06-01-2011 08:12 PM - edited 03-11-2019 01:41 PM
Last night I switched out our old Cisco PIX 515 with an ASA 5505. The config is the same, and internet and outgoing mail are working, but no mail is coming in. Below is a copy of my config. Any help would be greatly appreciated on why my inbound mail is not coming in.
------------------------
smtp 192.168.51.248 (Barracuda email filter)
pop3 192.168.50.11 (exchange server)
--------------------------------------------------------------
Tried to telnet into the firewall, but the connection timed out. Went to MXToolbox and that also timed out while trying to connect to SMTP. The port scan from MXToolbox timed out on all ports too.
--------------------------------------------------------------
ciscoasa(config)# show run
ASA Version 8.2(1)
hostname ciscoasa
enable password w75RP0QSey3ak6rf encrypted
passwd w75RP0QSey3ak6rf encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.5 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 66.xxx.xx.xx 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list vpntunnel extended permit ip 192.168.50.0 255.255.255.0 10.xxx.xx.xx 255.255.0.0
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 xxx.xx.xx 255.255.0.0
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq h323
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq https
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq www
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq 8080
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq www
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq https
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq www
access-list in_outside extended permit tcp any host 66.xxx.xx.xx https
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq smtp
access-list in_outside extended permit tcp any host 66.xxx.xx.xx eq pop3
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool dhpool 10.168.40.1-10.168.40.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 66.xxx.xx.xx smtp 192.168.51.248 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.xxx.xx.xx pop3 192.168.50.11 pop3 netmask 255.255.255.255
static (inside,outside) tcp 66.xxx.xx.xx https 192.168.50.11 https netmask 255.255.255.255
static (inside,outside) tcp 66.xxx.xx.xx www 192.168.50.11 www netmask 255.255.255.255
static (inside,outside) 66.xxx.xx.xx 192.168.50.7 netmask 255.255.255.255
static (inside,outside) 66.xxx.xx.xx 192.168.50.108 netmask 255.255.255.255
access-group in_outside in interface outside
route outside 0.0.0.0 0.0.0.0 66.xxx.xx.xx 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.128 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.128 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.128 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.128 192.168.50.1 1
route inside 192.xxx.xx.xx 255.255.255.0 192.168.50.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.50.13
key xxxxx
aaa-server partnerauth (inside) host 192.168.50.7
key xxxxx
http server enable
http 192.168.50.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set 3desmap esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set 3desmap
crypto map dhmap 65535 ipsec-isakmp dynamic dynmap
crypto map dhmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 50
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy hdvpn internal
group-policy hdvpn attributes
dns-server value 192.xxx.xx.xx 192.xxx.xx.xx
vpn-idle-timeout 200
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntunnel
tunnel-group hdvpn type remote-access
tunnel-group hdvpn general-attributes
address-pool dhpool
authentication-server-group partnerauth
default-group-policy hdvpn
tunnel-group hdvpn ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:5b5b7c30645a5238058efcebac23f42a
06-01-2011 08:26 PM
Hi,
Is the MX record pointing to the Barracuda or directly to the SMTP server? What most customers do is have all the inbound mail traffic inspected first by the Barracuda so it can then be sent to the mail server. Is that your scenario? If it is, I don't see any translations for the Barracuda, nor a route to get to it.
Let me know how the Barracuda fits into this scenario.
Cheers.
Mike
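The point Mike raises, whether the ASA actually has a path to the real (inside) address behind each static, can be checked mechanically. The script below is an added example written for this thread, not code from either poster or from Cisco. Because the posted config masks its addresses (66.xxx.xx.xx, 192.xxx.xx.xx), it runs against a constructed config in the same ASA 8.2 syntax with assumed stand-in values; the reader would paste their own running config in its place. For each static translation it checks that the real address is either on the real interface's connected subnet or covered by a route out of that interface, and reports the ones that are neither.

```python
import ipaddress

# Constructed sample in the style of the ASA 8.2 config posted above. The post
# masks its addresses (66.xxx.xx.xx, 192.xxx.xx.xx), so these values are assumed
# stand-ins chosen to give the check something concrete to evaluate.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.5 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.0.0.2 255.255.255.248
static (inside,outside) tcp 66.0.0.2 smtp 192.168.51.248 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.0.0.2 pop3 192.168.50.11 pop3 netmask 255.255.255.255
static (inside,outside) 66.0.0.3 192.168.50.7 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 66.0.0.1 1
route inside 192.168.60.0 255.255.255.0 192.168.50.1 1
"""


def parse_config(text):
    """Pull out the three things the reachability check needs from an
    ASA 8.2-style running config: connected subnets per nameif, static
    routes, and static (pre-8.3 syntax) translations."""
    interfaces = {}   # nameif -> directly connected ip_network
    routes = []       # (nameif, ip_network, next_hop)
    statics = []      # (real_if, mapped_if, mapped_ip, real_ip)
    current = None    # interface block currently being parsed
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            current = {"name": None, "net": None}
        elif t[0] == "nameif" and current is not None:
            current["name"] = t[1]
        elif t[:2] == ["ip", "address"] and current is not None:
            current["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "route":
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "static":
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):      # port static: proto mapped_ip port real_ip port
                mapped_ip, real_ip = t[3], t[5]
            else:                            # one-to-one static: mapped_ip real_ip
                mapped_ip, real_ip = t[2], t[3]
            statics.append((real_if, mapped_if, mapped_ip, real_ip))
        if current and current["name"] and current["net"]:
            interfaces[current["name"]] = current["net"]
    return {"interfaces": interfaces, "routes": routes, "statics": statics}


def unreachable_statics(text):
    """Return (real_ip, real_if) for every static whose real address is
    neither on the real interface's connected subnet nor covered by a route
    out of that interface: the ASA will accept the inbound SYN for the mapped
    address but has no inside-facing path on which to forward it."""
    cfg = parse_config(text)
    findings = []
    for real_if, _mapped_if, _mapped_ip, real_ip in cfg["statics"]:
        addr = ipaddress.ip_address(real_ip)
        connected = cfg["interfaces"].get(real_if)
        if connected is not None and addr in connected:
            continue
        if any(ifname == real_if and addr in net for ifname, net, _gw in cfg["routes"]):
            continue
        findings.append((real_ip, real_if))
    return findings


if __name__ == "__main__":
    for real_ip, real_if in unreachable_statics(SAMPLE_CONFIG):
        print(f"static real address {real_ip}: no connected subnet or route on {real_if}")
```

In the constructed config the SMTP static points at 192.168.51.248, which is off the inside /24 and not covered by the one inside route, so it is the single finding; the POP3 and one-to-one statics on 192.168.50.x pass. A route to the Barracuda's subnet is necessary but not sufficient: the L3 device in front of the Barracuda also has to send the return traffic back through the ASA, which this static check cannot see.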
06-01-2011 08:34 PM
All incoming traffic goes to the firewall, and then a route in the firewall directs the mail traffic:
static (inside,outside) tcp 66.xxx.xx.xx smtp 192.168.51.248 smtp netmask 255.255.255.255 (Barracuda email filter)
The Barracuda then filters the mail and sends it to the Exchange server.
This is the way I had it set up on the PIX 515 firewall, and it worked, so I copied the config.
06-01-2011 08:48 PM
Hi,
Is the scenario something like this?
Barracuda-------L3Device----------ASA----------Internet-Cloud
                    |
                Mail Server
If so, and if the Barracuda starts a brand new connection to the mail server to deliver the mail, the SYN packet of that connection will go directly to the mail server; then the mail server will send the SYN-ACK to the ASA, and the ASA will drop the packet.
Can you collect the logs so I can confirm this theory? You should see something like: deny TCP (no connection) from inside 192.168.51.248 to inside 192.168.50.x flags SYN-ACK on interface inside, or, failing that, discard tcp session... bla bla...
Gather the logs to see if you get any of those.
Mike
06-02-2011 11:00 AM
What command do I use to enable logging, and then to show the log?
06-02-2011 11:25 AM
Hello,
If you have ASDM, that would be great; you will just need to go to Monitoring -> Logging -> Enable -> View. In case you want to do it via the CLI, you will need to enter logging buffered 7, then logging on.
To show the logs, that would be show log | inc
Cheers
Mike
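Once buffered logging is on at level 7, the two symptoms Mike describes show up as specific ASA message IDs: 106015 (Deny TCP (no connection)) for the SYN-ACK that arrives without a matching connection, and 302014 (Teardown TCP connection) with reason SYN Timeout when an inbound connection was built but the server's SYN-ACK never returned. The script below is an added example for this thread, not the posters' or Cisco's code; it parses constructed sample lines in those message formats (addresses, ports and connection IDs are assumed values, not from the thread) and summarises both signatures so the log can be checked for the asymmetric-routing theory above.

```python
import re
from collections import Counter

# Constructed sample lines in the ASA 302013 / 302014 / 106015 message formats.
# Addresses, ports and connection IDs are assumed values, not taken from the thread.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.10/52345 (203.0.113.10/52345) to inside:192.168.51.248/25 (66.0.0.2/25)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.10/52345 to inside:192.168.51.248/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-106015: Deny TCP (no connection) from 192.168.50.11/25 to 192.168.51.248/40123 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.50.11/25 to 192.168.51.248/40124 flags SYN ACK  on interface inside
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.7/443 to 192.168.50.77/51000 flags SYN ACK  on interface outside
"""

DENY_RE = re.compile(
    r"106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) duration \S+ bytes \d+ (?P<reason>.+?)\s*$"
)


def analyze(log_text):
    """Summarise two symptoms of a broken return path:
    - 106015 SYN-ACK drops on the inside interface: a reply to a SYN the ASA
      never saw, i.e. the forward packet bypassed the firewall (Mike's theory).
    - 302014 teardowns of inbound port-25 connections with 'SYN Timeout': the
      ASA built the translation but the server's SYN-ACK never came back."""
    asymmetric = Counter()
    syn_timeouts = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            flags = set(m["flags"].split())
            # Only SYN-ACKs seen on the inside interface count: both endpoints
            # live behind the ASA, so the forward SYN must have gone around it.
            if {"SYN", "ACK"} <= flags and m["iface"] == "inside":
                asymmetric[(m["src"], m["sport"], m["dst"], m["iface"])] += 1
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["reason"] == "SYN Timeout" and m["dport"] == "25":
            syn_timeouts.append((m["src"], m["dst"]))
    return {"asymmetric": asymmetric, "syn_timeouts": syn_timeouts}


def report(log_text):
    """One human-readable line per finding, returned rather than printed so
    the result can be checked programmatically."""
    r = analyze(log_text)
    lines = []
    for (src, sport, dst, iface), n in r["asymmetric"].items():
        lines.append(f"{n}x SYN-ACK from {src}/{sport} to {dst} dropped on {iface}: "
                     f"forward SYN never traversed the ASA")
    for src, dst in r["syn_timeouts"]:
        lines.append(f"inbound SMTP from {src} to {dst} timed out waiting for SYN-ACK")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the constructed sample the report has two lines: the mail server's SYN-ACKs to the Barracuda being dropped on inside (the signature of the Barracuda-to-Exchange SYN bypassing the ASA), and the inbound SMTP session from the internet that timed out on the handshake. The SYN-ACK on the outside interface is deliberately not flagged; a stray reply from the internet is not evidence of an inside routing problem. To use it for real, replace SAMPLE_LOG with the buffered log pulled from the ASA.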