09-21-2013 12:42 PM - edited 03-11-2019 07:41 PM
Hello everyone,
I am having trouble with my outbound SMTP traffic. I have a 5510 ASA with an IPS module. I also have three interfaces configured: the inside, DMZ, and outside. My incoming email passes with no problems, but my outgoing ones do not; they get stuck in my DMZ with the following message: No route to host. From my email relay I can ping and even telnet to any other port of any server on the internet, but when it comes to SMTP it gives me this error. Also, the same thing happens with the inside. The configuration hasn't changed. I also did a packet trace, which gave the result allowed across the board. Now I am really stuck and can't figure out what is going on. Here is my ASA config:
ASA Version 8.2(1)
!
hostname dspasa2
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.165 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.0.0.101 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_in extended permit tcp host 192.168.0.1 any log disable inactive
access-list inside_access_in extended permit udp host 192.168.0.1 any log disable inactive
access-list inside_access_in extended permit ip host 192.168.0.4 any log disable
access-list inside_access_in extended permit tcp host 192.168.0.5 any log disable
access-list inside_access_in extended permit udp host 192.168.0.5 any log disable
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp-data log disable
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp log disable
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 any log disable
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.0.0.100 eq 8445
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
access-list inside_access_in extended permit object-group TCPUDP host 192.168.0.201 host 81.80.56.164 log disable
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
access-list outside_access_in extended permit icmp any any log disable
access-list outside_access_in extended permit esp any any log disable
access-list outside_access_in extended permit ah any any log disable
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host X.X.X.161 eq smtp
access-list outside_access_in extended permit tcp any host X.X.X.161 eq 8445
access-list outside_access_in extended permit tcp any host X.X.X.161 eq https
access-list outside_access_in extended permit object-group TCPUDP any host X.X.X.164
access-list dspgroup_splitTunnelAcl standard permit any
access-list dspgroup_splitTunnelAcl_1 standard permit any
access-list dspgroup_splitTunnelAcl_2 standard permit any
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.128.0 255.255.192.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 172.18.2.0 255.255.255.192
access-list snimndb extended permit ip 192.168.0.0 255.255.255.0 192.168.198.0 255.255.255.0
access-list SPIL standard permit 192.168.0.0 255.255.255.0
access-list QOS extended permit ip 192.168.0.0 255.255.255.0 192.168.64.0 255.255.192.0
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit tcp host 10.0.0.100 any eq https
access-list dmz-in extended permit tcp host 10.0.0.100 any eq www
access-list dmz-in extended permit udp host 10.0.0.100 any eq domain
access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool VPNPOOL 10.10.10.1-10.10.10.20 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
static (outside,inside) 192.168.0.201 X.X.X.164 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.0.0 management
http 192.168.0.0 255.255.0.0 inside
snmp-server location DSP
no snmp-server contact
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address snimndb
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 1800
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 1800
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.64.0 255.255.255.0 inside
ssh 192.168.0.0 255.255.0.0 management
ssh timeout 60
console timeout 0
management-access inside
priority-queue outside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.0.4 source management
webvpn
group-policy dspgroup internal
group-policy dspgroup attributes
dns-server value 192.168.0.4 192.168.64.47
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPIL
default-domain value dsp.snim.com
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key *
tunnel-group RAPARIS type remote-access
tunnel-group RAPARIS general-attributes
address-pool VPNPOOL
default-group-policy dspgroup
tunnel-group RAPARIS ipsec-attributes
pre-shared-key *
!
class-map voix
match dscp ef
class-map IPS
match any
class-map QOS
match access-list QOS
class-map inspection_default
match default-inspection-traffic
class-map inspection_defautl
!
!
policy-map type inspect dns preset_dns_map
parameters
policy-map voix
class voix
priority
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class IPS
ips promiscuous fail-open
!
service-policy global_policy global
service-policy voix interface outside
prompt hostname context
Cryptochecksum:bb43480221ed20aafc3e397fd7432bc3
: end
Here is an output of the Packet Tracer:
dspasa2# packet-tracer input dmz tcp 10.0.0.100 234 173.194.79.26 25
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz-in in interface dmz
access-list dmz-in extended permit tcp host 10.0.0.100 any eq smtp
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map IPS
match any
policy-map global_policy
class IPS
ips promiscuous fail-open
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
match ip dmz host 10.0.0.100 outside any
static translation to X.X.X.161
translate_hits = 3540, untranslate_hits = 920
Additional Information:
Static translate 10.0.0.100/0 to 81.80.56.161/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) X.X.X.161 10.0.0.100 netmask 255.255.255.255
match ip dmz host 10.0.0.100 outside any
static translation to X.X.X.161
translate_hits = 3540, untranslate_hits = 920
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8470, packet dispatched to next module
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Please help.
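Every phase in the trace above returns ALLOW, which is why the ASA itself was not where this flow died. As an added example (not code from the thread), this Python parser walks packet-tracer output and reports the first phase that drops a packet together with the config lines it cites, so a trace that does drop can be pinned to its ACL or NAT rule at a glance; the sample trace embedded in it is constructed, not the original poster's output.

```python
# Constructed sample, not the thread's output: same layout, but the ACL phase drops it.
SAMPLE_DROP = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_trace(text):
    """Split packet-tracer text into per-phase dicts plus the trailing summary."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"type": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # a bare "Result:" opens the final summary block
            cur, section = None, "summary"
        elif cur is not None:
            key, _, val = line.partition(":")
            if key in ("Type", "Result"):
                cur[key.lower()] = val.strip()
            elif key in ("Config", "Additional Information") and not val:
                section = "config" if key == "Config" else "info"
            elif section and line:       # rule or note line under Config / Additional Information
                cur[section].append(line)
        elif section == "summary" and ":" in line:
            key, _, val = line.partition(":")
            summary[key.strip()] = val.strip()
    return phases, summary

def verdict(text):
    """First DROP phase with the config lines that caused it, else the allow verdict."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p["result"] == "DROP":
            return ("drop", p["type"], p["config"], summary.get("Drop-reason", ""))
    return ("allow", summary.get("output-interface", ""), [p["type"] for p in phases])
```

When a trace comes back all ALLOW, as here, the next place to look is a capture on the egress interface to confirm the SYN actually leaves and whether anything ever answers.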
09-22-2013 08:23 AM
Hi Mohamed,
Can you please post the full log message(s) which point(s) to the SMTP communication problem?
Also please get the SMTP captures at the dmz and outside:
capture dmz-smtp interface dmz match tcp host 10.0.0.100 any eq 25
capture out-smtp interface outside match tcp host X.X.X.161 any eq 25
Then initiate SMTP flow from the server and get the following:
show cap dmz-smtp
show cap out-smtp
---
Regards
Mashal Shboul
09-21-2013 04:21 PM
Hi,
I believe that you must edit your policy map and add the SMTP traffic to your default inspection.
policy-map global_policy
class inspection_default
inspect smtp
Because your DMZ is more trusted than the outside interface, I think you must include this type of traffic in the global inspection.
Take care man.
09-22-2013 04:29 AM
Thanks Antonio,
That didn't help, because I had it on before and removed it in case it was giving me trouble, along with an IPS class that I had under global_policy.
Thank you Antonio
09-22-2013 11:51 AM
Hi,
Can you try
inspect esmtp
09-23-2013 04:00 AM
Hello Everyone,
Thank you for all your help and replies. It ended up being my internet provider blocking the SMTP. I guess this is a good ASA config to have here as an example.
Thank you ALL