cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3211
Views
0
Helpful
9
Replies

Problem with the SMTP traffic on Cisco ASA 5510

ixmiquilpan
Level 1
Level 1

I have a problem with the SMTP traffic on my cisco asa.

I have a host with IP public, this host respond on ports 110 and 443 from outside but the port 25 not responding.

I have this configuration:

access-list 101 extended permit tcp any host 189.168.70.67 eq pop3
access-list 101 extended permit tcp any host 189.168.70.67 eq smtp
access-list 101 extended permit tcp any host 189.2168.70.67 eq https

static (inside,outside) 189.168.70.67 10.10.10.18 netmask 255.255.255.255

I have this version:

Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(3)

Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"

ASA5510 up 3 days 8 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Somebody can help me ..

9 Replies 9

Allen P Chen
Level 5
Level 5

Hello,

Your static NAT and ACL configuration look OK.  The easiest way to determine the issue would be to set up packet captures on the ASA:

access-list CAP permit tcp any host 189.168.70.67 eq smtp

access-list CAP permit tcp host 189.168.70.67 eq smtp any

access-list CAP permit tcp any host 10.10.10.18 eq smtp

access-list CAP permit tcp host 10.10.10.18 eq smtp any

cap CAPIN access-list CAP interface inside

cap CAPOUT access-list CAP interface outside

You can check the captures with "show cap CAPIN" and "show cap CAPOUT".  Is the 10.10.10.18 host responding to SMTP requests?

Hi Allen,

Does not capture anything from outsite.
The connection is not responding to port 25 from outside.

U:\>telnet 189.168.70.67 25
Connecting To 189.168.70.67...Could not open connection to the host, on port 25:
Connect failed

U:\>

U:\>telnet 189.168.70.67 110

220 SRVCH08.chmx.local Microsoft ESMTP MAIL Service ready at Fri, 12 Nov 2010 18
:25:28 -0600

ASA5510# show cap CAPIN                              
0 packet captured
0 packet shown
ASA5510# show cap CAPOUT                             
0 packet captured
0 packet shown
ASA5510# show cap CAPIN
3 packets captured
   1: 17:45:03.555818 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
   2: 17:45:06.493397 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
   3: 17:45:12.428658 10.1.1.35.1474 > 189.168.70.67.25: S 950061106:950061106(0) win 65535
3 packets shown
ASA5510#

Hello,

Is the upstream device blocking port 25?  Do you have access to the upstream device?  If traffic to port 25 is not reaching the ASA, then there is really nothing the ASA can do.

As a test, let's modify the capture so that we capture traffic for POP3 as well:

no cap CAPOUT

no cap CAPIN

Please add the following to the CAP access-list:

access-list CAP permit tcp any host 189.168.70.67 eq 110

access-list CAP permit tcp host 189.168.70.67 eq 110 any

access-list CAP permit tcp any host 10.10.10.18 eq 110

access-list CAP permit tcp host 10.10.10.18 eq 110 any

Then reapply the captures:

cap CAPIN access-list CAP interface inside

cap CAPOUT access-list CAP interface outside

Do you see traffic for 110 but not for 25?

Did you try going to service policies and turn on esmtp inspection? I seem to remember a long time ago, with about your same version, that our exchange server couldn't connect via port 25. After I turned on that setting, it worked fine.

Hi Juan,


I saw something interesting in the capture.


The capture on the inside interface, the CAPIN shows connection connection coming from 10.1.x.x IP address.

Is that somehow connected to your inside network.


Please provide us some information about the topology and if possible a copy of the configuration on the ASA, so that we have better detail to work with.


Cheers,


Nash.

Hi Nash,

I sent you my network topology and ASA config.

Thanks for your help ...

Gracias por su ayuda ...

Hi,

I have this on my ASA config, the esmtp inspection is good?

policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ils
  inspect http
  inspect esmtp

Hi,

I only see the connections on prt 110 ...

