publishing SMTP on cisco ASA

Jason Flory
Level 1

Hello Everyone

I am having issues publishing SMTP via our ASA 5525.

I feel like I have everything correct, but it is not working. Note that we only allow SMTP outbound and inbound from a particular set of IPs. Is there something different I need to do when publishing SMTP?

Here is what I am doing.


object-group service obj_mail_services
description This is group is for standard mail protocols
service-object tcp destination eq smtp
service-object tcp destination eq smtps
service-object tcp destination eq pop

object network obj_mail_10.2.4.70
nat (inside,outside) static 64.47.x.x

object-group network obj_Mimecast_pub
description This group lists all subnets associated with Mimecast data centers
network-object 207.211.x.0 255.255.255.0
network-object 207.211.x.0 255.255.255.0
network-object 205.139.x.0 255.255.255.0
network-object 205.139.x.0 255.255.255.0

access-list public_access extended permit object-group obj_mail_services object-group obj_Mimecast_pub object-group obj_mail_10.2.4.70

Also note that there is another ACL on the inside interface that is restricting all outbound traffic. SMTP is allowed to the above external hosts using the same object group.

Thanks
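One way to sanity-check the object and ACL lines posted above before a change window, as an added example that is not part of this thread or of any Cisco tooling: the script parses the same statement kinds the poster used, reports a name referenced with the wrong keyword (the ASA keeps `object` and `object-group` in separate namespaces, so `object-group X` never resolves to a network object named X), and evaluates whether a flow is permitted the way an ASA 8.3+ interface ACL does, against the real inside address rather than the mapped one. The config embedded in the script is constructed with placeholder addresses, not the poster's values.

```python
# Added example (not from the thread). Parses the poster's object/ACL pattern, flags names
# referenced with the wrong keyword (ASA keeps `object` and `object-group` in separate
# namespaces) and evaluates a flow against the real inside address, as ASA 8.3+ ACLs do.
import ipaddress
import re
PORTS = {"smtp": 25, "smtps": 465, "pop": 110}  # constructed config below uses RFC 5737 addresses
CFG = """
object-group service obj_mail_services
 service-object tcp destination eq smtp
object network obj_mail_10.2.4.70
 host 10.2.4.70
 nat (inside,outside) static 203.0.113.10
object-group network obj_Mimecast_pub
 network-object 198.51.100.0 255.255.255.0
access-list public_access extended permit object-group obj_mail_services object-group obj_Mimecast_pub object-group obj_mail_10.2.4.70
"""
FIXED = CFG.replace("object-group obj_mail_10", "object obj_mail_10")  # correct keyword for a network object

def parse(cfg):
    svc, objs, grps, acls, cur = {}, {}, {}, [], None
    for line in (l.strip() for l in cfg.strip().splitlines()):
        if m := re.match(r"object-group service (\S+)", line):
            cur = svc.setdefault(m[1], [])                        # tcp destination ports
        elif m := re.match(r"object(-group)? network (\S+)", line):
            cur = (grps if m[1] else objs).setdefault(m[2], [])  # separate namespaces
        elif m := re.match(r"service-object tcp destination eq (\S+)", line):
            cur.append(PORTS.get(m[1]) or int(m[1]))
        elif m := re.match(r"(?:network-object|host) (\S+)(?: (\S+))?", line):
            cur.append(ipaddress.ip_network(f"{m[1]}/{m[2]}" if m[2] else m[1]))
        elif m := re.match(r"access-list (\S+) extended permit object-group (\S+) (\S+) (\S+) (\S+) (\S+)", line):
            acls.append((m[1], m[2], (m[3], m[4]), (m[5], m[6])))  # acl, svc, (kw, src), (kw, dst)
    return svc, objs, grps, acls                                  # nat/description lines are ignored

def lookup(kw, name, objs, grps):
    return (objs if kw == "object" else grps).get(name)  # None when the keyword does not match

def lint(cfg):
    svc, objs, grps, acls = parse(cfg)
    issues = [f"{acl}: no service group named {sg}" for acl, sg, *_ in acls if sg not in svc]
    for acl, _, *ends in acls:
        for kw, name in ends:
            if lookup(kw, name, objs, grps) is None:
                issues.append(f"{acl}: no {kw} named {name}")
    return issues

def permitted(cfg, src_ip, dst_real_ip, dport):
    svc, objs, grps, acls = parse(cfg)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_real_ip)
    return any(dport in svc.get(sg, []) and any(s in n for n in lookup(*src, objs, grps) or [])
               and any(d in n for n in lookup(*dst, objs, grps) or []) for _, sg, src, dst in acls)
```

Running `lint(CFG)` reports the mismatched keyword on the destination, and `permitted(FIXED, "198.51.100.7", "203.0.113.10", 25)` is False while the same flow to the real address 10.2.4.70 is True, which is the check packet-tracer performs once NAT has untranslated the destination.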

3 Replies

Julio Carvajal
VIP Alumni

Hello Jason,

The configuration looks good.

Can you do the following:

packet-tracer input outside tcp 205.139.x.x 1025 64.47.x.x 25

and provide us with the output.

Also do:

capture capin interface inside match tcp any host 10.2.4.70 eq 25

cap capout interface outside match tcp any host 64.47.x.x eq 25

Afterwards, try to connect to the server and share:

show cap capin

show cap capout

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any questions, contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the quick response.

I am migrating rules from a different firewall and need to schedule another window.  I will do as instructed and post.

Is there any inspection that I need to disable for SMTP? It felt like something else was wrong. All the other rules that I migrated worked.

Nope.

I mean, there is an ESMTP inspection in place, but as long as this is valid traffic you should not have any issues. We will determine that with the captures, no worries.

Remember to subscribe on my website for more networking posts at http://laguiadelnetworking.com

Any questions, contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura
