4559 Views | 0 Helpful | 11 Replies

SMTP being blocked - ASA 5525x v9.61-smp-k8

Greg Dowdy (Level 1)

Doing a conversion to Office 365. O365 needs access to the Barracuda archiver on the inside network.

Inside archiver is at 192.168.1.240

Outside address 199.36.135.99

Created translation and access rules.

Access rules allow ports 443, 80, 8000 and 25.

https://, http:// and http:// to port 8000 all work.

Port 25 shows as translated and connected, but nothing ever happens. It is stuck waiting for the SYN ACK. Data below is a working 443 connection and a non-working 25 connection. SMTP fixup is off.


TCP Outside 199.36.132.62:24256 Inside 192.168.1.240:25, idle 0:00:01, bytes 0, flags SaAXB
TCP Outside 199.36.132.62:24090 Inside 192.168.1.240:443, idle 0:01:04, bytes 21982, flags UIOXB

Access list:

access-list Outside_access_in extended permit tcp any object Archiver object-group DM_INLINE_TCP_4
access-list Outside_access_in extended permit tcp any host 199.36.135.199 object-group DM_INLINE_TCP_5

Any ideas on what is blocking port 25?

Thanks in advance.

11 Replies

balaji.bandi (Hall of Fame)

SMTP fixup is off.

It needs to be on to work, as per the guide:

https://docs.microsoft.com/en-us/exchange/troubleshoot/mailflow/cannot-send-receive-email-behind-cisco-firewall

O365 uses SMTP TLS:

It may be worth looking at the config below:

https://arjanlobbezoo.nl/asa-5505-force-smtp-tls-connection-to-office-365-relay/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the suggestion. I am just trying to telnet to port 25 from an outside computer. I haven't tried the Microsoft verification yet. Do you think SMTP fixup would block a regular old telnet to port 25? If so, I will try turning it back on and creating maps tomorrow. Thanks for your reply.

First, is your local SMTP running OK? Are you able to do the same telnet x.x.x.x 25 locally, and do you see SMTP replies and get an SMTP open connection?

Once that is confirmed, then try other options.

Look at the flags' meaning:

flags SaAXB

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

BB
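An added example (not from the thread, Cisco, or the linked document) that decodes conn flags the way the reply above suggests: it parses the two `show conn` lines quoted in the original post, expands each flag letter with a subset of the legend the ASA prints in `show conn detail`, and classifies the port 25 conn as embryonic (outside SYN seen, no SYN-ACK from the inside host) against the established port 443 conn. The one-line conn format and the legend subset are assumptions based on that output.

```python
import re

# Subset of the flag legend the ASA prints with "show conn detail" (9.x).
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "S": "awaiting inside SYN",
    "s": "awaiting outside SYN", "U": "up", "I": "inbound data",
    "O": "outbound data", "M": "SMTP data", "X": "inspected by service module",
    "f": "inside FIN", "F": "outside FIN",
}

# Matches the one-line "show conn" format quoted in the thread (assumed layout).
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

def parse_conn(line):
    """Parse one conn line into a dict, decoding each flag letter."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    c = m.groupdict()
    for k in ("port_a", "port_b", "bytes"):
        c[k] = int(c[k])
    c["flag_meanings"] = [FLAG_LEGEND.get(ch, "unknown flag " + ch) for ch in c["flags"]]
    return c

def diagnose(c):
    """Classify the TCP handshake state that the flags describe."""
    if "U" in c["flags"]:
        return "established"
    if "B" in c["flags"] and "S" in c["flags"] and c["bytes"] == 0:
        # The outside SYN passed ACL and NAT and a conn was built, but the
        # inside host's SYN-ACK has not been seen: the reply is missing or
        # is dropped somewhere after the conn was created.
        return "embryonic: outside SYN seen, no SYN-ACK from inside host"
    return "handshake in progress"

def triage(show_conn_output):
    """Map inside port -> verdict for every parsable line of show conn output."""
    conns = (parse_conn(l) for l in show_conn_output.strip().splitlines())
    return {c["port_b"]: diagnose(c) for c in conns if c}

# The two conn lines quoted in the original post.
SAMPLE = """\
TCP Outside 199.36.132.62:24256 Inside 192.168.1.240:25, idle 0:00:01, bytes 0, flags SaAXB
TCP Outside 199.36.132.62:24090 Inside 192.168.1.240:443, idle 0:01:04, bytes 21982, flags UIOXB
"""

if __name__ == "__main__":
    for port, verdict in triage(SAMPLE).items():
        print(port, verdict)
```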

You just contradicted the doc you posted...

Hi Ken, thanks for the reply. Not sure where the contradiction is?

Never mind, I see what you are saying. Anyway, SMTP fixup is off. I don't think I am getting far enough into the box for that to make a difference yet.

Is that working locally? As I have asked before, then go to the next level.

BB

Yes, on the inside network you can telnet into the server on port 25 with no problem. Only from the outside, through the NAT, you cannot. The NAT is working and the access rules work, because you can http:// or https:// into the outside address and everything works fine.

@Ken Stieers is suggesting that it is worth disabling it as mentioned in the document, and testing.

https://www.petenetlive.com/KB/Article/0000536

BB

Do you have any inspection policy in place?
And if so, does that policy have ESMTP inspection turned on?
That will also break it.

Could you please run a packet capture on the inside interface for the traffic destined to and coming from the host 192.168.1.240 on port 25 and share the output?

A side note: you wouldn't need this rule, as it is using the public IP, but it shouldn't affect anything since the rule won't get any hits:

access-list Outside_access_in extended permit tcp any host 199.36.135.199 object-group DM_INLINE_TCP_5