Setting up an ASA 5510: cannot get SMTP to come in

rwhanna96
Level 1

I have an ASA 5510 (ver 8.4) and I have been all over the support sites looking for what I am doing wrong. I have a sanitized cut-and-paste of the OBJECT, NAT, ACCESS-LIST and Packet Tracer output, and it keeps failing on the NAT with an rpf-check. Once I get the SMTP flowing I have to open up HTTP and HTTPS to one of the servers also.

Any help greatly appreciated!!!

Here it is:

RVGW# sh run object
object network WiFi
 subnet 172.17.100.0 255.255.255.0
 description WiFi
object network inside-net
 subnet 172.17.1.0 255.255.255.0
object network NOSPAM
 host 172.17.1.49
object network BH2
 host 172.17.1.60

RVGW# sh run nat
!
object network inside-net
 nat (Inside,Outside) dynamic interface
object network NOSPAM
 nat (Inside,Outside) static 5.29.79.12
object network BH2
 nat (Inside,Outside) static 5.29.79.11 service tcp smtp smtp

RVGW# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Outside_access_in; 2 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp any object NOSPAM eq smtp 0x49e8de7d
  access-list Outside_access_in line 1 extended permit tcp any host 172.17.1.49 eq smtp (hitcnt=3) 0x49e8de7d
access-list Outside_access_in line 2 extended permit tcp any object BH2 eq smtp 0xddf3d54c
  access-list Outside_access_in line 2 extended permit tcp any host 172.17.1.60 eq smtp (hitcnt=2) 0xddf3d54c

RVGW# packet-tracer input outside tcp 4.2.2.2 25 172.17.1.49 25

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.17.1.0      255.255.255.0   Inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Outside_access_in in interface Outside
access-list Outside_access_in extended permit tcp any object NOSPAM eq smtp
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network NOSPAM
 nat (Inside,Outside) static 5.29.79.12
Additional Information:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

RVGW#

Accepted Solution

mabuarja
Level 1

Hi,

Please use the public IP (5.29.79.12) as the destination in the packet-tracer command, not the private 172.17.1.49.

Regards,

Mohammad

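Mohammad's point generalizes: on ASA 8.3 and later, packet-tracer describes the packet as it arrives on the input interface, so a test entering Outside must name the mapped (public) address, while the access-list is written against the real (inside) address. The helper below is an added example written for this thread; it is not Cisco tooling and not the poster's or the replier's code. It parses the static NAT statements quoted in the post (the two host objects and their nat lines merged from `sh run object` and `sh run nat`), checks a proposed packet-tracer command for the real-versus-mapped mistake (and, for the BH2 entry, for a port the `service tcp smtp smtp` translation does not cover), and pulls the dropping phase out of the packet-tracer output. The function names and the small PORT_NAMES table are my assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Static entries merged from the poster's "sh run object" and "sh run nat".
NAT_CONFIG = """\
object network NOSPAM
 host 172.17.1.49
 nat (Inside,Outside) static 5.29.79.12
object network BH2
 host 172.17.1.60
 nat (Inside,Outside) static 5.29.79.11 service tcp smtp smtp
"""

# Abbreviated from the poster's packet-tracer output (ALLOW phases 2-4 cut).
PACKET_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside,Outside) static 5.29.79.12

Result:
input-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# ASA port keywords seen in the thread plus two common web ones (assumption).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (\S+) (\S+) (\S+))?$")
TRACER_RE = re.compile(r"packet-tracer input (\S+) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

@dataclass
class StaticNat:
    name: str
    real_ip: str    # address the inside host actually has
    mapped_ip: str  # address seen on the mapped (Outside) wire
    mapped_if: str
    service: Optional[tuple[str, str, str]]  # (proto, real_port, mapped_port)

def parse_static_nats(config: str) -> list[StaticNat]:
    """Collect object-network static NATs from merged object/nat show output."""
    nats: list[StaticNat] = []
    name = real_ip = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            name, real_ip = line.split()[2], None
        elif line.startswith("host "):
            real_ip = line.split()[1]
        elif (m := NAT_RE.match(line)) and name and real_ip:
            svc = (m.group(4), m.group(5), m.group(6)) if m.group(4) else None
            nats.append(StaticNat(name, real_ip, m.group(3), m.group(2), svc))
    return nats

def check_tracer_command(cmd: str, nats: list[StaticNat]) -> tuple[bool, str]:
    """(ok, why): on 8.3+ the tracer destination is the on-the-wire address at the
    input interface, so from Outside it must be the mapped IP; the ACL uses the real IP."""
    m = TRACER_RE.match(cmd.strip())
    if not m:
        return False, "not a packet-tracer command this checker understands"
    iface, proto, _src, _sport, dst, dport = m.groups()
    for n in nats:
        if iface.lower() != n.mapped_if.lower():
            continue
        if dst == n.real_ip:
            return False, (f"{dst} is the real address of {n.name}; on {iface} the packet "
                           f"carries the mapped address. Try: {cmd.replace(dst, n.mapped_ip)}")
        if dst == n.mapped_ip and n.service:
            sproto, _real_port, mapped_port = n.service
            want = int(mapped_port) if mapped_port.isdigit() else PORT_NAMES[mapped_port]
            if proto != sproto or int(dport) != want:
                return False, (f"static NAT for {n.name} translates only {sproto}/{mapped_port}; "
                               f"{proto}/{dport} to {dst} has no translation")
    return True, "destination is consistent with the static NAT table"

def find_drop_phase(output: str) -> Optional[dict[str, str]]:
    """Return Phase/Type/Subtype/Drop-reason of the first DROP phase, or None."""
    for block in re.split(r"(?m)^Phase: ", output)[1:]:
        lines = block.splitlines()
        fields = {"Phase": lines[0].strip()}
        for ln in lines[1:]:
            key, sep, val = ln.partition(":")
            # First Type/Subtype/Result per phase wins; the trailing "Result:"
            # summary section must not overwrite the phase verdict.
            if sep and key in ("Type", "Subtype", "Result") and key not in fields:
                fields[key] = val.strip()
        if fields.get("Result") == "DROP":
            reason = re.search(r"Drop-reason: (.*)", output)
            fields["Drop-reason"] = reason.group(1).strip() if reason else ""
            return fields
    return None
```

Running `check_tracer_command("packet-tracer input outside tcp 4.2.2.2 25 172.17.1.49 25", parse_static_nats(NAT_CONFIG))` flags the poster's command and proposes the same fix Mohammad gave; `find_drop_phase(PACKET_TRACER)` returns phase 5, NAT/rpf-check, with the drop reason. The BH2 check also shows why the `service tcp smtp smtp` form is the tighter choice for the second server: only the one translated port is reachable from Outside, whatever the access-list says, so the HTTP/HTTPS the poster wants to add later needs its own explicit translation.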

