03-27-2012 08:22 AM - edited 03-11-2019 03:47 PM
Hi,
I have 2 subnets bought from my provider: 194.102.98.128/27 and 194.102.98.160/27.
From my provider I have the following setup:
IP Address: 86.120.151.66 Netmask: 255.255.255.128 Gateway: 86.120.151.1 DNS (1): 213.154.124.1 DNS (2): 193.231.252.1
My IPs are statically routed by my provider through 86.120.151.66.
On the firewall I have the following set-up:
Outside Interface: 86.120.151.66/25 security level 0
DMZ interface: 194.102.98.129/27 security level 50
Inside Interface: 194.102.98.161/27 security level 100
0.0.0.0 0.0.0.0 [1/0] via 86.120.151.1, outside
Everything works perfectly except when I try to send an email. The email gets sent (eventually), but after a long waiting time, 45-60 sec. The connection is opened instantly to the server but then just hangs there for 40-50 sec. The problem is that I have an application on a server that has to send confirmation emails, and that application is limited to a 30 sec timeout for connecting to the mail server, much less than the 45-60 sec that I have now. The mail server is hosted by a data center, it is not in my networks (location).
I have tried deleting the ESMTP inspection, that doesn't work. Pinging my mail server results in an average time of 20 ms. And when I do a tracert the highest value in a hop doesn't usually pass 80 ms, the average is 20-25 ms.
The problem is ONLY when sending emails. Everything else works perfectly, including receiving emails from the same server.
My running config is:
hostname ASA-Adisys
domain-name Intern.ro
enable password 0./39zRW9yhKK/bO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 91.220.232.66 www.itarena.ro description Adresa IP a site-ului
name 194.102.98.161 Inside_Gateway
name 172.16.10.96 VPN_Adress_POOL
name 194.102.98.185 Adisys_Cara
name 194.102.98.165 Adisys_Cyclope
name 194.102.98.184 Adisys_UC540W description Adresa de WAN Adisys
name 194.102.98.133 DMZ_Agnor_IP1
name 194.102.98.134 DMZ_Agnor_IP2
name 194.102.98.146 DMZ_Fasttrack
name 194.102.98.150 DMZ_Graitec_Auth_Server
name 194.102.98.148 DMZ_Graitec_Axapta
name 194.102.98.149 DMZ_Graitec_Citrix
name 194.102.98.147 DMZ_Graitec_FTP
name 194.102.98.144 DMZ_Jeka
name 194.102.98.142 DMZ_Agras
name 194.102.98.132 DMZ_Router_Dlink description Adresa de la router-ul din spate
name 89.122.106.51 Graitec_Remote_PC1 description Calculator dupa care se face RDC Graitec
name 89.122.49.40 Graitec_Remote_PC3 description Calculator dupa care se face RDC Graitec
name 184.154.10.114 Graitec_mail.graitec.info
name 89.120.49.209 Graitec_mail.graitec.net description Calculator dupa care se face RDC Graitec
name 89.122.248.141 Graitec_mail.graitec.ro description Calculator dupa care se face RDC Graitec
name 81.80.156.221 Graitec_mailhost.graitec.com
name 82.137.9.82 Test_IP description IP de test
!
interface Vlan1
nameif inside
security-level 100
ip address Inside_Gateway 255.255.255.224
!
interface Vlan2
description IP Internet
nameif outside
security-level 0
ip address 86.120.151.66 255.255.255.128
!
interface Vlan12
description Retea clienti
no forward interface Vlan1
nameif DMZ
security-level 50
ip address 194.102.98.129 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns server-group DefaultDNS
domain-name Intern.ro
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object host Graitec_mail.graitec.net
network-object host Graitec_Remote_PC1
network-object host Graitec_mail.graitec.ro
network-object host Graitec_Remote_PC3
network-object host Test_IP
object-group network DM_INLINE_NETWORK_2
network-object host DMZ_Graitec_Axapta
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
object-group network DM_INLINE_NETWORK_3
network-object host DMZ_Graitec_Axapta
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
object-group network DM_INLINE_NETWORK_4
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
network-object host Inside_Gateway
network-object host Adisys_UC540W
object-group network DM_INLINE_NETWORK_5
network-object host DMZ_Graitec_Axapta
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
object-group network DM_INLINE_NETWORK_6
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
object-group network DM_INLINE_NETWORK_7
network-object host DMZ_Graitec_Axapta
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_8
network-object host Inside_Gateway
network-object host Adisys_UC540W
object-group network DM_INLINE_NETWORK_10
network-object host DMZ_Graitec_FTP
network-object host DMZ_Graitec_Axapta
network-object host DMZ_Graitec_Citrix
network-object host DMZ_Graitec_Auth_Server
object-group network DM_INLINE_NETWORK_9
network-object host Graitec_mail.graitec.info
network-object host Graitec_mailhost.graitec.com
network-object host Graitec_mail.graitec.net
network-object host Graitec_mail.graitec.ro
network-object host Graitec_Remote_PC3
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object icmp6
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2525
port-object eq 465
port-object eq pop3
port-object eq smtp
access-list outside_access_in remark Allow access to Auth, Axapta, Citrix to 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 eq 3389
access-list outside_access_in remark Allow access to Citrix, Auth, Adisys_WAN to port 443
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_4 eq https
access-list outside_access_in remark Allow access to Auth, Axapta, Citrix from port 80
access-list outside_access_in extended permit tcp any eq www object-group DM_INLINE_NETWORK_3
access-list outside_access_in remark Allow access to Auth, Axapta, Citrix from port 53
access-list outside_access_in extended permit object-group TCPUDP any eq domain object-group DM_INLINE_NETWORK_5
access-list outside_access_in remark Allow access to Auth, Citrix from port 443
access-list outside_access_in extended permit tcp any eq https object-group DM_INLINE_NETWORK_6
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_1
access-list outside_access_in remark Allow Ping to graitec servers
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in remark Deny any to Axapta, Auth, Citrix
access-list outside_access_in extended deny ip any object-group DM_INLINE_NETWORK_7
access-list outside_access_in remark Allow access to Adisys_WAN from Non500-isakmp
access-list outside_access_in extended permit udp any host Adisys_UC540W eq 4500
access-list outside_access_in remark Allow access to Adisys_WAN from Isakmp
access-list outside_access_in extended permit udp any object-group DM_INLINE_NETWORK_8 eq isakmp
access-list outside_access_in remark Allow access to Adisys_WAN from esp
access-list outside_access_in extended permit esp any host Adisys_UC540W
access-list outside_access_in remark Allow access to Adisys_WAN from AHP
access-list outside_access_in extended permit ah any host Adisys_UC540W
access-list outside_access_in remark Allow syslog messeger from ITarena.ro to Cyclope Syslog
access-list outside_access_in extended permit udp host www.itarena.ro host Adisys_Cyclope eq syslog
access-list outside_access_in remark Allow 113 from www.itarena.ro
access-list outside_access_in extended permit tcp host www.itarena.ro 194.102.98.160 255.255.255.224 eq ident
access-list outside_access_in remark Allow Mark Vision from internet
access-list outside_access_in extended permit tcp any host Adisys_UC540W eq 9788
access-list outside_access_in extended permit tcp any host DMZ_Router_Dlink eq www
access-list outside_access_in remark Allow TFTP for Voice
access-list outside_access_in extended permit ip VPN_Adress_POOL 255.255.255.240 194.102.98.160 255.255.255.224 inactive
access-list outside_access_in remark Allow TFTP from inside to VPN
access-list outside_access_in extended permit ip 194.102.98.160 255.255.255.224 VPN_Adress_POOL 255.255.255.240 inactive
access-list outside_access_in remark Deny any to Inside Network 194.102.98.160/27
access-list outside_access_in extended deny ip any 194.102.98.160 255.255.255.224
access-list outside_access_in extended permit ip any 194.102.98.128 255.255.255.224
access-list outside_access_in remark Allow Ping
access-list outside_access_in extended permit icmp any any echo-reply
access-list THROTTLE_GRAITEC_FTP extended permit ip host DMZ_Graitec_FTP any
access-list THROTTLE_GRAITEC_FTP extended permit ip any host DMZ_Graitec_FTP
access-list Adisan-VPN_splitTunnelAcl standard permit 194.102.98.160 255.255.255.224
access-list outside_mpc extended permit ip host DMZ_Fasttrack any
access-list outside_mpc extended permit ip any host DMZ_Fasttrack
access-list outside_access_in_1 remark Allow
access-list outside_access_in_1 extended permit tcp any any eq https
pager lines 24
logging enable
logging trap warnings
logging asdm informational
logging host inside Adisys_UC540W
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPN_POOL 172.16.10.97-172.16.10.110
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group outside_access_in_1 in interface outside control-plane
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 86.120.151.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 194.102.98.160 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 194.102.98.160 255.255.255.224 inside
telnet timeout 15
ssh 194.102.98.160 255.255.255.224 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address Adisys_Cyclope-194.102.98.170 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics host number-of-rate 2
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Adisan-VPN internal
group-policy Adisan-VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Adisan-VPN_splitTunnelAcl
tunnel-group Adisan-VPN type remote-access
tunnel-group Adisan-VPN general-attributes
address-pool VPN_POOL
default-group-policy Adisan-VPN
tunnel-group Adisan-VPN ipsec-attributes
pre-shared-key *
!
class-map THROTTLE_GRAITEC_FTP
match access-list THROTTLE_GRAITEC_FTP
class-map THROTTLE_FASTTRACK
match access-list outside_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map THROTTLE_GRAITEC_FTP
class THROTTLE_GRAITEC_FTP
police output 10000000 20000
police input 10000000 20000
class THROTTLE_FASTTRACK
police input 6000000 12000
police output 6000000 12000
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect dns
inspect tftp
!
service-policy global_policy global
service-policy THROTTLE_GRAITEC_FTP interface outside
prompt hostname context
Cryptochecksum:347696f9e2888a7c7c1adf4a1a20eeef
: end
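The symptom described above (TCP connect completes instantly, then the session hangs for 40-50 seconds before mail flows) is worth measuring per phase rather than as one number, because the phase that stalls points at a different place to look. The script below is an added example, not code from the original poster or from Cisco: it times the TCP handshake, the wait for the server's 220 greeting, and the EHLO round trip separately, and reports which phase is the slowest and whether the total would exceed an application's connect timeout (30 s in the post). A stall that lands in the banner phase while connect is fast means the path to port 25 is fine and the mail server itself is holding its greeting back, which commonly happens while it waits on a reverse-DNS or ident (TCP 113) lookup toward the client that a firewall silently drops instead of rejecting; a stall in the connect phase points at the path instead. The mock server, its delay, the hostnames and the port numbers are all constructed for the example so it runs offline; point time_smtp_phases at a real relay to use it.

```python
"""Measure where an SMTP session stalls: TCP connect vs. server banner vs. EHLO reply.

Added example (not from the original post). Every host, port and delay below
is constructed for the demonstration.
"""
import socket
import threading
import time

PHASES = ("connect", "banner", "ehlo")


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply and return its final line."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection before replying")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        # A continuation line looks like "250-..."; the last line is "250 ...".
        if len(text) < 4 or text[3] != "-":
            return text


def time_smtp_phases(host, port, timeout=30.0):
    """Return per-phase durations in seconds plus the reply codes seen.

    'connect': TCP handshake; 'banner': wait for the 220 greeting after the
    handshake; 'ehlo': EHLO round trip. The socket timeout bounds each read.
    """
    phases = {}
    t0 = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    phases["connect"] = time.monotonic() - t0
    try:
        f = sock.makefile("rb")
        t1 = time.monotonic()
        banner = _read_reply(f)
        phases["banner"] = time.monotonic() - t1
        t2 = time.monotonic()
        sock.sendall(b"EHLO probe.example\r\n")  # constructed client name
        ehlo = _read_reply(f)
        phases["ehlo"] = time.monotonic() - t2
        sock.sendall(b"QUIT\r\n")
        phases["banner_code"] = banner[:3]
        phases["ehlo_code"] = ehlo[:3]
    finally:
        sock.close()
    return phases


def slowest_phase(phases):
    """Name of the phase that consumed the most time."""
    return max(PHASES, key=lambda k: phases[k])


def exceeds_budget(phases, budget_seconds):
    """True when connect + banner + EHLO together exceed an app's timeout."""
    return sum(phases[k] for k in PHASES) > budget_seconds


def start_slow_smtp_server(banner_delay):
    """Start a constructed mock SMTP server on 127.0.0.1 that delays its 220
    greeting by banner_delay seconds, imitating a relay stuck on a lookup.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            time.sleep(banner_delay)          # the "hang" after the handshake
            conn.sendall(b"220 mock.example ESMTP ready\r\n")
            for line in conn.makefile("rb"):
                if line.upper().startswith(b"EHLO"):
                    conn.sendall(b"250-mock.example\r\n250 SIZE 10240000\r\n")
                elif line.upper().startswith(b"QUIT"):
                    conn.sendall(b"221 bye\r\n")
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_slow_smtp_server(banner_delay=0.5)
    result = time_smtp_phases("127.0.0.1", port, timeout=5.0)
    for name in PHASES:
        print(f"{name:8s} {result[name]:.3f} s")
    print("slowest phase:", slowest_phase(result))
    print("exceeds 30 s budget:", exceeds_budget(result, 30.0))
```

Run against a real relay with `time_smtp_phases("mail.example", 25)` from the host that is timing out; if the banner phase carries the delay, the next check on the firewall side is whether connections the relay makes back toward your address range (ident on TCP 113, for instance) are being dropped silently rather than answered with a reset, since a silent drop forces the relay to wait out its own timeout before greeting you.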
08-31-2012 02:17 PM
Did you ever find a solution to why the ASA is doing this? I'm having the same problem.
08-31-2012 03:55 PM
Hello Paul,
Please explain your issue and the design of your network so we can help you.
08-31-2012 04:30 PM
Please see the following post that I started.
I have verified that this is indeed a problem when I have the ASA in place. Bypassing the ASA resolves the issue. I have no inspection in place. No time outs in place either.
I am having the same issue as the original person that started this post.
When routing between two different segments with an Exchange server and Outlook clients on different networks, going through the ASA, at random times the clients are experiencing hangs when sending emails in Outlook. Apparently the other person fixed it by disabling RPC inspection on the Juniper he has.