ASA 5510 - Email not reaching Exchange Server
  • ASA 5510 - Email not reaching Exchange Server

    Hello there,

    I pulled almost all my hair out and still cannot figure out what I am doing wrong.

    Here is the scoop:

    I currently have an ISA 2004 firewall in place that is working fine taking all email for my .com domain.

    We purchased an ASA 5510 and I am configuring it to become the new firewall and use its CSM capabilities. For configuration and testing, I modified my .net mx record to resolve to the ASA.

    I configured my exchange server to receive .net email as well and added the smtp address to my mailbox. Email sent internally to the .net works fine.

    The problem is outside email. Something is wrong on the ASA that is blocking email from reaching the exchange server. Testing via telnet does not respond. Testing via email validation using 3rd party network-tools website shows connected, but recipient cannot be verified.

    I am attaching a diagram of my layout. Here is the configuration of my device:

    :
    ASA Version 7.2(4)
    !
    hostname ciscoasa
    domain-name domain.com
    enable password xxxx encrypted
    passwd xxx encrypted
    names
    name 172.16.1.50 Tahiti
    dns-guard
    !
    interface Ethernet0/0
    nameif inside
    security-level 100
    ip address 172.16.1.253 255.255.255.0
    ospf cost 10
    !
    interface Ethernet0/1
    nameif outside
    security-level 0
    ip address xx.xx.97.38 255.255.255.248
    ospf cost 10
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 192.168.200.253 255.255.255.0
    ospf cost 10
    management-only
    !
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns server-group DefaultDNS
    domain-name domain.com
    object-group service SMTP tcp
    port-object eq smtp
    access-list IPS extended permit ip any any
    access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
    access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
    access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq 222
    access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp log debugging
    access-list inside_access_out remark SMTP for Tahiti
    access-list inside_access_out extended permit tcp any host Tahiti eq smtp log debugging
    access-list inside_access_out extended permit tcp host 172.16.1.249 any
    access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
    access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
    access-list inside_access_out extended permit tcp any any eq ftp
    access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
    access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
    access-list inside_access_out remark Allow Internal TCP to VPN Clients
    access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_out remark Allow Internal UDP to VPN clients
    access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_out remark Allow Internal ICMP to VPN Clients
    access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_out remark FTP traffic for TESTFTP system
    access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
    access-list inside_access_out extended permit tcp host 172.16.1.252 host 192.168.1.20
    pager lines 24
    logging enable
    logging asdm warnings
    logging mail debugging
    mtu inside 1500
    mtu outside 1500
    mtu management 1500
    ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp deny any outside
    asdm image disk0:/asdm-524.bin
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (inside) 1 172.16.0.0 255.255.0.0
    static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
    access-group inside_access_out in interface inside
    access-group outside_access_in in interface outside
    route inside 192.168.1.0 255.255.255.0 172.16.1.254 1
    route inside 172.16.0.0 255.255.0.0 172.16.1.254 1
    route outside 0.0.0.0 0.0.0.0 207.7.97.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa-server WindowsDomain protocol nt
    aaa-server WindowsDomain (inside) host 192.168.1.1
    nt-auth-domain-controller CATALINA
    aaa authentication ssh console LOCAL
    http server enable
    http 172.16.1.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    http redirect outside 80
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ca trustpoint Local-TP
    enrollment self
    crl configure
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    group-delimiter @
    telnet 172.16.0.0 255.255.255.0 inside
    telnet 172.16.1.200 255.255.255.255 inside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.16.1.0 255.255.255.0 management
    telnet timeout 5
    ssh 172.16.0.0 255.255.0.0 inside
    ssh 172.16.1.200 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    management-access inside
    ntp server 216.14.98.234 source outside
    ntp server 74.53.198.146 source outside
    ntp server 66.79.149.35 source outside
    ntp server 128.10.252.6 source outside
    ntp server 64.202.112.75 source outside
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    group-policy webvpn_policy internal
    group-policy webvpn_policy attributes
    dns-server value 192.168.1.1
    vpn-filter none
    vpn-tunnel-protocol webvpn
    webvpn
    functions none
    customization value customization1
    port-forward value rdp_list
    group-policy bdm internal
    group-policy bdm attributes
    wins-server value 192.168.1.1 192.168.1.6
    dns-server value 192.168.1.1 192.168.1.6
    default-domain value focus360.com
    group-policy Internal_WEBVPN internal
    group-policy Internal_WEBVPN attributes
    vpn-tunnel-protocol webvpn
    webvpn
    url-list value BST

    !
    class-map my-ips-class
    match access-list IPS
    class-map class_ftp
    match port tcp range 1024 65535
    class-map class_ftp1
    match port tcp range 1 1023
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 1024
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    policy-map my-ips-policy
    class my-ips-class
    ips promiscuous fail-open
    csc fail-open
    class class_ftp
    inspect ftp
    class class_ftp1
    inspect ftp
    !
    service-policy my-ips-policy interface inside
    smtp-server 192.168.1.23 192.168.1.5
    prompt hostname context
    Cryptochecksum:7d278dc832456199303989c0d9a7c99b
    : end


    Thanks in advance for your help.

  • #2
    Re: ASA 5510 - Email not reaching Exchange Server

    What is the primary card in the bindings on the server?
    Does your SMTP virtual server listen on the 172 IP?
    If you put a test machine on the switch on a 172 address can it telnet to Exchange on that IP?

    To allow mail in all you should need are these:
    static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
    access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp log debugging
    access-group outside_access_in in interface outside
    Which are all in your config.

    Many thanks for putting forward a clear, concise and well-detailed question too.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?
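Andy's reply above names the three lines that have to line up for inbound mail: the static PAT, the outside access-list entry, and the access-group binding. The script below is an added example, not code from the thread or from Cisco; it parses an ASA 7.x-style running-config excerpt and checks those three elements mechanically, applying the first-match semantics of an ASA access-list. SAMPLE_CONFIG is a constructed, trimmed copy of the posted configuration; the function names and the `findings` layout are my own.

```python
"""Check an ASA 7.x running-config for a complete inbound SMTP path.

Added example, not the thread's code. SAMPLE_CONFIG is a constructed, trimmed copy of
the lines the thread discusses; xx.xx.97.38 is the masked outside address as posted.
"""
import re

SAMPLE_CONFIG = """\
name 172.16.1.50 Tahiti
interface Ethernet0/1
 nameif outside
 ip address xx.xx.97.38 255.255.255.248
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq ftp
access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp log debugging
access-list inside_access_out extended permit tcp any host Tahiti eq smtp log debugging
static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
"""

SERVICE_PORTS = {"smtp": 25, "ftp": 21, "ssh": 22, "www": 80}


def port_number(token):
    """ASA port keyword or number -> int (None if the keyword is unknown)."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def take_addr(tokens):
    """Consume one ACL address specifier: any | host X | interface X | net mask."""
    kind = tokens.pop(0)
    if kind == "any":
        return ("any", None)
    if kind in ("host", "interface"):
        return (kind, tokens.pop(0))
    return ("subnet", (kind, tokens.pop(0)))


def parse_config(text):
    """Collect names, interface addresses, ACL entries, statics and ACL bindings."""
    cfg = {"names": {}, "interfaces": {}, "acls": {}, "statics": [], "groups": {}}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            cfg["names"][m.group(2)] = m.group(1)
        elif line.startswith("interface "):
            nameif = None
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            if nameif:
                cfg["interfaces"][nameif] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line):
            name, action, proto, rest = m.groups()
            tokens = rest.split()
            src = take_addr(tokens)
            if tokens and tokens[0] == "eq":  # optional source-port operator
                del tokens[:2]
            dst = take_addr(tokens)
            dport = port_number(tokens[1]) if tokens and tokens[0] == "eq" else None
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, dport))
        elif m := re.match(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line):
            real_if, mapped_if, proto, mapped, mport, real, rport = m.groups()
            cfg["statics"].append((real_if, mapped_if, proto, mapped,
                                   port_number(mport), real, port_number(rport)))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            cfg["groups"][m.group(3)] = (m.group(1), m.group(2))
    return cfg


def check_inbound_smtp_path(text, server_alias, port=25):
    """Do the static, the outside ACL and its binding line up for inbound TCP/port?"""
    cfg = parse_config(text)
    findings = []
    server_ip = cfg["names"].get(server_alias, server_alias)
    outside_ip = cfg["interfaces"].get("outside")
    # 1. A static PAT must expose the port on the outside interface and point at the server.
    static_ok = any(s[1] == "outside" and s[2] == "tcp" and s[4] == port
                    and cfg["names"].get(s[5], s[5]) == server_ip for s in cfg["statics"])
    if not static_ok:
        findings.append(f"no static (inside,outside) tcp ... {port} entry maps to {server_ip}")
    # 2. The ACL bound 'in' on outside must permit TCP to the outside address on that port.
    #    Entries are evaluated in order; the first match decides (an earlier deny wins).
    acl_name, direction = cfg["groups"].get("outside", (None, None))
    acl_ok = False
    if acl_name is None or direction != "in":
        findings.append("no access-group applied 'in' on the outside interface")
    else:
        for action, proto, _src, dst, dport in cfg["acls"].get(acl_name, []):
            dst_hit = dst in (("any", None), ("interface", "outside"), ("host", outside_ip))
            if proto in ("tcp", "ip") and dst_hit and dport in (None, port):
                acl_ok = action == "permit"
                break
        if not acl_ok:
            findings.append(f"{acl_name} has no permit for tcp to the outside address on {port}")
    # 3. An ACL applied 'in' on inside filters connections that inside hosts open; the
    #    server's replies to an inbound session ride the existing stateful connection.
    inside_acl = cfg["groups"].get("inside", (None,))[0]
    if inside_acl:
        findings.append(f"{inside_acl} (in, inside) is not consulted for the inbound session")
    return {"ok": static_ok and acl_ok, "real_host": server_ip,
            "outside_acl": acl_name, "findings": findings}


if __name__ == "__main__":
    print(check_inbound_smtp_path(SAMPLE_CONFIG, "Tahiti"))
```

Run against the posted excerpt the check reports ok, which matches Andy's reading that the rule set already contains everything inbound mail needs; delete the static line, or put a deny ahead of the permit in outside_access_in, and it fails with a finding that names the missing piece. The third finding is informational: an access-list applied in the in direction on the inside interface is evaluated for connections that inside hosts open, so it cannot stop an inbound session that the outside ACL and the static have already admitted.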



    • #3
      Re: ASA 5510 - Email not reaching Exchange Server

      Thank you for your reply, Andy.

      Here is where I am at now:

      Binding on the NICs was set to 172 first and 192 second. I moved 192 to be the first one with no change.

      I have two separate virtual SMTP servers each listening on one dedicated IP.

      I can telnet to the 172 NIC from systems in the 172 and 192 subnet without a problem.

      I added the entries you suggested and still no luck.

      Thanks again for your help.


      access-list IPS extended permit ip any any
      access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.200.0 255.255.255.224
      access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
      access-list outside_access_in extended permit tcp any interface outside eq ftp
      access-list outside_access_in extended permit tcp any interface outside eq 222
      access-list outside_access_in extended permit tcp any interface outside eq smtp
      access-list outside_access_in extended permit tcp any host xx.xx.97.38 eq smtp log debugging
      access-list inside_access_out remark SMTP for Tahiti
      access-list inside_access_out extended permit tcp any host Tahiti eq smtp log debugging
      access-list inside_access_out extended permit tcp host 172.16.1.249 any
      access-list inside_access_out extended permit tcp host 172.16.1.249 any eq 563
      access-list inside_access_out extended permit udp host 172.16.1.249 any eq www
      access-list inside_access_out extended permit tcp any any eq ftp
      access-list inside_access_out remark Allow WWW traffic from Server Admin Subnet to Any
      access-list inside_access_out extended permit tcp 172.16.1.0 255.255.255.0 any eq www
      access-list inside_access_out remark Allow Internal TCP to VPN Clients
      access-list inside_access_out extended permit tcp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
      access-list inside_access_out remark Allow Internal UDP to VPN clients
      access-list inside_access_out extended permit udp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
      access-list inside_access_out remark Allow Internal ICMP to VPN Clients
      access-list inside_access_out extended permit icmp 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
      access-list inside_access_out remark FTP traffic for TESTFTP system
      access-list inside_access_out extended permit tcp host 172.16.1.251 any eq ftp
      access-list inside_access_out extended permit tcp host 172.16.1.252 host 192.168.1.20
      pager lines 24
      logging enable
      logging asdm warnings
      logging mail debugging
      mtu inside 1500
      mtu outside 1500
      mtu management 1500
      ip local pool bdmpool 192.168.200.1-192.168.200.30 mask 255.255.255.0
      ip verify reverse-path interface inside
      ip verify reverse-path interface outside
      icmp unreachable rate-limit 1 burst-size 1
      icmp permit any inside
      icmp deny any outside
      asdm image disk0:/asdm-524.bin
      asdm history enable
      arp timeout 14400
      global (outside) 1 interface
      nat (inside) 0 access-list inside_nat0_outbound
      nat (inside) 1 192.168.1.0 255.255.255.0
      nat (inside) 1 172.16.0.0 255.255.0.0
      static (inside,outside) tcp interface ftp 172.16.1.248 ftp netmask 255.255.255.255
      static (inside,outside) tcp interface 222 192.168.1.26 ssh netmask 255.255.255.255
      static (inside,outside) tcp interface smtp Tahiti smtp netmask 255.255.255.255
      access-group inside_access_out in interface inside
      access-group outside_access_in in interface outside
      route inside 192.168.1.0 255.255.255.0 172.16.1.254 1
      route inside 172.16.0.0 255.255.0.0 172.16.1.254 1
      route outside 0.0.0.0 0.0.0.0 xx.xx.97.33 1



      • #4
        Re: ASA 5510 - Email not reaching Exchange Server

        Those entries were already in your config, I just wanted to highlight them. They are all that is required (pretty much) for what you want to do.

        Is your inside_access_out blocking it?
        Can you enable a syslog or check the pdm when you send traffic?
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?
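Andy's follow-up asks for syslog to be turned on so the ASA can be watched while a test message is sent. The script below is an added example, not part of the thread or of any Cisco tooling, that reads such a log and sorts the messages an inbound SMTP test produces. The message layouts follow Cisco's ASA syslog reference for 302013 (connection built), 302014 (teardown with reason), 106023 (deny by access-list) and 305005 (no translation group); the sample lines are constructed, with 198.51.100.x and 203.0.113.38 standing in for the masked addresses in the thread, and the function names are my own.

```python
"""Triage ASA syslog lines from an inbound SMTP test.

Added example, not from the thread. Message layouts follow Cisco's ASA syslog
reference for 302013 (Built), 302014 (Teardown), 106023 (Deny by ACL) and
305005 (No translation group). The sample lines are constructed; 198.51.100.x
and 203.0.113.38 are documentation addresses standing in for the real ones.
"""
import re

SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/40211 (198.51.100.7/40211) to inside:Tahiti/25 (203.0.113.38/25)
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.7/40211 to inside:Tahiti/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 4712 for outside:198.51.100.8/40500 (198.51.100.8/40500) to inside:Tahiti/25 (203.0.113.38/25)
%ASA-6-302014: Teardown TCP connection 4712 for outside:198.51.100.8/40500 to inside:Tahiti/25 duration 0:00:04 bytes 918 TCP FINs
%ASA-4-106023: Deny tcp src outside:198.51.100.9/51234 dst inside:172.16.1.50/25 by access-group "outside_access_in" [0x0, 0x0]
%ASA-3-305005: No translation group found for tcp src outside:198.51.100.10/51300 dst outside:203.0.113.38/25
%ASA-6-302013: Built outbound TCP connection 4713 for inside:Tahiti/33001 (203.0.113.38/33001) to outside:198.51.100.20/25 (198.51.100.20/25)
"""

BUILT = re.compile(r"%ASA-6-302013: Built (inbound|outbound) TCP connection (\d+) for "
                   r"(\w+):(\S+)/(\d+) \(\S+\) to (\w+):(\S+)/(\d+) \(\S+\)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) for \w+:\S+/\d+ to "
                      r"\w+:\S+/(\d+) duration (\S+) bytes (\d+)(?: (.+))?$")
DENY = re.compile(r'%ASA-4-106023: Deny (\w+) src (\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+) '
                  r'by access[-_]group "?([^"\s]+)"?')
NOXLATE = re.compile(r"%ASA-3-305005: No translation group found for (\w+) src "
                     r"(\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+)")


def classify(nbytes, reason):
    """Turn a teardown's byte count and reason into a verdict on where to look next."""
    if "SYN Timeout" in reason:
        # The ASA forwarded the SYN and built the connection but never saw the
        # SYN-ACK come back through it: the server did not answer, or its reply
        # left by another path (for example a default gateway that is not this box).
        return "syn-timeout"
    if nbytes > 0:
        return "completed"          # data flowed; the SMTP session itself ran
    return "closed-without-data"    # handshake done, but nothing was exchanged


def triage_smtp(text, smtp_port=25):
    """Per-connection verdicts for inbound sessions to smtp_port, plus a list of denies."""
    conns, denies = {}, []
    for line in text.splitlines():
        if m := BUILT.match(line):
            direction, cid, _sif, _sip, _sport, dif, dip, dport = m.groups()
            if direction == "inbound" and int(dport) == smtp_port:
                conns[cid] = {"to": f"{dif}:{dip}", "verdict": "built, no teardown seen"}
        elif m := TEARDOWN.match(line):
            cid, _dport, _duration, nbytes, reason = m.groups()
            if cid in conns:
                conns[cid]["verdict"] = classify(int(nbytes), reason or "")
        elif m := DENY.match(line):
            _proto, _sif, sip, _sport, _dif, dip, dport, acl = m.groups()
            if int(dport) == smtp_port:
                denies.append(f"{sip} -> {dip}/{dport} denied by access-list {acl}")
        elif m := NOXLATE.match(line):
            _proto, _sif, sip, _sport, _dif, dip, dport = m.groups()
            if int(dport) == smtp_port:
                denies.append(f"{sip} -> {dip}/{dport} has no static/nat translation")
    return {"connections": conns, "denies": denies}


if __name__ == "__main__":
    for cid, info in triage_smtp(SAMPLE_SYSLOG)["connections"].items():
        print(cid, info)
    for d in triage_smtp(SAMPLE_SYSLOG)["denies"]:
        print(d)
```

The teardown reason is the field that answers Andy's question. A 106023 names the access-list that dropped the SYN and a 305005 says no static or nat covered it, so either of those points back at the rule set. A 302014 with bytes 0 and SYN Timeout says the opposite: the firewall admitted the SYN and built the connection, and what never arrived was the server's SYN-ACK, so the next things to check are the server side (which address the SMTP virtual server listens on) and its return path (whether the server's default gateway sends replies back through this firewall rather than another one).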
