ā11-18-2011 07:09 AM - edited ā03-11-2019 02:52 PM
Hi,
We are trying to telnet port 25 (smtp) to remote Exchnage server which is outside of the firewall from a PC behind a firewall.
Firewall rules are allowed from inside to outside (outbound traffic) for all the ports. We tried removing inspection of esmtp/smtp still no luck.
when we did the packet-tracer command it allowed from every steps and has no issue, but when we check the service-policy, (show service-policy global)
we could see some dns drop packets increase then we change the dns message lenght but still can not telnet port 25 behind firewall.
When we capture packets to/from smtp server while telneting to port 25, and view from wireshark we could see the TCP port number reused appeared in the information colum. (attached).
Can some one please advise us what exactly causing this issue.
thanks in advance.
ā11-18-2011 10:40 AM
Hi
Capture info - Basically it tells that another tcp session started with the same ports that being used in the trace.
It appears that the client keep trying the connection. If you look at the packet trace, all you see is TCP/SYN request from cleint to server and nothing coming back from server. have you checked from server end? The requests are reaching the server?
Thx
MS
ā11-18-2011 01:53 PM
Hello Mvsheik123,
Please create another capture on the ASA but that one on the outside interface ussing the Natted Ip, also create an ASP-drop capture.
capture asp type asp-drop all
show capture asp | include 212.130.21.44
Regards,
Julio
ā11-18-2011 02:06 PM
Hi Julio,
thanks for your reply. sorry I didnt understand why we need to create another capture with outside interface using natted IP..?
We are just trying to telnet behind the firewall to any public mail servers (MX record) with the port 25.
I just tried to capture asp-drop while telneting, but it didnt give me any output..?
fw-dcz-cc4-cc3(config)# capture asp type asp-drop all
fw-dcz-cc4-cc3(config)# show capture asp | in 212.130.121.44
fw-dcz-cc4-cc3(config)#
fw-dcz-cc4-cc3(config)#
fw-dcz-cc4-cc3(config)#
Please note that we have two firewalls, one FWSM in WAN edge and other one is a ASA at DC. I was trying the capture only on ASA at DC.
thanks
ā11-18-2011 02:16 PM
Hello Sr,
The ASP capture is going to show us if the ASA with the algorithm it uses drops any packets, and we can see that there are no packets going to that destination being dropped by the ASA.
Now regarding the capture on the outside its to see if the packets are traversing the ASA, now if this internal server wants to access a host on the lower security level (outside) you will need to have a routable IP right? you need to do the capture with that IP.
access-list capout permit tcp host inside_host_ip host 212.130.21.44 eq 25
access-list capout permit tcp host 212.130.21.44 eq 25 host inside_host_ip
capture capout access-list capout interface outside
Please rate helpful posts.
Regards,
Julio
ā11-18-2011 02:22 PM
Hello Julio,
Thanks for your quick response back..!
Now i understand the use of ASP capture and its clear that ASA is not droping any packets destined to my smtp server in outside.
regarding other capture i use exactly the same ACL to capture and I got the capture output which i attached initially. Further I tried applying capture to both outside and inside interface and I posted the capture applied to outside interface.
thanks..!
ā11-18-2011 03:02 PM
Hello Pernasirid,
So seems like the nat is not working because we are seeing the packets with a private IP address instead of a public, do you have a nat for that particular host trying to access the server on the outside.
Also what version are you running.
Regards,
Julio
ā11-19-2011 02:23 AM
Hi Julio,
I have nated the local ip address to public ip address (static nat) and I was able to telnet to the public ip (nated) with the port 25 and it was opening fine from outside. But when I tried from the inside server (local ip) to telnet (port 25) to any outside smtp server i cant telnet...? but the DC firewall we have nat-control disable.
if you look at the capture output you can see the local ip address is sending smtp syn packet to remote smtp server
we are using 8.2.2 in DC firewall and WAN FWSM is 4.0(12)
ā11-19-2011 11:22 AM
Hello Pemasirid,
The problem at this moment is that the host is not being natted. As you state that capture is taken on the outside so it should be taken the global ip address instead of the embedded Ip address.
So that is what we need to troubleshoot, why that host is not being natted.
Can you provide your running configuration.
Regards,
Julio
ā11-19-2011 12:09 PM
Hello Julio,
Let me thank you again for your interest and replying to my issue..!
As I mentioned earlier in the thread,we have two firewalls, ASA 5580 (ver 8.2.2) is in the data center, that has no natting configured as facing the internet so nat-control is disabled. other firewall is in WAN edge which is FWSM (ver 4.0(12) where all our nat/pat configured as its a interent facing firewall and users are using it to go out for internet.
We have three servers which is behind the DC firewall. these three servers are nated with three public ip in WAN FWSM and allowed some ports including smtp (25). currently none of our PC including these three servers can not telnet any smtp servers outside (ie.gmail.com) with port 25.
When i did capture on DC firewall, i could see smtp request going to the outside server where im telneting but has no response back. Capture was applied to both inside and outside interface and got the same result. So im not sure which NAT you are refering to now..?
when I check capture on my WAN firewall (FWSM) I could not see any traffic hitting outside interface (no capure output) but i could see some capture output when i applied to inside interface on fwsm (its the same capture output which I'm seeing on DC fw inside interface).
I also seeing some dns packet drops when i give "sh service-policy global" then i change some dns message lenght but still see those drop packets, I'm not sure wether this has somthing to do with smtp issue...?
For your reference I'm attaching both firewall configuration, due to security reason I have only included the required configuration, the public NATED ip address which I used for nat is 78.100.xx.xx1, 78.100.xx.xx2, 78.100.xx.xx2.
Please feel free to ask me if you have any doubts on the configurations.
thanks
ā11-18-2011 01:56 PM
Hi MS,
thanks for your reply. Actually when we telnet to same ip with port 25 from different network it was working fine. Another funny thing is that only one windwos XP client is able to telnet to same ip address with port 25 behind the firewall in network in question..
ā11-18-2011 05:59 PM
You mean the connection is working from one pc in the network and when you try to access from another pc in the same network, it is not working. Is that case?
ā11-19-2011 01:44 AM
Yes, it works for only one windows XP machine when you telnet any outside smtp server with the port 25 it gets open, but we tried with other OS like Win7, Vista and also other Windows Xp but didnt work..?
I think your post was not completed and seems you started writing and didnt complete it..
ā11-21-2011 02:14 PM
I was asking for Infrastructure setup/configs but you posted them already. So, it is..
PCs --> ASA5580 (no nat) --> MPLS --> CORE SW with servers and FWSM module.
PCs (except one) unable to access Servers on Core Sw or any internet based servers via on port 25 and same case with Server on FWSM. Is this correct?
Thx
MS
ā11-21-2011 08:48 PM
Hello MS,
thanks for your post. Yes, your assumption is correct. Any PC/Servers (except 1 XP client) behind ASA5580 can not telnet to smtp port outside in FWSM.
Do you have any thought..?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide