ASA 5505 incoming traffic issue

Discussion in 'Cisco' started by Exclusive, Jun 20, 2008.

  1. Exclusive

    Exclusive Guest

    I have an issue getting email through the Cisco ASA to our email server,
    which is 10.100.50.172 255.255.0.0.
    Everything else is working. We have internet. All outgoing traffic is
    OK. Does anybody see what's wrong? Thanks,

    ASA Version 8.0(2)
    !
    hostname RedRiverASA

    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.100.86.1 255.255.0.0
    ospf cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.yyy.15.10 255.255.255.248
    ospf cost 10
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd Vcn8uAzrKx1tjbpj encrypted
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name redriverfoods.com
    object-group service VideoFlow
    service-object tcp range 3230 3253
    service-object tcp eq h323
    service-object udp range 3230 3235
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.100.0.0 255.255.0.0
    static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
    access-group out_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.100.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet 10.100.0.0 255.255.0.0 inside
    telnet timeout 30
    ssh timeout 5
    console timeout 30
    dhcpd auto_config outside
    !

    no threat-detection basic-threat
    no threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:bd3505f41995b9dba0c49b19e79760f5
     
    Exclusive, Jun 20, 2008
    #1

  2. Scott Perry

    Scott Perry Guest

    The access-list and static NAT translation both look correct.

    Once you add or change a NAT translation, you sometimes have to clear the
    connection with a "clear xlate" command. This can be more specific to just
    one global or local IP address. Also consider trying "no inspect smtp".
    This could either be in global configuration or under the global policy
    configuration, depending on your image version. Sometimes ESMTP does not
    work due to this.

    Compare this to the accessibility of web pages which I see are also on the
    same server. It is possible that an incorrect default gateway on the server
    could be causing this. If the web content is accessible, consider the
    inspection of SMTP from above.

    Increase the logging level and consider even using a syslog service if you
    do not currently have one. This will allow you to see the connection being
    permitted or denied as it passes through the firewall. Heavily used
    firewalls can still log debugging level without a serious impact. It is
    debugging commands that cause most of the harm, not debugging level logging.
     
    Scott Perry, Jun 25, 2008
    #2
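Scott's logging advice is easiest to act on if you know which ASA syslog messages to look for. The script below is an added example and not code from the thread: it triages inbound connections to the mail server's public address from ASA 8.x-format syslog and tells the four cases apart (denied by the outside ACL, no matching static, SYN forwarded but never answered by the inside server, completed). The log lines are constructed for the example; 203.0.113.10 stands in for the masked public address xxx.yyy.15.10, and the 198.51.100.x hosts are hypothetical external relays.

```python
"""Triage inbound connections to a NAT'd server from ASA syslog.

Added example for the logging advice above; not code from the thread.
The log lines below are constructed in ASA 8.x syslog format: 203.0.113.10
stands in for the masked public address xxx.yyy.15.10 and the 198.51.100.x
hosts are hypothetical external mail relays.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/43210 dst outside:203.0.113.10/25 by access-group "out_in" [0x0, 0x0]
%ASA-3-305005: No translation group found for tcp src outside:198.51.100.8/51002 dst inside:203.0.113.10/25
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/40001 (198.51.100.9/40001) to inside:10.100.50.172/25 (203.0.113.10/25)
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.9/40001 to inside:10.100.50.172/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.9/40002 (198.51.100.9/40002) to inside:10.100.50.172/25 (203.0.113.10/25)
%ASA-6-302014: Teardown TCP connection 4712 for outside:198.51.100.9/40002 to inside:10.100.50.172/25 duration 0:00:05 bytes 1832 TCP FINs
"""

# Message IDs: 106023 = denied by interface ACL, 305005 = no static/NAT matched,
# 302013/302014 = connection built / torn down (the teardown reason and byte
# count tell you whether the inside server ever answered).
DENY = re.compile(r'%ASA-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ '
                  r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
NO_XLATE = re.compile(r'%ASA-3-305005: No translation group found for (?P<proto>\w+) '
                      r'src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)')
BUILT = re.compile(r'%ASA-6-302013: Built inbound TCP connection (?P<cid>\d+) for '
                   r'\w+:(?P<src>[\d.]+)/\d+ \([\d./]+\) to \w+:(?P<real>[\d.]+)/\d+ '
                   r'\((?P<mapped>[\d.]+)/(?P<mport>\d+)\)')
TEARDOWN = re.compile(r'%ASA-6-302014: Teardown TCP connection (?P<cid>\d+) for .* '
                      r'duration [\d:]+ bytes (?P<bytes>\d+) (?P<reason>.+)$')

HINTS = {
    "acl-deny": "outside ACL blocks it: check access-list / access-group on outside",
    "no-xlate": "no static matched the public IP/port: check the static (inside,outside) line",
    "syn-timeout": "ASA forwarded the SYN but the server never answered: check its default gateway / service",
    "completed": "firewall passed traffic both ways; look at the mail server itself",
    "in-progress": "connection built, no teardown seen yet",
}


def triage(log_text, mapped_ip, port=25):
    """Return a list of (verdict, source_ip) for every inbound flow to mapped_ip:port."""
    findings, pending = [], {}
    for line in log_text.splitlines():
        if (m := DENY.search(line)) and m["dst"] == mapped_ip and int(m["dport"]) == port:
            findings.append(("acl-deny", m["src"]))
        elif (m := NO_XLATE.search(line)) and m["dst"] == mapped_ip and int(m["dport"]) == port:
            findings.append(("no-xlate", m["src"]))
        elif (m := BUILT.search(line)) and m["mapped"] == mapped_ip and int(m["mport"]) == port:
            pending[m["cid"]] = m["src"]          # wait for the matching teardown
        elif (m := TEARDOWN.search(line)) and m["cid"] in pending:
            src = pending.pop(m["cid"])
            if int(m["bytes"]) == 0 and m["reason"].startswith("SYN Timeout"):
                findings.append(("syn-timeout", src))   # inside host never replied
            else:
                findings.append(("completed", src))
    findings.extend(("in-progress", src) for src in pending.values())
    return findings


def summarize(findings):
    """Count verdicts so the dominant failure mode stands out."""
    return dict(Counter(v for v, _ in findings))


if __name__ == "__main__":
    for verdict, src in triage(SAMPLE_LOG, "203.0.113.10"):
        print(f"{src:15} {verdict:12} {HINTS[verdict]}")
    print(summarize(triage(SAMPLE_LOG, "203.0.113.10")))
```

Point the script at a syslog file collected at "logging trap informational" or higher (305005 is severity 3, 302013/302014 are severity 6); the "syn-timeout" verdict is the one that separates a firewall problem from the wrong-default-gateway case Scott mentions, because the ASA built the connection and the server simply never answered.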

  3. Scott Perry

    Scott Perry Guest

    Nice catch! I see that now. I am not as used to reading the configuration
    partially masked like that.

    Do not forget to throw in the access for HTTP and HTTPS. Therefore, I have
    appended two more lines into the middle of Martin's configuration:
    no static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface www 10.100.50.172 http netmask 255.255.255.255
    static (inside,outside) tcp interface https 10.100.50.172 https netmask 255.255.255.255
    clear xlate
    wr mem
     
    Scott Perry, Jun 26, 2008
    #3
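After replacing the one-to-one static with the three port statics above, the check a practitioner wants is from the outside: do 25, 80 and 443 on the public address connect, and does the SMTP greeting arrive readable. The script below is an added example, not code from the thread. Run it from an Internet host against the firewall's public address (masked as xxx.yyy.15.10 on this page); with no argument it starts a loopback stand-in for the mail server so it runs offline. The banner-masking heuristic (a 220 line of asterisks is what the ASA's ESMTP inspection leaves of the server banner) is ours, not something the thread states.

```python
"""Check, from outside, that ports forwarded by the ASA reach the inside server.

Added example for the port-forwarding fix above; not code from the thread.
Usage: python check_forward.py <public-ip>   (no argument: offline self-test)
"""
import socket
import sys
import threading


def classify_smtp_banner(banner):
    """Classify the greeting an SMTP client receives.

    'ok'         readable 220 greeting: the server answered through the NAT
    'masked'     220 followed only by asterisks, which is what the ASA's ESMTP
                 inspection does to the server banner (heuristic assumed here)
    'unexpected' anything else (empty read, non-220 reply, garbage)
    """
    text = banner.decode("ascii", "replace").strip()
    if not text.startswith("220"):
        return "unexpected"
    body = text[3:].lstrip(" -")
    if body and set(body) <= {"*"}:
        return "masked"
    return "ok"


def probe(host, port, timeout=5.0, read_banner=False):
    """TCP connect to host:port; return (state, banner_bytes).

    state is 'open', 'refused' (an RST came back: the public IP answers but
    nothing is forwarded/listening) or 'timeout' (SYN dropped by the ACL, or
    forwarded to an inside host that never replied)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not read_banner:
                return "open", b""
            s.settimeout(timeout)
            try:
                return "open", s.recv(512)
            except socket.timeout:
                return "open", b""
    except ConnectionRefusedError:
        return "refused", b""
    except OSError:  # connect timeout, unreachable network, etc.
        return "timeout", b""


def check_forwarded_ports(host, ports=(25, 80, 443), smtp_port=25):
    """Probe each forwarded port; for the SMTP port also classify the banner."""
    results = {}
    for port in ports:
        state, banner = probe(host, port, read_banner=(port == smtp_port))
        verdict = classify_smtp_banner(banner) if (port == smtp_port and state == "open") else None
        results[port] = (state, verdict)
    return results


def start_fake_smtp(banner=b"220 mail.example.test ESMTP ready\r\n"):
    """Offline stand-in for the mail server; returns the loopback port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, ports, smtp = sys.argv[1], (25, 80, 443), 25
    else:
        target, smtp = "127.0.0.1", start_fake_smtp()
        ports = (smtp,)
    for port, (state, verdict) in check_forwarded_ports(target, ports, smtp).items():
        print(f"{target}:{port} {state}" + (f" banner={verdict}" if verdict else ""))
```

A "timeout" on all three ports with the ACL in place usually means the static never matched (pair it with the 305005 messages in the firewall log); "open" on 80/443 but "masked" on 25 is the case where mail clients fail the EHLO exchange and the "no inspect" advice applies.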
