
How to allow traffic through an ASA (was: Please help)


  • How to allow traffic through an ASA (was: Please help)

    We are using a hosted Exchange 2007 on the internet, and we are using POP3-SSL (port 587) to receive mail (Outlook or OL Express). It is working perfectly when no ports are blocked.

    But on my restricted network it is not working. I tried to open all ports on my ASA5510 to the server's IP (202.54.125) but still it's not working. Do I need to open any other hosts? I think it's related to certificate verification.

    Please help.

  • #2
    Re: How to allow traffic through an ASA (was: Please help)

    Are there any access-lists blocking traffic inbound or outbound? Traffic should flow from the inside (trusted) to the outside interface (untrusted) with no issues. In other words, traffic can flow from a higher-security interface to a lower-security interface, but not the other way around unless specifically allowed by an access-list.

    So I would assume the server is listening on port 587 and you're connecting via the client from some random port number. As long as the client initiates the flow, the return flow should be allowed back in, as the flow is tracked via the state table (assuming there is no ACL blocking inbound on the outside interface). Now, if the server initiates a connection, or if the return traffic or response from the server is coming inbound on a different port, the ASA will drop that traffic, as it should.

    I would put an access-list on the outside interface in the inbound direction and log the results. Then you can check the logs and see what's being blocked, if anything. Example:

    access-list OUTSIDE_INBOUND deny ip any any log

    access-group OUTSIDE_INBOUND in interface outside

    Granted, this ACL will block anything coming inbound on the outside interface (you may want to do this after hours), but with the log option you should see what's being blocked and the associated port numbers, etc. You can apply this ACL and try to generate some traffic via your email client and see what results you get.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
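Added example, not part of the original thread or the poster's configuration: a small Python script that does the "check the logs" step from the reply above. It pulls the %ASA-4-106023 deny messages that the `log` keyword on the ACL entry produces, counts the denied packets per flow, and sorts each flow into "reply that has no entry in the connection table" versus "connection the outside host is opening itself", which is the distinction the reply draws between tracked return traffic and server-initiated traffic. The sample log lines, the addresses (203.0.113.5 standing in for the hosted mail server, 192.168.1.10 for the client) and the ephemeral-port heuristic are all constructed assumptions for this example, not output from the poster's ASA.

```python
import re
import sys
from collections import Counter

# %ASA-4-106023 is the syslog message the ASA emits for each packet denied by an
# access-list entry carrying the "log" keyword (such as the deny ip any any log above).
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines for this example (not from the poster's firewall).
# 203.0.113.5 stands in for the hosted mail server, 192.168.1.10 for the client.
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.5/587 dst inside:192.168.1.10/49152 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/587 dst inside:192.168.1.10/49152 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.5/41234 dst inside:192.168.1.10/113 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:192.168.1.10/49154 by access-group "OUTSIDE_INBOUND" [0x0, 0x0]
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/587 (203.0.113.5/587) to inside:192.168.1.10/49155 (203.0.113.200/49155)
"""


def parse_denies(log_text):
    """Return one dict per 106023 deny line; every other message type is skipped."""
    flows = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            f = m.groupdict()
            f["src_port"] = int(f["src_port"])
            f["dst_port"] = int(f["dst_port"])
            flows.append(f)
    return flows


def classify(flow):
    """Heuristic assumed by this example, not an ASA rule: a packet from a
    well-known source port to an ephemeral destination port looks like a reply
    to a client-initiated flow that has no entry in the ASA connection table
    (packets of an established connection are not re-checked against the
    interface ACL), whereas a packet aimed at a low destination port looks like
    a new connection the outside host is opening towards the inside."""
    if flow["src_port"] < 1024 and flow["dst_port"] >= 1024:
        return "reply-without-conn"
    return "server-initiated"


def summarize(log_text, peer_ip=None):
    """Count denied packets per flow, optionally only those sent by peer_ip."""
    counts = Counter()
    for f in parse_denies(log_text):
        if peer_ip and f["src_ip"] != peer_ip:
            continue
        key = (f["proto"], f["src_ip"], f["src_port"],
               f["dst_ip"], f["dst_port"], classify(f))
        counts[key] += 1
    return counts


def report(log_text, peer_ip=None):
    """Human-readable lines, most frequently denied flow first."""
    lines = []
    for (proto, sip, sport, dip, dport, kind), n in summarize(log_text, peer_ip).most_common():
        lines.append(f"{n:4d}x {proto} {sip}:{sport} -> {dip}:{dport}  [{kind}]")
    return lines


if __name__ == "__main__":
    # Pipe in saved "show logging" output, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    peer = sys.argv[1] if len(sys.argv) > 1 else None
    print("\n".join(report(text, peer)))
```

Run it as `python3 asa_denies.py 203.0.113.5 < logging.txt` with the output of `show logging` saved to a file, passing the mail server's address to see only its flows. A "reply-without-conn" entry on port 587 means the client's outbound connection was not in the ASA's connection table when the reply arrived, so the problem is upstream of the ACL (the flow never went out through the ASA, or its translation is missing); a "server-initiated" entry is a connection the server opened on its own and needs an explicit permit if it is required. On the ASA itself, `packet-tracer input inside tcp <client-ip> <client-port> <server-ip> 587` walks the same client-to-server flow through the NAT and ACL checks without generating real traffic.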


    • #3
      Re: How to allow traffic through an ASA (was: Please help)

      Can you ping the box? Whenever I have problems like this, 90% of the time it's a NAT issue. Have you got a NONAT set up?