see any logs for

nkarthikeyan — Thu, 03 Jul 2014 05:12:02 GMT

Hi,

Do you see any logs for NAT removal or some error messages related to NAT?

Because there is a bug which might be related to this issue.

CSCun95075 - ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule

Symptom:
Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733

However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.

Conditions:
All of the following conditions must be matched to see this issue:

1) The ASA is configured with a twice NAT rule that uses a service translation
2) The object-group referenced in the NAT rule is edited (i.e. a new network-object is added to it) while the NAT rule is still configured
3) The NAT rule is removed from the configuration

Workaround:
Reloading the ASA after the offending NAT rule is removed will resolve the issue.

Bug Fixed in release : 9.1.5(1) or 9.1.2(100)

Regards

Karthik

Hello MAriusGurrerud

apapakons — Thu, 03 Jul 2014 07:43:34 GMT

Hello MAriusGurrerud,

Initially, as you suggested, I used the static NAT rules with my new firewall 5515. The same rules I have now at my cisco 5520 and the mail servers work right:

nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL // exempt wan mail traffic from use translation - because branches use internal dns server

// port forwarding incoming smtp traffic to ironport and the other protocols (http,https,imap) to internal exchange server.

nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

The result with asa 5515 version 9.1.3 was tha I could get incoming mail but nothing else. I found out an article at web "http://tsbraindump.blogspot.gr/2013/04/port-address-translation-and-nat-in.html" that proposed (as weird it seems to be - with ASA 9.1) to create dynamic NAT rule for outgoing mail traffic. Then I added to the above configuration the rule:

object cultexmail-test

host 10.2.128.43

nat (inside, outside) dynamic 10.7.128.172

After the addition of the above command I could access the exchange server webpage but still cannot send mails from my internal exchange to outside (for example from my mail server to yahoo mail).

Dear Karthik, First of all

apapakons — Thu, 03 Jul 2014 08:01:06 GMT

Dear Karthik,

First of all thank you for your help. In my new firewall initially I had those rules:

nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

I copied them from my old 5520 ASA firewall (version 8.4.2) whith my network objects. From my configuratiion do you think that I may have problem with this bug? I used asa real time logging at the migration time but did not see any weird logs about nat and I would like to add that with the command "sh nat detail" I could see "counts" of "untranslated_hits" to be increasing for the right rules. This is correct as I have NAt rules of type "NAT (inside,outside)" and I had incoming traffic.

Seems to be the bug only as

nkarthikeyan — Thu, 03 Jul 2014 08:44:08 GMT

Seems to be the bug only as per my knowledge while looking at the issue.

Can you remove all the rules and object-group once and restart the firewall.... then you configure once again with the object-group and NAT rules..... and then try to access all the required access.

Either you can go with TAC case or you can try with next OS version which has the fixed release of this bug.

Regards

Karthik

In your original post you had

Marius Gunnerud — Thu, 03 Jul 2014 08:59:27 GMT

In your original post you had this configurtion posted:

object ironport

host 10.2.129.95
nat (dmz,outside) static 10.7.128.172 service tcp smtp smtp

This makes me assume that both incoming and outgoing email should be passing through the email security appliance. Then when you added the following commands:

nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4

nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3

Depending on what email you are using (local exchange server or an external provider) your incomming mail will bypass the ironport but your mail server is still sending to the ironport before it is leaving the network.

Are you able to send and receive successfully within your network? If this is an exchange server that is configured correctly mail within the domain and within the LAN should be successful.

Does the ironport have a connection to both the LAN and the DMZ? or does all mail traffic flow through the ASA to the Ironport?

Please remember to select a correct answer and rate helpful posts

Although this could be a bug.

Marius Gunnerud — Thu, 03 Jul 2014 09:06:00 GMT

Although this could be a bug...though I doubt it since there is an email security appliance involved here...I would rule out the ironport first before starting to remove configs and reload..etc.

Please remember to select a correct answer and rate helpful posts

Hello MariusGunnerud,You

apapakons — Thu, 03 Jul 2014 09:36:51 GMT

Hello MariusGunnerud,

You assumed right.All mail communication (incoming,outgoing) passes through cisco ASA. The protocols (http,https, imap,pop3) bypass ironport to my internal exchange server. The smtp is forwarded to ironport with the rule:

nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp

ironport is connected to the dmz zone (for mail traffic) and management vlan (for control traffic). I used "show run | include nat" to copy the configuration from my firewall...that is why I refered only about "nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp". The complete configuation is:

object network ironport

host 10.2.129.95

nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp

At the mean time I use my old firewall (ASA version 8.4.2) with all the above commands and I can receive and send e-mails.Though with ASA 5515-X this configuration does not work right.

