
Email Traffic not Passed from outside to my DMZ interface

support.eng1
Level 1

Hello,

I have an ASA5512-FW, ASA Version 8.6(1)2.

I have 5 WAN IP addresses and I want to NAT my internal mail server to one of these IP addresses, e.g. 111.*.*.253; below is the relevant chunk of my ASA configuration.

Problem: I have taken a packet capture. It showed me that when my server sends requests from port 25 to any destination on port 25, the traffic passes through all the phases, but when I perform the reverse process it gets stuck at the NAT rule, subtype RPF, and is dropped.

interface GigabitEthernet0/1
 description **** Connected to SAP Server Segment / Adhoc Switch Port 6 ****
 nameif Secured-SAP
 security-level 70
 ip address 10.150.8.250 255.255.255.0
! (this interface contains the mail server)

interface GigabitEthernet0/5
 description **** Conneced to Tata Internet Ad-Hoc Switch Port 3 ****
 nameif outside
 security-level 0
 ip address 111.*.*.250 255.255.255.248

access-list Secured-SAP_access_in extended permit tcp 10.150.8.9 eq 25  tcp any eq smtp

access-list outside_access_in extended permit tcp any object 10.150.8.9 eq smtp

access-group Secured-SAP_access_in in interface Secured-SAP

access-group outside_access_in in interface outside

object network MAIL_Server_25
 nat (Secured-SAP,outside) static 111.*.*.253 service tcp smtp smtp

Thanks in advance.

Regards

Vineet Dwivedi

4 Replies

trdatta
Cisco Employee

Hi Vineet,

Can you please share the entire packet-tracer output?

Regards

Tripat Kaur

Hello Tripat Kaur,

Please find the attached txt file, which contains the packet-tracer logs.

Regards

Vineet Dwivedi

Hi Vineet,

The packet-tracer: InBisco-AHM-ASA5512-FW(config)#  pack in out tcp 202.*.*.30 25 10.150.8.14$

will not work, since you are running it against the internal IP address of the server, whereas running it against the public IP address gives accurate results.

Please mark the answer as correct if this answers your question.

Regards

Tripat Kaur

Hello Tripat Kaur,

I agree with your point, but you can also find the packet-tracer logs for public-to-public IP addresses; the traffic passes through all the phases without any drops, but we still can't send/receive mail.
