
NAT , ASA 9.1

apapakons
Level 1

Hello,

                         Outside
                         ip: 10.7.128.172
                            |
   DMZ                      |
   IronPort   ----------   ASA
   10.2.129.95              |
                            |
                         Inside
                         Exchange Server
                         10.2.128.43

I wanted to migrate from an ASA 5520 (version 8.4.2) to an ASA 5515-X (version 9.1.3). The ASA is configured with the following interfaces: Inside, Outside and DMZ. In the inside zone I have the Exchange server and in the DMZ zone I have the Cisco IronPort, which relays the SMTP packets to the internal Exchange server.

With the 5520 I used the following commands and NAT worked perfectly:

object network CultexMail-1
 host 10.2.128.43
 nat (internal,outside) static 10.7.128.172 service tcp pop3 pop3

object network CultexMail-2
 host 10.2.128.43
 nat (internal,outside) static 10.7.128.172 service tcp www www

object network ironport
 host 10.2.129.95
 nat (dmz,outside) static 10.7.128.172 service tcp smtp smtp

etc.

 

After replacing the firewall with the new one I could receive emails, but I could not access the web interface of Exchange from outside and I could not send outgoing emails.

After adding the following commands I was able to access the web interface of my Exchange, but had no luck with sending outgoing emails:

object network ironport-test
 host 10.2.129.95
 nat (dmz,outside) dynamic 10.7.128.172

object network cultexmail-test
 host 10.2.128.43
 nat (inside,outside) dynamic 10.7.128.172

Do you have any idea how the NAT rules should be for this implementation (for Cisco ASA version 9.1)? Thank you.

 

 

Accepted Solution

Hi,

I guess you have an overlapping NAT rule. Can you check if any conflicting rule persists in your configs? Try getting the sh nat output and cross-verify.

 

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=35237, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

 

Regards

Karthik


23 Replies

I would first suggest that you change your NAT rules from dynamic to static, as you only have one IP.  Also you will need to specify ports that you are translating otherwise you will be NATing all ports to the one server and no other PC on the network will be able to reach the internet.

object network cultexmail-test
 host 10.2.128.43
 nat (inside,outside) static 10.7.128.172 service tcp http http

change this first, and then test.  Report back the results please.

--

Please remember to select a correct answer and rate helpful posts


Hello MariusGurrerud,

Initially, as you suggested, I used the static NAT rules with my new 5515 firewall. These are the same rules I have now on my Cisco 5520, where the mail servers work correctly:

 

// exempt WAN mail traffic from translation, because branches use the internal DNS server
nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL

// port forwarding: incoming smtp traffic to the ironport, the other protocols (http, https, imap) to the internal exchange server
nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

 

The result with the ASA 5515 version 9.1.3 was that I could get incoming mail but nothing else. I found an article on the web, "http://tsbraindump.blogspot.gr/2013/04/port-address-translation-and-nat-in.html", that proposed (as weird as it seems, with ASA 9.1) creating a dynamic NAT rule for outgoing mail traffic. Then I added the following rule to the above configuration:

object network cultexmail-test
 host 10.2.128.43
 nat (inside,outside) dynamic 10.7.128.172

 

After the addition of the above command I could access the Exchange server webpage, but I still cannot send mails from my internal Exchange to the outside (for example from my mail server to Yahoo mail).

 

 

 

 


Hello,

 

I do not see any difference between sh nat detail output and my configuration commands:

Manual NAT Policies (Section 1)

//exempt wan traffic from translation, because branches use the headquarters dns server to resolve addresses.
1 (outside1) to (lan_Servers) source static syzefxis_ranges syzefxis_ranges   destination static CultMAIL CultMAIL
    translate_hits = 7, untranslate_hits = 9
    Source - Origin: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32, Translated: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32
    Destination - Origin: 10.2.128.43/32, 10.2.128.72/32, Translated: 10.2.128.43/32, 10.2.128.72/32

//nat rules for site-to-site vpn-do not nat
2 (inside_data) to (outside1) source static NETWORK_OBJ_10.2.128.0_24 NETWORK_OBJ_10.2.128.0_24   destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.0/24, Translated: 10.2.128.0/24
    Destination - Origin: 192.168.15.0/24, Translated: 192.168.15.0/24

//disabled rule
3 (lan_Servers) to (outside1) source dynamic cultexmail extmail_ip   inactive
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32

 

//mail nat rules

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-2 10.7.128.172   service tcp www www
    translate_hits = 0, untranslate_hits = 7
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: www Mapped: www
3 (lan_Servers) to (outside1) source static Cultexmail-3 10.7.128.172   service tcp imap4 imap4
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: imap4 Mapped: imap4
4 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172   service tcp https https
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: https Mapped: https
5 (lan_Servers) to (outside1) source static Cultexmail-5 10.7.128.172   service tcp 135 135
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: 135 Mapped: 135
6 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp

 

The configuration of the ASA:

nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
nat (inside_data,outside1) source static NETWORK_OBJ_10.2.128.0_24 NETWORK_OBJ_10.2.128.0_24 destination static NETWORK_OBJ_192.168.15.0_24 NETWORK_OBJ_192.168.15.0_24 no-proxy-arp route-lookup
nat (lan_Servers,outside1) source dynamic cultexmail extmail_ip inactive
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
 nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

object-group network CultMAIL
 network-object object Cultexmail-1
 network-object object Cultexmail1
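Karthik's accepted answer asks for the `sh nat` output to be cross-verified for conflicting rules, and MariusGurrerud's first reply warned that a port-less dynamic rule on the single public IP competes with the port-specific static rules. The script below is an added example, not the poster's code and not Cisco tooling: it parses a `show nat detail` listing in the format posted above and reports inactive rules, mapped ports claimed by more than one rule, port-less rules that sit alongside port-specific ones for the same mapped address, and active rules that have never been hit. The embedded listing is constructed from the thread's addresses and object names, with a second smtp rule and a catch-all dynamic rule added so that both overlap conditions appear.

```python
"""Check Cisco ASA `show nat detail` output for overlapping NAT rules.

Added example, not the poster's code or Cisco tooling.  The listing below is
constructed in the format of the thread's `show nat detail` output (same
addresses and object names), with a second smtp rule and a catch-all dynamic
rule added so both kinds of overlap show up.
"""
import re
from collections import defaultdict

SAMPLE = """\
Manual NAT Policies (Section 1)
1 (lan_Servers) to (outside1) source dynamic cultexmail extmail_ip   inactive
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.2.129.27/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp
3 (dmz_webservers) to (outside1) source static ironport 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.129.95/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp
4 (lan_Servers) to (outside1) source dynamic cultexmail-test 10.7.128.172
    translate_hits = 12, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
"""

RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)(.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SRC_RE = re.compile(r"Source - Origin: (\S+), Translated: (\S+)")   # single-prefix rules only
SVC_RE = re.compile(r"Service - Protocol: (\S+) Real: (\S+) Mapped: (\S+)")


def parse_show_nat(text):
    """Return one dict per rule in the listing."""
    rules, cur = [], None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            cur = {"num": int(m[1]), "real_ifc": m[2], "mapped_ifc": m[3], "kind": m[4],
                   "obj": m[5], "inactive": "inactive" in m[7], "real_ip": None, "mapped_ip": None,
                   "proto": None, "real_port": None, "mapped_port": None,
                   "translate_hits": 0, "untranslate_hits": 0}
            rules.append(cur)
        elif cur is None:
            continue
        elif m := HITS_RE.search(line):
            cur["translate_hits"], cur["untranslate_hits"] = int(m[1]), int(m[2])
        elif m := SRC_RE.search(line):
            cur["real_ip"], cur["mapped_ip"] = m[1], m[2]
        elif m := SVC_RE.search(line):
            cur["proto"], cur["real_port"], cur["mapped_port"] = m[1], m[2], m[3]
    return rules


def find_overlaps(rules):
    """Report rules that compete for the same mapped address on an interface."""
    findings, groups = [], defaultdict(list)
    for r in rules:
        if r["inactive"]:
            findings.append(f"rule {r['obj']} is inactive and is ignored by the ASA")
        else:
            groups[(r["mapped_ifc"], r["mapped_ip"])].append(r)
    for (ifc, ip), group in groups.items():
        by_port = defaultdict(list)
        for r in group:
            if r["proto"]:
                by_port[(r["proto"], r["mapped_port"])].append(r)
        # two rules untranslate the same mapped port, possibly to different real hosts
        for (proto, port), rs in by_port.items():
            if len(rs) > 1:
                names = ", ".join(f"{r['obj']}({r['real_ip']})" for r in rs)
                findings.append(f"{ip} {proto}/{port} on {ifc} is mapped by {len(rs)} rules: {names}")
        # a port-less rule covers every port of the mapped IP next to port-specific ones
        for r in group:
            if r["proto"] is None and by_port:
                findings.append(f"{r['kind']} rule {r['obj']} maps all ports of {ip} on {ifc} "
                                f"alongside {len(by_port)} port-specific rule(s)")
    return findings


def unused_rules(rules):
    """Active rules with zero hits in both directions, worth a second look."""
    return [r["obj"] for r in rules if not r["inactive"]
            and r["translate_hits"] == 0 and r["untranslate_hits"] == 0]


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE)
    for f in find_overlaps(parsed):
        print("OVERLAP:", f)
    print("no hits yet:", ", ".join(unused_rules(parsed)))
```

Run it against a saved `show nat detail` by reading the file into `parse_show_nat` instead of `SAMPLE`; the hit counters are the quickest way to see which rule actually handled the inbound (untranslate) and outbound (translate) side of a flow, which is what the poster was watching during the migration.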

 

 

OK, I think I have at least one error in my configuration. I post the configuration of my current firewall:

(outside1) to (lan_Servers) source static syzefxis_ranges syzefxis_ranges   destination static CultMAIL CultMAIL
    translate_hits = 27799, untranslate_hits = 243
    Source - Origin: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32, Translated: 10.179.114.0/24, 10.179.115.0/24, 10.179.116.0/24, 10.179.117.0/24
    10.179.118.0/24, 10.179.119.0/24, 10.179.120.0/24, 10.179.121.0/24
    10.179.122.0/24, 10.179.123.0/24, 10.179.125.0/24, 10.179.115.174/32
    10.179.141.0/24, 10.179.142.0/24, 10.34.96.1/32, 10.34.96.2/31
    10.34.96.4/30, 10.34.96.8/29, 10.34.96.16/28, 10.34.96.32/27
    10.34.96.64/26, 10.34.96.128/25, 10.34.97.0/25, 10.34.97.128/26
    10.34.97.192/27, 10.34.97.224/28, 10.34.97.240/29, 10.34.97.248/30
    10.34.97.252/31, 10.34.97.254/32
    Destination - Origin: 10.2.128.43/32, 10.2.128.72/32, Translated: 10.2.128.43/32, 10.2.128.72/32

Auto NAT Policies (Section 2)
1 (lan_Servers) to (outside1) source static Cultexmail-1 10.7.128.172   service tcp pop3 pop3
    translate_hits = 9, untranslate_hits = 7257
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: pop3 Mapped: pop3
2 (lan_Servers) to (outside1) source static Cultexmail-2 10.7.128.172   service tcp www www
    translate_hits = 1, untranslate_hits = 5237
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: www Mapped: www
3 (lan_Servers) to (outside1) source static Cultexmail-3 10.7.128.172   service tcp imap4 imap4
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: imap4 Mapped: imap4
4 (lan_Servers) to (outside1) source static Cultexmail-4 10.7.128.172   service tcp https https
    translate_hits = 475, untranslate_hits = 167881
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: https Mapped: https
5 (lan_Servers) to (outside1) source static Cultexmail-5 10.7.128.172   service tcp 135 135
    translate_hits = 0, untranslate_hits = 3279
    Source - Origin: 10.2.128.43/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: 135 Mapped: 135
6 (dmz_webservers) to (outside1) source static CultEmailEDGE 10.7.128.172   service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 176491
    Source - Origin: 10.2.129.27/32, Translated: 10.7.128.172/32
    Service - Protocol: tcp Real: smtp Mapped: smtp

 

(CultEmailEDGE is not the IronPort.)

 

a) In NAT section 1 there is no second NAT rule for my site-to-site VPN, and this is right, because I do not use NAT or PAT to translate the addresses of my internal users to my ASA's outside interface address. So I do not have to exempt any traffic from 10.2.128.0 to 192.168.15.0. In addition, I have a mistake in this rule because the 10.2.128.0 network is on interface "lan_servers" and not "internal_users".

 

b) If you check again the above NAT rules of my current firewall, the rule for SMTP port forwarding forwards SMTP traffic to an old anti-spam server. We replaced this server with the Cisco IronPort. Our provider NATed the real address of the IronPort (10.2.129.95) to a public address (x.x.x.x). Afterwards we requested from our provider to change the MX records of our mail server mail.X.gr and add the public address of the IronPort with the same priority. If we request the MX records from a public server we see:

10(priority)       mail.X.gr(hostname) X.X.X.X (mail.public address)

(this X.X.X.X public address is translated to the 10.7.128.172 address. We want to do port forwarding with this address: X.X.X.X -> 10.7.128.172)

 

10(priority) ironport.x.gr(hostname) Y.Y.Y.Y (ironport public address)

(Y.Y.Y.Y is the public address of ironport, Y.Y.Y.Y->10.2.129.95)

 

The real question now is: do I need the last rule to port-forward any SMTP packet from 10.7.128.172 to my IronPort?

 

 

Yadhu Tony
Level 1

Also this document may shed some light https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Regards,

Yadhu Tony

http://yadhutony.blogspot.com

nkarthikeyan
Level 7

Hi,

 

Do you see any logs for NAT removal or some error messages related to NAT?

 

Because there is a bug which might be related to this issue.

CSCun95075 - ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule

 

Symptom:
Once a twice NAT rule with a service translation is added, other traffic on the interface may also be dropped with a reason of nat-no-xlate-to-pat-pool. This is expected behavior and more details can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/access_fwaaa.html#wp1331733

However, if the NAT rule references an object-group and that object-group is changed while the NAT rule is still configured, traffic may still be dropped even after removing the NAT rule.

Conditions:
All of the following conditions must be matched to see this issue:

1) The ASA is configured with a twice NAT rule that uses a service translation
2) The object-group referenced in the NAT rule is edited (i.e. a new network-object is added to it) while the NAT rule is still configured
3) The NAT rule is removed from the configuration

Workaround:
Reloading the ASA after the offending NAT rule is removed will resolve the issue.

 

Bug fixed in release: 9.1.5(1) or 9.1.2(100)

Regards

Karthik

Dear Karthik,

 

First of all thank you for your help. In my new firewall initially I had those rules:


nat (outside1,lan_Servers) source static syzefxis_ranges syzefxis_ranges destination static CultMAIL CultMAIL
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp pop3 pop3
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp www www
 nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp imap4 imap4
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp https https
 nat (lan_Servers,outside1) static 10.7.128.172 service tcp 135 135

 

I copied them from my old 5520 ASA firewall (version 8.4.2) together with my network objects. From my configuration, do you think that I may have a problem with this bug? I used ASA real-time logging at the migration time but did not see any weird logs about NAT, and I would like to add that with the command "sh nat detail" I could see the counts of "untranslate_hits" increasing for the right rules. This is correct, as I have NAT rules of type "nat (inside,outside)" and I had incoming traffic.

Seems to be the bug only as per my knowledge while looking at the issue.

Can you remove all the rules and the object-group once and restart the firewall? Then configure the object-group and NAT rules once again, and then try all the required access.

Either you can go with TAC case or you can try with next OS version which has the fixed release of this bug.

 

Regards

Karthik

Although this could be a bug (though I doubt it, since there is an email security appliance involved here), I would rule out the IronPort first before starting to remove configs and reload, etc.

--

Please remember to select a correct answer and rate helpful posts


Hi!

I finally tried the firewall with the new firmware version 9.2 and I was disappointed. The NAT did not work at all, either for incoming or outgoing flows. As I was advised, I left only the static NAT rules for the port forwarding of incoming flows. Even so, I could not send an outgoing email, I could not get an incoming email and I could not access the Exchange OWA. In addition I observed that Cisco changed the NAT rules a bit in version 9.2.

But this time I have logs and I have used the packet-tracer commands that you told me to use. So using:

asayppo# packet-tracer input lan_Servers tcp 10.2.128.43 12345 4.2.2.2 25 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b275070, priority=1, domain=permit, deny=false
        hits=609599, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=lan_Servers, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 10.7.128.169, outside1

Phase: 3
Type: ACCESS-LIST
Subtype: log  
Result: ALLOW
Config:
access-group lan_servers_list in interface lan_Servers
access-list lan_servers_list extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b993090, priority=13, domain=permit, deny=false
        hits=11859, user_data=0x7fff2430ab80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=73294, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b27cd60, priority=0, domain=inspect-ip-options, deny=true
        hits=28792, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2c67dbf0, priority=13, domain=dynamic-filter, deny=false
        hits=9911, user_data=0x7fff2c67d120, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2c682620, priority=12, domain=UNKNOWN:59, deny=false
        hits=10632, user_data=0x7fff2c6825c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=lan_Servers, output_ifc=any

Phase: 8
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips
 match access-list IPS
policy-map my-ips-policy
 class ips
  ips inline fail-open
service-policy my-ips-policy interface outside1
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff3034f1c0, priority=51, domain=ids, deny=false
        hits=19652, user_data=0x7fff3034d9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside1

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2c67b480, priority=13, domain=dynamic-filter, deny=false
        hits=19652, user_data=0x7fff2c679050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside1
              
Phase: 10
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2c6815d0, priority=12, domain=UNKNOWN:59, deny=false
        hits=19652, user_data=0x7fff2c6811d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside1

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=73296, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=30666, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 49672, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: lan_Servers
input-status: up
input-line-status: up
output-interface: outside1
output-status: up
output-line-status: up
Action: allow

-----------------------------------------

Also:

 packet-tracer input outside1 tcp 4.2.2.2 12345 10.7.128.172 25 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b122cd0, priority=1, domain=permit, deny=false
        hits=630195, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside1, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network CultEmailEDGE
 nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
NAT divert to egress interface dmz_webservers
Untranslate 10.7.128.172/25 to 10.2.129.95/25
              
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_INBOUND in interface outside1
access-list OUTSIDE_INBOUND extended permit tcp any object ironport eq smtp
access-list OUTSIDE_INBOUND remark *** ALLOW PACKETS FROM OUTSIDE INWARDS ***
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b8a6070, priority=13, domain=permit, deny=false
        hits=1135, user_data=0x7fff24326080, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.2.129.95, mask=255.255.255.255, port=25, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=83579, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b12a9c0, priority=0, domain=inspect-ip-options, deny=true
        hits=35237, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 6
Type: IDS
Subtype:
Result: ALLOW
Config:
class-map ips
 match access-list IPS
policy-map my-ips-policy
 class ips
  ips inline fail-open
service-policy my-ips-policy interface outside1
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff3034df10, priority=51, domain=ids, deny=false
        hits=12295, user_data=0x7fff3034d9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2c608460, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=12235, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2c679b20, priority=13, domain=dynamic-filter, deny=false
        hits=12295, user_data=0x7fff2c679050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 9
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2c681230, priority=12, domain=UNKNOWN:59, deny=false
        hits=12295, user_data=0x7fff2c6811d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=any

Phase: 10
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map CONNS
 match access-list CONNS
policy-map CONNS
 class CONNS
  set connection conn-max 0 embryonic-conn-max 500 random-sequence-number enable
  set connection timeout idle 1193:02:47 embryonic 0:20:00 half-closed 0:10:00
        embryonic 0:20:00
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
service-policy CONNS interface dmz_webservers
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2cfa4340, priority=8, domain=conn-set, deny=false
        hits=10059, user_data=0x7fff2cf9c8f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.2.129.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=dmz_webservers

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network CultEmailEDGE
 nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b87c580, priority=6, domain=nat-reverse, deny=false
        hits=748, user_data=0x7fff2b87aa60, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.2.129.95, mask=255.255.255.255, port=25, tag=0, dscp=0x0
        input_ifc=outside1, output_ifc=dmz_webservers

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff2a652170, priority=0, domain=nat-per-session, deny=false
        hits=83581, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff2b5ae440, priority=0, domain=inspect-ip-options, deny=true
        hits=19775, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=dmz_webservers, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 56870, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:       
input-interface: outside1
input-status: up
input-line-status: up
output-interface: dmz_webservers
output-status: up
output-line-status: up
Action: allow

-------------------------------------------------

In addition I saw two strange logs:

1. The first one had to do with asymmetric NAT:

5    Jul 13 2014    11:34:34    305013    65.55.111.141    51143    10.2.129.95    25    Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside1:65.55.111.141/51143 dst dmz_webservers:10.2.129.95/25 denied due to NAT reverse path failure

----------

2. Secondly, I was getting a lot of incoming SMTP traffic to an internal address that I do not use at all, and of course the flow was denied:

4    Jul 13 2014    11:34:29    106023    95.211.122.21    43456    10.2.145.22    25    Deny tcp src outside1:95.211.122.21/43456 dst inside_data:10.2.145.22/25 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]

-------------------------

 

 

From what you mentioned, Karthik, I think the best option is to upgrade my firmware. On the Cisco site I found only one version, 9.1.5. Is 9.1.5(1) a special OS version, and where can I find it?
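The two packet-tracer runs and the two syslog lines above are the evidence a reviewer would work from. The script below is an added example, not Cisco tooling or the poster's code: it splits a packet-tracer transcript into phases, picks out the first phase whose result is not ALLOW together with the final Action and Drop-reason, lists the Untranslate lines from NAT phases, and breaks the ASDM-style log lines into fields, attaching a meaning for message ids 305013 and 106023. The embedded trace is constructed in the format above, cut down and turned into a DROP case so the failure path is exercised (both traces in the post ended in Action: allow); the log lines are the two quoted in the post.

```python
"""Summarise an ASA packet-tracer transcript and classify ASA syslog lines.

Added example, not Cisco tooling or the poster's code.  The trace below is
constructed in the format of the traces in the thread, cut down and turned into
a DROP case; the two log lines are the ones quoted in the thread.
"""
import re

PHASE_RE = re.compile(r"^Phase: (\d+)$")
# ASDM-style line: severity, date, time, message id, src ip, src port, dst ip, dst port, text
LOG_RE = re.compile(r"^(\d)\s+(\w{3} \d{1,2} \d{4})\s+(\d\d:\d\d:\d\d)\s+(\d{6})\s+"
                    r"(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(.*)$")
KNOWN_IDS = {"305013": "NAT reverse path failure: forward and reverse flows matched "
                       "different NAT rules; review overlapping rules for the destination",
             "106023": "denied by an interface ACL; expected for unsolicited inbound traffic"}

SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network CultEmailEDGE
 nat (dmz_webservers,outside1) static 10.7.128.172 service tcp smtp smtp
Additional Information:
NAT divert to egress interface dmz_webservers
Untranslate 10.7.128.172/25 to 10.2.129.95/25

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group OUTSIDE_INBOUND in interface outside1
Additional Information:

Result:
input-interface: outside1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SAMPLE_LOGS = [
    "5    Jul 13 2014    11:34:34    305013    65.55.111.141    51143    10.2.129.95    25    Asymmetric NAT "
    "rules matched for forward and reverse flows; Connection for tcp src outside1:65.55.111.141/51143 "
    "dst dmz_webservers:10.2.129.95/25 denied due to NAT reverse path failure",
    "4    Jul 13 2014    11:34:29    106023    95.211.122.21    43456    10.2.145.22    25    Deny tcp src "
    'outside1:95.211.122.21/43456 dst inside_data:10.2.145.22/25 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]',
]


def parse_packet_tracer(text):
    """Split a transcript into phases plus the final Action and Drop-reason."""
    phases, cur, mode = [], None, None
    out = {"phases": phases, "action": None, "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PHASE_RE.match(line):
            cur = {"phase": int(m[1]), "type": "", "subtype": "", "result": "", "config": [], "info": []}
            phases.append(cur)
            mode = None
        elif line.startswith(("Action:", "Drop-reason:")):
            key, _, value = line.partition(":")
            out[key.lower().replace("-", "_")] = value.strip()
        elif cur is None:
            continue
        elif line == "Result:":
            cur = None                      # a bare "Result:" opens the final summary block
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            cur[key.lower()] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            mode = "config" if line == "Config:" else "info"
        elif line and mode:
            cur[mode].append(line)
    return out


def first_drop_phase(phases):
    """First phase whose Result is not ALLOW, or None when every phase passed."""
    return next((p for p in phases if p["result"] != "ALLOW"), None)


def nat_translations(phases):
    """Translation lines reported by NAT and UN-NAT phases."""
    return [l for p in phases if p["type"] in ("NAT", "UN-NAT")
            for l in p["info"] if l.startswith(("Untranslate", "Translate"))]


def classify_syslog(line):
    """Break an ASDM-style log line into fields and attach a meaning for known ids."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sev, date, clock, msg_id, sip, sport, dip, dport, text = m.groups()
    return {"severity": int(sev), "when": f"{date} {clock}", "id": msg_id, "src": f"{sip}:{sport}",
            "dst": f"{dip}:{dport}", "text": text, "meaning": KNOWN_IDS.get(msg_id, "not classified")}


if __name__ == "__main__":
    trace = parse_packet_tracer(SAMPLE_TRACE)
    drop = first_drop_phase(trace["phases"])
    print("action:", trace["action"], "|", drop and f"phase {drop['phase']} {drop['type']}", "|", trace["drop_reason"])
    for t in nat_translations(trace["phases"]):
        print("nat:", t)
    for ev in map(classify_syslog, SAMPLE_LOGS):
        print(ev["id"], ev["src"], "->", ev["dst"], ":", ev["meaning"])
```

For a real investigation, paste each packet-tracer transcript into `parse_packet_tracer` and compare the `Untranslate` lines against the `show nat detail` rule you expected to match; a 305013 event means the reverse lookup landed on a different rule than the forward one, which is the symptom of the overlap Karthik asked about.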

Hi,

You can use 9.2.2 version where it got fixed.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html#pgfId-762517

Lets see if the issue gets resolved for you. Hoping for the best.

Regards

Karthik

Hello nkarthikeyan,

I upgraded the ASA version to 9.2.2 and I think it got fixed. I am not sure yet. I removed any extra NAT commands that I added last week and left the original NAT commands of my 5520 firewall. I created a lab environment to check the HTTP protocol (HTTP forwarding) and it worked. This Sunday I will try the migration again and I hope the SMTP protocol will work fine for both incoming and outgoing mail traffic.

I will let you know about the results of 5515 integration and I will rate all answers. Thank you in advance.
 
