Can't Send or Receive Email from Exchange behind ASA 5510 with CSC SSM

scottkrueger
Level 1

We are upgrading from a Pix 515e to an ASA 5510 with CSC SSM. We cannot send outbound email or receive any email from the outside world. I have placed a call with Cisco Support with no luck. Here is a copy of my config. Any help would be appreciated.

show config

: Saved
: Written by enable_15 at 07:17:44.760 CST Wed Jan 18 2012
!
ASA Version 8.4(3)
!
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.XXX.XXX.XXX 255.XXX.XXX.XXX
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network obj-192.168.5.0
 subnet 192.168.5.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-192.168.9.2
 host 192.168.9.2
object network obj-192.168.1.65
 host 192.168.1.65
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.6.0
 subnet 192.168.6.0 255.255.255.0
object network obj-192.168.8.0
 subnet 192.168.8.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
 port-object eq pop3
 port-object eq smtp
object-group network Red-Condor
 description Email Filtering
 network-object host 66.234.112.69
 network-object host 66.234.112.89
object-group service NetLink tcp
 port-object eq 36001
object-group network AECSouth
 network-object 192.168.11.0 255.255.255.0
object-group service Email_Filter tcp-udp
 port-object eq 389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_0 tcp
 group-object Email_Filter
 port-object eq pop3
 port-object eq smtp
object-group network Exchange-Server
 description Exchange Server
 network-object host 192.168.1.65
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_1
access-list outside_access extended permit tcp any object obj-192.168.9.2
access-list outside_access extended permit icmp any any
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
access-list outside_access extended permit object-group TCPUDP object-group Red-Condor object-group Exchange-Server object-group Email_Filter
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.5.1-192.168.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
!
object network obj-192.168.9.2
 nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.65
 nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp
object network obj-192.168.1.0
 nat (inside,outside) dynamic interface
object network obj-192.168.2.0
 nat (inside,outside) dynamic interface
object network obj-192.168.3.0
 nat (inside,outside) dynamic interface
object network obj-192.168.6.0
 nat (inside,outside) dynamic interface
object network obj-192.168.8.0
 nat (inside,outside) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server isaconn protocol radius
aaa-server isaconn (inside) host 192.168.1.9
 timeout 5
 key XXXXXXX
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set AEC esp-des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca server
 shutdown
 smtp from-address admin@AEC2072.null
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate
  quit
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 208.66.175.36 source outside prefer
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class global-class
  csc fail-close
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous


Julio Carvajal
VIP Alumni

Hello Scott,

So the Exchange server IP is obj-192.168.1.65, NATted to 216.x.x.x:

object network obj-192.168.1.65

"nat (inside,outside) static 216.XXX.XXX.XXX no-proxy-arp"

The ACL says:

access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp

access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3

From which IP addresses are you trying to send traffic to the Exchange server?

Please do a packet-tracer and give us the output:

packet-tracer input outside tcp x.x.x.x (outside host IP) 1025 216.x.x.x 25

Regards,

Julio

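To show what the ACCESS-LIST phase of the packet-tracer Julio asks for would report, here is an added example (not from this thread and not Cisco code) that evaluates the outside_access entries from the posted config against a candidate inbound flow. It assumes ASA 8.3+ behaviour, where the inbound ACL is checked against the real (untranslated) destination address, and the config excerpt is copied from the question.

```python
import ipaddress

# Constructed excerpt of the question's config: only the objects and
# outside_access entries relevant to mail reach the Exchange server.
CONFIG = """
object-group network Red-Condor
 network-object host 66.234.112.69
 network-object host 66.234.112.89
object-group network Exchange-Server
 network-object host 192.168.1.65
access-list outside_access extended permit tcp any object-group Exchange-Server eq https
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq smtp
access-list outside_access extended permit tcp object-group Red-Condor object-group Exchange-Server eq pop3
"""
PORTS = {"smtp": 25, "pop3": 110, "https": 443, "www": 80}

def parse(config):
    """Collect network objects/groups and TCP ACL entries (subset of ASA syntax)."""
    groups, acl, cur = {}, [], None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("object", "object-group") and t[1] == "network":
            cur = groups.setdefault(t[2], [])          # new object: collect members
        elif t[0] in ("host", "subnet", "network-object") and cur is not None:
            net = t[-1] if "host" in t else f"{t[-2]}/{t[-1]}"   # host or subnet+mask
            cur.append(ipaddress.ip_network(net))
        elif t[0] == "access-list" and t[3] in ("permit", "deny") and t[4] == "tcp":
            i, ends = 5, []
            for _ in range(2):                          # source then destination
                ends.append("any" if t[i] == "any" else t[i + 1])
                i += 1 if t[i] == "any" else 2
            port = int(PORTS.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
            acl.append((t[3], ends[0], ends[1], port, line.strip()))
    return groups, acl

def _matches(addr, spec, groups):
    return spec == "any" or any(addr in net for net in groups[spec])

def acl_lookup(src, dst, port, config=CONFIG):
    """Return (action, entry) for the first outside_access entry matching the TCP flow."""
    groups, acl = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sspec, dspec, p, text in acl:
        if _matches(s, sspec, groups) and _matches(d, dspec, groups) and p in (None, port):
            return action, text
    return "deny", "implicit deny at end of outside_access"
```

Only the two Red-Condor filter hosts are permitted to port 25 of the Exchange server; any other outside sender hits the implicit deny, which is what the packet-tracer output will make visible.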