12-07-2010 08:45 AM - edited 03-11-2019 12:19 PM
Hello All,
I have been trying to get my ASA to forward port 25 for 3 weeks now. I have created an ACL & NAT for port 3389 and that works flawlessly. When I mimic the rule and change the port to 25 I cannot telnet to the public IP over 25. I can, though, with 3389. I have attached my config; hopefully someone can help. This is a very basic network. All traffic out and only SMTP in. I do not have a DMZ. The Exchange server is NATted. Thanks in advance. SMTP inspection is disabled as well. I even tried turning it on and it still fails.
: Saved
:
ASA Version 8.2(2)
!
hostname FHQ-ASA-01
domain-name
enable password 3w9rraOp1nonSieY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name "removed" Public description Public
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Public 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 5
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.0.5
domain-name stalcoconstruct.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object tcp eq netbios-ssn
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list outside_access_in extended permit tcp any host Public eq smtp log debugging
access-list outside_access_in extended permit tcp host HOME host Public eq 3389
access-list outside_access_in extended deny icmp any any
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq imap4
access-list inside_access_in extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq smtp log debugging
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.0.105 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.105 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.127.190.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
http server idle-timeout 15
http server session-timeout 15
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 15
console timeout 5
dhcpd address 192.168.0.100-192.168.0.150 inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username vgulino password EiHOUlrCWe6CgZtf encrypted privilege 15
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
parameters
no mask-banner
match sender-address length gt 320
log
match MIME filename length gt 255
log
match cmd line length gt 512
log
match cmd RCPT count gt 100
log
match body line length gt 998
log
policy-map global_policy
class inspection_default
!
smtp-server 192.168.0.5
prompt hostname context
Cryptochecksum:20c691b56c00b8a1a836747de9837c29
: end
asdm image disk0:/asdm-625.bin
no asdm history enable
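The question is whether the smtp rule really mirrors the working 3389 rule. The following checker is an added example (not code from the thread or from Cisco): it parses the ACL, static (inside,outside) and access-group lines of the posted config and reports, per published TCP port, whether a permit in the ACL bound to outside and a static translation both exist. The SERVICE_PORTS table is an assumption covering only the keywords this config uses.

```python
import re

# ASA 8.2 service keywords -> port numbers (assumed subset for this config).
SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53, "ftp": 21}

# Constructed excerpt: the ACL and static NAT lines from the posted config.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any host Public eq smtp log debugging
access-list outside_access_in extended permit tcp host HOME host Public eq 3389
access-list outside_access_in extended deny icmp any any
static (inside,outside) tcp interface 3389 192.168.0.105 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.105 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit tcp (?P<src>any|host \S+) "
    r"host (?P<dst>\S+) eq (?P<port>\S+)")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) tcp interface (?P<mapped>\S+) "
    r"(?P<real_ip>\S+) (?P<real_port>\S+) netmask")
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface outside")

def to_port(token):
    """Translate a service keyword or numeric string to an int port."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)

def audit_port_forwards(config_text):
    """Return {port: {...}} for each TCP port published on the outside
    interface: which ACL permits it, from which sources, and which
    inside host the static (inside,outside) entry sends it to."""
    ports, outside_acl = {}, None
    blank = lambda: {"acl": None, "sources": [], "real_ip": None}
    for line in config_text.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            outside_acl = m["acl"]
        elif m := ACL_RE.match(line):
            entry = ports.setdefault(to_port(m["port"]), blank())
            entry["acl"] = m["acl"]
            entry["sources"].append(m["src"].replace("host ", ""))
        elif m := STATIC_RE.match(line):
            ports.setdefault(to_port(m["mapped"]), blank())["real_ip"] = m["real_ip"]
    # A permit only counts if its ACL is actually bound to the outside interface.
    for entry in ports.values():
        entry["acl_applied"] = entry["acl"] is not None and entry["acl"] == outside_acl
    return ports

def gaps(ports):
    """List published ports missing either the ACL permit or the static NAT."""
    problems = []
    for port, e in sorted(ports.items()):
        if not e["acl_applied"]:
            problems.append(f"tcp/{port}: no permit in the ACL bound to outside")
        if e["real_ip"] is None:
            problems.append(f"tcp/{port}: no static (inside,outside) translation")
    return problems
```

Run against the excerpt it reports no gaps for tcp/25 or tcp/3389, which is consistent with the poster's observation that the two rules are alike and points the search at what sits in front of the ASA.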
12-08-2010 06:06 AM
I tested port 25 with no firewall and I was able to connect to the port. We have a "Business" class service. All ports are open.
12-08-2010 06:39 AM
This is very interesting. When you remove the firewall from the picture who answers for the public IP address? You have a router or do you give the public IP directly to the server?
You are running 8.2.2 so captures are very easy to do. You do not need any access-list for collecting captures.
cap capout int outside match tcp any any eq 25
You can remove any other capture that you have on the unit presently and apply the one above.
If the packets do not arrive on the captures like I read on the thread up above, the ASA cannot do anything about that.
Try the telnet test and do "sh cap capout" and see if you see the packets.
-KS
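The reasoning behind KS's capture test can be mechanised: read the "sh cap capout" output and count inbound SYNs to the public IP on port 25 versus SYN-ACKs sent back. The script below is an added example, not from the thread or from Cisco; it assumes the tcpdump-style line layout the ASA uses for show capture, and the sample capture and addresses are constructed (documentation ranges, not the poster's).

```python
import re

# Constructed sample in the tcpdump-style layout of "show capture capout".
SAMPLE_CAPTURE = """\
3 packets captured

   1: 06:41:12.110045 203.0.113.20.49211 > 198.51.100.2.25: S 2213425671:2213425671(0) win 65535 <mss 1460>
   2: 06:41:12.110350 198.51.100.2.25 > 203.0.113.20.49211: S 1043521234:1043521234(0) ack 2213425672 win 8192 <mss 1380>
   3: 06:41:12.145102 203.0.113.20.49211 > 198.51.100.2.25: . ack 1043521235 win 65535
3 packets shown
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>"
PKT_RE = re.compile(
    r"^\s*\d+: \S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)(?P<rest>.*)$")

def parse_capture(text):
    """Turn capture lines into dicts; header/trailer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        if m := PKT_RE.match(line):
            pkts.append({"src": m["src"], "sport": int(m["sport"]),
                         "dst": m["dst"], "dport": int(m["dport"]),
                         "syn": "S" in m["flags"], "ack": " ack " in m["rest"]})
    return pkts

def diagnose(pkts, public_ip, port):
    """Classify what the outside capture shows for one published TCP port."""
    syn_in = sum(p["syn"] and not p["ack"] and p["dst"] == public_ip
                 and p["dport"] == port for p in pkts)
    synack_out = sum(p["syn"] and p["ack"] and p["src"] == public_ip
                     and p["sport"] == port for p in pkts)
    if syn_in == 0:
        verdict = "no SYN reached the outside interface: look upstream of the ASA"
    elif synack_out == 0:
        verdict = "SYN arrived but nothing came back: check ACL, static NAT and the inside server"
    else:
        verdict = "handshake completed through the ASA"
    return {"syn_in": syn_in, "synack_out": synack_out, "verdict": verdict}
```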
12-08-2010 06:43 AM
There is a bridge that is attached to the modem. When I called my provider they said everything is wide open. Tonight I am going to try hooking up the server to the modem with the bridge connected; last time I just connected the modem with the server.
12-08-2010 06:46 AM
Sounds good! Let us know how it goes!