Unable to open SMTP session through ASA 5512-X

johnathan.t
Level 1

Hi All,

Just doing some basic testing before we replace our ancient PIX 515E with a new 5512. I have a mini lab set up following the diagram below, although I am unable to telnet through to the mail server's netcat listener on port 25 TCP. I can ping all the way outbound from 192.168.101.1 to 10.0.0.2, and the 10.0.0.2 machine shows it is translated properly to 200.225.117.1.

NAT and access rules are as follows:

object network mail
 host 192.168.101.1
 description Mail relay
access-list inbound extended permit ip any host 200.225.117.1

ASA# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 72.38.1.2 to network 0.0.0.0
C    192.168.100.0 255.255.255.0 is directly connected, inside
C    72.38.1.0 255.255.255.0 is directly connected, outside
C    192.168.101.0 255.255.255.0 is directly connected, dmz1
S*   0.0.0.0 0.0.0.0 [1/0] via 72.38.1.2, outside


Any ideas? I am also unable to ping the 200.225.117.1 machine with access list permitting IP.

EDIT: Somehow the new global access rule is involved. When adding a permit any any in there I can get to the mail server no problem. When I remove it but leave in my permit ip any any on the outside interface, I am denied?!?!

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

With the new software (from version 8.3 onwards), you would need to configure the real ip on the inbound ACL.

So your inbound acl should be as follows:

access-list inbound extended permit ip any host 192.168.101.1

This is the major change from version 8.3 onwards compared to the earlier version as you have configured (using the NATed IP).


3 Replies

Jennifer,

What was the reasoning behind this design change? It is pretty awful in my opinion. When administrators are configuring inbound access it is much easier to think "what must be allowed to the outside address and on what ports" rather than looking up the translated IP and entering it that way.

Do you think these changes will be added to the PIX to ASA migration tool? The only major change I found documented was the configuration of NAT. Could you provide me a list of major changes between 8.2 and 8.6?

Thank You!

John

You can actually refer to the object in the access-list instead of the actual ip address.

There is also a lot of more flexible NAT that you can configure, i.e. both source and destination IP and ports being translated, etc.

Here are the major changes which take place from version 8.3:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html

1) NAT

2) Access-list

3) Licensing: if you have a failover pair, the licenses don't need to be the same anymore.
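As an added example (not from this thread and not Cisco's own tooling), a small Python check for the 8.3 change Jennifer describes above: it reads an ASA configuration, learns each network object's static translation, and flags access-list entries written against the mapped address, suggesting the object-based form from her later reply instead. The sample configuration is constructed from the thread; the `nat (dmz1,outside) static` line is assumed, since the original post does not show it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an ASA 8.3+ configuration modelled on the thread:
# the real host 192.168.101.1 is statically translated to 200.225.117.1.
# The "nat ... static" line is an assumption; the original post omits it.
SAMPLE_CONFIG = """
object network mail
 host 192.168.101.1
 description Mail relay
 nat (dmz1,outside) static 200.225.117.1
access-list inbound extended permit ip any host 200.225.117.1
access-list inbound extended permit tcp any host 192.168.101.1 eq 25
access-list inbound extended permit tcp any object mail eq 25
access-group inbound in interface outside
"""


def parse_static_nat(config: str) -> Dict[str, Tuple[str, str]]:
    """Map each mapped IP -> (object name, real IP) for object static NAT."""
    mapped: Dict[str, Tuple[str, str]] = {}
    name = real = None
    for line in config.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name, real = m.group(1), None          # new object block starts
        elif m := re.match(r"\s+host (\S+)", line):
            real = m.group(1)                      # real (pre-NAT) address
        elif m := re.match(r"\s+nat \(([^,]+),([^)]+)\) static (\S+)", line):
            if name and real:
                mapped[m.group(3)] = (name, real)
    return mapped


def find_mapped_ip_acl_entries(config: str) -> List[Tuple[str, str]]:
    """Return (offending ACE, suggested ACE) for ACEs that use a mapped IP.

    From 8.3 onwards an interface ACL must match the real address, so an
    ACE permitting traffic to the mapped address never matches and the
    flow is denied by the implicit deny at the end of the list.
    """
    mapped = parse_static_nat(config)
    findings: List[Tuple[str, str]] = []
    for line in config.splitlines():
        if not line.startswith("access-list "):
            continue
        for mip, (obj, _real) in mapped.items():
            pattern = rf"host {re.escape(mip)}(?!\d)"   # avoid 200.225.117.10
            if re.search(pattern, line):
                findings.append((line, re.sub(pattern, f"object {obj}", line)))
    return findings
```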
