03-09-2017 11:38 PM - edited 03-12-2019 02:02 AM
SMTP traffic needs to be translated to the private IP address.
===================================================================================================
InBisco-AHM-ASA5512-FW(config)# sh run nat
nat (DMZ-Apps,outside) source static DMZ-APP-SRV DMZ-APP-SRV destination static NETWORK_OBJ_10.X.66.0_26 NETWORK_OBJ_10.X.66.0_26 no-proxy-arp route-lookup
nat (DMZ-Apps,Airtel-MPLS-WAN) source static DMZ-APP-SRV DMZ-APP-SRV destination static RO-Network-Grp RO-Network-Grp no-proxy-arp route-lookup
nat (inside,Airtel-MPLS-WAN) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static RO-HYD-SAP-SRV RO-HYD-SAP-SRV no-proxy-arp route-lookup
nat (inside,Airtel-MPLS-WAN) source static IT IT destination static RO-Network-Grp RO-Network-Grp no-proxy-arp route-lookup
nat (Secured-SAP,outside) source static SAP-APP-SRV SAP-APP-SRV destination static NETWORK_OBJ_10.X.66.0_26 NETWORK_OBJ_10.X.66.0_26 no-proxy-arp route-lookup
nat (Secured-SAP,Airtel-MPLS-WAN) source static SAP-APP-SRV SAP-APP-SRV destination static RO-Network-Grp RO-Network-Grp no-proxy-arp route-lookup
!
object network Server_HTTP
nat (DMZ-Apps,outside) static 111.X.X.251 service tcp www www
object network Mail_Server_8.14
nat (Secured-SAP,outside) static 111.X.X.253
!
nat (inside,outside) after-auto source dynamic any interface inactive
nat (DMZ-Apps,outside) after-auto source dynamic any interface
nat (Secured-SAP,outside) after-auto source dynamic any interface
InBisco-AHM-ASA5512-FW(config)#
InBisco-AHM-ASA5512-FW(config)# sh run access-l
access-list Secured-SAP_access_in extended permit tcp host 10.X.8.14 any eq smtp
access-list Secured-SAP_access_in extended permit icmp 10.X.8.0 255.255.255.0 any log
access-list Secured-SAP_access_in extended permit ip 10.X.8.0 255.255.255.0 object-group LAN-Subnet-Group log
access-list Secured-SAP_access_in remark For SAP LDP Printing
access-list Secured-SAP_access_in extended permit tcp 10.X.8.0 255.255.255.0 object-group RO-Network-Grp eq lpd log
access-list Secured-SAP_access_in remark For Internet Access of Servers
access-list Secured-SAP_access_in extended permit object-group DM_INLINE_SERVICE_1 10.X.8.0 255.255.255.0 any log
access-list Secured-SAP_access_in extended permit tcp host 10.X.8.9 any eq smtp
access-list outside_access_in extended permit icmp any any log
access-list outside_access_in extended permit tcp any object MAIL_Server_25 eq smtp
access-list outside_access_in extended permit tcp any object Server_HTTP eq www
access-list outside_access_in extended permit tcp any object MAIL_Server object-group DM_INLINE_TCP_3
access-list outside_access_in extended permit tcp any object MAIL_Server_465 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object MAIL_Server_110 eq pop3
access-list outside_access_in extended permit tcp any object MAIL_Server_993 eq 993
InBisco-AHM-ASA5512-FW(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/1 Secured-SAP 10.X.X.250 255.255.255.0 CONFIG
GigabitEthernet0/5 outside 111.X.X.250 255.255.255.248 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/1 Secured-SAP 10.150.8.250 255.255.255.0 CONFIG
GigabitEthernet0/5 outside 111.93.94.250 255.255.255.248 manual
========================================================================================
InBisco-AHM-ASA5512-FW(config)# pack in sec tcp 10.150.8.14 25 202.160.160.30 $
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa3847fa0, priority=13, domain=capture, deny=false
hits=76832549, user_data=0x7fffa38869f0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Secured-SAP, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2a573c0, priority=1, domain=permit, deny=false
hits=373390729, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Secured-SAP, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Secured-SAP_access_in in interface Secured-SAP
access-list Secured-SAP_access_in extended permit tcp host 10.150.8.14 any eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa369c4f0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fff9ecb7940, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.150.8.14, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0
input_ifc=Secured-SAP, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2a5c400, priority=0, domain=inspect-ip-options, deny=true
hits=2288007, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Secured-SAP, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa3b570c0, priority=70, domain=inspect-smtp, deny=false
hits=4, user_data=0x7fffa3b4cd10, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0
input_ifc=Secured-SAP, output_ifc=any
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Mail_Server_8.14
nat (Secured-SAP,outside) static 111.93.94.253
Additional Information:
Static translate 10.150.8.14/25 to 111.93.94.253/25
Forward Flow based lookup yields rule:
in id=0x7fffa36f1320, priority=6, domain=nat, deny=false
hits=1, user_data=0x7fffa2b97bb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.150.8.14, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Secured-SAP, output_ifc=outside
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa2b406e0, priority=0, domain=inspect-ip-options, deny=true
hits=2910621, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 36054020, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt <inspect_esmtp>
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt <inspect_esmtp>
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: Secured-SAP
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
InBisco-AHM-ASA5512-FW(config)#
==============================================================================
InBisco-AHM-ASA5512-FW(config)# pack in out tcp 202.160.160.30 25 10.150.8.14$
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa3886a50, priority=13, domain=capture, deny=false
hits=6718415, user_data=0x7fffa33f17d0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2b3b6a0, priority=1, domain=permit, deny=false
hits=152266549, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.150.8.0 255.255.255.0 Secured-SAP
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object MAIL_Server_25 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa368be10, priority=13, domain=permit, deny=false
hits=72, user_data=0x7fff9ecb7640, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.150.8.14, mask=255.255.255.255, port=25, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2b406e0, priority=0, domain=inspect-ip-options, deny=true
hits=2910658, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2945ea0, priority=70, domain=inspect-smtp, deny=false
hits=72, user_data=0x7fffa3b4cd10, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2c15660, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=904254, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network Mail_Server_8.14
nat (Secured-SAP,outside) static 111.93.94.253
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa3aa9d60, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7fffa2b97bb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.150.8.14, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=Secured-SAP
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Secured-SAP
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
=================================================================================================
InBisco-AHM-ASA5512-FW(config)# pack in out tcp 202.160.160.30 25 111.93.94.2$
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa3886a50, priority=13, domain=capture, deny=false
hits=6719868, user_data=0x7fffa33f17d0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2b3b6a0, priority=1, domain=permit, deny=false
hits=152267284, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network Mail_Server_8.14
nat (Secured-SAP,outside) static 111.93.94.253
Additional Information:
NAT divert to egress interface Secured-SAP
Untranslate 111.93.94.253/25 to 10.150.8.14/25
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object MAIL_Server_25 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa368be10, priority=13, domain=permit, deny=false
hits=73, user_data=0x7fff9ecb7640, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.150.8.14, mask=255.255.255.255, port=25, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2b406e0, priority=0, domain=inspect-ip-options, deny=true
hits=2910684, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: inspect-smtp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect esmtp _default_esmtp_map
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2945ea0, priority=70, domain=inspect-smtp, deny=false
hits=73, user_data=0x7fffa3b4cd10, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=25, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2c15660, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=904268, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network Mail_Server_8.14
nat (Secured-SAP,outside) static 111.93.94.253
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa3aa9d60, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x7fffa2b97bb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=10.150.8.14, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=Secured-SAP
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa2a5c400, priority=0, domain=inspect-ip-options, deny=true
hits=2288055, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Secured-SAP, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 36054474, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt <inspect_esmtp>
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_punt <inspect_esmtp>
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Secured-SAP
output-status: up
output-line-status: up
Action: allow
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Outgoing email is not working.
Please do the needful for the same.
03-10-2017 01:28 PM
Hello,
Apart from 'outbound email not working', I am not able to understand the requirement. Could you please provide the following info:
- the exact mail server IP address, and also confirm whether it is inbound or outbound emails that are not working.
- the public IP address that you wish to use for the purpose.
- the output of:
show nameif
show ip (you can mask the public IP range)
packet-tracer output for the direction in which the issue is happening
logs (if available)
HTH
-
AJ
03-11-2017 02:59 AM
Hi,
The public IP is 111.93.94.253 and the private mail server IP is 10.150.8.14.
Now both outgoing and incoming are not working.
The packet-tracer output is above,
and below is the show ip output.
InBisco-AHM-ASA5512-FW(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/1 Secured-SAP 10.X.X.250 255.255.255.0 CONFIG
GigabitEthernet0/5 outside 111.X.X.250 255.255.255.248 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/1 Secured-SAP 10.150.8.250 255.255.255.0 CONFIG
GigabitEthernet0/5 outside 111.93.94.250 255.255.255.248 manual
Do let me know in case you need anything further.
Regards,
Darshin
03-11-2017 05:34 AM
OK, understood. So, are you now relying only on packet-tracer NAT statements to verify that SMTP traffic isn't working, or have you tested with real TCP traffic as well?
The second packet-tracer output is incorrect since you would need the public IP (mapped IP) as the destination IP address. Also, for the source port, you should use ephemeral ports (above 1024), since the SMTP server would rarely use source port 25.
Other than that, the config looks good.
Not that it's recommended, but you can try to remove inspect smtp to see if that makes a difference. If the real SMTP traffic does not work, please attach logs and we can see where the traffic is getting dropped.
HTH
-
AJ
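As an added example that is not part of the thread, the following Python helper illustrates AJ's two points: it parses packet-tracer output into phases so the dropping phase (here NAT rpf-check, with its Drop-reason) can be read off programmatically, and it checks an inbound packet-tracer command line against a static NAT mapping, flagging a real IP used as destination and a non-ephemeral source port. The trace in SAMPLE_DROP is constructed and abbreviated; the real/mapped IPs are the ones the poster gave.

```python
import re
from dataclasses import dataclass

@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str

# One phase block as packet-tracer prints it: Phase / Type / Subtype / Result.
PHASE_RE = re.compile(
    r"Phase:\s*(\d+)\s*\nType:\s*(\S*)\s*\nSubtype:\s*(.*?)\s*\nResult:\s*(\S+)")

def parse_trace(text):
    """Return (phases, final Action, Drop-reason or None) from packet-tracer output."""
    phases = [Phase(int(n), t, s.strip(), r) for n, t, s, r in PHASE_RE.findall(text)]
    action = re.search(r"^Action:\s*(\w+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    return (phases, action.group(1) if action else None,
            reason.group(1).strip() if reason else None)

def dropping_phase(phases):
    """First phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in phases if p.result == "DROP"), None)

def check_inbound_tracer(cmd, real_ip, mapped_ip):
    """Problems with 'packet-tracer input <ifc> tcp SRC SPORT DST DPORT' run from the
    outside towards a host published by 'nat (...) static MAPPED' (ASA 8.3+): the
    destination must be the mapped IP and the source port should be ephemeral."""
    t = cmd.split()  # abbreviated keywords such as 'pack in out' are accepted
    if len(t) < 8 or not t[0].startswith("pack") or t[3] != "tcp":
        return ["expected: packet-tracer input <ifc> tcp <src> <sport> <dst> <dport>"]
    sport, dst, problems = int(t[5]), t[6], []
    if dst == real_ip:
        problems.append(f"destination {dst} is the real IP; use mapped IP {mapped_ip}")
    if sport <= 1024:
        problems.append(f"source port {sport} is not ephemeral; use a port above 1024")
    return problems

# Constructed, abbreviated trace in packet-tracer's format (not a real capture).
SAMPLE_DROP = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Phase: 2
Type: NAT
Subtype: rpf-check
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running check_inbound_tracer on the thread's second command reports both problems, while the corrected form (mapped IP as destination, ephemeral source port) reports none.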