Client site can Send but not receive email
  • Client site can Send but not receive email

    Is there anything in this config that isn't allowing me to send email from Outlook? All incoming works fine, the email client is configured correctly, and all other traffic is flowing just fine.


    Code:
    BH-Hattiesburg# show run
    : Saved
    :
    ASA Version 8.2(5)
    
    hostname BH-Hattiesburg
    enable password y8sQFc/izVpURAqk encrypted
    passwd y8sQFc/izVpURAqk encrypted
    names
    name 192.168.1.0 Magee
    name 192.168.50.0 Hattiesburg
    
    interface Ethernet0/0
     switchport access vlan 2
    
    interface Ethernet0/1
    
    interface Ethernet0/2
    
    interface Ethernet0/3
    
    interface Ethernet0/4
    
    interface Ethernet0/5
     switchport monitor Ethernet0/4
    
    interface Ethernet0/6
    
    interface Ethernet0/7
    
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.50.1 255.255.255.0
    
    interface Vlan2
     nameif outside
     security-level 0
     ip address dhcp setroute
    
    ftp mode passive
    access-list outside_1_cryptomap extended permit ip Hattiesburg 255.255.255.0 Magee 255.255.255.0
    access-list outside_1_cryptomap extended permit ip Hattiesburg 255.255.255.0 host 72.x.x.x
    access-list inside_nat0_outbound extended permit ip Hattiesburg 255.255.255.0 Magee 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Hattiesburg 255.255.255.0 host 72.x.x.x
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 72.x.x.x
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 0
    dhcpd auto_config outside
    dhcpd option 157 ascii TftpServers=0.0.0.0,FtpServers=192.168.1.1:/ADTRAN,FtpLogin=polycomftp,FtpPassword=password,Layer2Tagging=FALSE,VlanID=0
    
    dhcpd address 192.168.50.5-192.168.50.36 inside
    dhcpd enable inside
    
    
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    
    tunnel-group 72.x.x.x type ipsec-l2l
    tunnel-group 72.x.x.x ipsec-attributes
     pre-shared-key *****
    
    class-map global-class
     match default-inspection-traffic
    
    
    policy-map global_policy
    policy-map global-policy
     class global-class
      inspect dns
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect icmp
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
    
    service-policy global-policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:3a64712ab7596769fe0e1e0f5cbb6dcc
    : end
    BH-Hattiesburg#
    Last edited by HubTech; 28th February 2013, 19:17. Reason: more info

  • #2
    Re: Client site can Send but not receive email

    Not sure why you didn't use the default global_policy, as your policy is just about identical to the default. If you're not going to use the default policy, remove it.

    no policy-map global_policy

    What do the logs in the ASA say?

    You can run packet-tracer from the CLI to test a flow.

    Is this email traffic going over the VPN? If so, maybe it's an issue on the other side where it terminates.
    Last edited by auglan; 28th February 2013, 20:02.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
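    Added example (editor's, not code from the thread or from Cisco): a small Python parser for the policy-map / class-map / service-policy part of an ASA 8.2-style running config that reports which policy-maps are actually applied and which are defined but never used, the situation auglan points out above. The config text inside the block is a constructed excerpt modelled on the posted config; `policy-map type inspect ...` blocks are deliberately skipped.

```python
"""Constructed example: lint the policy-map / service-policy section of an
ASA running config and report orphaned or empty policy-maps."""
import re

# Constructed sample, modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
class-map global-class
 match default-inspection-traffic

policy-map global_policy
policy-map global-policy
 class global-class
  inspect dns
  inspect ftp
  inspect icmp

service-policy global-policy global
"""


def parse_policy_maps(config_text):
    """Return {policy_map_name: {class_name: [inspect, ...]}}.

    ASA configs are indentation-based: a 'policy-map NAME' line starts a
    block, ' class NAME' lines (one space) nest under it, and '  inspect X'
    lines (two spaces) nest under the class.  A policy-map immediately
    followed by another top-level line ends up with an empty dict.
    'policy-map type inspect ...' blocks do not match and are skipped.
    """
    policies = {}
    current_pm = None
    current_class = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            current_pm = current_class = None
            m = re.match(r"policy-map (\S+)$", line)
            if m:
                current_pm = m.group(1)
                policies[current_pm] = {}
        elif indent == 1 and current_pm is not None:
            m = re.match(r"class (\S+)$", line)
            if m:
                current_class = m.group(1)
                policies[current_pm][current_class] = []
        elif indent == 2 and current_class is not None:
            m = re.match(r"inspect (.+)$", line)
            if m:
                policies[current_pm][current_class].append(m.group(1))
    return policies


def parse_service_policies(config_text):
    """Return {policy_map_name: target}; target is 'global' or an interface."""
    applied = {}
    for line in config_text.splitlines():
        m = re.match(r"service-policy (\S+) (?:interface (\S+)|(global))$",
                     line.strip())
        if m:
            applied[m.group(1)] = m.group(2) or m.group(3)
    return applied


def lint_policies(config_text):
    """Return findings: policy-maps never applied, policy-maps with no
    classes, and service-policy lines pointing at an undefined policy-map."""
    policies = parse_policy_maps(config_text)
    applied = parse_service_policies(config_text)
    findings = []
    for name, classes in policies.items():
        if name not in applied:
            findings.append(f"policy-map {name} is defined but never applied")
        if not classes:
            findings.append(f"policy-map {name} has no classes (does nothing)")
    for name, target in applied.items():
        if name not in policies:
            findings.append(
                f"service-policy references undefined policy-map {name} ({target})")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_CONFIG):
        print(finding)
```

    Run against the constructed sample it reports the empty, unapplied `global_policy`, which is the block auglan suggests removing; the applied `global-policy` with its inspections passes. Paste a real `show run` into `SAMPLE_CONFIG` to check a live box the same way.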



    • #3
      Re: Client site can Send but not receive email

      All I need the VPN for is voice (SIP) and a connection to a file server. I'm not the strongest Cisco tech. I'm not sure what to do. I've got 4 other sites running just fine, well, except for a SIP phone at one location, but this just started happening one day. No config changes. Checked with my mail provider, nothing on their side. I'm at a loss.

      https://www.dropbox.com/s/mxm6qyb21c8czpc/Capture.JPG
      Last edited by HubTech; 28th February 2013, 21:37.



      • #4
        Re: Client site can Send but not receive email

        What type of mail account is it? POP3, IMAP, secure POP, secure IMAP? That capture only shows a source port 25 (which your client will never be unless it's a mail server) destined to port 25. You want your internal source port to be a high port <1024 with a destination port of whatever protocol you're using.

        Another thing. Sometimes on certain versions of ASA code, when you start playing around with the policy and it's not working as expected, saving the config and rebooting the ASA is a good idea. I have come across this with older versions of code (8.0 - 8.2) etc.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Client site can Send but not receive email

          POP3. I've tried to save/reboot the router to no avail.



          • #6
            Re: Client site can Send but not receive email

            Okay, so now run the packet tracer again, but this time use your source IP with a high TCP port <1024 and the mail server destination port of TCP 110, and see if the flow is allowed. If it is, then it could be an issue on the client side.

            Also check to see if the connection is even happening on the ASA when you try to do a send/receive.


            sh conn protocol tcp port 110
            Last edited by auglan; 1st March 2013, 17:06.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)



            • #7
              Re: Client site can Send but not receive email

              OK, I get the same positive result.

              https://www.dropbox.com/s/17swjo1xb9ioe3u/capture2.JPG



              • #8
                Re: Client site can Send but not receive email

                Okay, when you try via the client, do you see the connection in the state table on the ASA? If the connection is there, then the return traffic should be allowed back through, as it's part of an existing session.

                sh conn protocol tcp port 110
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
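                Added example (editor's, not code from the thread or from Cisco) for the check auglan describes in #6 and #8: a Python parser for `show conn protocol tcp port 110` output that tells you, per client, whether a POP3 connection exists on the ASA at all and whether it ever completed the handshake. The output lines in the block are constructed in the `show conn` layout (`TCP <out_if> ip:port <in_if> ip:port, idle ..., bytes ..., flags ...`), not captured from the poster's firewall, and the flag meanings are the commonly documented ones.

```python
"""Constructed example: parse 'show conn protocol tcp port 110' output and
classify each client's POP3 flow as none / handshaking / established."""
import re

# Constructed sample output: one established flow, one stuck in the handshake.
SAMPLE_SHOW_CONN = """\
2 in use, 7 most used
TCP outside 198.51.100.25:110 inside 192.168.50.20:49231, idle 0:00:02, bytes 1832, flags UIO
TCP outside 198.51.100.25:110 inside 192.168.50.21:49877, idle 0:00:29, bytes 0, flags saA
"""

# Commas are optional so older builds that omit them still parse.
CONN_RE = re.compile(
    r"^TCP\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+),?\s+"
    r"idle\s+(?P<idle>[\d:]+),?\s+bytes\s+(?P<bytes>\d+),?\s+flags\s+(?P<flags>\S+)$"
)

# Commonly documented meanings of the connection flag letters.
FLAG_MEANING = {
    "U": "up (three-way handshake completed)",
    "I": "inbound data seen",
    "O": "outbound data seen",
    "s": "awaiting outside SYN",
    "a": "awaiting outside ACK to SYN",
    "S": "awaiting inside SYN",
    "A": "awaiting inside ACK to SYN",
}


def parse_show_conn(text):
    """Return one dict per TCP connection line; the counter header and any
    non-matching lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("out_port", "in_port", "bytes"):
                d[key] = int(d[key])
            conns.append(d)
    return conns


def diagnose_client(text, client_ip, server_port=110):
    """Classify the client's flows to server_port:
    'none'        - no entry: the client's SYN never created a connection on
                    the ASA (check the client, or run packet-tracer)
    'handshaking' - entry exists but 'U' is not set: the SYN went out, but no
                    SYN/ACK came back through the firewall
    'established' - 'U' set: the session exists, so return traffic is allowed
    """
    flows = [c for c in parse_show_conn(text)
             if c["in_ip"] == client_ip and c["out_port"] == server_port]
    if not flows:
        return "none"
    if any("U" in c["flags"] for c in flows):
        return "established"
    return "handshaking"


def describe_flags(flags):
    """Expand a flag string such as 'UIO' into its documented meanings."""
    return [FLAG_MEANING.get(ch, f"unknown flag {ch}") for ch in flags]


if __name__ == "__main__":
    for c in parse_show_conn(SAMPLE_SHOW_CONN):
        print(f"{c['in_ip']}:{c['in_port']} -> {c['out_ip']}:{c['out_port']} "
              f"{c['flags']}: {', '.join(describe_flags(c['flags']))}")
    for ip in ("192.168.50.20", "192.168.50.21", "192.168.50.22"):
        print(ip, diagnose_client(SAMPLE_SHOW_CONN, ip))
```

                The useful distinction is between "no entry" and "entry without U": the first means the client's connection attempt never reached the ASA as a new flow, the second means the firewall built the connection but the reply never came back, which points at the path or the mail server rather than at the ASA policy.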
