ASA5510 how to open port 25

Edward Luna
Level 1

Hello

We have an ASA5510 that we need to open port 25 to allow mail traffic to our internal Exchange server.

We have 2 interfaces defined... one named Internal on eth0/3 ip 10.1.x.x and one named Internet on eth 0/0 ip 96.56.x.x

We followed the instructions in ASDM for allowing access to a public server but confusion over definitions have stopped us.

ASDM asks for the internal interface and the internal server IP... no problem there because the internal interface and server have two different IP addresses.  The Internal interface is eth 0/3 (10.1.1.1) and the server is 10.1.1.2.

However, when we get to the External interface (eth 0/1) there is only a single IP address 96.56.x.x but the ASDM asks for an Interface IP and the IP people would use to get to the mail server from the outside.  Inasmuch as we have only 1 external IP address (which connects to our upstream Cisco router which in turn connects to the ISP modem) we used the same IP for both but the ASDM returns an error indicating they must be different.

Apparently we do not have a clear understanding of what the ASDM is actually asking for.  When the ASDM asks for the external interface, we assumed it was asking for the named value we gave the interface (which is Internet).  The named value "Internet" has an IP associated with it, 96.56.x.x.  But when the ASDM asks for the IP people on the outside would use to get to the mail server, we created a named value called "mail server" and gave it the same IP address as the external named value.  This duplication of IP address causes the ASDM to return the error stating that the external interface to be used and the external IP to be used cannot be the same.

Have we made an error when we assumed that when the ASDM asked for the external interface it meant the ip of the external interface or was it asking for the eth number (as in eth 0/0) for the interface? 

Thanks  

33 Replies

Well... I've tried just about everything I can think of and nothing I do will allow me to access my mail server from the outside.

When I telnet in from the inside network I get a response of  220 followed by the name of the server and the domain, also the date and time are displayed.

When I telnet in from the outside (with a PC on the same subnet as the external adapter of the asa) I get the same 220 response but instead of being followed by the server name and domain... I get two lines of asterisks.  *******************

Three days down and I still don't know if the problem is in the asa5510 or the server itself.  Tomorrow morning I am going to remove the asa5510 and replace it with a known good Linksys router.  If I can access the server through the Linksys then I'll know the problem is in the asa, but if I still can't access the server from the outside then I'll know it is something in the server configuration.

I'll post my results.

Thanks for all the help.

Ed

I removed the ASA5510 and substituted a Linksys router... with that the external email began to work fine, so we can assume the problem is in the configuration of the ASA5510.

With the ASA5510 connected... when I telnet into the mail server I get a 220 response followed by 2 lines of asterisks.

With the Linksys connected in place of the ASA5510... when I telnet into the mail server I get the same 220 response but with two lines of readable text that identifies the server by name and URL.

I don't know if that is significant, but it is the only difference I have noticed other than the fact that external access to the mail server works through the Linksys router but doesn't work through the ASA.

What else should I look for in the ASA configuration?  Do you need me to post the run config again?

Thanks

Ed

I got it working.

I'm not certain exactly what did it because I added several changes all at once.

Note: we had already created the smtp access-list and static route entries.

I added the following to the access-lists.

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq telnet

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq https

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq www

access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq 987

I added the following static routes.

static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

static (Internal,Internet) tcp interface telnet 10.1.1.2 telnet netmask 255.255.255.255

static (Internal,Internet) tcp interface www 10.1.1.2 www netmask 255.255.255.255

static (Internal,Internet) tcp interface https 10.1.1.2 https netmask 255.255.255.255

After the additions above, the external email started working.

Thanks to everyone for all the help.

Ed
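For readers assembling the same setup, the following is a consolidated editorial example of the pieces a pre-8.3 ASA needs to publish port 25 to an internal Exchange server; it is added here and is not Ed's running config or Cisco's documentation. It reuses the interface names (Internal, Internet), the outside address 96.56.127.171, the server address 10.1.1.2 and the ACL name Internet_access_in from the thread. The access-group binding, the inspection stanza, the verification commands and the constructed source address 203.0.113.5 are assumptions about a typical configuration of that release, not something the thread shows.

```cisco
! Static PAT: map TCP/25 on the outside interface address to the Exchange server.
! Pre-8.3 syntax, matching the thread; the Internet interface carries 96.56.127.171.
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

! Inbound ACL on the outside interface: permit SMTP only, to the translated address.
! Only ports actually served to the public belong in this list.
access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp

! The ACL does nothing until it is bound to the interface; a missing access-group
! is a common reason a correct static plus a correct ACL still fails (assumed step).
access-group Internet_access_in in interface Internet

! The default global policy inspects ESMTP and, among other things, replaces the
! server banner text after "220" with asterisks as seen from the outside.
! That masking is expected behaviour of the inspection, not a sign the server
! is unreachable (assumed to be the default policy on this box).
policy-map global_policy
 class inspection_default
  inspect esmtp

! Verification from the ASA CLI (assumed commands, run after the change):
! simulate an outside host (203.0.113.5 is a constructed example address)
! reaching the mail server, then check ACL hit counts and the live translation.
packet-tracer input Internet tcp 203.0.113.5 12345 96.56.127.171 25
show access-list Internet_access_in
show xlate | include 10.1.1.2
```

The packet-tracer output walks each phase (ACL, NAT, inspection) and names the first one that drops the packet, which separates a firewall problem from a server problem without swapping hardware. From a risk standpoint, the thread's final ACL also admits telnet and the web ports from any source to the same host; only SMTP is required for mail delivery, and each additional inbound port widens the surface exposed to the Internet and should be justified on its own (OWA over HTTPS, for example).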

Hi Ed,

Good to hear that you got things working for you; looks like you need ports open for connecting to OWA etc.

Enjoy!

Manish
