
SMTP outbound Error (Details Inside)zz


Hi,

I'm trying to make a new setup for our mail server so they can use it from their mobile phones, and I'm having trouble with SMTP outbound.

When using local or private and typing the command telnet x.x.x.x 25, it is working,

but when I tried the telnet x.x.x.x 25 command using the public IP or from outside, it is not working.

I already configured SMTP on the Cisco 5510 firewall.

object-group service mail tcp
 port-object eq www
 port-object eq smtp

 

Tried the command:

no fixup protocol smtp 25

no inspect esmtp & smtp

Tried to change the interface from out to in

but it's not working :))

How about my banner?

"Please see the attached file"

thanks 

Arvin R.

9 Replies

You have just posted the object group which defines HTTP and SMTP, but you have not posted any config that references this object-group. We would need to see the ACL for the outside interface and any NAT statement that references this object group or port tcp 25 on its own (make sure you post them in the exact order they are found in the configuration, please).

--

Please remember to select a correct answer and rate helpful posts


Hi,

Sorry, I forgot to add my ACL, but yes, I already configured it.

access-group outside_access_in in interface outside

access-list outside_access_in extended ........... mail(Object-group)

thanks

Could you please post the full sanitized running config of your ASA as well as the output of a packet tracer:

packet-tracer input <outside interface name> tcp 4.2.2.2 12345 <SMTP server IP> 25 detail

--

Please remember to select a correct answer and rate helpful posts


Hi,

Here's my configuration.

Interface Ethernet0/0
 description outside interface
 nameif outside
 security-level 0
 ip address x.x.x.x. 255.255.255.2
!
interface Ethernet0/1
 description inside interface
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.240.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
!
banner motd ******************************************************************************
banner motd * Access  to  this  system  is limited  to  authorized user  only. If  not *
banner motd * authorized to access this system, disconnect now. Unauthorized users  will *
banner motd * be  prosecuted  to  the  full  extent  of  the  law.  You  should have  no *
banner motd * expectation  of privacy. Use  of this system and all files on this system  *
banner motd * may be intercepted, monitored, recorded, audited, inspected, and disclosed *
banner motd * to  authorized  site  users, law  enforcement  authorities, and authorized *
banner motd * officials  of  other  agencies. Use of this system  implies consent to the *
banner motd * conditions described in this warning banner.  Unauthorized or improper use *
banner motd * of this system may result in  administrative disciplinary action and civil *
banner motd * and criminal penalties. By continuing to use this system you indicate your *
banner motd * awareness of and consent to these terms and conditions of use.             *
banner motd *                                                                            *
banner motd *      LOG OFF IMMEDIATELY if you do not agree to the conditions stated      *
banner motd *                             in this warning.                               *
banner motd ******************************************************************************
ftp mode passive
object-group service webservices tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
object-group network allowed_servers
 network-object host 10.11.11.111
object-group network FrontBridgeServers
 network-object host 12.129.199.61
 network-object host 333.33.33.33

 network-object host FBserver
object-group service email tcp
 port-object eq www
 port-object eq lotusnotes
 port-object eq smtp

access-list IPS extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object-group FrontBridgeServers host 133.23.23.232 eq smtp
access-list outside_access_in extended permit tcp any host 133.23.23.232 eq email

access-list nonat extended permit ip 11.x.x.0 255.255.255.0 11.x.x.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500

icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.11.111 255.255.255.255
static (inside,outside) 133.23.23.232 10.11.11.111 netmask 255.255.255.255

access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none

 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value cbkpower.com
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access

aaa authentication ssh console LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
 address-pool vpnpool
tunnel-group ciscovpn ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map my-ips-class
 match access-list IPS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map my-ips-policy
 class my-ips-class
  ips inline fail-open
!
service-policy my-ips-policy global
Cryptochecksum:6d50f12cb115ec6499acaef1944f7b7f
: end

 

Could you also run the following packet tracer:

packet-tracer input outside tcp 4.2.2.2 12345 133.23.23.232 25 detail

--

Please remember to select a correct answer and rate helpful posts


Hi,

The packet-tracer command is not working on my ASA 5510 Version 7.0(6).

thanks

Could you try changing the ACL port to smtp instead of email? Also try adding inspect smtp to the global policy.

--

Please remember to select a correct answer and rate helpful posts


Hi Marus,

Tried to add smtp and also added inspect smtp, but it didn't work.

 

thanks

Is the configuration you posted your whole config, or have you removed some NAT and ACL configuration from it?

--

Please remember to select a correct answer and rate helpful posts
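
The checks the replies above ask for (an ACL bound inbound on the outside interface, a static translation for the public address, and a rule that actually resolves to tcp 25), written as an added Python example that is not code from any poster. The names `audit` and `to_port` and the sample excerpt are constructed for illustration, and the parser only understands the few PIX/ASA 7.x line forms that appear in the posted config.

```python
# Added example. SAMPLE is a constructed excerpt modelled on the sanitized config above.
SAMPLE = """\
object-group service email tcp
 port-object eq www
 port-object eq lotusnotes
 port-object eq smtp
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 133.23.23.232 eq email
static (inside,outside) 133.23.23.232 10.11.11.111 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
PORTS = {"ftp": 21, "smtp": 25, "www": 80, "https": 443, "lotusnotes": 1352}

def to_port(tok):
    # Port literal (number or well-known name) -> int, or None if it is neither.
    return int(tok) if tok.isdigit() else PORTS.get(tok)

def audit(config, public_ip, port=25, iface="outside"):
    """Return findings that would stop tcp/<port> from any source reaching public_ip."""
    groups, group, acls, statics, bound = {}, None, {}, set(), None
    for raw in config.splitlines():
        t = raw.split() or [""]
        if t[0] == "object-group":
            group = groups.setdefault(t[2], set()) if t[1] == "service" else None
        elif t[0] == "port-object" and group is not None and t[1] == "eq":
            group.add(to_port(t[2]))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "tcp"]:
            acls.setdefault(t[1], []).append(t[5:])
        elif t[0] == "static" and len(t) > 3:
            statics.add(t[2])                      # mapped (public) address
        elif t[0] == "access-group" and t[2:] == ["in", "interface", iface]:
            bound = t[1]
    findings, allowed = [], False
    if bound is None:
        findings.append(f"no ACL bound inbound on {iface}")
    if public_ip not in statics:
        findings.append(f"no static translation for {public_ip}")
    for ace in acls.get(bound, []):
        if ace[0] != "any" or public_ip not in ace:
            continue                               # only rules open to any source
        op, name = ace[-2], ace[-1]
        ports = groups.get(name, set()) if op == "object-group" else {to_port(name)}
        if op == "eq" and None in ports:
            hint = f"; reference the group as 'object-group {name}'" if name in groups else ""
            findings.append(f"'eq {name}' names no TCP port{hint}")
        allowed |= port in ports or op == "host"   # no port qualifier = all ports
    if not allowed:
        findings.append(f"no rule permits tcp/{port} from any to {public_ip}")
    return findings
```

On the constructed excerpt, `audit(SAMPLE, "133.23.23.232")` reports the `eq email` entry and the resulting lack of a tcp/25 permit; rewriting that entry as `eq smtp` or `object-group email` returns no findings.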
