Talk to smtp.google [ASA 5510]

  • Talk to smtp.google [ASA 5510]

    I will try to provide as much information as possible but I have a unique problem here. I have a server running Windows Server 2008 R2 that uses Windows Fax server (IP 192.168.1.3) and I am trying to let it send email notifications when a Fax is sent. I have placed in all the SMTP information:

    [email protected]
    password
    port: 587

    On the user computers they have their email in the format: [email protected].

    The first issue is that I can't communicate from inside our network with smtp.google.com. If I ping it, it can't resolve the host. I can however ping google.com.

    I accessed the console for the ASA and specified to open port 587, and allowed smtp, but I still can't reach it. Below is my running config; I appreciate you taking a look.
    :
    ASA Version 7.2(3)
    !
    hostname RehabFW
    enable password **********encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address *.*.*.146 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    !
    passwd ******** encrypted
    ftp mode passive
    access-list VOIP-TRAFFIC extended permit ip host 192.168.1.2 any
    access-list VOIP-TRAFFIC extended permit ip any host 192.168.1.2
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
    access-list inbound extended permit tcp any interface outside eq pop3
    access-list inbound extended permit tcp any interface outside eq www
    access-list inbound extended permit tcp any interface outside eq ssh
    access-list inbound extended permit tcp any interface outside eq 987
    access-list inbound extended permit tcp any interface outside eq 3389
    access-list inbound extended permit tcp any interface outside eq https
    access-list inbound extended permit tcp any interface outside eq 3390
    access-list inbound extended permit tcp any interface outside eq 3391
    access-list inbound extended permit tcp any interface outside eq 12088
    access-list inbound extended permit tcp any interface outside eq 10088
    access-list inbound extended permit tcp any interface outside eq 8200
    access-list inbound extended permit tcp any interface outside eq 10019
    access-list inbound extended permit tcp any interface outside eq 8016
    access-list inbound extended permit tcp any interface outside eq 8116
    access-list inbound extended permit tcp any interface outside eq 587
    access-list inbound extended permit tcp any interface outside eq smtp
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool ippool 10.10.10.1-10.10.10.254
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
    static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3390 192.168.1.5 3390 netmask 255.255.255.255
    static (inside,outside) tcp interface 3391 192.168.1.3 3391 netmask 255.255.255.255
    static (inside,outside) tcp interface 12088 192.168.1.177 12088 netmask 255.255.255.255
    static (inside,outside) tcp interface 10088 192.168.1.177 10088 netmask 255.255.255.255
    static (inside,outside) tcp interface 8016 192.168.1.177 8016 netmask 255.255.255.255
    static (inside,outside) tcp interface 8116 192.168.1.177 8116 netmask 255.255.255.255
    static (inside,outside) tcp interface 8200 192.168.1.177 8200 netmask 255.255.255.255
    static (inside,outside) tcp interface 10019 192.168.1.177 10019 netmask 255.255.255.255
    static (inside,outside) tcp interface 587 192.168.1.3 587 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 96.31.226.145 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable 444
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.1 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto dynamic-map dyn1 10 set transform-set FirstSet
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 20
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    console timeout 30
    dhcpd dns 64.60.0.17 64.60.0.18
    !
    dhcpd address 192.168.1.100-192.168.1.150 inside
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    class-map VOIP-MAP
    match access-list VOIP-TRAFFIC
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    policy-map VOIP-QOS
    class VOIP-MAP
    police output 250000 37500
    class class-default
    police output 5500000 37500
    !
    service-policy global_policy global
    service-policy VOIP-QOS interface inside
    webvpn
    enable outside
    group-policy REH internal
    group-policy REH attributes
    dns-server value 64.60.0.17 64.60.0.18
    vpn-idle-timeout 30
    split-tunnel-policy tunnelspecified
    tunnel-group REH type ipsec-ra
    tunnel-group REH general-attributes
    address-pool ippool
    default-group-policy REH
    tunnel-group REH ipsec-attributes
    pre-shared-key *
    isakmp ikev1-user-authentication none
    prompt hostname context
    Cryptochecksum:cb09406b6858e3528cb436fa34aecbc2
    : end

  • #2
    Re: Talk to smtp.google [ASA 5510]

    Isn't the hostname smtp.gmail.com ?
    Last edited by auglan; 24th July 2012, 19:04.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Talk to smtp.google [ASA 5510]

      Originally posted by auglan:
      Isn't the hostname smtp.gmail.com ?
      Alright, point considered. Here is the ping information for that:

      Pinging gmail-smtp-msa.l.google.com [173.194.79.108] with 32 bytes of data:
      Reply from 173.194.79.108: bytes=32 time=84ms TTL=47
      Reply from 173.194.79.108: bytes=32 time=77ms TTL=47
      Reply from 173.194.79.108: bytes=32 time=75ms TTL=47
      Reply from 173.194.79.108: bytes=32 time=87ms TTL=47

      Ping statistics for 173.194.79.108:
      Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
      Minimum = 75ms, Maximum = 87ms, Average = 80ms

      Here is the error information from the application log:
      The fax service has failed to generate a positive delivery receipt using SMTP.

      The following error occurred: 0x8004020E.
      This error code indicates the cause of the error.

      But looking over my settings, is there a problem with my configuration that would not allow the Fax server to communicate the information?



      • #4
        Re: Talk to smtp.google [ASA 5510]

        Did you check the logs on the ASA to see if it's being filtered? You can also try from the command line using packet-tracer to see if the flow is allowed.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: Talk to smtp.google [ASA 5510]

          Originally posted by auglan:
          Did you check the logs on the ASA to see if it's being filtered? You can also try from the command line using packet-tracer to see if the flow is allowed.
          Can you walk me through that?



          • #6
            Re: Talk to smtp.google [ASA 5510]

            From configuration mode:

            logging buffered 6
            logging enable

            Try to narrow it down to the specific internal host.

            View logs:

            show logging
            show log | i Deny
            show log | i "ip of internal host"
            sh conn | i "ip of internal host"
            show xlate | i "ip of internal host"

            Also found this. Could be an issue with your account:

            The Error Code 0x8004020E means:
            System.Runtime.InteropServices.COMException (0x8004020E):
            The server rejected the sender address. The server response was: 454 5.7.3
            Client does not have permission to submit mail to this server.
            Last edited by auglan; 24th July 2012, 19:50.
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)

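The log review auglan describes above, turned into a small triage script. This is an added example, not code from this thread and not a Cisco tool: it parses the two ASA syslog message types that matter for this question, %ASA-4-106023 (packet denied by an access-group) and %ASA-6-302013 (TCP connection built), keeps only the lines that involve one internal host, and answers whether traffic to a given remote port was passed or blocked. The log lines in SAMPLE_LOG are constructed; 203.0.113.146 stands in for the firewall's masked *.*.*.146 address and the access-list name "inside_in" is made up.

```python
"""Triage ASA syslog output for one internal host.

Added example; not from this thread and not a Cisco tool.  It recognises
%ASA-4-106023 (denied by an access-group) and %ASA-6-302013 (TCP connection
built).  SAMPLE_LOG is constructed: 203.0.113.146 stands in for the masked
public address and the access-list name "inside_in" is made up.
"""
import re

# Constructed sample of what `show logging` might return around 192.168.1.3.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1201 for outside:173.194.79.108/587 (173.194.79.108/587) to inside:192.168.1.3/49210 (203.0.113.146/49210)
%ASA-6-302014: Teardown TCP connection 1201 for outside:173.194.79.108/587 to inside:192.168.1.3/49210 duration 0:00:02 bytes 1834 TCP FINs
%ASA-4-106023: Deny tcp src inside:192.168.1.3/49211 dst outside:173.194.79.108/25 by access-group "inside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:192.168.1.5/50112 dst outside:198.51.100.9/445 by access-group "inside_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1202 for outside:198.51.100.77/51000 (198.51.100.77/51000) to inside:192.168.1.3/3391 (203.0.113.146/3391)
"""

DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r'%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ '
    r'for (?P<a_if>\w+):(?P<a>[\d.]+)/(?P<aport>\d+) \([^)]*\) '
    r'to (?P<b_if>\w+):(?P<b>[\d.]+)/(?P<bport>\d+)'
)


def parse_events(log_text):
    """Return one dict per recognised line; other message types are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "deny", "proto": d["proto"], "src": d["src"],
                           "dst": d["dst"], "dport": int(d["dport"]), "acl": d["acl"]})
            continue
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            events.append({"kind": "built", "direction": d["dir"],
                           "a": (d["a_if"], d["a"], int(d["aport"])),
                           "b": (d["b_if"], d["b"], int(d["bport"]))})
    return events


def triage_host(log_text, host):
    """Split events into denies involving `host` and connections `host` took part in."""
    denied, built = [], []
    for ev in parse_events(log_text):
        if ev["kind"] == "deny" and host in (ev["src"], ev["dst"]):
            denied.append(ev)
        elif ev["kind"] == "built":
            # The host may appear on either side of the "for ... to ..." pair.
            for me, peer in ((ev["a"], ev["b"]), (ev["b"], ev["a"])):
                if me[1] == host:
                    built.append({"direction": ev["direction"], "local_port": me[2],
                                  "peer": peer[1], "peer_port": peer[2]})
    return {"denied": denied, "built": built}


def verdict(triage, peer_port):
    """'passed' if a connection to peer_port was built, 'blocked' if an ACL denied it."""
    if any(b["peer_port"] == peer_port for b in triage["built"]):
        return "passed"
    if any(d["dport"] == peer_port for d in triage["denied"]):
        return "blocked"
    return "no evidence"


if __name__ == "__main__":
    t = triage_host(SAMPLE_LOG, "192.168.1.3")
    for port in (587, 25, 465):
        print(f"192.168.1.3 -> tcp/{port}: {verdict(t, port)}")
    for d in t["denied"]:
        print(f"denied by {d['acl']}: {d['src']} -> {d['dst']}/{d['dport']}")
```

A "passed" verdict for tcp/587 means the firewall built the outbound session, so the next place to look is the mail server's reply, not the ACLs; "no evidence" usually means logging was not at a level that records the message, which is why the `logging buffered 6` step above comes first.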


            • #7
              Re: Talk to smtp.google [ASA 5510]

              Only show xlate worked for the internal IP. Here are the results:

              PAT Global *.*.*.146(3391) Local 192.168.1.3(3391)
              PAT Global *.*.*.146(587) Local 192.168.1.3(587)
              PAT Global *.*.*.146(25) Local 192.168.1.3(25)

              *3391 is a patched RDP port.



              • #8
                Re: Talk to smtp.google [ASA 5510]

                Okay, I thought this was a network problem, but as it turns out this issue is due to Windows Fax server not working well with external SMTP addresses. Thanks for your help though!

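To see why the 454 5.7.3 reply quoted in post #6 points away from the firewall, here is the SMTP submission exchange played out against a local mock server. This is an added example; it is not the thread's code and not Gmail's actual server logic. The mock's policy, refusing MAIL FROM until the client has authenticated, is constructed to reproduce the response text from the application log, and it omits the STARTTLS step a real port-587 submission would require. What it demonstrates is the diagnostic point: a numbered SMTP reply, whether 250 or 454, can only arrive after the TCP session reached the mail server, so by the time the Fax service logs 0x8004020E the ASA has already passed the flow and the rejection comes from the server's submission policy.

```python
"""Submission dialogue against a mock SMTP server (added example, not from the thread).

The mock accepts one client on 127.0.0.1, requires AUTH before MAIL FROM and
otherwise answers with the 454 5.7.3 text quoted in the thread.  No TLS: a real
port-587 submission would STARTTLS before AUTH.  Credentials are constructed.
"""
import base64
import socket
import threading

REJECT = "454 5.7.3 Client does not have permission to submit mail to this server"


def _mock_submission_server(listener, transcript):
    """Serve exactly one client; record both sides of the dialogue in `transcript`."""
    conn, _ = listener.accept()
    authed = False

    def reply(text):
        transcript.append("S: " + text.replace("\r\n", " | "))
        conn.sendall((text + "\r\n").encode())

    with conn, conn.makefile("rb") as rd:
        reply("220 mock.example ESMTP (constructed mock)")
        while True:
            raw = rd.readline()
            if not raw:
                break
            line = raw.decode().rstrip("\r\n")
            transcript.append("C: " + line)
            verb = line.split(" ", 1)[0].upper()
            if verb == "EHLO":
                reply("250-mock.example\r\n250-STARTTLS\r\n250 AUTH PLAIN")
            elif verb == "AUTH":
                authed = True  # the mock accepts any credentials
                reply("235 2.7.0 Accepted")
            elif verb == "MAIL":
                reply("250 2.1.0 OK" if authed else REJECT)
            elif verb == "QUIT":
                reply("221 2.0.0 closing connection")
                break
            else:
                reply("502 5.5.1 Unrecognized command")


def submit(authenticate):
    """Run EHLO, optional AUTH PLAIN, MAIL FROM, QUIT; return (MAIL FROM code, transcript)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    transcript = []
    server = threading.Thread(target=_mock_submission_server, args=(listener, transcript))
    server.start()
    try:
        with socket.create_connection(listener.getsockname()) as s, s.makefile("rb") as rd:

            def send(cmd):
                s.sendall((cmd + "\r\n").encode())
                # Multi-line replies use "250-"; the final line has a space after the code.
                while True:
                    line = rd.readline().decode().rstrip("\r\n")
                    if len(line) < 4 or line[3] != "-":
                        return int(line[:3])

            rd.readline()  # 220 banner
            send("EHLO faxserver.example")
            if authenticate:
                blob = base64.b64encode(b"\0user@example.com\0constructed-password").decode()
                send("AUTH PLAIN " + blob)
            code = send("MAIL FROM:<user@example.com>")
            send("QUIT")
    finally:
        server.join()
        listener.close()
    return code, transcript


if __name__ == "__main__":
    for auth in (False, True):
        code, log = submit(authenticate=auth)
        print(f"authenticate={auth}: MAIL FROM answered {code}")
        print("\n".join("  " + entry for entry in log))
```

Run stand-alone it prints both dialogues: without AUTH the server answers MAIL FROM with the 454 line, with AUTH it answers 250. A firewall block would look entirely different on the client side, a connect timeout or reset with no SMTP reply at all, which is the distinction the packet-tracer and `show log | i Deny` checks above are meant to surface.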


                • #9
                  Re: Talk to smtp.google [ASA 5510]

                  Glad you got it worked out.
                  CCNA, CCNA-Security, CCNP
                  CCIE Security (In Progress)

