03-17-2015 12:09 AM - edited 03-11-2019 10:38 PM
Hi,
I'm trying to make a new setup for our mail server so they can use it from their mobile phones, and I'm having trouble with SMTP outbound.
When using the local or private IP and typing the command telnet x.x.x.x 25, it is working,
but when I try the public IP from outside with the telnet x.x.x.x 25 command, it is not working.
I already configured SMTP on the Cisco 5510 firewall.
object-group service mail tcp
port-object eq www
port-object eq smtp
Tried the command:
no fixup protocol smtp 25
no inspect esmtp & smtp
tried to change interface to out to in
but it's not working :))
How about my banner??
"Please see the attached file"
thanks
Arvin R.
03-17-2015 01:01 PM
You have just posted the object group which defines HTTP and SMTP, but you have not posted any config that references this object-group. We would need to see the ACL for the outside interface and any NAT statement that references this object group or port tcp 25 on its own (make sure you post them in the exact order they are found in the configuration, please).
--
Please remember to select a correct answer and rate helpful posts
03-17-2015 07:08 PM
Hi,
Sorry, I forgot to add my ACL, but yes, I already configured it.
access-group outside_access_in in interface outside
access-list outside_access_in extended ........... mail(Object-group)
thanks
03-18-2015 02:33 AM
Could you please post your full sanitized running config of your ASA as well as the output of a packet tracer
packet-tracer input <outside interface name> tcp 4.2.2.2 12345 <SMTP server IP> 25 detail
--
Please remember to select a correct answer and rate helpful posts
03-18-2015 04:11 AM
Hi,
Here's my Configuration.
Interface Ethernet0/0
description outside interface
nameif outside
security-level 0
ip address x.x.x.x. 255.255.255.2
!
interface Ethernet0/1
description inside interface
nameif inside
security-level 100
ip address x.x.x.x 255.255.240.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
!
banner motd ******************************************************************************
banner motd * Access to this system is limited to authorized user only. If not *
banner motd * authorized to access this system, disconnect now. Unauthorized users will *
banner motd * be prosecuted to the full extent of the law. You should have no *
banner motd * expectation of privacy. Use of this system and all files on this system *
banner motd * may be intercepted, monitored, recorded, audited, inspected, and disclosed *
banner motd * to authorized site users, law enforcement authorities, and authorized *
banner motd * officials of other agencies. Use of this system implies consent to the *
banner motd * conditions described in this warning banner. Unauthorized or improper use *
banner motd * of this system may result in administrative disciplinary action and civil *
banner motd * and criminal penalties. By continuing to use this system you indicate your *
banner motd * awareness of and consent to these terms and conditions of use. *
banner motd * *
banner motd * LOG OFF IMMEDIATELY if you do not agree to the conditions stated *
banner motd * in this warning. *
banner motd ******************************************************************************
ftp mode passive
object-group service webservices tcp
port-object eq www
port-object eq https
port-object eq ftp
object-group network allowed_servers
network-object host 10.11.11.111
object-group network FrontBridgeServers
network-object host 12.129.199.61
network-object host 333.33.33.33
network-object host FBserver
object-group service email tcp
port-object eq www
port-object eq lotusnotes
port-object eq smtp
access-list IPS extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp object-group FrontBridgeServers host 133.23.23.232 eq smtp
access-list outside_access_in extended permit tcp any host 133.23.23.232 eq email
access-list nonat extended permit ip 11.x.x.0 255.255.255.0 11.x.x.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.11.11.111 255.255.255.255
static (inside,outside) 133.23.23.232 10.11.11.111 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp enable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value cbkpower.com
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynmap
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group ciscovpn type ipsec-ra
tunnel-group ciscovpn general-attributes
address-pool vpnpool
tunnel-group ciscovpn ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 management
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map my-ips-class
match access-list IPS
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map my-ips-policy
class my-ips-class
ips inline fail-open
!
service-policy my-ips-policy global
Cryptochecksum:6d50f12cb115ec6499acaef1944f7b7f
: end
03-18-2015 02:31 PM
Could you also run the following packet tracer
packet-tracer input outside tcp 4.2.2.2 12345 133.23.23.232 25 detail
--
Please remember to select a correct answer and rate helpful posts
03-18-2015 07:04 PM
Hi,
Packet-tracer command is not working on my ASA 5510 Version 7.0(6)
thanks
03-22-2015 03:57 PM
Could you try changing the ACL port to smtp instead of email. Also try adding inspect smtp to the global policy.
--
Please remember to select a correct answer and rate helpful posts
03-23-2015 07:15 PM
Hi Marus,
Tried to add smtp and add also inspect smtp but it didn't work.
thanks
03-25-2015 01:09 AM
Is the configuration you posted your whole config, or have you removed some NAT and ACL configuration from it?
--
Please remember to select a correct answer and rate helpful posts