Re: smtp being blocked- ASA 5525x v9.61-smp-k8

Greg Dowdy · ‎08-30-2021

Doing a conversion to office 365. O365 needs access to barracuda archiver on inside network.

Inside archiver is at 192.168.1.240

outside address 199.36.135.99

Created translation and access rules.

Access rules allow port 443, 80 , 8000 and 25.

https:/ and http and http to port 8000 all work

Port 25 shows to translate and connect. but nothing ever happens. Stuck waiting for SYN ack. Data below is working 443 connection and non working 25 connection. SMTP fixup is off.

TCP Outside 199.36.132.62:24256 Inside 192.168.1.240:25, idle 0:00:01, bytes 0, flags SaAXB
TCP Outside 199.36.132.62:24090 Inside 192.168.1.240:443, idle 0:01:04, bytes 21982, flags UIOXB

Access list:

access-list Outside_access_in extended permit tcp any object Archiver object-group DM_INLINE_TCP_4
access-list Outside_access_in extended permit tcp any host 199.36.135.199 object-group DM_INLINE_TCP_5

Any ideas on what is blocking port 25?

Thanks in advance.

balaji.bandi · ‎08-30-2021

SMTP fixup is off.

need fix on to work as per the guide :

https://docs.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-send-receive-email-behind-cisco-firewall

O365 using SMTP TLS:

may be worth looking below config :

https://arjanlobbezoo.nl/asa-5505-force-smtp-tls-connection-to-office-365-relay/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Greg Dowdy · ‎08-30-2021

Thanks for the Suggestion. I am just trying to telnet to port 25 from an outside computer. Haven't tried the Microsoft verification yet. Do you think smtp fixup would block a regular old telnet to port 25? If so will try turning it back on and creating maps tomorrow. Thanks for your reply.

balaji.bandi · ‎08-30-2021

first is your Local SMTP running ok ? are you able to locally do the same telnet x.x.x.x 25 port ? and you see SMTP replies and you get smtp open connection?

once that is confirmed then try other options.

Look at the flags meaning :

flags SaAXB

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ken Stieers · ‎08-30-2021

You just contradicted the doc you posted...

Greg Dowdy · ‎08-31-2021

Hi Ken, Thanks for the reply. Not sure where the contradiction is?

Greg Dowdy · ‎08-31-2021

Never mind, I see what you are saying. Anyways SMTP fixup is off. I dont think I am getting far enough into the box for that to make a difference yet.

balaji.bandi · ‎08-31-2021

is that locally working ? as i have asked before go to next leve ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Greg Dowdy · ‎08-31-2021

Yes on the inside network you can telnet into the server on port 25 with no problem. Only on the outside you cannot, through a NAT. The NAT is working and the access rules work because you can http:// or https:// into the outside address and everything works fine.

balaji.bandi · ‎08-31-2021

@Ken Stieers suggesting that worth disable as mentioned in the document and test it.

https://www.petenetlive.com/KB/Article/0000536

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ken Stieers · ‎08-30-2021

Do you have any inspection policy in place?
And if so, does that policy have ESMTP inspection turned on?
That will also break it.

Aref Alsouqi · ‎09-01-2021

Could you please run packet capture on the inside interface for the traffic destined and coming from the host 192.168.1.240 on port 25 and share the output?

A side note, you wouldn't need this rule as it is using the public IP, but this shouldn't affect anything as this rule won't have any hits:

access-list Outside_access_in extended permit tcp any host 199.36.135.199 object-group DM_INLINE_TCP_5