ASA: SMTP Outbound Blocked

mohamedheyine — Tue, 12 Mar 2019 02:41:48 GMT

Hello everyone,

i am having trouble with my outbound SMTP traffic. i have 5510 ASA with IPS module. i also have three interfaces configured the inside, DMZ, and outside. my incoming email pass with no problemes but my outgoing onse do not they get stuck in my DMZ with the follwing message No route to host . from my email relay i can ping even telnet any other port of any server on the internet but when it comes to SNMP it gives me this error. also the same thing happens with the inside. the configuration hasen't changed i also did a packet trace witch gave the result allowed across the board. now i am really stuck and can't figure out what is going on here is my asa config:

ASA Version 8.2(1)

hostname dspasa2

names

interface Ethernet0/0

nameif outside

security-level 0

ip address X.X.X.165 255.255.255.248

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.3 255.255.255.0

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.0.0.101 255.255.255.240

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list inside_access_in extended permit tcp host 192.168.0.1 any log disable inactive

access-list inside_access_in extended permit udp host 192.168.0.1 any log disable inactive

access-list inside_access_in extended permit ip host 192.168.0.4 any log disable

access-list inside_access_in extended permit tcp host 192.168.0.5 any log disable

access-list inside_access_in extended permit udp host 192.168.0.5 any log disable

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data log disable

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp log disable

access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 any log disable

access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.100 eq 8445

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192

access-list inside_access_in extended permit object-group TCPUDP host 192.168.0.201 host 81.80.56.164 log disable

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0

access-list outside_access_in extended permit icmp any any log disable

access-list outside_access_in extended permit esp any any log disable

access-list outside_access_in extended permit ah any any log disable

access-list outside_access_in extended permit udp any any eq isakmp

access-list outside_access_in extended permit tcp any host X.X.X.161 eq smtp

access-list outside_access_in extended permit tcp any host X.X.X.161 eq 8445

access-list outside_access_in extended permit tcp any host X.X.X.161 eq https

access-list outside_access_in extended permit object-group TCPUDP any host X.X.X.164

access-list dspgroup_splitTunnelAcl standard permit any

access-list dspgroup_splitTunnelAcl_1 standard permit any

access-list dspgroup_splitTunnelAcl_2 standard permit any

access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0

access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0

access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0

access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192

access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0

access-list SPIL standard permit 192.168.0.0 255.255.255.0

access-list QOS extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0

access-list dmz-in extended permit icmp any any

access-list dmz-in extended permit tcp host 10.0.0.100 any eq https

access-list dmz-in extended permit tcp host 10.0.0.100 any eq www

access-list dmz-in extended permit udp host 10.0.0.100 any eq domain

access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool VPNPOOL 10.10.10.1-10.10.10.20 mask 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255

static (outside,inside) 192.168.0.201 X.X.X.164 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 X.X.X..166 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.0.0 255.255.0.0 management

http 192.168.0.0 255.255.0.0 inside

snmp-server location DSP

no snmp-server contact

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 1 match address snimndb

crypto map outside_map 1 set peer X.X.X.X

crypto map outside_map 1 set transform-set myset

crypto map outside_map 1 set security-association lifetime seconds 1800

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 1800

crypto isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh 192.168.64.0 255.255.255.0 inside

ssh 192.168.0.0 255.255.0.0 management

ssh timeout 60

console timeout 0

management-access inside

priority-queue outside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.0.4 source management

webvpn

group-policy dspgroup internal

group-policy dspgroup attributes

dns-server value 192.168.0.4 192.168.64.47

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SPIL

default-domain value dsp.snim.com

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

isakmp keepalive threshold 10 retry 2

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X ipsec-attributes

pre-shared-key *

tunnel-group RAPARIS type remote-access

tunnel-group RAPARIS general-attributes

address-pool VPNPOOL

default-group-policy dspgroup

tunnel-group RAPARIS ipsec-attributes

pre-shared-key *

class-map voix

match dscp ef

class-map IPS

match any

class-map QOS

match access-list QOS

class-map inspection_default

match default-inspection-traffic

class-map inspection_defautl

policy-map type inspect dns preset_dns_map

parameters

policy-map voix

class voix

priority

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class IPS

ips promiscuous fail-open

service-policy global_policy global

service-policy voix interface outside

prompt hostname context

Cryptochecksum:bb43480221ed20aafc3e397fd7432bc3

: end

Here is an ouput of the Packet Tracer

dspasa2# packet-tracer input dmz tcp 10.0.0.100 234 173.194.79.26 25

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz-in in interface dmz
access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPS
match any
policy-map global_policy
class IPS
ips promiscuous fail-open
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
match ip dmz host 10.0.0.100 outside any
static translation to X.X.X.161
translate_hits = 3540, untranslate_hits = 920
Additional Information:
Static translate 10.0.0.100/0 to 81.80.56.161/0 using netmask 255.255.255.255

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
match ip dmz host 10.0.0.100 outside any
static translation to X.X.X.161
translate_hits = 3540, untranslate_hits = 920
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8470, packet dispatched to next module

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

please help

ASA: SMTP Outbound Blocked

Antonio Simoes — Sat, 21 Sep 2013 23:21:17 GMT

Hi,

I bealeve that you must to edit your policy map and add to your default inspection the smtp traffic.

policy-map global_policy

class inspection_default

inspect smtp

Because your dmz is more trustable than the outside interface, I think you must include this type of traffic to the global inspection.

Take care man.

Re: ASA: SMTP Outbound Blocked

malshbou — Sun, 22 Sep 2013 15:23:20 GMT

Hi Mohamed,

Can you please post the full log message(s) which point(s) to the SMTP communication problem ?

Also please get the SMTP captures at the dmz and outside:

capture dmz-smtp interface dmz match tcp host 10.0.0.100 any eq 25

capture out-smtp interface outside match tcp host X.X.X.161 any eq 25

Then initiate SMTP flow from the server and get the following :

show cap dmz-smtp

show cap out-smtp

---

Regards
Mashal Shboul

topic Re: ASA: SMTP Outbound Blocked in Network Security

ASA: SMTP Outbound Blocked

ASA: SMTP Outbound Blocked

ASA: SMTP Outbound Blocked

Re: ASA: SMTP Outbound Blocked

Re: ASA: SMTP Outbound Blocked

Re: ASA: SMTP Outbound Blocked