取消
显示结果 
搜索替代 
您的意思是: 
cancel
5280
查看次数
2
有帮助
4
回复

ASA5515 SMTP 被block,求高手

Neko-Chen
Level 1
Level 1

网络内的用户的outlook都无法通过smtp发送邮件,服务器在外网, telnet 也失败。已经在ASA 上关闭了 inspect ESMTP. 但是问题依旧存在。路由器上也没有做policy-map.
请高手帮我看看,以下是asa的配置:

:
ASA Version 8.6(1)2
!
hostname ASA
domain-name ***
enable password K** encrypted
passwd *encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address *** 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address *** 255.255.254.0
!
interface GigabitEthernet0/2
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgmt
security-level 100
ip address ***255.255.255.0
management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone peking 8
dns domain-lookup outside
dns server-group DefaultDNS
name-server ***
domain-name ***
same-security-traffic permit intra-interface
object network my-inside-nat
subnet ***
object network vpnaddress
subnet ***
object network LAN
subnet ***
object network NETWORK_OBJ_***
subnet ****
object network FTP_Address
host ***
object network ftp_internal
host ***
object network CM
subnet ***
description CM
object network FTP
host ***
object network FTP_server
host ***
object-group network DM_INLINE_NETWORK_1
network-object ***
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list 102 extended permit tcp any any eq smtp
access-list 102 extended permit icmp any any
access-list 102 extended permit tcp any host **** object-group DM_INLINE_TCP_1
access-list testgroup_splitTunnelAcl standard permit ***255.255.254.0
access-list outside_cryptomap_10.10 extended permit ip any any
access-list outside_cryptomap_10.10_1 extended permit ip object vpnaddress ****
access-list 00_SplitTunnelAcl standard permit ***
access-list 00_SplitTunnelAcl standard permit ***
access-list 00A_SplitTunnelAcl standard permit ***
access-list inside_access_in extended permit ip any any
access-list Test_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list 101 extended permit tcp any any eq smtp
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging host inside ****
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside ****
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip local pool VPNPool **** mask 255.255.255.0
ip local pool TestPool ****-**** mask 255.255.255.0
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp permit ***255.255.254.0 inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static vpnaddress vpnaddress
!
object network my-inside-nat
nat (inside,outside) dynamic interface
object network FTP_server
nat (inside,outside) static*** service tcp ftp ftp
access-group 102 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ***1
route outside ** 255.255.255.0 ** 1
route inside *** 255.255.255.0 ** 1
route outside *** 255.255.255.0 **1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http ***255.255.255.255 mgmt
http *** 255.255.255.255 inside
http ****255.255.255.255 inside
http *** 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet***
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map cisco 10 set ikev1 transform-set ESP-DES-MD5
crypto dynamic-map cisco 10 set ikev2 ipsec-proposal DES
crypto dynamic-map cisco 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=***
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 7f26c050
***
quit
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share*****
encryption des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet ** ** inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
ssl trust-point ASDM_TrustPoint0 outside
tunnel-group-list enable
tunnel-group-preference group-url
group-policy testgroup internal
group-policy testgroup attributes
dns-server value ****
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testgroup_splitTunnelAcl
default-domain value p1add.radd.lan
group-policy "GroupPolicy_00 0A00VPN" internal
group-policy "GroupPolicy_000 VPN" internal
group-policy "GroupPolicy_00 VPN" attributes
wins-server none
dns-server value ****
vpn-tunnel-protocol ***-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ***_SplitTunnelAcl
default-domain value ***
address-pools value TestPool
group-policy ***internal
group-policy ***attributes
dns-server value ****
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 000_SplitTunnelAcl
address-pools value VPNPool


tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *** type remote-access
tunnel-group **** general-attributes
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy ***
tunnel-group *** ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group "AnyConnect VPN" type remote-access
tunnel-group "AnyConnect VPN" general-attributes
address-pool VPNPool
authorization-server-group LOCAL
tunnel-group "AnyConnect VPN" webvpn-attributes
group-alias "AnyConnect VPN" enable
tunnel-group "AnyConnect VPN" type remote-access
tunnel-group "AnyConnect VPN" general-attributes
address-pool TestPool
default-group-policy "GroupPolicy_AnyConnect VPN"
tunnel-group "AnyConnect VPN" webvpn-attributes
group-alias "AnyConnect VPN" enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:d7d6c3e7ed9892285702aab47319fd95
: end


4 条回复4

fechao
Cisco Employee
Cisco Employee
建议先开启log(informational level),然后测试,看是否有明显提示。
如果没有,建议下一步在ASA 的inside和outside抓包,看看交互流程

xzmchina
Level 1
Level 1
inspect ESMTP 需要开启才能允许SMTP数据通过,不开就意味着SMTP全部丢弃。

hanren
Level 1
Level 1
不开启inspect esmtp 应该所有email流量都允许通过

Binbin Liu
Level 1
Level 1
默认ASA不会block SMTP 流量的,你们网络里ASA前头还有设备么?
开不开inspection esmtp 都不碍事的。
ASA上capture 下outside 接口的数据包,就一切都清楚了
快捷链接