From what to metioned

apapakons — Thu, 03 Jul 2014 09:39:48 GMT

From what to metioned KarthiKI think the best option is to upgrade my firmware. In Cisco site I found only one version 9.1.5. Is 9.1.5(1) a special OS version and where can I founf it?

Would you be able to post the

Marius Gunnerud — Thu, 03 Jul 2014 09:51:07 GMT

Would you be able to post the full running configs (sanitised) of both firewalls, perhaps we will catch something that you missed (though doubtful but worth a look).

Also, when you get the chance, could you run a packet capture on the ASA for the mail server to see if the outgoing traffic actually hits the inside interface.

Please remember to select a correct answer and rate helpful posts

Hi,You can use 9.2.2 version

nkarthikeyan — Thu, 03 Jul 2014 09:54:31 GMT

Hi,

You can use 9.2.2 version where it got fixed.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-762517

Lets see if the issue gets resolved for you. Hoping for the best.

Regards

Karthik

I will post tommorow the full

apapakons — Thu, 03 Jul 2014 10:10:19 GMT

I will post tommorow the full configuration of both firewalls to ckeck if the is a difference. May be I have missed something.Two or three pair of eyes is better than one.

Hello MariusGunneud,I send

apapakons — Fri, 04 Jul 2014 08:46:04 GMT

Hello MariusGunneud,

I send you the full configuration of the firewall that I currently use (cisco ASA 5520) and of my new firewall (cisco ASA 5515)....I omitted the configuration of remote ssl vpn for security reasons. Commands with blue colors are related with NAT. In the new firewall configuration I have some commands with red colors.I have added these commands and the http to my exchange worked (for version 9.1). There might be some different commands because I use every day ASA5520 and I perform changes but NAT configuration is the same.

If you see any error or mistake please inform me. Thank You.

Hello MariusGunneud,I send

apapakons — Fri, 04 Jul 2014 08:47:42 GMT

Hello MariusGunneud,

If you see any error or mistake please inform me. Thank You.

Hello nkarthikeyan,I upgraded

apapakons — Fri, 04 Jul 2014 10:23:50 GMT

Hello nkarthikeyan,

I upgraded the ASA version to 9.2.2 and I think it got fixed. I am not sure yet. I removed any extra NAT commands that I added the last week and I left the original NAT commands of my 5520 firewall. I created a lab environment to check the http protocol (http forwarding) and it worked. This sunday I will try again the migration and I hope the smtp protocol to work fine for both incoming and outgoing mail traffic.

I will let you know about the results of 5515 integration and I will rate all answers. Thank you in advance.

Hi, Great to hear that issue

nkarthikeyan — Fri, 04 Jul 2014 15:38:57 GMT

Hi,

Great to hear that issue is getting resolved. You can validate the same in production environment and do let know if any concerns. Thanks!!!

Regards

Karthik

could you a packet tracer to

Marius Gunnerud — Sat, 05 Jul 2014 08:36:18 GMT

could you a packet tracer to see how the flow of traffic is through the firewall:

packet-tracer input lan_Servers tcp 10.2.128.43 12345 4.2.2.2 25 detail

packet-tracer input outside1 tcp 4.2.2.2 12345 10.7.128.172 25 detail

Post the result here please.

Please remember to select a correct answer and rate helpful posts

Hi!I tried at last the

apapakons — Mon, 14 Jul 2014 06:45:28 GMT

Hi!

I tried at last the firewall with the new firmware 9.2 version and I was dissapointed. The Nat did not work at all either for incoming or outgoing flows.. As I was advised I left only the static nat rules for the port forwarding of incoming flows...Though I could not send an outgoing email, I could not get an incoming email and I could not access the exchange owa. In addition I observed that cisco changed the nat rules a bit at version 9.2.