ASA5510# show cap CAPIN
15 packets captured
   1: 08:43:44.385295 189.135.230.67.1138 > 10.1.1.8.110: S 2396528201:2396528201(0) win 65535
   2: 08:43:44.385569 10.1.1.8.110 > 189.135.230.67.1138: S 818246061:818246061(0) ack 2396528202 win 8192
   3: 08:43:44.396723 189.135.230.67.1138 > 10.1.1.8.110: . ack 818246062 win 65535
   4: 08:43:44.397974 10.1.1.8.110 > 189.135.230.67.1138: P 818246062:818246113(51) ack 2396528202 win 64860
   5: 08:43:44.408807 189.135.230.67.1138 > 10.1.1.8.110: P 2396528202:2396528217(15) ack 818246113 win 65484
   6: 08:43:44.413491 10.1.1.8.110 > 189.135.230.67.1138: P 818246113:818246118(5) ack 2396528217 win 64845
   7: 08:43:44.424843 189.135.230.67.1138 > 10.1.1.8.110: P 2396528217:2396528234(17) ack 818246118 win 65479
   8: 08:43:44.608763 10.1.1.8.110 > 189.135.230.67.1138: . ack 2396528234 win 64828
   9: 08:43:45.247759 10.1.1.8.110 > 189.135.230.67.1138: P 818246118:818246152(34) ack 2396528234 win 64828
  10: 08:43:45.260148 189.135.230.67.1138 > 10.1.1.8.110: P 2396528234:2396528240(6) ack 818246152 win 65445
  11: 08:43:45.273148 10.1.1.8.110 > 189.135.230.67.1138: P 818246152:818246213(61) ack 2396528240 win 64822
  12: 08:43:45.273255 10.1.1.8.110 > 189.135.230.67.1138: F 818246213:818246213(0) ack 2396528240 win 64822
  13: 08:43:45.284302 189.135.230.67.1138 > 10.1.1.8.110: . ack 818246214 win 65384
  14: 08:43:45.286255 189.135.230.67.1138 > 10.1.1.8.110: F 2396528240:2396528240(0) ack 818246214 win 65384
  15: 08:43:45.286377 10.1.1.8.110 > 189.135.230.67.1138: . ack 2396528241 win 64822
15 packets shown
ASA5510# show cap CAOUT
ERROR: Capture does not exist
ASA5510# show cap CAPOUT
16 packets captured
   1: 08:43:44.385127 189.135.230.67.1138 > 189.254.69.68.110: S 1932398372:1932398372(0) win 65535
   2: 08:43:44.385600 189.254.69.68.110 > 189.135.230.67.1138: S 1684626087:1684626087(0) ack 1932398373 win 8192
   3: 08:43:44.396692 189.135.230.67.1138 > 189.254.69.68.110: . ack 1684626088 win 65535
   4: 08:43:44.397989 189.254.69.68.110 > 189.135.230.67.1138: P 1684626088:1684626139(51) ack 1932398373 win 64860
   5: 08:43:44.408792 189.135.230.67.1138 > 189.254.69.68.110: P 1932398373:1932398388(15) ack 1684626139 win 65484
   6: 08:43:44.413507 189.254.69.68.110 > 189.135.230.67.1138: P 1684626139:1684626144(5) ack 1932398388 win 64845
   7: 08:43:44.424828 189.135.230.67.1138 > 189.254.69.68.110: P 1932398388:1932398405(17) ack 1684626144 win 65479
   8: 08:43:44.608778 189.254.69.68.110 > 189.135.230.67.1138: . ack 1932398405 win 64828
   9: 08:43:45.247774 189.254.69.68.110 > 189.135.230.67.1138: P 1684626144:1684626178(34) ack 1932398405 win 64828
  10: 08:43:45.260133 189.135.230.67.1138 > 189.254.69.68.110: P 1932398405:1932398411(6) ack 1684626178 win 65445
  11: 08:43:45.273163 189.254.69.68.110 > 189.135.230.67.1138: P 1684626178:1684626239(61) ack 1932398411 win 64822
  12: 08:43:45.273270 189.254.69.68.110 > 189.135.230.67.1138: F 1684626239:1684626239(0) ack 1932398411 win 64822
  13: 08:43:45.284271 189.135.230.67.1138 > 189.254.69.68.110: . ack 1684626240 win 65384
  14: 08:43:45.286240 189.135.230.67.1138 > 189.254.69.68.110: F 1932398411:1932398411(0) ack 1684626240 win 65384
  15: 08:43:45.286392 189.254.69.68.110 > 189.135.230.67.1138: . ack 1932398412 win 64822
  16: 08:44:02.248903 189.135.230.67.1138 > 189.254.69.68.110: R 1932398412:1932398412(0) ack 1684626240 win 0

If you are only seeing traffic for TCP port 110 on the ASA and not TCP port 25, then something upstream is blocking that traffic

from reaching the ASA.  You might want to investigate the upstream device.

If you run a packet capture in front of the upstream device, do you see traffic on TCP port 25 reaching that device?

Review Cisco Networking for a $25 gift card