08-22-2008 03:53 AM - edited 03-11-2019 06:34 AM
Hi,
I am wondering if SMTP (port 25) is being blocked by default on the ASA 5510 firewall. The reason I am asking is that when one of my Exchange servers tries to forward emails to the Exchange server inside the ASA 5510, the connections are always dropped. I tried the packet tracer and it always says that the packet was dropped and the access rule that dropped it is the implicit IP deny-all rule.
I have configured NAT on the 5510 for the Exchange server and still the traffic does not come in, for port 25 only. Specific rules have also been added to allow TCP/25 through, but still the same problem. I wonder if there is an "inspection" on SMTP/25 which causes the problem? If not, how can I overcome this problem so that the two Exchange servers can talk to one another?
Many thanks for any suggestions,
Tan
08-22-2008 06:15 AM
From the reason you got, it looks like a packet filtering issue.
Could you please post your config here?
08-22-2008 06:33 AM
08-22-2008 07:18 AM
Is this the one you have a problem with?
name 116.x.x.121 SGPCRS02-EXT description Exchange server for PO
Is the internal server on the PO interface?
If yes,
this line is good:
static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask 255.255.255.255
but you need to add an ACL to permit SMTP,
like
access-list 100 permit tcp any host SGPCRS02-EXT eq 25
and it should be applied in the inbound direction on the outside interface.
I think you have a problem with your ACLs.
Just check it and let me know.
Good luck
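The three pieces this reply describes (static NAT, an ACL matching the public address, and the access-group binding), shown together as an added example that is not part of the original reply. It uses the thread's object names and pre-8.3 NAT syntax (ASA 7.x to 8.2, which a 5510 in 2008 would run); the interface names "PO" and "Outside", the peer address 203.0.113.5, and the verification commands are assumptions. On ASA 8.3 and later the NAT syntax is different and the inbound ACL references the real (inside) address instead of the mapped one.

```cisco
! Added example, not from the original thread. Pre-8.3 NAT syntax (ASA 7.x / 8.0-8.2).
! Assumed: inside interface is "PO", outside interface is "Outside",
! SGPCRS02-INT = real address of the Exchange server, SGPCRS02-EXT = its public address.

! 1. Static one-to-one NAT: packets sent to the public address are translated to the server.
static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask 255.255.255.255

! 2. Pre-8.3: the ACL on the outside interface must match the MAPPED (public) address.
!    Limit the source to the peer Exchange server if its address is fixed (203.0.113.5 is a
!    placeholder); "any" as in the reply above is needed if the server must accept mail
!    from the whole Internet.
access-list outside_access_in extended permit tcp host 203.0.113.5 host SGPCRS02-EXT eq 25

! 3. The ACL does nothing until it is bound to the interface in the inbound direction.
!    Without this line the implicit deny is still what packet-tracer reports.
access-group outside_access_in in interface Outside

! Verify: the hit count on the permit line increments when the peer connects
show access-list outside_access_in
! Simulate the inbound SYN; the trace should end in "action: allow", not the implicit deny
packet-tracer input Outside tcp 203.0.113.5 51234 <public IP of SGPCRS02-EXT> 25
```

Return packets from the Exchange server to the peer belong to the connection the first SYN created and are matched against the connection table, so no entry permitting port 25 from SGPCRS02-INT is required on the PO interface for this flow.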
08-22-2008 09:31 PM
Hi,
I have added the following to the config but still the same problem.
static (PO,Outside) SGPCRS02-EXT SGPCRS02-INT netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host SGPCRS02-EXT eq 25
access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
inspect icmp
inspect smtp
The traffic from external SMTP to internal is still blocked. Can you assist?
Thanks
08-22-2008 11:11 PM
First, you don't need this line
access-list PO_access_in extended permit tcp host SGPCRS02-INT eq 25
as long as you are using the external IP with static NAT.
Don't forget:
access-group outside_access_in in interface outside
Secondly,
try to disable SMTP and ESMTP inspection from
policy-map asa_global_fw_policy
class inspection_default
because sometimes they cause problems,
and let me know.
Good luck
08-23-2008 12:46 PM
Are you trying to send the mails from outside to inside?
Then I think you should also have this in your inside inbound access-list:
access-list PO_access_in permit tcp host SGPCRS02-INT eq 25 any
Regards,
Prem
08-23-2008 05:45 PM
I agree with Prem,
because as I mentioned in my first post the problem is with packet filtering, and especially with the implicit deny ACL entry.
So try access-list PO_access_in permit tcp host SGPCRS02-INT eq 25 any
and make sure of the inbound ACL on the outside interface as well.
08-24-2008 06:03 AM
But there is one more thing that I want to point out here. If what I think is happening is the case, then because we have allowed the traffic in the outside access-list,
the firewall should add a session entry for the connection, and the returning traffic/packet should bypass the many lookups associated with a new connection. :P
But anyway, try "access-list PO_access_in permit tcp host SGPCRS02-INT eq 25 any"
What would really help you in understanding what is happening is syslogs.
logging on
logging host
logging mon 7 (to troubleshoot this issue)
Or you can collect the logs from the console too:
logging on
logging con 7
And then try to do what you are doing and share the logs.
To turn logging off:
no logg on
no logg con 7
Regards,
Prem
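An added example, not part of Prem's reply or of the earlier one about inspection, that puts both troubleshooting steps from this thread into one fragment: temporarily removing ESMTP inspection from the global policy, and sending the firewall's syslog to a collector rather than the console so the drop can be identified. The policy-map name is the one the thread shows; the collector address 10.0.0.50 on the PO interface, the use of the esmtp keyword for the inspection engine, and the show commands are assumptions.

```cisco
! Added example, not from the original thread. Assumes the global policy is named
! asa_global_fw_policy (as in the thread) and a syslog collector at 10.0.0.50 (placeholder)
! is reachable through the PO interface.

! --- A. Temporarily remove ESMTP inspection to test whether it is the cause ---
policy-map asa_global_fw_policy
 class inspection_default
  no inspect esmtp
! Re-enable it with "inspect esmtp" after the test: it is the engine that masks the
! server's 220 banner and restricts the SMTP commands an outside host may send.

! --- B. Log to a collector and the local buffer instead of the console ---
logging enable
logging timestamp
logging buffered informational
logging host PO 10.0.0.50
logging trap informational
! Level 6 (informational) is enough for this problem: it carries 302013/302014
! (TCP connection built / torn down) and 106023 (denied by an access-group).
! 106100 is logged instead of 106023 only for ACL lines that carry the "log" keyword.

! --- C. Read the buffer while the peer server retries delivery ---
show logging | include 106023
show logging | include 302013
show conn port 25
```

A 106023 line naming "outside_access_in" means the ACL or its access-group binding is what to fix; a 302013 "Built inbound TCP connection" line to port 25 means the firewall admitted the connection and the problem is elsewhere (inspection or the server itself). Logging at level 7 to the console, as in the reply above, works for a short test but can saturate the console on a busy firewall, so a buffer or syslog host is the safer place to collect.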