Need help forwarding SMTP Exchange 2007 Cisco ASA 5510

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Need help forwarding SMTP Exchange 2007 Cisco ASA 5510

    Hi,

    I have a Cisco ASA 5510 that I need help with forwarding SMTP to an Exchange 2007 server. I have tried forwarding, but whenever I run any connectivity tests it will not find port 25. I need to forward all Exchange ports, but SMTP is the first. I am in no way a Cisco expert. Thanks in advance for your help. Here is the config. The Exchange server is at 172.16.1.7 on the internal network.

    hostname hostname
    domain-name domain.local
    enable password MJdt5zHzIwh7Z0Dk encrypted
    passwd Zr1KZRvCSjRwH9Aj encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address xx.xx.xx.102 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    access-list inside_nat0_outbound extended permit ip any 172.16.1.0 255.255.255.192
    access-list nanovpn_splitTunnelAcl remark Split
    access-list nanovpn_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
    access-list outside_access_in extended permit tcp any eq smtp host 172.16.1.7 eq smtp
    access-list outside_access_in extended permit tcp any eq https host 172.16.1.7 eq https
    access-list outside_access_in extended permit tcp any eq www host 172.16.1.7 eq www
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any interface outside eq smtp
    access-list outside_access_in extended permit tcp any interface outside eq 587
    access-list phones_splitTunnelAcl standard permit any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool dhcpd 172.16.1.20-172.16.1.45 mask 255.255.255.0
    icmp permit any inside
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 172.16.1.7 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 587 172.16.1.7 587 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xx.xx.xx.97 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server xxxvpn protocol nt
    aaa-server xxxvpn (inside) host 172.16.1.6
    timeout 5
    nt-auth-domain-controller fileserver
    group-policy xxx internal
    group-policy xxx attributes
    dns-server value 172.16.1.6 172.16.1.7
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value xxx_splitTunnelAcl
    webvpn
    group-policy xxxvpn internal
    group-policy xxxvpn attributes
    dns-server value 172.16.1.6 172.16.1.7
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value xxxvpn_splitTunnelAcl
    default-domain value xxx.local
    webvpn
    http server enable
    http xx.xx.xx.114 255.255.255.255 outside
    http 172.16.1.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    tunnel-group xxvpn type ipsec-ra
    tunnel-group xxvpn general-attributes
    address-pool dhcpd
    authentication-server-group xxvpn
    default-group-policy xxvpn
    tunnel-group xxvpn ipsec-attributes
    pre-shared-key *
    tunnel-group xxx type ipsec-ra
    tunnel-group xxx general-attributes
    address-pool dhcpd
    authentication-server-group nanovpn
    default-group-policy phones
    tunnel-group phones ipsec-attributes
    pre-shared-key *
    telnet 192.168.1.0 255.255.255.0 inside
    telnet 172.16.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    Last edited by robsharma; 29th November 2009, 01:37.

  • #2
    Re: Need help forwarding SMTP Exchange 2007 Cisco ASA 5510

    Not exactly sure, but at first look, it looks to be a problem with your acl. You specify smtp but refer to https (ssl or 443) traffic in your acl. I also assume that the 172.16.1.7 is the address of your Inside interface? Or is it the address of the Exchange server?

    smtp
    access-list outside_access_in extended permit tcp any eq https host 172.16.1.7 eq

    I may be missing what you are trying to do, but it should read

    access-list outside_access_in extended permit tcp any eq smtp host 172.16.1.7



    • #3
      Re: Need help forwarding SMTP Exchange 2007 Cisco ASA 5510

      Originally posted by solarflare:
      Not exactly sure, but at first look, it looks to be a problem with your acl. You specify smtp but refer to https (ssl or 443) traffic in your acl. I also assume that the 172.16.1.7 is the address of your Inside interface? Or is it the address of the Exchange server?

      smtp
      access-list outside_access_in extended permit tcp any eq https host 172.16.1.7 eq

      I may be missing what you are trying to do, but it should read

      access-list outside_access_in extended permit tcp any eq smtp host 172.16.1.7
      access-list outside_access_in extended permit tcp any host 172.16.1.7 eq smtp

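As an added example (not from the thread or any of its posters), a small Python lint that parses the outside ACL from the config in the first post and flags every entry that pins the client's source port, emitting the corrected line in the form post #3 gives. The sample ACL lines are constructed from that config with the wrapped lines re-joined; the `ACE_RE` grammar covers only `extended permit tcp|udp` entries with `any`, `host`, `interface` or network/mask address specs and the `eq` port operator.

```python
import re

# Constructed sample: the outside ACL lines from the thread's config with the
# wrapped lines re-joined (not the full config).
SAMPLE_CONFIG = """
access-list outside_access_in extended permit tcp any eq smtp host 172.16.1.7 eq smtp
access-list outside_access_in extended permit tcp any eq https host 172.16.1.7 eq https
access-list outside_access_in extended permit tcp any eq www host 172.16.1.7 eq www
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 587
"""

# One ASA address spec: 'any', 'host A', 'interface NAME' or 'NET MASK'.
ADDR = r"(any|host \S+|interface \S+|\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+)"
# extended permit tcp|udp SRC [eq SPORT] DST [eq DPORT]
ACE_RE = re.compile(
    rf"^access-list (\S+) extended permit (tcp|udp) {ADDR}(?: eq (\S+))? {ADDR}(?: eq (\S+))?$"
)

def parse_tcp_udp_aces(config):
    """Parse matching ACL entries into dicts; non-tcp/udp lines are skipped."""
    aces = []
    for raw in config.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            acl, proto, src, sport, dst, dport = m.groups()
            aces.append({"acl": acl, "proto": proto, "src": src, "sport": sport,
                         "dst": dst, "dport": dport, "line": raw.strip()})
    return aces

def source_port_findings(config):
    """Return (original, corrected) pairs for entries that pin the client's
    source port. Clients connect from ephemeral ports, so such an entry never
    matches real traffic and the permit silently does nothing."""
    findings = []
    for a in parse_tcp_udp_aces(config):
        if a["sport"] is None:
            continue
        fixed = f"access-list {a['acl']} extended permit {a['proto']} {a['src']} {a['dst']}"
        if a["dport"]:
            fixed += f" eq {a['dport']}"
        findings.append((a["line"], fixed))
    return findings

if __name__ == "__main__":
    for original, corrected in source_port_findings(SAMPLE_CONFIG):
        print(f"- {original}\n+ {corrected}")
```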