ASA 5505 incoming traffic issue

Discussion in 'Cisco' started by Exclusive, Jun 20, 2008.

  1. Exclusive

    Exclusive Guest

    I have an issue getting email through the Cisco ASA to our email server.
    Everything else is working. We have internet. All outgoing traffic is
    OK. Does anybody see what's wrong? Thanks,

    ASA Version 8.0(2)
    hostname RedRiverASA

    interface Vlan1
    nameif inside
    security-level 100
    ip address
    ospf cost 10
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.yyy.15.10
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd Vcn8uAzrKx1tjbpj encrypted
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    object-group service VideoFlow
    service-object tcp range 3230 3253
    service-object tcp eq h323
    service-object udp range 3230 3235
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    static (inside,outside) xxx.yyy.15.10 netmask
    access-group out_in in interface outside
    route outside xxx.yyy.15.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet inside
    telnet timeout 30
    ssh timeout 5
    console timeout 30
    dhcpd auto_config outside

    no threat-detection basic-threat
    no threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
    service-policy global_policy global
    prompt hostname context
    Exclusive, Jun 20, 2008

  2. Scott Perry

    Scott Perry Guest

    The access-list and static NAT translation both look correct.

    Once you add or change a NAT translation, you sometimes have to clear the
    connection with a "clear xlate" command. This can be more specific to just
    one global or local IP address. Also consider trying "no inspect smtp".
    This could either be in global configuration or under the global policy
    configuration, depending on your image version. Sometimes ESMTP does not
    work due to this.

    Compare this to the accessibility of web pages which I see are also on the
    same server. It is possible that an incorrect default gateway on the server
    could be causing this. If the web content is accessible, consider the
    inspection of SMTP from above.

    Increase the logging level and consider even using a syslog service if you
    do not currently have one. This will allow you to see the connection being
    permitted or denied as it passes through the firewall. Heavily used
    firewalls can still log debugging level without a serious impact. It is
    debugging commands that cause most of the harm, not debugging level logging.
    Scott Perry, Jun 25, 2008

  3. Scott Perry

    Scott Perry Guest

    Nice catch! I see that now. I am not as used to reading the configuration
    partially masked like that.

    Do not forget to throw in the access for HTTP and HTTPS. Therefore, I have
    appended two more lines into the middle of Martin's configuration:
    no static (inside,outside) xxx.yyy.15.10 netmask
    static (inside,outside) tcp interface smtp smtp netmask
    static (inside,outside) tcp interface www http netmask
    static (inside,outside) tcp interface https https netmask
    clear xlate
    wr mem
    Scott Perry, Jun 26, 2008
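A small audit script, added here as an example (not code from the thread or from Cisco), that checks a pre-8.3 ASA config for the two problems the replies raise: a one-to-one static that claims the outside interface address, which "global (outside) 1 interface" is already using for PAT, and a per-port static with no matching permit in the outside access-list. The documentation addresses, the inside host 192.168.1.20 and the deliberately missing https permit in FIXED are constructed for the example.

```python
import re

# Constructed ASA-style excerpts with documentation addresses (the thread's real ones
# are masked). BROKEN mirrors the original post: a one-to-one static whose global
# address is the outside interface address. FIXED mirrors the port-forward reply.
BROKEN = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
global (outside) 1 interface
static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255
access-list out_in extended permit tcp any host 203.0.113.10 eq smtp
access-list out_in extended permit tcp any host 203.0.113.10 eq www
"""
FIXED = BROKEN.replace(
    "static (inside,outside) 203.0.113.10 192.168.1.20 netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255\n"
    "static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255\n"
    "static (inside,outside) tcp interface https 192.168.1.20 https netmask 255.255.255.255",
)

STATIC_1TO1 = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
STATIC_PORT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask")
ACL_PERMIT = re.compile(r"^access-list \S+ extended permit (tcp|udp) any host (\S+) eq (\S+)")

def outside_ip(config):
    """Address on the interface whose nameif is 'outside' (nameif precedes ip address)."""
    in_outside = False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_outside = False
        elif line.strip() == "nameif outside":
            in_outside = True
        elif in_outside and line.strip().startswith("ip address "):
            return line.split()[2]
    return None

def audit(config):
    """Findings for the two pre-8.3 NAT/ACL mistakes discussed in the thread."""
    findings, out_ip = [], outside_ip(config)
    lines = config.splitlines()
    permitted = {(m.group(1), m.group(3)) for m in map(ACL_PERMIT.match, lines) if m}
    for line in lines:
        m = STATIC_1TO1.match(line)
        if m and m.group(3) == out_ip:
            findings.append(f"one-to-one static claims the outside interface address {out_ip}; "
                            "share it per port with 'static (inside,outside) tcp interface ...'")
            continue
        m = STATIC_PORT.match(line)
        if m and (m.group(3), m.group(4)) not in permitted:
            findings.append(f"port-forward {m.group(3)}/{m.group(4)} has no permit in the outside ACL")
    return findings
```

Run `audit(BROKEN)` and `audit(FIXED)` to see each finding; the second one is the "do not forget HTTP and HTTPS" reminder from the last reply.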