But this time I have logs and I have used the packet tracer commands tha you told me to use.So using:

asayppo# packet-tracer input lan_Servers tcp 10.2.128.43 12345 4.2.2.2 25 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b275070, priority=1, domain=permit, deny=false
        hits=609599, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=lan_Servers, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 10.7.128.169, outside1

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group lan_servers_list in interface lan_Servers
access-list lan_servers_list extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b993090, priority=13, domain=permit, deny=false
        hits=11859, user_data=0x7fff2430ab80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=73294, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b27cd60, priority=0, domain=inspect-ip-options, deny=true
        hits=28792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c67dbf0, priority=13, domain=dynamic-filter, deny=false
        hits=9911, user_data=0x7fff2c67d120, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c682620, priority=12, domain=UNKNOWN:59, deny=false
        hits=10632, user_data=0x7fff2c6825c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips
match access-list IPS
policy-map my-ips-policy
class ips
ips inline fail-open
service-policy my-ips-policy interface outside1
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3034f1c0, priority=51, domain=ids, deny=false
        hits=19652, user_data=0x7fff3034d9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside1

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2c67b480, priority=13, domain=dynamic-filter, deny=false
        hits=19652, user_data=0x7fff2c679050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside1

Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2c6815d0, priority=12, domain=UNKNOWN:59, deny=false
        hits=19652, user_data=0x7fff2c6811d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside1

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=73296, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=30666, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 49672, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: lan_Servers
input-status: up
input-line-status: up
output-interface: outside1
output-status: up
output-line-status: up
Action: allow

-----------------------------------------

Also:

packet-tracer input outside1 tcp 4.2.2.2 12345 10.7.128.172 25 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b122cd0, priority=1, domain=permit, deny=false
        hits=630195, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside1, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network CultEmailEDGE
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
NAT divert to egress interface dmz_webservers
Untranslate 10.7.128.172/25 to 10.2.129.95/25

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface outside1
access-list OUTSIDE_INBOUND extended permit tcp any object ironport eq smtp
access-list OUTSIDE_INBOUND remark *** ALLOW PACKETS FROM OUTSIDE INWARDS ***
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b8a6070, priority=13, domain=permit, deny=false
        hits=1135, user_data=0x7fff24326080, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.2.129.95, mask=255.255.255.255, port=25, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=83579, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=35237, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips
match access-list IPS
policy-map my-ips-policy
class ips
ips inline fail-open
service-policy my-ips-policy interface outside1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3034df10, priority=51, domain=ids, deny=false
        hits=12295, user_data=0x7fff3034d9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c608460, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=12235, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c679b20, priority=13, domain=dynamic-filter, deny=false
        hits=12295, user_data=0x7fff2c679050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2c681230, priority=12, domain=UNKNOWN:59, deny=false
        hits=12295, user_data=0x7fff2c6811d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 10
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map CONNS
match access-list CONNS
policy-map CONNS
class CONNS
set connection conn-max 0 embryonic-conn-max 500 random-sequence-number enable
set connection timeout idle 1193:02:47 embryonic 0:20:00 half-closed 0:10:00
        embryonic 0:20:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
service-policy CONNS interface dmz_webservers
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2cfa4340, priority=8, domain=conn-set, deny=false
        hits=10059, user_data=0x7fff2cf9c8f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.2.129.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=dmz_webservers

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network CultEmailEDGE
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2b87c580, priority=6, domain=nat-reverse, deny=false
        hits=748, user_data=0x7fff2b87aa60, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.2.129.95, mask=255.255.255.255, port=25, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=dmz_webservers

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=83581, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2b5ae440, priority=0, domain=inspect-ip-options, deny=true
        hits=19775, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=dmz_webservers, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56870, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside1
input-status: up
input-line-status: up
output-interface: dmz_webservers
output-status: up
output-line-status: up
Action: allow

-------------------------------------------------

In addition I saw two stange logs:

1.The first one had to do with assymetric nat

5 Jul 13 2014 11:34:34 305013 65.55.111.141 51143 10.2.129.95 25 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside1:65.55.111.141/51143 dst dmz_webservers:10.2.129.95/25 denied due to NAT reverse path failure

----------

2.Secondly I was getting a lot of smtp incoming traffic to an internal address that I do not use at all and of course the flow was denied.

4 Jul 13 2014 11:34:29 106023 95.211.122.21 43456 10.2.145.22 25 Deny tcp src outside1:95.211.122.21/43456 dst inside_data:10.2.145.22/25 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]

-------------------------