topic ASA5510 SMTP problems in Network Security

ASA5510 SMTP problems

Adam Hudson — Mon, 11 Mar 2019 23:28:42 GMT

Up until recently one of my sites was able to get to a postini subnet. Then we started recieving "host unreachable" e-mails. Postini told us SMTP traffic was not getting let in. I've compared the current config to a config that was saved before the issue popped up and found really no noticeable difference.

I tried a packet tracer trace with no luck:

==============================

SiteB-Firewall# packet-tracer input outside tcp 11.2.2.36 12345 65.19.0.0 25

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

============================================

Attached is a sanitized config. I'm not entirely convinced it's a firewall issue, but I need to some successful testing to prove otherwise.

ASA5510 SMTP problems

Julio Carvajal — Mon, 09 Jul 2012 22:59:20 GMT

Hello,

So only the subnet 65.19.0.0 255.255.240.0 should be able to access the SMTP server?

The packet tracer is not properly build

Try this one

packet-tracer input outside tcp 65.19.0.30 1025 25.107.253.3 eq 25

Right now your ASA is setup to allow connections only from 65.19.0.0 255.255.240.0 to the SMTP server.

Rate all the helpful posts

Julio

ASA5510 SMTP problems

Adam Hudson — Tue, 10 Jul 2012 14:52:48 GMT

Julio, yes, only that subnet should be able to reach my SMTP server.

Here's the packet trace:

SiteB-Firewall# packet-tracer input outside tcp 65.19.0.30 1025 25.107.$

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

static (inside,outside) tcp interface smtp 11.2.2.36 smtp netmask 255.255.255.255

nat-control

match tcp inside host 11.2.2.36 eq 25 outside any

static translation to 25.107.253.3/25

translate_hits = 0, untranslate_hits = 9453

Additional Information:

NAT divert to egress interface inside

Untranslate 25.107.253.3/25 to 11.2.2.36/25 using netmask 255.255.255.255

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group incoming in interface outside

access-list incoming extended permit tcp object-group Postini interface outside eq smtp

object-group network Postini

network-object 65.19.0.0 255.255.240.0

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

static (inside,outside) tcp interface smtp 11.2.2.36 smtp netmask 255.255.255.255

nat-control

match tcp inside host 11.2.2.36 eq 25 outside any

static translation to 25.107.253.3/25

translate_hits = 0, untranslate_hits = 9453

Additional Information:

Phase: 7

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

static (inside,outside) tcp interface smtp 11.2.2.36 smtp netmask 255.255.255.255

nat-control

match tcp inside host 11.2.2.36 eq 25 outside any

static translation to 25.107.253.3/25

translate_hits = 0, untranslate_hits = 9453

Additional Information:

Phase: 8

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 41247, packet dispatched to next module

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: allow

If I'm understanding this right, we're testing to make sure the outside interface and my postini subnet can talk. That looks like that was successful, that's good, but only half of the communication.

Testing the other half of the coummuncation, if all of my assumptions have been correct, is making sure the outside interface passes the SMTP traffic back correctly to the inside network. Below is the packet trace I tried, it failed:

SiteB-Firewall# packet-tracer input inside tcp 24.106.253.3 1025 11.2.2$

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 11.2.2.0 255.255.255.0 inside

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 0 0.0.0.0 0.0.0.0

nat-control

match ip inside any BAD_INT_1 any

no translation group, implicit deny

policy_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 11.2.2.0 255.255.255.0

nat-control

match ip inside 11.2.2.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

What's our next step?

ASA5510 SMTP problems

Adam Hudson — Tue, 10 Jul 2012 15:14:10 GMT

Just got a Mail Host Unreachable email from Postini so were the packet tracer results incorrect then?

ASA5510 SMTP problems

Adam Hudson — Wed, 11 Jul 2012 13:22:28 GMT

Can anyone make heads or tails of that last packet tracer output?

ASA5510 SMTP problems

Julio Carvajal — Wed, 11 Jul 2012 13:49:06 GMT

Hello Adam,

Sorry I could not respond this before, I was working on some other things.

You are using Port-forwarding to make this happen.

Por-forwarding is only used for incoming connections, for outbound connections the server will use a PAT or NAT rule.

So as we can see on packet tracer 1 everything looks good from the ASA perspective.

