mikesqui
Member, join:2015-03-19
[HELP] ASA v9.1 SMTP outbound

Hi all,

I have a simple, yet annoying issue here, that I have been trying to fix for days.

I am trying to let SMTP outbound out through the ASA firewall, running firmware 9.1(3).

From the Exchange server a simple test such as 'telnet test.smtp.org 25' fails with: "Connecting To test.smtp.org...Could not open connection to the host, on port 25: Connect failed".

DNS looks ok, as follows:

nslookup
Default Server: dc01.lcd.local
Address: 10.0.8.3

> set type=mx
> test.smtp.org
Server: dc01.lcd.local
Address: 10.0.8.3

Non-authoritative answer:
test.smtp.org MX preference = 5, mail exchanger = test.smtp.org

test.smtp.org internet address = 149.20.54.225

My inbound static NAT rule works fine from our public IP, and exchange responds as it should.

Relevant ASA config for outbound rules are as follows:

object network EXCH01
host 10.0.8.21

access-list inside_access_in extended permit tcp object EXCH01 any eq smtp log warnings ; access control list allowing smtp through the inside interface

access-list inside_access_in extended permit ip any any ; allows all ip traffic out from the LAN to the internet

object network EXCH01
nat (any,outside) dynamic interface ; exchange object based nat rule

A packet-tracer command appears to show the firewall allows this traffic type:

packet-tracer input inside tcp 10.0.8.21 smtp 149.20.54.225 smtp detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xce5a8e30, priority=1, domain=permit, deny=false
hits=263226954, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any any4
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd10626e0, priority=13, domain=permit, deny=false
hits=939341, user_data=0xcbdb2ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network SMTP
nat (inside,outside) static interface service tcp smtp smtp
Additional Information:

Static translate 10.0.8.21/25 to 103.13.88.94/25
Forward Flow based lookup yields rule:
in id=0xd294f998, priority=6, domain=nat, deny=false
hits=0, user_data=0xd17f8080, cs_id=0x0, flags=0x0, protocol=6
src ip/id=10.0.8.21, mask=255.255.255.255, port=25, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9e66978, priority=1, domain=nat-per-session, deny=true
hits=67673215, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:

Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xce5ae9c0, priority=0, domain=inspect-ip-options, deny=true
hits=36388309, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: inspect-pptp
Result: ALLOW
Config:
class-map global-class
match any
policy-map global-policy
class global-class
inspect pptp
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcf0fce18, priority=70, domain=inspect-pptp, deny=false
hits=36014159, user_data=0xcf0fc798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcf0faf68, priority=18, domain=flow-export, deny=false
hits=37390241, user_data=0xcf0adcc8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcef37788, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=36093366, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc9e66978, priority=1, domain=nat-per-session, deny=true
hits=67673217, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xce587990, priority=0, domain=inspect-ip-options, deny=true
hits=37291874, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 37679980, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ASA-LCD#

There are no access lists etc. on any LAN devices between Exchange and the firewall, and I've temporarily turned off the Windows Firewall on the Exchange server. How can I troubleshoot this problem further?

For further information, when running a telnet from the Exchange server to an external SMTP host, I've attached the output I get from the ASDM packet capture tool. I'm seeing no traffic on the egress interface; please tell me what I have missed.

Note: I have no problem with any other type of outbound traffic (ping, http etc.), from any host including Exchange; only smtp outbound is a problem.

Thanks in advance for your advice.

Regards,

Mike
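The `packet-tracer ... detailed` output above is long, and the lines that matter for troubleshooting (which ACL fired, which NAT rule fired, what the address:port mapping was, and the final action) are buried between hit counters. The following parser is an added example, not code from the post or from Cisco; it turns the phase blocks into records so those lines can be pulled out directly. The SAMPLE text is trimmed from the trace in the post (a few phases kept, the rest dropped), and the helper names (`matched_nat_rules`, `translations`, `final_action`) are my own.

```python
"""Summarize Cisco ASA `packet-tracer ... detailed` output.

Added example (not from the forum post or Cisco): splits the output into
Phase records and pulls out the matched NAT rule(s), the translation applied
and the final action.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text: str) -> List[Phase]:
    """Return one Phase per 'Phase: N' block; the trailing summary (bare 'Result:') is not a phase."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank lines (e.g. after 'Subtype:') carry nothing
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if current is None:               # text before the first phase or after the summary
            continue
        if line == "Result:":             # bare 'Result:' opens the final summary block
            current = None
        elif line.startswith("Type:"):
            current.type = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current.result = line[len("Result:"):].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases


def matched_nat_rules(phases: List[Phase]) -> List[str]:
    """The 'nat ...' config lines of NAT phases that matched (an empty Config means no rule hit)."""
    return [c for p in phases if p.type == "NAT" for c in p.config if c.startswith("nat ")]


def translations(phases: List[Phase]) -> List[str]:
    """The 'Static/Dynamic translate A to B' lines, i.e. the address:port mapping the ASA applied."""
    return [i for p in phases if p.type == "NAT" for i in p.info if " translate " in i]


def final_action(text: str) -> Optional[str]:
    """'allow' or 'drop' from the trailing 'Action:' line, None if absent."""
    m = re.search(r"^Action:\s*(\w+)", text, re.MULTILINE)
    return m.group(1) if m else None


def denied_phases(phases: List[Phase]) -> List[Phase]:
    return [p for p in phases if p.result.upper() != "ALLOW"]


def summary(phases: List[Phase]) -> List[str]:
    return [f"Phase {p.number}: {p.type}/{p.subtype or '-'} -> {p.result}" for p in phases]


# Constructed sample: trimmed from the trace in the post (phases 1, 3, 4 and 12 only).
SAMPLE = """\
packet-tracer input inside tcp 10.0.8.21 smtp 149.20.54.225 smtp detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xce5a8e30, priority=1, domain=permit, deny=false

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any any4
Additional Information:
Forward Flow based lookup yields rule:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network SMTP
nat (inside,outside) static interface service tcp smtp smtp
Additional Information:

Static translate 10.0.8.21/25 to 103.13.88.94/25
Forward Flow based lookup yields rule:
in id=0xd294f998, priority=6, domain=nat, deny=false

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 37679980, packet dispatched to next module

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

if __name__ == "__main__":
    ph = parse_packet_tracer(SAMPLE)
    print("\n".join(summary(ph)))
    print("NAT rules hit:", matched_nat_rules(ph))
    print("Translations:", translations(ph))
    print("Action:", final_action(SAMPLE))
```

Run against the full trace from the post, the parser reports the one NAT rule that fired: the static `service tcp smtp smtp` rule, with the mapping `10.0.8.21/25 to 103.13.88.94/25`. That rule matched because the traced packet was given source port `smtp` (25). A real outbound connection from a mail server originates from an ephemeral source port, so a port-specific static rule is not the path such a packet takes; repeating the trace with an ephemeral source port shows which rule the real flow hits, which is the comparison worth making before touching the config.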
aryoba
MVM, join:2002-08-22

Can you post show running-config CLI command output?
HELLFIRE
MVM, join:2009-11-25

to mikesqui
2nded. Your running config, minus passwords, non-RFC1918 addresses and any other sensitive info would help.

Dumb question, your capture is catching traffic in both directions, right? i.e. 10.0.8.21 -> 149.20.54.225 AND 149.20.54.225 -> 10.0.8.21?

Regards