Can't telnet port 25 behind firewall

pemasirid
Level 1

Hi,

We are trying to telnet to port 25 (SMTP) on a remote Exchange server, which is outside the firewall, from a PC behind the firewall.

Firewall rules allow all ports from inside to outside (outbound traffic). We tried removing inspection of esmtp/smtp, still no luck.

When we ran the packet-tracer command it was allowed at every step with no issue, but when we check the service-policy (show service-policy global)

we could see some DNS drop packets increasing, so we changed the DNS message length, but we still cannot telnet to port 25 from behind the firewall.

When we captured packets to/from the SMTP server while telnetting to port 25 and viewed them in Wireshark, we could see "TCP port number reused" in the Info column (attached).

Can someone please advise us what exactly is causing this issue.

Thanks in advance.

15 Replies

mvsheik123
Level 7

Hi

Capture info - basically it tells that another TCP session started with the same ports that are being used in the trace.

It appears that the client keeps trying the connection. If you look at the packet trace, all you see is TCP SYN requests from client to server and nothing coming back from the server. Have you checked from the server end? Are the requests reaching the server?

Thx

MS 

Hello Mvsheik123,

Please create another capture on the ASA, but this one on the outside interface using the NATted IP; also create an ASP-drop capture.

capture asp type asp-drop all
show capture asp | include 212.130.21.44

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks for your reply. Sorry, I didn't understand why we need to create another capture on the outside interface using the NATted IP..?

We are just trying to telnet from behind the firewall to any public mail server (MX record) on port 25.

I just tried to capture asp-drop while telnetting, but it didn't give me any output..?

fw-dcz-cc4-cc3(config)# capture asp type asp-drop all
fw-dcz-cc4-cc3(config)# show capture asp | in 212.130.121.44
fw-dcz-cc4-cc3(config)#

Please note that we have two firewalls, one FWSM at the WAN edge and the other an ASA at the DC. I was trying the capture only on the ASA at the DC.

Thanks

Hello Sir,

The ASP capture is going to show us if the ASA, with the algorithm it uses, drops any packets, and we can see that there are no packets going to that destination being dropped by the ASA.

Now, regarding the capture on the outside: it is to see if the packets are traversing the ASA. If this internal server wants to access a host on the lower security level (outside), you will need to have a routable IP, right? You need to do the capture with that IP.

access-list capout permit tcp host inside_host_ip host 212.130.21.44 eq 25
access-list capout permit tcp host 212.130.21.44 eq 25 host inside_host_ip
capture capout access-list capout interface outside

Please rate helpful posts.

Regards,

Julio


Hello Julio,

Thanks for your quick response back..!

Now I understand the use of the ASP capture, and it is clear that the ASA is not dropping any packets destined to my SMTP server on the outside.

Regarding the other capture, I used exactly the same ACL to capture and I got the capture output which I attached initially. Further, I tried applying the capture to both the outside and inside interfaces, and I posted the capture applied to the outside interface.

Thanks..!

Hello Pemasirid,

So it seems like the NAT is not working, because we are seeing the packets with a private IP address instead of a public one. Do you have a NAT for that particular host trying to access the server on the outside?

Also, what version are you running?

Regards,

Julio


Hi Julio,

I have NATted the local IP address to a public IP address (static NAT), and I was able to telnet to the public (NATted) IP on port 25 and it was opening fine from outside. But when I tried from the inside server (local IP) to telnet (port 25) to any outside SMTP server, I can't telnet...? But on the DC firewall we have nat-control disabled.

If you look at the capture output you can see the local IP address is sending an SMTP SYN packet to the remote SMTP server.

We are using 8.2.2 on the DC firewall and the WAN FWSM is 4.0(12).

Hello Pemasirid,

The problem at this moment is that the host is not being NATted. As you state, that capture is taken on the outside, so it should show the global IP address instead of the embedded IP address.

So that is what we need to troubleshoot: why that host is not being NATted.

Can you provide your running configuration?

Regards,

Julio

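The two checks Julio asks for above (an outside-interface capture filtered on the NATted address, and then reading the source address in that capture) can be applied to the capture text itself. The following is an added example, not code from the thread or from Cisco: it parses lines in the style of ASA `show capture` output and reports the symptoms discussed here, a private source on the outside interface (NAT not applied), client SYNs with no SYN/ACK back, and repeated SYNs from one 4-tuple (what Wireshark shows as "TCP port numbers reused"). The sample capture is constructed; the IP addresses and the `PKT_RE` format are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of `show capture capout` on the ASA outside
# interface. The packets are made up for this example, not from the thread.
SAMPLE_CAPTURE = """\
   1: 10:12:01.123456 10.20.30.40.51234 > 212.130.21.44.25: S 100:100(0) win 8192
   2: 10:12:04.123890 10.20.30.40.51234 > 212.130.21.44.25: S 100:100(0) win 8192
   3: 10:12:10.124001 10.20.30.40.51234 > 212.130.21.44.25: S 100:100(0) win 8192
"""

# Assumed line layout: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <rest>".
# Lines with extra fields (e.g. 802.1Q tags) will not match and are skipped.
PKT_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn capture lines into dicts; lines that do not match are ignored."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            # tcpdump-style output marks a SYN/ACK as flag S plus an "ack" field.
            d["syn_ack"] = "S" in d["flags"] and "ack" in d["rest"].split()
            pkts.append(d)
    return pkts


def diagnose(pkts, svc_port=25):
    """Return sorted finding codes for an outside-interface capture of a TCP service."""
    findings = set()
    syns = [p for p in pkts if p["dport"] == svc_port and "S" in p["flags"] and not p["syn_ack"]]
    for p in syns:
        # A private source seen on the outside interface means the host was not
        # translated, so the remote server has no routable address to reply to.
        if ipaddress.ip_address(p["src"]).is_private:
            findings.add("PRIVATE_SRC_ON_OUTSIDE")
    if syns and not any(p["sport"] == svc_port and p["syn_ack"] for p in pkts):
        findings.add("NO_SYN_ACK")
    # Repeated SYNs from one 4-tuple are what Wireshark flags as "port numbers reused".
    tuples = Counter((p["src"], p["sport"], p["dst"], p["dport"]) for p in syns)
    if any(n > 1 for n in tuples.values()):
        findings.add("SYN_RETRANSMITS")
    return sorted(findings)
```

Running `diagnose(parse_capture(SAMPLE_CAPTURE))` on the constructed sample reports all three codes, which is the pattern this thread describes; a healthy capture shows a public source and a SYN/ACK from port 25 and yields no findings.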

Hello Julio,

Let me thank you again for your interest and for replying to my issue..!

As I mentioned earlier in the thread, we have two firewalls. The ASA 5580 (ver 8.2.2) is in the data center; it has no NAT configured, as it is not facing the internet, so nat-control is disabled. The other firewall is at the WAN edge, an FWSM (ver 4.0(12)), where all our NAT/PAT is configured, as it is the internet-facing firewall and users go through it to reach the internet.

We have three servers behind the DC firewall. These three servers are NATted to three public IPs on the WAN FWSM, with some ports allowed including SMTP (25). Currently none of our PCs, including these three servers, can telnet to any outside SMTP server (e.g. gmail.com) on port 25.

When I did a capture on the DC firewall, I could see the SMTP request going to the outside server I am telnetting to, but no response back. The capture was applied to both the inside and outside interfaces and gave the same result. So I am not sure which NAT you are referring to now..?

When I checked a capture on my WAN firewall (FWSM), I could not see any traffic hitting the outside interface (no capture output), but I could see some capture output when I applied it to the inside interface on the FWSM (it is the same capture output I am seeing on the DC firewall inside interface).

I am also seeing some DNS packet drops when I run "sh service-policy global". I changed some DNS message length settings but still see those drop packets; I am not sure whether this has something to do with the SMTP issue...?

For your reference I am attaching both firewall configurations. For security reasons I have only included the required configuration; the public NATted IP addresses I used for NAT are 78.100.xx.xx1, 78.100.xx.xx2, 78.100.xx.xx2.

Please feel free to ask me if you have any doubts about the configurations.

Thanks

Hi MS,

Thanks for your reply. Actually, when we telnet to the same IP on port 25 from a different network it works fine. Another funny thing is that only one Windows XP client is able to telnet to the same IP address on port 25 from behind the firewall in the network in question..

You mean the connection is working from one PC in the network, and when you try to access from another PC in the same network it is not working. Is that the case?

Yes, it works for only one Windows XP machine: when you telnet to any outside SMTP server on port 25 it opens, but we tried with other OSes like Win7, Vista and also other Windows XP machines and it didn't work..?

I think your post was not complete; it seems you started writing and didn't finish it..

I was asking for the infrastructure setup/configs, but you posted them already. So, it is..

PCs --> ASA5580 (no NAT) --> MPLS --> Core SW with servers and FWSM module.

PCs (except one) are unable to access servers on the Core SW or any internet-based servers on port 25, and the same is the case with the server on the FWSM. Is this correct?

Thx

MS

Hello MS,

Thanks for your post. Yes, your assumption is correct. Any PC/server (except one XP client) behind the ASA5580 cannot telnet to the SMTP port outside on the FWSM.

Do you have any thoughts..?