1-Traffic arrives on the outside interface on por 25

2-ASA checks the ACL and allows the packet

3-ASA does the right nat tranlastion

4-ASA creates an entry on the XLATE, CONN and Local-Host table

5-ASA send's the packet out the right interface

6-ASA receives the response from the SMTP server, based on the entry on the XLATE and CONN table he will perform the nat for the reply

7-Packet will reach the outside client

Why is the second PT not working?

A/Because as I said you have a port-forwarding rule for the SMTP server and that only works for incoming traffic

not outbound traffic ( to make it work you will need to add a Global statement but this will not solve the problem)

Please add the following

capture capout interface outside trace match tcp any host interface_ip eq 25

capture capin interface inside trace match tcp any host SMTP_SERVER_IP eq 25

Then generate the traffic and provide us the :

-Show cap capout

-Show cap capin

Regards,

Julio

Rate all the helpful posts

Re: ASA5510 SMTP problems

Adam Hudson — Wed, 11 Jul 2012 17:37:59 GMT

@jcarvaja I'll try that next.

Here's the test from the outside interface, it fails as well.

SiteB-Firewall# packet-tracer input outside tcp 24.106.253.3 1025 11.2.2.36 25 detail

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 11.2.2.0 255.255.255.0 inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7c09ef8, priority=11, domain=permit, deny=true

hits=39, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

What do I need to try next in this config?

Re: ASA5510 SMTP problems

Julio Carvajal — Wed, 11 Jul 2012 17:45:18 GMT

Hello Adam,

add the following

access-list incoming line 1 permit ip any host 11.2.2.36 25

Re: ASA5510 SMTP problems

Adam Hudson — Wed, 11 Jul 2012 18:40:45 GMT

Here's the results:

SiteB-Firewall# capture capout interface outside trace match tcp any host 25.107.253.3 eq 25

SiteB-Firewall# capture capin interface inside trace match tcp any host 11.2.2.36 eq 25

NOTE: I did not manually generate traffic here.

SiteB-Firewall# sh cap capin

2 packets captured

1: 14:26:39.200154 65.19.1.143.35442 > 11.2.2.36.25: S 1481583325:1481583325(0) win 5744

2: 14:26:39.682948 65.19.1.134.40522 > 11.2.2.36.25: S 688312206:688312206(0) win 5744

2 packets shown

SiteB-Firewall# sh cap capout

5 packets captured

1: 14:26:33.201710 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

2: 14:26:33.683085 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

3: 14:26:34.168051 65.19.1.159.33872 > 25.107.253.3.25: S 422177870:422177870(0) win 5744

4: 14:26:39.200062 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

5: 14:26:39.682871 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

5 packets shown

SiteB-Firewall#

====

SiteB-Firewall# SiteB-Firewall# packet-tracer input outside tcp 25.107.253.3 1025 11.2.2.36 25 detail

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd84e46f0, priority=12, domain=capture, deny=false

hits=4963, user_data=0xd7c01278, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7b31b58, priority=1, domain=permit, deny=false

hits=129043, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 11.2.2.0 255.255.255.0 inside

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7b375a0, priority=500, domain=permit, deny=true

hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=25.107.253.3, mask=255.255.255.255, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

====

SiteB-Firewall# sh cap capin

10 packets captured

1: 14:26:39.200154 65.19.1.143.35442 > 11.2.2.36.25: S 1481583325:1481583325(0) win 5744

2: 14:26:39.682948 65.19.1.134.40522 > 11.2.2.36.25: S 688312206:688312206(0) win 5744

3: 14:26:51.200276 65.19.1.143.35442 > 11.2.2.36.25: S 1481583325:1481583325(0) win 5744

4: 14:26:51.680201 65.19.1.134.40522 > 11.2.2.36.25: S 688312206:688312206(0) win 5744

5: 14:26:58.167883 65.19.1.159.33872 > 11.2.2.36.25: S 691920151:691920151(0) win 5744

6: 14:27:15.197774 65.19.1.143.35442 > 11.2.2.36.25: S 1326979564:1326979564(0) win 5744

7: 14:27:15.677867 65.19.1.134.40522 > 11.2.2.36.25: S 330226058:330226058(0) win 5744

8: 14:27:46.166983 65.19.1.159.33872 > 11.2.2.36.25: S 1755337294:1755337294(0) win 5744

9: 14:28:03.191899 65.19.1.143.35442 > 11.2.2.36.25: S 465997866:465997866(0) win 5744

