ASA smtp and pop3 problem

Farooq Muhammad
Level 1

Hi all !

I am new to security and am facing a problem testing an ASA 5510 to allow SMTP and POP3, both using their standard ports. My first question is: is it necessary to configure NAT if I am using private addresses in my scenario both inside and outside? Which IMO is not necessary.

The Visio diagram is attached to elaborate the scenario. When the firewall is not installed all users can successfully connect to the mail server, but when the firewall is brought in everything stops.

I have configured the ASA to allow only SMTP and POP3 without NAT and also tried to use the ESMTP option given in the Cisco example document, but it is still not working.

IP address of the server is 172.16.0.2/28

IP address of int e0/0 of the ASA is 172.16.0.14/28

IP address of e0/1 of the ASA is 172.16.0.29/30

IP address of Fa0/1 of the layer 3 switch is 172.16.0.30/30; it is OSPF enabled

On the firewall I have configured a default route pointing to 172.16.0.30, so reachability is not an issue.

The ACL is

access-list SMTP-POP3 extended permit tcp any host 172.16.0.2 eq smtp

access-list SMTP-POP3 extended permit tcp any host 172.16.0.2 eq pop3

!

access-group smtp in interface outside      ----------> e 0/1

!

I also tried

no inspect esmtp     but it is still not working.

Please help!

Regards.

7 Replies

cadet alain
VIP Alumni

Hi,

The machine trying to reach the server is on the e0/1 side? Which security level does this interface have? If it is lower than e0/0 then you need to put the ACL inbound on this interface and not on the inside interface.

Regards.

Alain

Don't forget to rate helpful posts.

Yes, cadet alain!

The machine trying to reach the server is on e0/1, which is nameif outside and has a security level of zero,

whereas the server is attached to e0/0, nameif inside, with a security level of 100. The scenario is similar to Cisco document ID 70031.

Hi,

Then if nat-control is disabled (OS version > 7.1 and < 8.3), get rid of the access-list on the inside interface and put it on the outside interface and it shall work.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I haven't configured anything related to NAT and have not noted whether nat-control is disabled or not, so I will check it and update you. But in my original post I asked whether it is necessary to configure NAT if I do not need to translate from private to public addresses in the context of the ASA.

Thanks for your help and prompt replies.

Hi cadet alain,

Configuring    no nat-control

didn't work; still the same problem, and I am unable to connect to the mail server.

Hi,

Post the output of this command:

packet-tracer input outside tcp x.x.x.x 2000 172.16.0.2 110     where x.x.x.x is the IP address of the PC trying to reach the server.

Can you also post your sanitized running config from all L3 devices?

Regards.

Alain

Don't forget to rate helpful posts.
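As an added illustration that is not from any poster in this thread, the following ASA configuration fragment puts together what Alain recommends in the two replies above: the ACL permitting only SMTP and POP3 bound inbound on the lower-security outside interface (where the clients' packets arrive), nat-control disabled so the private-to-private flow needs no translation entry, and the packet-tracer check that shows which phase drops a flow. Interface, ACL and address values are taken from the thread; the client address 10.0.0.50 is a constructed placeholder, and the syntax assumes a pre-8.3 ASA release as the thread discusses.

```cisco
! Added example (not from the thread): minimal pre-8.3 ASA configuration for
! the scenario described above. Addresses come from the thread except the
! client 10.0.0.50, which is a constructed placeholder.
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.0.14 255.255.255.240
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.0.29 255.255.255.252
!
! Private addressing on both sides: nothing needs translating, so do not
! require every flow through the ASA to match a NAT rule.
no nat-control
!
! Default route towards the layer 3 switch on the outside interface.
route outside 0.0.0.0 0.0.0.0 172.16.0.30
!
! Permit only SMTP (25) and POP3 (110) to the mail server; the implicit
! deny at the end of the ACL drops every other connection from outside.
access-list SMTP-POP3 extended permit tcp any host 172.16.0.2 eq smtp
access-list SMTP-POP3 extended permit tcp any host 172.16.0.2 eq pop3
!
! Outside (0) to inside (100) is denied by default, so the ACL has to be
! bound inbound on the outside interface, and the name used here must
! match the access-list name exactly.
access-group SMTP-POP3 in interface outside
!
! From privileged EXEC: simulate a POP3 connection from the constructed
! client address. The output walks through route lookup, ACL, NAT and
! inspection and ends with an ALLOW or DROP verdict naming the phase.
packet-tracer input outside tcp 10.0.0.50 2000 172.16.0.2 110
```

Reading the packet-tracer result phase by phase is the quickest way to tell an ACL-placement problem (drop in the ACCESS-LIST phase) from a missing translation (drop in the NAT phase) or a routing problem (drop in the ROUTE-LOOKUP phase), which is why Alain asks for that output before anything else.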

Hi,

no, it is not necessary to configure NAT.

Regards.

Alain

Don't forget to rate helpful posts.