Cisco ASA 5510, SMTP Access Issue

NickTuppack
Level 1

Hi,

I'm having an issue trying to open port 25 on our Cisco ASA 5510, version 9.1(2). When a wire tap is placed on the outside port between the ASA and the internet, we get hits in Wireshark when a port 25 trace from http://www.yougetsignal.com/tools/open-ports is run. No hits or activity show up in the debug log in ASDM, even when filtering is applied.

Problem is we cannot open port 25 traffic from the outside network to the inside network so that SMTP mail can flow to the Exchange server *.102. Mail can go from the inside network to the outside network and out to the internet with no problems (internal being the most trusted, obviously).

Please find attached the config for the ASA. I have replaced the company name/domain with "ourcompanyname", our public IP with "ourpublicIP", our ISP with "OurISP" and our internal IPs with *.*.*.* for sanitisation reasons.

Any help would be greatly appreciated.

Cheers

5 Replies

Marvin Rhoads
Hall of Fame

You have an incoming rule allowing smtp to the outside interface and a nat after-auto rule for the mail server.

You need instead an object NAT for the mail server and an incoming rule allowing SMTP to that static natted address.

If you use ASDM, you can add this all via the "public servers" dialog box. (Configuration, Firewall, Public servers)

Thanks for the speedy reply, Marvin, it's greatly appreciated. So, looking at configuring the public server through ASDM, I have tried the following:

Private Interface - Inside

Private IP Address- I have inserted the private IP of the Exchange server

Service- SMTP

Public Interface- Outside

Public IP- I have inserted the static IP that our ISP has provided.

Trouble is that our outside interface and our public IP are the same. The ASA will not allow these to be the same. What is the best practice for this?

Thanks for your help on this BTW, my ASA experience is very very limited.

Cheers

You need to do port forwarding on the ASA's outside interface ip for port 25 to be able to achieve the desired objective.

Modify the following statement (remove the redundant "destination eq smtp" from it):

object service smtp

  service tcp source eq smtp

Also, remove this nat config from the ASA:

no nat (inside,outside) after-auto source static mail.ourcompany.com mail.ourcompany.com destination static ourcompany.com ourcompany.com service smtp smtp

& add the following config to the ASA:

nat (inside,outside) source static mail.ourcompany.com interface service smtp smtp

access-list outside_access_in extended permit tcp any object mail.ourcompany.com eq smtp

Check and see if it helps.

Hi Amitaaga,

Thank you so much for your help, you have really saved me on this one. Here is what I did:

Deleted

object service smtp

service tcp source eq smtp destination eq smtp

Added

object service smtp

service tcp source eq smtp

Deleted

access-list outside_access_in extended permit object smtp any interface outside

Added

access-list outside_access_in extended permit object smtp any interface outside

access-list outside_access_in extended permit tcp any object mail.ourcompany.com eq smtp

Deleted

nat (inside,outside) after-auto source static mail.ourcompany.com mail.ourcompany.com destination static ourcompany.com ourcompany.com service smtp smtp

Added

nat (inside,outside) source static mail.ourcompany.com interface service smtp smtp

Changed Destination ports on SMTP Service Object

From 25

To default (1-65535)

OK so now that I have mail routing in through port 25, how can I configure OWA access through https?

We are using a 2013 Exchange server and I wish for users to connect to the server without having to turn on the VPN.

Cheers

Nick
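For reference, here is the object NAT form of the same port forward that Marvin mentions but the thread never spells out, extended to the HTTPS/OWA case Nick asks about at the end. This is an added example, not config posted by anyone in the thread; the object names (MAIL_SERVER, MAIL_SERVER_SMTP, MAIL_SERVER_HTTPS), the placeholder host address 10.0.0.102 and the outside test address 203.0.113.5 are assumptions standing in for the sanitised values. It uses the ASA 9.1 syntax the thread is about: post-8.3 access lists match the real (untranslated) server address, one network object per published port because an object can carry only one nat statement, and the outside interface address is the mapped address, which is the case ASDM's Public Servers dialog refuses to accept.

```cisco
! Added example for ASA 9.1(2); names and addresses are placeholders, not from the thread.
! Real address of the Exchange server (substitute the actual *.102 host)
object network MAIL_SERVER
 host 10.0.0.102
!
! Object NAT, static PAT: inside 10.0.0.102:25 is reachable as <outside interface IP>:25.
! "interface" reuses the outside interface address, so no separate public IP is needed.
object network MAIL_SERVER_SMTP
 host 10.0.0.102
 nat (inside,outside) static interface service tcp smtp smtp
!
! Same pattern for OWA: publish only 443, not the whole host.
object network MAIL_SERVER_HTTPS
 host 10.0.0.102
 nat (inside,outside) static interface service tcp https https
!
! Inbound rules reference the real address (post-8.3 behaviour) and only the published ports.
access-list outside_access_in extended permit tcp any object MAIL_SERVER eq smtp
access-list outside_access_in extended permit tcp any object MAIL_SERVER eq https
access-group outside_access_in in interface outside
!
! Verification: confirm the translation exists, the ACL has hit counts, and a simulated
! inbound SMTP connection from an outside host is allowed and translated.
show nat detail
show access-list outside_access_in
packet-tracer input outside tcp 203.0.113.5 40000 ourpublicIP 25
```

In the packet-tracer output, look for the NAT phase showing 10.0.0.102/25 as the translated destination and an ACCESS-LIST phase with result ALLOW; a DROP in the ACCESS-LIST phase with the NAT phase correct is the symptom of an ACL still written against the interface address rather than the real server object. Keep the access list limited to the two published ports; a rule permitting any port to the server, or an object without the service keyword (one-to-one NAT of the whole host), exposes every service on the Exchange box rather than just SMTP and OWA.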