10: 14:28:03.670299 65.19.1.134.40522 > 11.2.2.36.25: S 1234871544:1234871544(0) win 5744

10 packets shown

SiteB-Firewall# sh cap capout

13 packets captured

1: 14:26:33.201710 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

2: 14:26:33.683085 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

3: 14:26:34.168051 65.19.1.159.33872 > 25.107.253.3.25: S 422177870:422177870(0) win 5744

4: 14:26:39.200062 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

5: 14:26:39.682871 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

6: 14:26:51.200200 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

7: 14:26:51.680125 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

8: 14:26:58.167639 65.19.1.159.33872 > 25.107.253.3.25: S 422177870:422177870(0) win 5744

9: 14:27:15.197530 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

10: 14:27:15.677653 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

11: 14:27:46.166769 65.19.1.159.33872 > 25.107.253.3.25: S 422177870:422177870(0) win 5744

12: 14:28:03.191670 65.19.1.143.35442 > 25.107.253.3.25: S 3750468370:3750468370(0) win 5744

13: 14:28:03.670070 65.19.1.134.40522 > 25.107.253.3.25: S 15701922:15701922(0) win 5744

13 packets shown

Re: ASA5510 SMTP problems

Julio Carvajal — Wed, 11 Jul 2012 18:44:26 GMT

Hello Adam,

Can you install wireshark on the server and run a capture?

Based on the captures packets are reaching the server but there is no reply

Regards,

Julio

Re: ASA5510 SMTP problems

Adam Hudson — Wed, 11 Jul 2012 21:24:50 GMT

Results:

SiteB-Firewall# packet-tracer input outside tcp 25.107.253.3 1025 11.2.2.36 25 detail

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd84e46f0, priority=12, domain=capture, deny=false

hits=245849, user_data=0xd7c01278, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7b31b58, priority=1, domain=permit, deny=false

hits=131772, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 11.2.2.0 255.255.255.0 inside

Phase: 5

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group incoming in interface outside

access-list incoming extended permit tcp any host 11.2.2.36 eq smtp

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7b3c5f8, priority=12, domain=permit, deny=false

hits=0, user_data=0xd6874100, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=11.2.2.36, mask=255.255.255.255, port=25, dscp=0x0

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd7b347d0, priority=0, domain=permit-ip-option, deny=true

hits=14315, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xd83106c8, priority=12, domain=ipsec-tunnel-flow, deny=true

hits=11490, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd84e3c28, priority=12, domain=capture, deny=false

hits=372, user_data=0xd7c01bf8, cs_id=0xd84e3538, reverse, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=11.2.2.36, mask=255.255.255.255, port=25, dscp=0x0

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

static (inside,outside) tcp interface smtp 11.2.2.36 smtp netmask 255.255.255.255

nat-control

match tcp inside host 11.2.2.36 eq 25 outside any

static translation to 25.107.253.3/25

translate_hits = 0, untranslate_hits = 11143

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd7bfb070, priority=5, domain=nat-reverse, deny=false

hits=11104, user_data=0xd7bfacf0, cs_id=0x0, flags=0x0, protocol=6

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=11.2.2.36, mask=255.255.255.255, port=25, dscp=0x0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Re: ASA5510 SMTP problems

Adam Hudson — Thu, 12 Jul 2012 12:13:41 GMT

@jcarvaja: That last capture was after adding the line: access-list incoming line 1 permit ip any host 11.2.2.36 25

To my ACL.

Do you see anything on the captures or packet-trace that would help me out or at least point me in the right direction?

Re: ASA5510 SMTP problems

Julio Carvajal — Thu, 12 Jul 2012 17:03:25 GMT

Hello Adam,

The packet tracer's and captures are not the right ones:

no cap capout

no cap capin

cap capout interface outside trace match tcp any host 11.255.2.1 eq 25

cap capin interface inside trace match tcp any host 11.2.2.36 eq 25

packet-tracer input tcp 25.107.253.3 1025 11.255.2.1 25

Regards,

Julio

Re: ASA5510 SMTP problems

Adam Hudson — Thu, 12 Jul 2012 20:54:35 GMT

cap capout interface outside trace match tcp any host 11.255.2.1 eq 25

cap capin interface inside trace match tcp any host 11.2.2.36 eq 25

SiteB-Firewall# packet-tracer input outside tcp 25.107.253.3 1025 11.255.2.1 25

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 11.255.2.1 255.255.255.255 identity

Phase: 5

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

SiteB-Firewall# sh capture capin

0 packet captured

0 packet shown

SiteB-Firewall# sh capture capout

1 packet captured

1: 16:39:58.911543 24.106.253.3.1025 > 10.255.2.1.25: S 1576173544:1576173544(0) win 8192

1 packet shown

ASA5510 SMTP problems

Julio Carvajal — Fri, 13 Jul 2012 20:04:46 GMT

Hello Adam,

I just reviewed the entire configuration one more time and I saw what is going on here.

