05-01-2018 01:18 AM - edited 02-21-2020 07:41 AM
Hi All,
I have an ASA5510 running IOS 8.2. I want to experiment with allowing a server on our network to SMTP to our Office 365 exchange service. I have configured the access list on the inside interface to allow our server to telnet out on port 25. Packet-Tracer of the inside interface with our server IP and port 25 to exchange IP and port 25 is successful. However, when I perform a test telnet, it eventually times out and I get a Connect Failed message. Console logging with level 6 only logs the following:
Built outbound TCP connection ####### for outside:<exchange IP>/25 (<exchange IP>/25) to inside:<server IP>/<rand port> (<server IP>/<rand port>)
I have done a tcpdump on the server connected to the outside interface and it sees nothing. I have also temporarily turned off mailguard by issuing the following command:
no fixup protocol smtp 25
However, I have not restarted the ASA. Do I need to restart the ASA for it to take affect?
Edit: I have restarted the ASA 5510 and still the same result as above.
TIA,
Vlad
05-03-2018 09:40 PM
All fixed now. All of a sudden, logging showed "failed to locate next hop for UDP from NP Identity for 65.XX.XX.138". I added a route for it to go to the ISP gateway and it is working now.
Cheers for the various input on how to diagnose the issue.
05-01-2018 02:10 AM
You do not need to reboot the ASA after you make such a change; as soon as you put the config in, it becomes active.
Now, three things:
Is your access list getting hit at all? (Do you see the hit count increasing?)
Also, run a packet capture on your outside interface to the O365 destination and see if traffic is actually leaving the ASA.
Thirdly, can you add a sanitised version of the ASA's config and add the source IP of the server?
Cheers
05-01-2018 02:17 AM
Check the connection table as well as set up a capture on the interface going towards the exchange server and on the interface closest to the test PC.
show conn address <test pc ip>
cap capexchange interface dmz match ip host <exchange server IP> host <test pc ip>
cap cappc interface inside match ip host <test pc ip> host <exchange server IP>
show cap capexchange
show cap cappc
If you see traffic leaving the interface closest to the exchange but nothing coming back, there is an issue either on the exchange server or in the network between the ASA and the exchange server.
If you do not see packets leaving the interface closest to the exchange server but you see them on the inside interface then there could be a NAT statement messing things up.
If you do not see packets on any of the interfaces then there is either an ACL dropping the traffic or a network issue between the ASA and the test PC.
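The three-way decision above (traffic seen on the inside capture only, seen leaving the far-side interface with no reply, or seen nowhere) can be applied mechanically to the tcpdump-style lines that show capture prints. The script below is an added example and is not part of the thread: it parses capture output in that format, counts the client's SYNs and the server's SYN-ACKs on each interface, and returns which case applies. The sample captures are constructed to match the shape of the captures posted later in this thread, with 203.0.113.25 standing in for the sanitised mail-server address and the function names being my own.

```python
import re

# Constructed sample captures in the tcpdump-style format that 'show capture <name>'
# prints on the ASA. 203.0.113.25 stands in for the sanitised mail-server address.
INSIDE_CAP = """\
1: 09:19:33.818805 10.89.10.4.65241 > 203.0.113.25.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
2: 09:19:36.823977 10.89.10.4.65241 > 203.0.113.25.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
3: 09:19:42.823870 10.89.10.4.65241 > 203.0.113.25.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,nop,sackOK>
3 packets shown
"""
OUTSIDE_CAP_EMPTY = "0 packet captured\n0 packet shown\n"
# A constructed SYN-ACK line, for the case where the server does answer.
REPLY_LINE = "4: 09:19:33.900000 203.0.113.25.25 > 10.89.10.4.65241: S. 2001:2001(0) ack 1862711460 win 65535 <mss 1460>\n"

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <tcp flags> ..."
CAP_LINE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)"
)


def parse_capture(text):
    """Parse 'show capture' output into packet dicts.

    Summary lines such as '0 packet captured' or '3 packets shown' do not match
    the packet pattern and are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["sport"] = int(pkt["sport"])
            pkt["dport"] = int(pkt["dport"])
            packets.append(pkt)
    return packets


def handshake_counts(packets, client, server, port=25):
    """Return (client SYNs toward server:port, server SYN-ACKs back to client)."""
    syn = sum(1 for p in packets
              if p["src"] == client and p["dst"] == server
              and p["dport"] == port and p["flags"] == "S")
    synack = sum(1 for p in packets
                 if p["src"] == server and p["dst"] == client
                 and p["sport"] == port and p["flags"] == "S.")
    return syn, synack


def triage(inside_text, outside_text, client, server, port=25):
    """Apply the capture decision tree from the thread to the two captures."""
    in_syn, in_synack = handshake_counts(parse_capture(inside_text), client, server, port)
    out_syn, out_synack = handshake_counts(parse_capture(outside_text), client, server, port)
    if in_synack or out_synack:
        # The server answered; the problem, if any, is above the TCP handshake.
        return "handshake-reply-seen"
    if out_syn:
        # SYN left the ASA and nothing came back: remote host or upstream path.
        return "no-reply-beyond-asa"
    if in_syn:
        # SYN reached the ASA but never egressed: NAT, route/next hop or egress policy on the ASA.
        return "dropped-inside-asa"
    # Nothing on either interface: ingress ACL or the LAN path to the test host.
    return "not-reaching-asa"


if __name__ == "__main__":
    print(triage(INSIDE_CAP, OUTSIDE_CAP_EMPTY, "10.89.10.4", "203.0.113.25"))
```

For the "dropped-inside-asa" outcome, packet-tracer with the detail keyword and show asp drop (which counts drop reasons such as a missing adjacency for the next hop) are the next checks on the ASA itself; in this thread that case turned out to be a routing problem rather than NAT. Make sure the capture is applied to the interface the route table actually sends the traffic out of, otherwise the "nothing on the outside" reading is meaningless.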
05-01-2018 03:20 AM
Hi guys,
Cheers for the quick responses and tips. Will try them tomorrow and reply here.
05-01-2018 06:26 PM
Update:
I ran the capture on the inside interface and got the following:
1: 09:19:33.818805 Server_IP.65241 > ExchangeIP.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
2: 09:19:36.823977 Server_IP.65241 > ExchangeIP.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
3: 09:19:42.823870 ServerIP.65241 > ExchangeIP.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,nop,sackOK>
I then ran the capture on the outside interface and got nothing. So it is not leaving the outside interface.
Below is the cut-down version with altered IP address showing the important bits. 10.89.10.4 is our server that we want to be able to smtp to 65.XX.XX.138.
interface Ethernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/3
 description inside
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
access-list inside_in remark Known proxy port.
access-list inside_in extended permit tcp any any eq 3128
access-list inside_in extended permit udp any any eq ntp
access-list inside_in remark Allow traffic from other site
access-list inside_in extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list inside_in extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list inside_in extended permit icmp 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit icmp 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit tcp host 10.89.10.4 any eq smtp
access-list inside_in extended deny tcp any any eq smtp
access-list inside_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list outside_in extended permit tcp host 65.XX.XX.138 any eq smtp
access-list outside_in extended deny tcp any any eq smtp
access-list outside_in extended permit ip any any
mtu outside 1500
mtu inside 1500
access-group outside_in in interface outside
access-group inside_in in interface inside
!
interoffice VPN routes
route outside 0.0.0.0 0.0.0.0 10.89.30.1 1
route outside 10.47.30.1 255.255.255.255 10.89.30.12 1
route outside 10.47.30.12 255.255.255.255 10.89.30.12 1
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.47.30.1
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.89.30.12 source outside
tunnel-group 10.47.30.1 type ipsec-l2l
tunnel-group 10.47.30.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
TIA,
Vlad
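One thing worth checking in a config like the one above before reaching for captures: the accepted answer further down in this thread reports "failed to locate next hop" and is fixed by adding a route to the ISP gateway, and in the posted config the default route "route outside 0.0.0.0 0.0.0.0 10.89.30.1 1" names 10.89.30.1 as the next hop, which is the outside interface's own address. The ASA has to resolve a next hop to a neighbour on the connected segment; its own address never yields a usable adjacency, so the packet passes the ROUTE-LOOKUP phase of packet-tracer (a route exists) and is still dropped before egress, which is consistent with SYNs showing on the inside capture and nothing on the outside. The script below is an added example, not something from the thread: it parses the interface and route lines from a config and flags any static route whose next hop is one of the firewall's own addresses or lies outside the connected subnet of the interface the route points at. The sample config is a constructed excerpt that mirrors only the interface and route lines posted above, and the function names are my own.

```python
import ipaddress
import re

# Constructed excerpt mirroring the interface and route lines posted in this thread
# (same sanitised addresses as posted; everything else omitted).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.89.30.1 1
route outside 10.47.30.1 255.255.255.255 10.89.30.12 1
route outside 10.47.30.12 255.255.255.255 10.89.30.12 1
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
"""

# "route <nameif> <dest> <mask> <next hop> [metric]"
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus connected subnet)."""
    interfaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block; forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()[:4]
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config):
    """Return (nameif, destination network, next hop) for every static route line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            nameif, dest, mask, nexthop, _metric = m.groups()
            routes.append((nameif,
                           ipaddress.IPv4Network(f"{dest}/{mask}"),
                           ipaddress.IPv4Address(nexthop)))
    return routes


def check_routes(config):
    """Flag static routes whose next hop the ASA could never resolve to a neighbour.

    Returns a list of (destination, next_hop, reason) tuples; an empty list means
    every next hop sits on the connected subnet of its egress interface and is
    not one of the firewall's own addresses."""
    interfaces = parse_interfaces(config)
    findings = []
    for nameif, dest, nexthop in parse_routes(config):
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append((str(dest), str(nexthop),
                             f"route references unknown interface {nameif}"))
        elif nexthop == iface.ip:
            findings.append((str(dest), str(nexthop),
                             f"next hop is the ASA's own {nameif} address"))
        elif nexthop not in iface.network:
            findings.append((str(dest), str(nexthop),
                             f"next hop is outside the connected subnet {iface.network}"))
    return findings


if __name__ == "__main__":
    for dest, nexthop, reason in check_routes(SAMPLE_CONFIG):
        print(f"{dest} via {nexthop}: {reason}")
```

Run against the constructed excerpt, only the default route is flagged; the two VPN peer routes via 10.89.30.12 and the inside route via 10.89.20.11 both point at addresses on their interfaces' connected subnets. The check is deliberately static: it does not tell you whether the next hop actually answers ARP, only whether it could.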
05-01-2018 07:27 PM
Update:
Done a capture on the inside interface and got the following:
1: 11:49:02.063259 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
2: 11:49:05.069729 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
3: 11:49:11.085261 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,nop,sackOK>
3 packets shown
Done a capture of the outside interface and got nothing.
The following is the config with altered IP addresses:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
access-list inside_in remark Known proxy port.
access-list inside_in extended permit tcp any any eq 3128
access-list inside_in extended permit udp any any eq ntp
access-list inside_in remark Allow traffic from other site
access-list inside_in extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list inside_in extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list inside_in extended permit icmp 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit icmp 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit tcp host 10.89.10.4 any eq smtp
access-list inside_in extended deny tcp any any eq smtp
access-list inside_in extended permit ip any any
access-list outside_in extended permit tcp host 65.XX.XX.138 any eq smtp
access-list outside_in extended deny tcp any any eq smtp
access-list outside_in extended permit ip any any
!
VPN
access-list outside_1_cryptomap extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
mtu outside 1500
mtu inside 1500
access-group outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.89.30.1 1
route outside 10.47.30.1 255.255.255.255 10.89.30.12 1
route outside 10.47.30.12 255.255.255.255 10.89.30.12 1
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.47.30.1
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.89.30.12 source outside
tunnel-group 10.47.30.1 type ipsec-l2l
tunnel-group 10.47.30.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
TIA,
Vlad
05-01-2018 10:48 PM - edited 05-01-2018 10:50 PM
Is there any NAT configuration on this ASA? or is all NAT done on 10.89.30.1?
Could you do a packet tracer also.
packet-tracer input inside tcp 10.89.10.4 12345 65.XX.XX.138 25 detail
Please post the full output, including the command you entered for the packet tracer.
05-01-2018 11:31 PM
Hi Marius,
There are no explicit NAT rules defined as per above config. The result of the packet tracer is as follows:
ciscoasa# packet-tracer input inside tcp 10.89.10.4 12345 65.xx.xx.138 25 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xab4a9f48, priority=12, domain=capture, deny=false
        hits=7549947, user_data=0xab4a90c0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xab7f46e8, priority=1, domain=permit, deny=false
        hits=4716627, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit tcp host 10.89.10.4 any eq smtp
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xab84eff8, priority=12, domain=permit, deny=false
        hits=19, user_data=0xa89f6940, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.89.10.4, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xab7f6ef8, priority=0, domain=permit-ip-option, deny=true
        hits=45208, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0xab4aa240, priority=12, domain=capture, deny=false
        hits=40, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=10.89.10.4, mask=255.255.255.255, port=0
        dst ip=65.xx.xx.138, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0xa76a9c70, priority=12, domain=capture, deny=false
        hits=0, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=10.89.10.4, mask=255.255.255.255, port=0
        dst ip=65.xx.xx.138, mask=255.255.255.255, port=0, dscp=0x0

Phase: 9
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 in  id=0xab4a9478, priority=12, domain=capture, deny=false
        hits=0, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=65.xx.xx.138, mask=255.255.255.255, port=0
        dst ip=10.89.10.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 in  id=0xab7b0890, priority=0, domain=permit-ip-option, deny=true
        hits=45542, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
 out id=0xab4aa1a8, priority=12, domain=capture, deny=false
        hits=0, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=65.xx.xx.138, mask=255.255.255.255, port=0
        dst ip=10.89.10.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 45714, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Cheers,
Vlad
05-01-2018 11:37 PM
Very odd that you are not seeing anything in the captures on the outside interface. Have you checked the connection table (show conn address 65.xx.xx.138 detail)? Perhaps there are some stale connections that are messing things up.
05-01-2018 11:49 PM
Hi Marius,
The show conn is as follows:
ciscoasa(config)# show conn address 65.xx.xx.138 detail
130 in use, 291 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data, i - incomplete,
       J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
Cheers,
Vlad
05-02-2018 12:04 AM
Are you sure you applied the capture correctly on the outside interface? Please double check it and try again.
cap capout interface outside match ip host 65.xx.xx.138 host 10.89.10.4
show cap capout
05-02-2018 04:35 PM
Hi Marius,
Yes. I did the following:
ciscoasa# capture outbound interface outside match ip host 65.xx.xx.138 host 10.89.10.4
I then did telnet 65.xx.xx.138 25 from 10.89.10.4 and showed the capture as follows after it failed to connect:
ciscoasa# show capture outbound
0 packet captured
0 packet shown
Cheers,
Vlad
05-02-2018 08:08 PM - edited 05-02-2018 09:36 PM
Update: Still no luck. However, I have made a slight change. I removed the outside_in access-list as it is really not required as connection request is from inside to outside. I have also made a separate access-list as follows:
access-list SMTP_out extended permit tcp host 10.89.10.4 any eq smtp
global (outside) 1 interface
nat (inside) 1 access-list SMTP_out
Telnet to 65.XX.XX.138 25 still fails but it fails.
Cheers,
Vlad
05-03-2018 01:25 AM
05-03-2018 05:24 PM
Hi Florin,
All other traffic is fine. Have been using this ASA for a couple of years. We have just moved to Office 365 and want to be able to have our various services send emails to the admins via Office 365. We had our own internal mail server so had no such issues before.
Also, port 443 is not open and unfortunately, the nature of our business does not allow remote management.
Cheers,
Vlad