ASA 5505 incoming traffic issue

I have an issue getting email through the Cisco ASA to our email server, which is 10.100.50.172 255.255.0.0. Everything else is working. We have internet. All outgoing traffic is OK. Does anybody see what's wrong? Thanks,

ASA Version 8.0(2)
!
hostname RedRiverASA
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.yyy.15.10 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name redriverfoods.com
object-group service VideoFlow
 service-object tcp range 3230 3253
 service-object tcp eq h323
 service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!
no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd3505f41995b9dba0c49b19e79760f5


The access-list and static NAT translation both look correct.

Once you add or change a NAT translation, you sometimes have to clear the connection with a "clear xlate" command. This can be more specific to just one global or local IP address. Also consider trying "no inspect smtp". This could either be in global configuration or under the global policy configuration, depending on your image version. Sometimes ESMTP does not work due to this.

Compare this to the accessibility of web pages which I see are also on the same server. It is possible that an incorrect default gateway on the server could be causing this. If the web content is accessible, consider the inspection of SMTP from above.

Increase the logging level and consider even using a syslog service if you do not currently have one. This will allow you to see the connection being permitted or denied as it passes through the firewall. Heavily used firewalls can still log debugging level without a serious impact. It is debugging commands that cause most of the harm, not debugging level logging.

-----
Scott Perry
Indianapolis, IN
-----
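The logging advice above is easier to act on with something that separates "Built" from "Deny" messages for the port you care about. The following is an added example, not part of the thread; it parses the standard ASA 302013 (connection built) and 106023 (ACL deny) message formats over a few constructed sample lines, using 203.0.113.10 as a stand-in for the masked outside address and the thread's 10.100.50.172 as the mail server. The sample lines, the field names and the summary shape are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample lines in the ASA syslog message format (302013 connection
# built, 106023 ACL deny, 302014 teardown). Illustrative only, not taken from
# the thread's firewall.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1181 for outside:198.51.100.7/44120 (198.51.100.7/44120) to inside:10.100.50.172/25 (203.0.113.10/25)
%ASA-4-106023: Deny tcp src outside:198.51.100.9/51012 dst inside:10.100.50.172/25 by access-group "out_in" [0x0, 0x0]
%ASA-6-302014: Teardown TCP connection 1181 for outside:198.51.100.7/44120 to inside:10.100.50.172/25 duration 0:00:05 bytes 2310 TCP FINs
%ASA-6-302013: Built inbound TCP connection 1182 for outside:198.51.100.7/44121 (198.51.100.7/44121) to inside:10.100.50.172/80 (203.0.113.10/80)
%ASA-4-106023: Deny tcp src outside:198.51.100.9/51013 dst inside:10.100.50.172/25 by access-group "out_in" [0x0, 0x0]
"""

BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class ConnEvent:
    kind: str      # "built" or "deny"
    src: str       # peer address on the outside
    dst: str       # destination address as logged
    dport: int     # destination port
    detail: str    # connection id and direction, or the ACL that denied it


def parse_line(line: str) -> Optional[ConnEvent]:
    """Parse one syslog line into a ConnEvent, or None for message ids we don't track."""
    m = BUILT_RE.search(line)
    if m:
        return ConnEvent("built", m["src"], m["dst"], int(m["dport"]),
                         f"{m['direction']} conn {m['conn']} via {m['mapped']}:{m['mport']}")
    m = DENY_RE.search(line)
    if m:
        return ConnEvent("deny", m["src"], m["dst"], int(m["dport"]),
                         f"denied by acl {m['acl']}")
    return None


def summarize_port(log_text: str, port: int) -> Dict[str, object]:
    """Count built vs denied connections to one service port and list the denied sources."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e.dport == port]
    return {
        "built": sum(1 for e in events if e.kind == "built"),
        "denied": sum(1 for e in events if e.kind == "deny"),
        "denied_sources": sorted({e.src for e in events if e.kind == "deny"}),
    }


if __name__ == "__main__":
    for port, name in ((25, "smtp"), (80, "www")):
        print(name, summarize_port(SAMPLE_LOG, port))
```

Run against a syslog capture instead of SAMPLE_LOG, a port with denies but no builds points at the access-list or NAT, while builds with no mail delivered points past the firewall (server gateway, inspection).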

Oh, really?!

I find it odd that the NAT IP is the same as the outside IP. Normally you would do PAT, hence your static would look different, or you would assign a public IP to your mail server, and this of course must be different from the outside IP of the ASA.

(snip)
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.yyy.15.10 255.255.255.248
...
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
...
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
(/snip)

C/P this:

no static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
clear xlate
wr mem

Inspect SMTP might be an issue, might not. Normally for SMTP on Internet SMTP servers I would use inspect.

HTH
Martin Bilgrav

Nice catch! I see that now. I am not as used to reading the configuration partially masked like that.

Do not forget to throw in the access for HTTP and HTTPS. Therefore, I have appended two more lines into the middle of Martin's configuration:

no static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.100.50.172 http netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.50.172 https netmask 255.255.255.255
clear xlate
wr mem

-----
Scott Perry
Indianapolis, IN
-----
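Martin's catch (a one-to-one static that claims the ASA's own outside address) and the per-port statics that Scott and Martin replace it with can be checked mechanically in a saved config. The following is an added example and is not code from the thread or from Cisco: it parses pre-8.3 `static (real,mapped)` lines (the syntax of the 8.0(2) image in the thread), looks up each interface's address from its `nameif` / `ip address` block, and flags a one-to-one static whose mapped address is an interface's own address, while accepting the `tcp interface <port>` form. The two config fragments are constructed, with 203.0.113.10 standing in for the masked xxx.yyy.15.10.

```python
import re
from typing import Dict, List

# Constructed configuration fragments modelled on the thread (pre-8.3 NAT syntax,
# as used by ASA 8.0(2)). 203.0.113.10 stands in for the masked xxx.yyy.15.10;
# these are not the poster's real lines.
BEFORE_CFG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) 203.0.113.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
"""

AFTER_CFG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.100.50.172 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.50.172 https netmask 255.255.255.255
access-group out_in in interface outside
"""

# Two shapes of the pre-8.3 static command:
#   static (real,mapped) tcp|udp <mapped-addr|interface> <mport> <real-addr> <rport> ...
#   static (real,mapped) <mapped-addr> <real-addr> ...
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) "
    r"(?:(?P<proto>tcp|udp) (?P<mapped>interface|[\d.]+) (?P<mport>\S+) (?P<real>[\d.]+) (?P<rport>\S+)"
    r"|(?P<mapped1>interface|[\d.]+) (?P<real1>[\d.]+))"
)


def interface_addresses(cfg: str) -> Dict[str, str]:
    """Map each nameif to the interface's primary IP address."""
    addrs: Dict[str, str] = {}
    block: Dict[str, str] = {}
    # The sentinel line flushes the final interface block.
    for line in cfg.splitlines() + ["interface <end>"]:
        if line.startswith("interface "):
            if "nameif" in block and "ip" in block:
                addrs[block["nameif"]] = block["ip"]
            block = {}
        elif line.startswith(" nameif "):
            block["nameif"] = line.split()[1]
        elif line.startswith(" ip address "):
            block["ip"] = line.split()[2]
    return addrs


def check_statics(cfg: str) -> List[str]:
    """Flag one-to-one statics whose mapped address is the mapped interface's own address."""
    addrs = interface_addresses(cfg)
    findings: List[str] = []
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        if m["proto"]:
            # Port static (static PAT): shares the interface address one port at a
            # time, which is the form the thread settles on.
            continue
        mapped_if, mapped = m["mapped_if"], m["mapped1"]
        if mapped == "interface" or mapped == addrs.get(mapped_if):
            findings.append(
                f"{line}: one-to-one static takes the whole {mapped_if} address "
                f"{addrs.get(mapped_if, mapped)}; use per-port statics such as "
                f"'static ({m['real_if']},{mapped_if}) tcp interface <port> {m['real1']} <port>'"
            )
    return findings


if __name__ == "__main__":
    print("before:", check_statics(BEFORE_CFG))
    print("after:", check_statics(AFTER_CFG))
```

The check deliberately treats a one-to-one static to the interface address as a finding and a port static as clean: the former also fights the `global (outside) 1 interface` PAT pool for the same address, which is why Martin expects the mapped IP to differ from the ASA's outside IP unless per-port statics are used.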
