11-12-2010 02:52 PM - edited 03-11-2019 12:08 PM
I have a problem with the SMTP traffic on my cisco asa.
I have a host with a public IP; this host responds on ports 110 and 443 from outside, but port 25 is not responding.
I have this configuration:
access-list 101 extended permit tcp any host 189.168.70.67 eq pop3
access-list 101 extended permit tcp any host 189.168.70.67 eq smtp
access-list 101 extended permit tcp any host 189.168.70.67 eq https
static (inside,outside) 189.168.70.67 10.10.10.18 netmask 255.255.255.255
I have this version:
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ASA5510 up 3 days 8 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Can somebody help me?
11-12-2010 03:25 PM
Hello,
Your static NAT and ACL configuration look OK. The easiest way to determine the issue would be to set up packet captures on the ASA:
access-list CAP permit tcp any host 189.168.70.67 eq smtp
access-list CAP permit tcp host 189.168.70.67 eq smtp any
access-list CAP permit tcp any host 10.10.10.18 eq smtp
access-list CAP permit tcp host 10.10.10.18 eq smtp any
cap CAPIN access-list CAP interface inside
cap CAPOUT access-list CAP interface outside
You can check the captures with "show cap CAPIN" and "show cap CAPOUT". Is the 10.10.10.18 host responding to SMTP requests?
11-12-2010 04:20 PM
Hi Allen,
It does not capture anything from outside.
The connection is not responding to port 25 from outside.
U:\>telnet 189.168.70.67 25
Connecting To 189.168.70.67...Could not open connection to the host, on port 25:
Connect failed
U:\>
U:\>telnet 189.168.70.67 110
220 SRVCH08.chmx.local Microsoft ESMTP MAIL Service ready at Fri, 12 Nov 2010 18:25:28 -0600
ASA5510# show cap CAPIN
0 packet captured
0 packet shown
ASA5510# show cap CAPOUT
0 packet captured
0 packet shown
ASA5510# show cap CAPIN
3 packets captured
1: 17:45:03.555818 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
2: 17:45:06.493397 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
3: 17:45:12.428658 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
3 packets shown
ASA5510#
11-12-2010 04:45 PM
Hello,
Is the upstream device blocking port 25? Do you have access to the upstream device? If traffic to port 25 is not reaching the ASA, then there is really nothing the ASA can do.
As a test, let's modify the capture so that we capture traffic for POP3 as well:
no cap CAPOUT
no cap CAPIN
Please add the following to the CAP access-list:
access-list CAP permit tcp any host 189.168.70.67 eq 110
access-list CAP permit tcp host 189.168.70.67 eq 110 any
access-list CAP permit tcp any host 10.10.10.18 eq 110
access-list CAP permit tcp host 10.10.10.18 eq 110 any
Then reapply the captures:
cap CAPIN access-list CAP interface inside
cap CAPOUT access-list CAP interface outside
Do you see traffic for 110 but not for 25?
11-15-2010 07:51 AM
Did you try going to service policies and turning on esmtp inspection? I seem to remember a long time ago, with about your same version, that our Exchange server couldn't connect via port 25. After I turned on that setting, it worked fine.
11-15-2010 08:10 AM
Hi Juan,
I saw something interesting in the capture.
The capture on the inside interface, CAPIN, shows a connection coming from a 10.1.x.x IP address.
Is that somehow connected to your inside network?
Please provide us some information about the topology and if possible a copy of the configuration on the ASA, so that we have better detail to work with.
Cheers,
Nash.
11-16-2010 07:25 AM
11-16-2010 07:28 AM
Hi,
I have this in my ASA config. Is the esmtp inspection OK?
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ils
  inspect http
  inspect esmtp
11-16-2010 07:23 AM
Hi,
I only see the connections on port 110 ...
ASA5510# show cap CAPIN
15 packets captured
1: 08:43:44.385295 189.135.230.67.1138 > 10.1.1.8.110: S 2396528201:2396528201(0) win 65535
2: 08:43:44.385569 10.1.1.8.110 > 189.135.230.67.1138: S 818246061:818246061(0) ack 2396528202 win 8192
3: 08:43:44.396723 189.135.230.67.1138 > 10.1.1.8.110: . ack 818246062 win 65535
4: 08:43:44.397974 10.1.1.8.110 > 189.135.230.67.1138: P 818246062:818246113(51) ack 2396528202 win 64860
5: 08:43:44.408807 189.135.230.67.1138 > 10.1.1.8.110: P 2396528202:2396528217(15) ack 818246113 win 65484
6: 08:43:44.413491 10.1.1.8.110 > 189.135.230.67.1138: P 818246113:818246118(5) ack 2396528217 win 64845
7: 08:43:44.424843 189.135.230.67.1138 > 10.1.1.8.110: P 2396528217:2396528234(17) ack 818246118 win 65479
8: 08:43:44.608763 10.1.1.8.110 > 189.135.230.67.1138: . ack 2396528234 win 64828
9: 08:43:45.247759 10.1.1.8.110 > 189.135.230.67.1138: P 818246118:818246152(34) ack 2396528234 win 64828
10: 08:43:45.260148 189.135.230.67.1138 > 10.1.1.8.110: P 2396528234:2396528240(6) ack 818246152 win 65445
11: 08:43:45.273148 10.1.1.8.110 > 189.135.230.67.1138: P 818246152:818246213(61) ack 2396528240 win 64822
12: 08:43:45.273255 10.1.1.8.110 > 189.135.230.67.1138: F 818246213:818246213(0) ack 2396528240 win 64822
13: 08:43:45.284302 189.135.230.67.1138 > 10.1.1.8.110: . ack 818246214 win 65384
14: 08:43:45.286255 189.135.230.67.1138 > 10.1.1.8.110: F 2396528240:2396528240(0) ack 818246214 win 65384
15: 08:43:45.286377 10.1.1.8.110 > 189.135.230.67.1138: . ack 2396528241 win 64822
15 packets shown
ASA5510# show cap CAOUT
ERROR: Capture
ASA5510# show cap CAPOUT
16 packets captured
1: 08:43:44.385127 189.135.230.67.1138 > 189.254.69.68.110: S 1932398372:1932398372(0) win 65535
2: 08:43:44.385600 189.254.69.68.110 > 189.135.230.67.1138: S 1684626087:1684626087(0) ack 1932398373 win 8192
3: 08:43:44.396692 189.135.230.67.1138 > 189.254.69.68.110: . ack 1684626088 win 65535
4: 08:43:44.397989 189.254.69.68.110 > 189.135.230.67.1138: P 1684626088:1684626139(51) ack 1932398373 win 64860
5: 08:43:44.408792 189.135.230.67.1138 > 189.254.69.68.110: P 1932398373:1932398388(15) ack 1684626139 win 65484
6: 08:43:44.413507 189.254.69.68.110 > 189.135.230.67.1138: P 1684626139:1684626144(5) ack 1932398388 win 64845
7: 08:43:44.424828 189.135.230.67.1138 > 189.254.69.68.110: P 1932398388:1932398405(17) ack 1684626144 win 65479
8: 08:43:44.608778 189.254.69.68.110 > 189.135.230.67.1138: . ack 1932398405 win 64828
9: 08:43:45.247774 189.254.69.68.110 > 189.135.230.67.1138: P 1684626144:1684626178(34) ack 1932398405 win 64828
10: 08:43:45.260133 189.135.230.67.1138 > 189.254.69.68.110: P 1932398405:1932398411(6) ack 1684626178 win 65445
11: 08:43:45.273163 189.254.69.68.110 > 189.135.230.67.1138: P 1684626178:1684626239(61) ack 1932398411 win 64822
12: 08:43:45.273270 189.254.69.68.110 > 189.135.230.67.1138: F 1684626239:1684626239(0) ack 1932398411 win 64822
13: 08:43:45.284271 189.135.230.67.1138 > 189.254.69.68.110: . ack 1684626240 win 65384
14: 08:43:45.286240 189.135.230.67.1138 > 189.254.69.68.110: F 1932398411:1932398411(0) ack 1684626240 win 65384
15: 08:43:45.286392 189.254.69.68.110 > 189.135.230.67.1138: . ack 1932398412 win 64822
16: 08:44:02.248903 189.135.230.67.1138 > 189.254.69.68.110: R 1932398412:1932398412(0) ack 1684626240 win 0
11-16-2010 10:16 AM
If you are only seeing traffic for TCP port 110 on the ASA and not TCP port 25, then something upstream is blocking that traffic from reaching the ASA. You might want to investigate the upstream device.
If you run a packet capture in front of the upstream device, do you see traffic on TCP port 25 reaching that device?
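An added example, not from this thread or from Cisco: a small Python parser for the "show cap" line format quoted above. It groups packets per server port, reports whether each port's TCP handshake completed, and lists expected ports that never appear in the capture at all, which is the check behind the "blocked upstream" conclusion. The sample capture lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "show cap" output quoted in this thread
# (addresses, ports and sequence numbers are made up for the example).
SAMPLE_CAPTURE = """\
1: 17:45:03.555818 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
2: 17:45:06.493397 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
3: 08:43:44.385127 189.135.230.67.1138 > 189.254.69.68.110: S 1932398372:1932398372(0) win 65535
4: 08:43:44.385600 189.254.69.68.110 > 189.135.230.67.1138: S 1684626087:1684626087(0) ack 1932398373 win 8192
5: 08:43:44.396692 189.135.230.67.1138 > 189.254.69.68.110: . ack 1684626088 win 65535
"""

# "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <seq/ack fields> win <n>"
LINE_RE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>(?:\d+\.){3}\d+)\.(?P<sport>\d+)\s+>\s+"
                     r"(?P<dst>(?:\d+\.){3}\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFPR.]+)(?P<rest>.*)$")

def parse_capture(text):
    """One dict per packet line; non-packet lines ("3 packets captured") are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["syn"], d["ack"] = "S" in d["flags"], " ack " in d["rest"]
            yield d

def summarize_handshakes(text):
    """Per server port: client SYNs seen, SYN-ACKs seen, and what that implies."""
    syns, synacks = defaultdict(int), defaultdict(int)
    for p in parse_capture(text):
        if p["syn"] and not p["ack"]:
            syns[p["dport"]] += 1        # client -> server SYN
        elif p["syn"] and p["ack"]:
            synacks[p["sport"]] += 1     # server -> client SYN-ACK
    out = {}
    for port in set(syns) | set(synacks):
        verdict = ("handshake completed" if synacks[port]
                   else "SYN(s) without SYN-ACK: server silent or return path blocked")
        out[port] = {"syn": syns[port], "synack": synacks[port], "verdict": verdict}
    return out

def missing_ports(text, expected_ports):
    """Expected ports with no packet at all: the traffic never reached this interface."""
    seen = set()
    for p in parse_capture(text):
        seen.update((p["sport"], p["dport"]))
    return sorted(set(expected_ports) - seen)
```

Run it over the pasted output of both CAPIN and CAPOUT: a port that is in the expected list but reported by missing_ports on the outside interface is the upstream-block case from this thread, while a port with SYNs and no SYN-ACK on the inside interface points at the server or the return path instead.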