460 Views | 0 Helpful | 7 Replies

ASA5515 SMTP issue failed to permit SMTP traffic please help!!

Neko-Chen
Level 1

I have disabled ESMTP inspection via "no inspect esmtp", but still cannot access the SMTP service. Outlook and other email software still report that they failed to connect to the host, and emails fail to send.

I have no idea what the problem is. Please help me. Thanks. Here is the configuration:

:
ASA Version 8.6(1)2 
!
hostname  ASA
domain-name ***
enable password K** encrypted
passwd *encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address *** 255.255.255.248 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address *** 255.255.254.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 security-level 100
 no ip address
!             
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif mgmt
 security-level 100
 ip address ***255.255.255.0 
 management-only
!             
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone peking 8
dns domain-lookup outside
dns server-group DefaultDNS
 name-server ***
 domain-name ***
same-security-traffic permit intra-interface
object network my-inside-nat
 subnet ***
object network vpnaddress
 subnet ***
object network LAN
 subnet ***
object network NETWORK_OBJ_***
 subnet ****
object network FTP_Address
 host ***
object network ftp_internal
 host ***
object network CM
 subnet ***
 description CM
object network FTP
 host ***
object network FTP_server
 host ***
object-group network DM_INLINE_NETWORK_1
 network-object ***
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list 102 extended permit tcp any any eq smtp 
access-list 102 extended permit icmp any any 
access-list 102 extended permit tcp any host **** object-group DM_INLINE_TCP_1 
access-list testgroup_splitTunnelAcl standard permit ***255.255.254.0 
access-list outside_cryptomap_10.10 extended permit ip any any 
access-list outside_cryptomap_10.10_1 extended permit ip object vpnaddress **** 
access-list 00_SplitTunnelAcl standard permit ***
access-list 00_SplitTunnelAcl standard permit ***
access-list 00A_SplitTunnelAcl standard permit ***
access-list inside_access_in extended permit ip any any 
access-list Test_access_in extended permit ip any any 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list outside_access_in extended permit icmp any any unreachable 
access-list 101 extended permit tcp any any eq smtp 
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging host inside ****
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside ****
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
ip local pool VPNPool **** mask 255.255.255.0
ip local pool TestPool ****-**** mask 255.255.255.0
no failover
icmp unreachable rate-limit 10 burst-size 5
icmp permit ***255.255.254.0 inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static vpnaddress vpnaddress
!
object network my-inside-nat
 nat (inside,outside) dynamic interface
object network FTP_server
 nat (inside,outside) static*** service tcp ftp ftp 
access-group 102 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ***1
route outside ** 255.255.255.0 ** 1
route inside *** 255.255.255.0 ** 1
route outside *** 255.255.255.0 **1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http ***255.255.255.255 mgmt
http *** 255.255.255.255 inside
http ****255.255.255.255 inside
http *** 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
virtual telnet***
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map cisco 10 set ikev1 transform-set ESP-DES-MD5
crypto dynamic-map cisco 10 set ikev2 ipsec-proposal DES
crypto dynamic-map cisco 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=***
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 7f26c050
 ***
  quit
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share*****
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet ** ** inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption des-sha1
ssl trust-point ASDM_TrustPoint0 outside

 tunnel-group-list enable
 tunnel-group-preference group-url
group-policy testgroup internal
group-policy testgroup attributes
 dns-server value ****
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value p1add.radd.lan
group-policy "GroupPolicy_00 0A00VPN" internal
group-policy "GroupPolicy_000 VPN" internal
group-policy "GroupPolicy_00 VPN" attributes
 wins-server none
 dns-server value ****
 vpn-tunnel-protocol ***-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ***_SplitTunnelAcl
 default-domain value ***
 address-pools value TestPool
group-policy ***internal
group-policy ***attributes
 dns-server value ****
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 000_SplitTunnelAcl
 address-pools value VPNPool

 
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
tunnel-group testgroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group *** type remote-access
tunnel-group **** general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
 default-group-policy ***
tunnel-group *** ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group "AnyConnect VPN" type remote-access
tunnel-group "AnyConnect VPN" general-attributes
 address-pool VPNPool
 authorization-server-group LOCAL
tunnel-group "AnyConnect VPN" webvpn-attributes
 group-alias "AnyConnect VPN" enable
tunnel-group "AnyConnect VPN" type remote-access
tunnel-group "AnyConnect VPN" general-attributes
 address-pool TestPool
 default-group-policy "GroupPolicy_AnyConnect VPN"
tunnel-group "AnyConnect VPN" webvpn-attributes
 group-alias "AnyConnect VPN" enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
policy-map global-policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:d7d6c3e7ed9892285702aab47319fd95
: end          

7 Replies

Marvin Rhoads
Hall of Fame

It looks like you have a mail server on the inside you want clients to be able to reach from the outside. You already have the access-list on the outside interface. However, you will also need a static NAT for the server so that it has a unique public address. Otherwise incoming traffic will have no way of knowing the real IP address of the mail server.

Hi Marvin,

I have no mail server on the inside. The mail server is outside, and all users need to connect to the outside mail server, but sending email fails. Telnet to the mail server also fails. I have set "no inspect esmtp", but it still does not work.

Please run packet-tracer to highlight the flow through your ASA as follows:

packet-tracer input inside tcp <address of a client PC> 1025 <address of your outside mail server> 25

(substituting your actual ip addresses for the bracketed variables) and share the output. 

Also, you don't need:

access-list inside_access_in extended permit ip any any 

access-group inside_access_in in interface inside

...as a higher security interface is by default allowed to communicate with lower security interfaces.

 

Hi Marvin, I have deleted 

access-list inside_access_in extended permit ip any any 

access-group inside_access_in in interface inside

then tried to telnet, but it still failed.

The result of packet-tracer:

ASA#packet-tracer input inside tcp 172.28.76.191 25 111.221.119.105 25

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network my-inside-nat
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 172.28.76.191/25 to *.*.210.26/19

Phase: 5
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 368953, packet dispatched to next module
              
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Hi Marvin, do you have any idea about my problem? I cannot solve it... please help... thanks.
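The packet-tracer output above is easiest to read when you know which phase to look at. The following is an added example (not part of this thread, and not Cisco tooling): a small Python parser for the `packet-tracer` text format shown above. It walks the "Phase:" blocks, records each phase's Type, Result, Config and Additional Information, reads the trailing "Result:" summary, and reports the first non-ALLOW phase together with the configuration line that caused it. Both sample traces are constructed here with RFC 5737 placeholder addresses; the second one shows what a flow denied by an interface access-list looks like, which is the case the poster's trace does not exhibit.

```python
"""Parse Cisco ASA `packet-tracer` output and report which phase, if any, dropped the flow."""
import re

# Constructed sample: a permitted flow, modelled on the trace posted in this thread
# (placeholder addresses, not real hosts).
ALLOWED = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network my-inside-nat
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.0.2.10/1025 to 203.0.113.1/19

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""

# Constructed sample: the same flow stopped by an interface access-list.
DROPPED = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny tcp any any eq smtp
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return {"phases": [...], "summary": {...}} for one packet-tracer run."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "Result:":            # bare "Result:" opens the final summary block
            in_summary, current = True, None
            continue
        if in_summary:                   # "key: value" lines such as "Action: allow"
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if current is None:
            continue                     # command echo or banner before the first phase
        if line.startswith("Type:"):
            current["type"] = line[5:].strip()
        elif line.startswith("Subtype:"):
            current["subtype"] = line[8:].strip()
        elif line.startswith("Result:"):
            current["result"] = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)
    return {"phases": phases, "summary": summary}


def first_drop(trace):
    """Return the first phase whose Result is not ALLOW, or None if the ASA permits the flow."""
    for phase in trace["phases"]:
        if phase["result"].upper() != "ALLOW":
            return phase
    return None


def explain(text):
    """One-line verdict: where the firewall dropped the packet, or that it did not."""
    trace = parse_packet_tracer(text)
    drop = first_drop(trace)
    action = trace["summary"].get("action", "?")
    if drop is None:
        return (f"action={action}: ASA permits the flow in all {len(trace['phases'])} "
                f"phases; look beyond the firewall (host firewall, AV, server)")
    cfg = " | ".join(drop["config"]) or "(no config shown)"
    reason = trace["summary"].get("drop-reason", "")
    return f"action={action}: dropped in phase {drop['phase']} {drop['type']} -> {cfg} {reason}".rstrip()


if __name__ == "__main__":
    print(explain(ALLOWED))
    print(explain(DROPPED))
```

Feed it the text copied from the ASA console; if every phase reads ALLOW and the summary says "Action: allow", as in the poster's trace, the firewall is not the component rejecting the connection.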

According to your packet tracer output, the ASA is not blocking the traffic from a client to the mail server. Can you watch the ASA logs when you try to connect and look for something unusual?

The best way is to make sure you are logging at level 6 and then try to connect. Watch the logs in ASDM (Monitoring > Logging > Real Time Log Viewer). You should see the TCP flows being set up.

You can also go on your server and watch for the incoming connection requests (note that they will be coming from the ASA outside interface - the NAT address your clients will be using).
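Logging at level 6 only helps if the connection messages have not been switched off individually. The posted configuration contains a block of `no logging message` lines that includes 302013 (Built TCP connection), 302014 (Teardown TCP connection), 106023 (Deny by access-group) and 106100 (access-list log), so even with `logging buffered informational` the flows Marvin wants to see would never appear. The following is an added example, not code from this thread or from Cisco: a Python check that reads an ASA configuration, collects the suppressed message IDs and the severity of each logging destination, and lists which of the flow-visibility messages would be missing, plus the `logging message <id>` commands that re-enable them. The sample configuration is constructed to mirror the relevant lines of the poster's config; the message IDs and their default severities are standard ASA syslog IDs.

```python
"""Check an ASA configuration for logging settings that hide TCP flow setup/teardown."""
import re

# ASA severity keywords and their numeric levels.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Syslog messages you need while troubleshooting a TCP flow such as SMTP:
# ID -> (default severity, meaning). Standard ASA message IDs.
FLOW_MESSAGES = {
    "302013": (6, "Built TCP connection"),
    "302014": (6, "Teardown TCP connection"),
    "106023": (4, "Deny by access-group (packet dropped by an interface ACL)"),
    "106100": (6, "access-list permit/deny (ACL entry with the 'log' keyword)"),
    "106015": (6, "Deny TCP (no connection) - packet with no existing flow"),
}

# Constructed sample, modelled on the logging block in the posted configuration.
SAMPLE_CONFIG = """\
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.0.2.50
no logging message 106015
no logging message 313001
no logging message 106023
no logging message 106100
no logging message 302014
no logging message 302013
"""

# The same configuration with every 'no logging message' line removed.
FIXED_CONFIG = "\n".join(l for l in SAMPLE_CONFIG.splitlines()
                         if not l.startswith("no logging message"))


def parse_logging(config_text):
    """Return (suppressed message IDs, {destination: numeric level})."""
    suppressed, levels = set(), {}
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r"no logging message (\d+)$", line)
        if m:
            suppressed.add(m.group(1))
            continue
        m = re.match(r"logging (buffered|trap|asdm|console|monitor) (\S+)$", line)
        if m:
            dest, lvl = m.groups()
            # Level may be a keyword ("informational") or a digit ("6").
            levels[dest] = SEVERITY.get(lvl, int(lvl) if lvl.isdigit() else None)
    return suppressed, levels


def flow_visibility_gaps(config_text, destination="buffered"):
    """List the flow messages that would not reach `destination` with this config."""
    suppressed, levels = parse_logging(config_text)
    level = levels.get(destination)
    gaps = []
    for msg_id, (sev, meaning) in FLOW_MESSAGES.items():
        if msg_id in suppressed:
            gaps.append(f"{msg_id} ({meaning}) is disabled by 'no logging message {msg_id}'")
        elif level is None or level < sev:
            gaps.append(f"{msg_id} ({meaning}) needs 'logging {destination}' at level {sev}, "
                        f"configured {level}")
    return gaps


def reenable_commands(config_text):
    """ASA commands that turn the suppressed flow messages back on."""
    suppressed, _ = parse_logging(config_text)
    return [f"logging message {i}" for i in sorted(suppressed & set(FLOW_MESSAGES))]


if __name__ == "__main__":
    for gap in flow_visibility_gaps(SAMPLE_CONFIG):
        print("GAP:", gap)
    for cmd in reenable_commands(SAMPLE_CONFIG):
        print("FIX:", cmd)
```

Run it against the output of `show running-config` before staring at the Real Time Log Viewer; once the gaps list is empty for the destination you are watching, each SMTP attempt from a client should produce a 302013/302014 pair, and the absence of one points to the client host rather than the firewall.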

Hi Marvin,

I found what the problem is: it was blocked by McAfee VirusScan, not an ASA issue.

Thanks for your help.