Please remove the entire captures one more time:

no cap capin

no cap capout

You are trying to connect from the outside world to the following IP:11.255.2.1

-That ip belongs to the inside interface.

*****ASA speaking, you will not be able to access a distant interface***********

example: from a inside host you cannot ping or ssh or telnet the outside interface

example 2: from the outside world you will not be able to ping or ssh or telnet the outside interface

You will need to connect to this IP address 25.107.253.3

That is why you have : static (inside,outside) tcp interface smtp 11.2.2.36 smtp netmask 255.255.255.255

So:

1-access-list incoming permit tcp any host 11.2.2.36

2- packet-tracer input outside tcp 4.2.2.2 1025 25.107.253.3 and provide me the result

3- cap capout interface outside match tcp any host 25.107.253.3 eq 25

4-cap capin interface inside match tcp any host 11.2.2.36 eq 25

5-Generate real traffic

6-Send me the show cap capin, show cap capout

Julio

CSC it's a free support community take your time to rate all the engineer's responses that help you resolving your problems.

Re: ASA5510 SMTP problems

Adam Hudson — Thu, 19 Jul 2012 14:19:13 GMT

Reconfigured NAT to use seperate public IP addresses for our mail (SMTP) and RDP, using the following commands on the existing config:

===============

no static (inside,outside) tcp interface 3389 11.22.33 3389 netmask 255.255.255.255

no static (inside,outside) tcp interface smtp access-list postini-nat

static (inside,outside) 25.107.253.4 11.22.33 netmask 255.255.255.255

static (inside,outside) 25.107.253.5 11.22.36 netmask 255.255.255.255

access-list incoming extended permit tcp any host 25.107.253.4 eq 3389

access-list incoming extended permit tcp 65.19.0.0 255.255.240.0 host 25.107.253.5 eq smtp

access-list incoming extended permit icmp any any

access-group incoming in interface outside

=================

These commands did not let the mail through. In addition, after restarting the router, now the firewall can't get to anything on the internal network and I can't remote directly into it. I have to telnet into it through the local router.

Attached is sanitized config of that router. I need to figure out why the mail isn't getting through and additionally why now the firewall can't get into the internal network.

Re: ASA5510 SMTP problems

Adam Hudson — Thu, 19 Jul 2012 14:30:06 GMT

Ping results:

Router to inside int of Firewall: Good

Rtr to outside int of FW: Good

Rtr to IPS address (past FW): Good

Firewall to router on int that connects the 2: Good

FW to RTR int on the internal network: Fail

FW to RTR's mpls port: Fail

FW to internal network address (it's own Site): Fail

FW to internal network address (another site): Fail

Re: ASA5510 SMTP problems

Adam Hudson — Thu, 19 Jul 2012 17:34:20 GMT

Tried "clear xlate", have not power cycled the ASA though.

More output:

SiteB-Firewall# sh eigrp neighbors

EIGRP-IPv4 neighbors for process 102

H Address Interface Hold Uptime SRTT RTO Q Seq

(sec) (ms) Cnt Num

0 11.255.2.2 Et0/1 14 19:25:28 2 200 0 11

=-=

SiteB-Firewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 25.107.253.1 to network 0.0.0.0

C 25.107.253.0 255.255.255.248 is directly connected, outside

C 11.255.2.0 255.255.255.252 is directly connected, inside

S* 0.0.0.0 0.0.0.0 [1/0] via 25.107.253.1, outside

=-=

SiteB-Firewall# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(102)/ID(25.107.253.3)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,

r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 28160

via Rstatic (28160/0)

P 11.255.2.0 255.255.255.252, 1 successors, FD is 2816

via Connected, Ethernet0/1

Re: ASA5510 SMTP problems

Adam Hudson — Thu, 19 Jul 2012 17:35:06 GMT

Complete updated ASA config attached.