ASA 5505 incoming traffic issue

have an issue getting emailthrough the Cisco ASA to our email server
is 10.100.50.172 255.255.0.0
Everything else is working. We have internet. All outgoin traffic is
OK. Is anybody see what's wrong. Thanks,

ASA Version 8.0(2)
!
hostname RedRiverASA

names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.86.1 255.255.0.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.yyy.15.10 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name redriverfoods.com
object-group service VideoFlow
service-object tcp range 3230 3253
service-object tcp eq h323
service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask
255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!

no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd3505f41995b9dba0c49b19e79760f5

 

The access-list and static NAT translation both look correct.

Once you add a change a NAT translation, you sometimes have to clear the
connection with a "clear xlate" command. This can be more specific to just
one global or local IP address. Also consider trying "no inpect smtp".
This could either be in global configuration or under the global policy
configuration, depending on your image version. Sometimes ESMTP does not
work due to this.

Compare this to the accessibility of web pages which I see are also on the
same server. It is possible that an incorrect default gateway on the server
could be causing this. If the web content is accessible, consider the
inspection of SMTP from above.

Increase the logging level and consider even using a syslog service if you
do not currently have one. This will allow you to see the connection being
permitted or denied as it passes through the firewall. Heavily used
firewalls can still log debugging level without a serious impact. It is
debugging commands that cause most of the harm, not debugging level logging.

 

Nice catch! I see that now. I am not as used to reading the configuration
partially masked like that.

Do not forget to throw in the access for HTTP and HTTPS. Therefore, I have
appended two more lines into the middle of Martin's configuration:
no static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask
255.255.255.255
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask
255.255.255.255
static (inside,outside) tcp interface www 10.100.50.172 http netmask
255.255.255.255
static (inside,outside) tcp interface https 10.100.50.172 https netmask
255.255.255.255
clear xlate
wr mem