Allow smtp through ASA 5510

Hi All,

 

I have an ASA5510 running IOS 8.2. I want to experiment with allowing a server on our network to SMTP to our Office 365 exchange service. I have configured the access list on the inside interface to allow our server to telnet out on port 25. Packet-Tracer of the inside interface with our server IP and port 25 to exchange IP and port 25 is successful. However, when I perform a test telnet, it eventually times out and I get a Connect Failed message. Console logging with level 6 only logs the following:

Built outbound TCP connection ####### for outside:<exchange IP>/25 (<exchange IP>/25) to inside:<server IP>/<rand port> (<server IP>/<rand port>)

 

I have done a tcpdump on the server connected to the outside interface and it sees nothing. I have also temporarily turned off mailguard by issuing the following command:

no fixup protocol smtp 25

 

However, I have not restarted the ASA. Do I need to restart the ASA for it to take effect?

 

Edit: I have restarted the ASA 5510 and still the same result as above.

 

TIA,

Vlad

1 Accepted Solution

Accepted Solutions

All fixed now. All of a sudden, logging showed "failed to locate next hop for UDP from NP Identity for 65.XX.XX.138". I added a route for it to go to the ISP gateway and it is working now.

 

Cheers for the various input on how to diagnose the issue.
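The accepted answer traces the failure to the ASA having no usable next hop for the destination. As an added example (not from this thread or from Cisco), the following Python check parses the interface and route lines as the poster quotes them further down and flags any static route whose next hop is the ASA's own interface address or lies off that interface's subnet. The poster says addresses were altered before posting, so a hit on the sanitised copy may be a sanitisation artifact rather than the live config; `parse_interfaces`, `parse_routes` and `check_next_hops` are names chosen here.

```python
import ipaddress
import re

# Constructed input: the interface and route lines as quoted later in this
# thread (the poster says the addresses were altered before posting).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 10.89.30.1 255.255.255.0
interface Ethernet0/3
 nameif inside
 ip address 10.89.20.12 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.89.30.1 1
route outside 10.47.30.1 255.255.255.255 10.89.30.12 1
route outside 10.47.30.12 255.255.255.255 10.89.30.12 1
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
"""

ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")

def parse_interfaces(config):
    """Map each nameif to the ip_interface set in its interface block."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = addr = None          # new block: forget the previous one
        elif words[:1] == ["nameif"]:
            name = words[1]
        elif words[:2] == ["ip", "address"]:
            addr = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        if name and addr:
            ifaces[name] = addr
    return ifaces

def parse_routes(config):
    """Yield (nameif, destination network, next hop) per static route line."""
    for line in config.splitlines():
        m = ROUTE.match(line)
        if m:
            nameif, dst, mask, nh = m.groups()
            net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
            yield nameif, net, ipaddress.ip_address(nh)

def check_next_hops(config):
    """Return {route: reason} for every static route whose gateway the ASA
    cannot reach directly: its own interface address, or an address that is
    not on the egress interface's subnet."""
    ifaces = parse_interfaces(config)
    problems = {}
    for nameif, net, nh in parse_routes(config):
        key = f"route {nameif} {net.network_address} {net.netmask} {nh}"
        iface = ifaces.get(nameif)
        if iface is None:
            problems[key] = f"no interface named {nameif}"
        elif nh == iface.ip:
            problems[key] = "next hop is the ASA's own interface address"
        elif nh not in iface.network:
            problems[key] = f"next hop {nh} is off the {nameif} subnet {iface.network}"
    return problems
```

On the quoted config the only hit is the default route, whose next hop is the outside interface's own address; pointing it at a gateway on the outside subnet clears the check.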


17 Replies

Dennis Mink
VIP Alumni

you do not need to reboot the asa after you make such a change; as soon as you put the config in, it becomes active.

 

now 3 things:

 

is your access list getting hit at all? (do you see the hit count increasing?)

 

also, run a packet capture on your outside interface to the O365 destination and see if traffic is actually leaving the ASA.

 

thirdly, can you add a sanitised version of the asa's config and add sourceip of the server?

 

cheers

 

 

Please remember to rate useful posts, by clicking on the stars below.

Check the connection table as well as set up a capture on the interface going towards the exchange server and on the interface closest to the test PC.

show conn address <test pc ip>

cap capexchange interface dmz match ip host <exchange server IP> host <test pc ip>

cap cappc interface inside match ip host <test pc ip> host <exchange server IP>

show cap capexchange

show cap cappc

If you see traffic leaving the interface closest to the exchange but nothing coming back, there is an issue either on the exchange server or in the network between the ASA and the exchange server.

If you do not see packets leaving the interface closest to the exchange server but you see them on the inside interface then there could be a NAT statement messing things up.

If you do not see packets on any of the interfaces then there is either an ACL dropping the traffic or a network issue between the ASA and the test PC.

--
Please remember to select a correct answer and rate helpful posts
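The three-way decision above can be applied mechanically to the text of `show cap` output. As an added example, not from the post or from Cisco, this Python parses ASA capture lines in the format quoted in this thread and returns which branch applies; the sample captures are constructed from what the poster quoted, and `triage`, `client`, `server` and `port` (the test PC, the exchange host and 25) are names chosen here.

```python
import re

# Constructed captures in the format quoted in this thread: three SYN
# retransmits on the inside interface and an empty outside capture.
CAP_INSIDE = """\
   1: 11:49:02.063259 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
   2: 11:49:05.069729 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
   3: 11:49:11.085261 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,nop,sackOK>
3 packets shown
"""
CAP_OUTSIDE = "0 packet captured\n0 packet shown\n"

# One packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ..."
PKT = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\.(\d+) > (\S+)\.(\d+): (\S+)")

def parse_capture(text):
    """Return (src, sport, dst, dport, tcp_flags) for each packet line."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append((src, int(sport), dst, int(dport), flags))
    return pkts

def triage(cap_inside, cap_outside, client, server, port):
    """Classify a failing client->server TCP connection from the capture on
    the interface nearest the client and the one nearest the server,
    following the decision tree in the post above."""
    def fwd(p):  # client -> server:port
        return p[0] == client and p[2] == server and p[3] == port
    def rev(p):  # server:port -> client
        return p[0] == server and p[1] == port and p[2] == client
    inside, outside = parse_capture(cap_inside), parse_capture(cap_outside)
    if any(map(fwd, outside)):
        # Leaves the far interface; with no reply, look beyond the ASA.
        return "ok" if any(map(rev, outside)) else "server_or_far_path"
    if any(map(fwd, inside)):
        # Seen entering, never leaving: dropped inside the ASA. The post names
        # NAT; in this thread it turned out to be a missing next-hop route.
        return "dropped_in_asa"
    return "acl_or_near_path"
```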

Hi guys,

 

Cheers for the quick responses and tips. Will try them tomorrow and reply here.

Update:

 

I ran the capture on the inside interface and got the following:

 

1: 09:19:33.818805 Server_IP.65241 > ExchangeIP.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
2: 09:19:36.823977 Server_IP.65241 > ExchangeIP.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
3: 09:19:42.823870 ServerIP.65241 > ExchangeIP.25: S 1862711459:1862711459(0) win 8192 <mss 1360,nop,nop,sackOK>

 

I then ran the capture on the outside interface and got nothing. So it is not leaving the outside interface.

Below is the cut-down version with altered IP address showing the important bits. 10.89.10.4 is our server that we want to be able to smtp to 65.XX.XX.138.

interface Ethernet0/0
 description outside
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/3
 description inside
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
access-list inside_in remark Known proxy port.
access-list inside_in extended permit tcp any any eq 3128
access-list inside_in extended permit udp any any eq ntp
access-list inside_in remark Allow traffic from other site
access-list inside_in extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list inside_in extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list inside_in extended permit icmp 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit icmp 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit tcp host 10.89.10.4 any eq smtp
access-list inside_in extended deny tcp any any eq smtp
access-list inside_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list outside_in extended permit tcp host 65.XX.XX.138 any eq smtp
access-list outside_in extended deny tcp any any eq smtp
access-list outside_in extended permit ip any any
mtu outside 1500
mtu inside 1500
access-group outside_in in interface outside
access-group inside_in in interface inside
! interoffice VPN routes
route outside 0.0.0.0 0.0.0.0 10.89.30.1 1
route outside 10.47.30.1 255.255.255.255 10.89.30.12 1
route outside 10.47.30.12 255.255.255.255 10.89.30.12 1
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.47.30.1
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.89.30.12 source outside
tunnel-group 10.47.30.1 type ipsec-l2l
tunnel-group 10.47.30.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

 TIA,

 

Vlad

Update:

 

Done a capture on the inside interface and got the following:

   1: 11:49:02.063259 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
   2: 11:49:05.069729 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,wscale 8,nop,nop,sackOK>
   3: 11:49:11.085261 10.89.10.4.50459 > 65.XX.XX.138.25: S 1608552475:1608552475(0) win 8192 <mss 1360,nop,nop,sackOK>
3 packets shown

Done a capture of the outside interface and got nothing.

 

 

The following is the config with altered IP addresses:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.89.30.1 255.255.255.0
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 10.89.20.12 255.255.255.0
!
access-list inside_in remark Known proxy port.
access-list inside_in extended permit tcp any any eq 3128
access-list inside_in extended permit udp any any eq ntp
access-list inside_in remark Allow traffic from other site
access-list inside_in extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list inside_in extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
access-list inside_in extended permit icmp 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit icmp 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0 echo-reply
access-list inside_in extended permit tcp host 10.89.10.4 any eq smtp
access-list inside_in extended deny tcp any any eq smtp
access-list inside_in extended permit ip any any
access-list outside_in extended permit tcp host 65.XX.XX.138 any eq smtp
access-list outside_in extended deny tcp any any eq smtp
access-list outside_in extended permit ip any any
! VPN
access-list outside_1_cryptomap extended permit ip 10.89.0.0 255.255.0.0 10.47.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.47.0.0 255.255.0.0 10.89.0.0 255.255.0.0
mtu outside 1500
mtu inside 1500
access-group outside_in in interface outside
access-group inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.89.30.1 1
route outside 10.47.30.1 255.255.255.255 10.89.30.12 1
route outside 10.47.30.12 255.255.255.255 10.89.30.12 1
route inside 10.89.10.0 255.255.255.0 10.89.20.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 10.47.30.1
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 10.89.30.12 source outside
tunnel-group 10.47.30.1 type ipsec-l2l
tunnel-group 10.47.30.1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

TIA,

 

Vlad

Is there any NAT configuration on this ASA? or is all NAT done on 10.89.30.1?

Could you do a packet tracer also.

packet-tracer input inside tcp 10.89.10.4 12345 65.XX.XX.138 25 detail

 

Please post the full output, including the command you entered for the packet tracer.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

 

There are no explicit NAT rules defined as per above config. The result of the packet tracer is as follows:

ciscoasa# packet-tracer input inside tcp 10.89.10.4 12345 65.xx.xx.138 25 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab4a9f48, priority=12, domain=capture, deny=false
        hits=7549947, user_data=0xab4a90c0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab7f46e8, priority=1, domain=permit, deny=false
        hits=4716627, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit tcp host 10.89.10.4 any eq smtp
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab84eff8, priority=12, domain=permit, deny=false
        hits=19, user_data=0xa89f6940, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.89.10.4, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab7f6ef8, priority=0, domain=permit-ip-option, deny=true
        hits=45208, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xab4aa240, priority=12, domain=capture, deny=false
        hits=40, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=10.89.10.4, mask=255.255.255.255, port=0
        dst ip=65.xx.xx.138, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xa76a9c70, priority=12, domain=capture, deny=false
        hits=0, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=10.89.10.4, mask=255.255.255.255, port=0
        dst ip=65.xx.xx.138, mask=255.255.255.255, port=0, dscp=0x0

Phase: 9
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xab4a9478, priority=12, domain=capture, deny=false
        hits=0, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=65.xx.xx.138, mask=255.255.255.255, port=0
        dst ip=10.89.10.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xab7b0890, priority=0, domain=permit-ip-option, deny=true
        hits=45542, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0xab4aa1a8, priority=12, domain=capture, deny=false
        hits=0, user_data=0xab4a90c0, cs_id=0xa763c190, reverse, flags=0x0, protocol=0
        src ip=65.xx.xx.138, mask=255.255.255.255, port=0
        dst ip=10.89.10.4, mask=255.255.255.255, port=0, dscp=0x0

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 45714, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Cheers,

 

Vlad

Very odd that you are not seeing anything in the captures on the outside interface. Have you checked the connection table (show conn address 65.xx.xx.138 detail)? Perhaps there are some stale connections that are messing things up.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

 

The show conn is as follows:

ciscoasa(config)# show conn address 65.xx.xx.138 detail
130 in use, 291 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module

Cheers,

 

Vlad

Are you sure you applied the capture correctly on the outside interface?  Please double check it and try again.

cap capout interface outside match ip host 65.xx.xx.138 host 10.89.10.4

show cap capout

 

 

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

 

Yes. I did the following:

ciscoasa# capture outbound interface outside match ip host 65.xx.xx.138 host 10.89.10.4

I then did telnet 65.xx.xx.138 25 from 10.89.10.4 and showed the capture as follows after it failed to connect:

 

 

ciscoasa# show capture outbound

0 packet captured

0 packet shown

Cheers,

Vlad 

Update: Still no luck. However, I have made a slight change. I removed the outside_in access-list as it is really not required, as the connection request is from inside to outside. I have also made a separate access-list as follows:

access-list SMTP_out extended permit tcp host 10.89.10.4 any eq smtp
global (outside) 1 interface
nat (inside) 1 access-list SMTP_out

Telnet to 65.XX.XX.138 25 still fails but it fails. 

Cheers,

 

Vlad

Apart from SMTP traffic, is any other kind of traffic working for you?
Can you telnet on 443 instead of 25 (assuming 443 is open)?
This thread has gone back and forth - I would perform a remote session if you agree and sort this out.

Hi Florin,

 

All other traffic is fine. We have been using this ASA for a couple of years. We have just moved to Office 365 and want to be able to have our various services send emails to the admins via Office 365. We had our own internal mail server so had no such issues before.

 

Also, port 443 is not open and unfortunately, the nature of our business does not allow remote management.

Cheers,

Vlad
