Exchange server behind 5515X

michael1467 (Level 1)

Hello,

I have an ASA 5515-X and it has been working OK up to now. I have now set up an Exchange server on my private network. I have an AnyConnect VPN set up and it works great.

I have followed all the examples of how to set up mail routing, but no matter what I do, port 25 is not open. Before, I had a PIX 515 and it worked OK. I tried port forwarding and 1-to-1 NAT and nothing is working.

I need to have ports 25, 80, and 443 open only for SMTP, web, and OWA. Below is an abbreviated copy of the running config.

I used the CLI and ASDM to build a config, but nothing works. I know I am missing something somewhere. Any help showing what is missing would be appreciated. I even moved the server's NIC to the public IP and it worked, so the ISP and server are ruled out.

 

-----------------------------------------------

The ASA has its own dedicated public IP and the mail server has its own unique public IP.

ASA Public IP addr = XXX.XXX.XXX.169

Mail Srvr Public IP = XXX.XXX.XXX.170

!
interface GigabitEthernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.169 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
! VPN object (the VPN works perfectly)
object network NETWORK_OBJ_192.168.6.0_28
 subnet 192.168.6.0 255.255.255.240
!
! This is for the mail server
object network obj_192.168.10.42
 host 192.168.10.42

 

access-list inbound extended permit icmp any any
access-list inbound extended permit esp any any
access-list inbound extended permit tcp any any eq pptp
access-list inbound extended permit icmp any any echo
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit udp any any eq isakmp
access-list inbound extended permit ah any any
access-list inbound extended permit gre any any

access-list inbound extended permit tcp any host XXX.XXX.XXX.170 eq www
access-list inbound extended permit tcp any host XXX.XXX.XXX.170 eq smtp
access-list inbound extended permit tcp any host XXX.XXX.XXX.170 eq https

access-list inbound extended deny ip any any

 

! NAT exemption (identity NAT) for traffic to the AnyConnect pool
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.6.0_28 NETWORK_OBJ_192.168.6.0_28 no-proxy-arp route-lookup
!
! Object NAT for the mail server: 192.168.10.42 <-> XXX.XXX.XXX.170, TCP/25 only
object network obj_192.168.10.42
 nat (inside,outside) static XXX.XXX.XXX.170 service tcp smtp smtp
!
! Dynamic PAT to the outside interface address for everything else
nat (inside,outside) after-auto source dynamic any interface
!
access-group inbound in interface outside
access-group inside_access_in in interface inside

 

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect dns preset_dns_map dynamic-filter-snoop
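Editor's note with an added example; this is not the poster's config and not from the reply. Three things are visible in the posted config that matter here. First, on ASA 8.3 and later an interface ACL matches the real (inside) address, not the mapped public address; the posted "inbound" ACL permits "host XXX.XXX.XXX.170", which is the mapped address, so after un-NAT nothing matches it. The PIX 515 and pre-8.3 ASA code matched the mapped address, which is why the same approach used to work. Second, the object NAT translates only TCP/25, while the ACL also expects 80 and 443 on the same public address. Third, 192.168.10.42 is not on the inside subnet 192.168.5.0/24, so the ASA needs a route to it (or the host address is a typo). The object names, the 192.168.5.254 next hop and the 203.0.113.10 test source below are assumptions for illustration.

```cisco
! Added example, not the poster's running config.
!
! Only needed if the server really is on 192.168.10.0/24 behind an inside
! router; 192.168.5.254 is an assumed next hop. If the server is actually on
! 192.168.5.0/24, drop this line and correct the host address instead.
route inside 192.168.10.0 255.255.255.0 192.168.5.254
!
! An object carries a single NAT statement, so to publish three ports on one
! public address use one object per port. (Alternative: a single full static
! NAT, "nat (inside,outside) static XXX.XXX.XXX.170", and let the ACL limit
! the ports; the per-port form exposes only the three services at the NAT
! layer as well.)
object network MAIL_SRV_SMTP
 host 192.168.10.42
 nat (inside,outside) static XXX.XXX.XXX.170 service tcp smtp smtp
object network MAIL_SRV_HTTP
 host 192.168.10.42
 nat (inside,outside) static XXX.XXX.XXX.170 service tcp www www
object network MAIL_SRV_HTTPS
 host 192.168.10.42
 nat (inside,outside) static XXX.XXX.XXX.170 service tcp https https
!
! Post-8.3 ACL: match the real address. Keep the existing VPN lines
! (isakmp, esp, ah, gre, pptp, icmp) above these; the final deny stays last.
access-list inbound extended permit tcp any host 192.168.10.42 eq smtp
access-list inbound extended permit tcp any host 192.168.10.42 eq www
access-list inbound extended permit tcp any host 192.168.10.42 eq https
access-list inbound extended deny ip any any
access-group inbound in interface outside
!
! Verification from the ASA CLI (203.0.113.10 is an arbitrary test source):
!   packet-tracer input outside tcp 203.0.113.10 40000 XXX.XXX.XXX.170 25
!     every phase should end in ALLOW; the UN-NAT phase must show 192.168.10.42
!     and the ACCESS-LIST phase must hit the "inbound" entry, not the deny.
!   show nat detail                      (untranslate_hits should increase)
!   show xlate | include 192.168.10.42
!   show conn address 192.168.10.42
```

Run packet-tracer once per published port; a drop in the ACCESS-LIST phase with the old ACL still in place is the signature of the mapped-versus-real address problem, while a drop in the ROUTE-LOOKUP phase points at the missing route.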

 

 

 

1 Reply

Hello Michael,

I had the same problem years ago; the solution was to remove the inspect esmtp line from the policy-map. I would suggest you remove inspect esmtp just to check whether this solves the problem.
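Editor's note with an added example, not part of either post. ESMTP inspection on the ASA rewrites parts of the SMTP dialogue: it can mask the server banner, it replaces commands it does not recognise with X's, and unless allow-tls is configured it removes STARTTLS, so TLS-protected SMTP and some Exchange verbs fail through it. That is what removing inspect esmtp works around. The check below tells inspection problems apart from NAT/ACL problems, and the policy-map shows a narrower alternative to switching inspection off; esmtp_map is an assumed name.

```cisco
! Added example, not the poster's config or the reply's.
!
! Check first, from a host on the Internet:
!   telnet XXX.XXX.XXX.170 25
! A banner such as "220 ********************" (asterisks instead of the
! hostname) means the session reaches Exchange and ESMTP inspection is
! rewriting it. "Connection refused" or a timeout means the packet never
! reached the server: look at NAT, the ACL and routing, not at inspection.
!
! What the inspection engine is doing to live sessions:
!   show service-policy inspect esmtp
!
! Narrower fix: keep the inspection, but allow TLS and stop masking the banner.
policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls action log
  no mask-banner
!
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp esmtp_map
!
! Or, as the reply suggests, disable ESMTP inspection entirely:
! policy-map global_policy
!  class inspection_default
!   no inspect esmtp
```

After either change, repeat the telnet test: the banner should now show the Exchange hostname, and "EHLO test" should list STARTTLS among the server's replies.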
