Hi all,
I have a simple yet annoying issue here that I have been trying to fix for days.
I am trying to let SMTP outbound out through the ASA firewall, running firmware 9.1(3).
From the Exchange server, a simple test such as 'telnet test.smtp.org 25' fails with: Connecting To test.smtp.org...Could not open connection to the host, on port 25: Connect failed
DNS looks ok, as follows:
nslookup
Default Server: dc01.lcd.local
Address: 10.0.8.3
> set type=mx
> test.smtp.org
Server: dc01.lcd.local
Address: 10.0.8.3
Non-authoritative answer:
test.smtp.org MX preference = 5, mail exchanger = test.smtp.org
test.smtp.org internet address = 149.20.54.225
My inbound static NAT rule works fine from our public IP, and Exchange responds as it should.
The relevant ASA config for the outbound rules is as follows:
object network EXCH01
host 10.0.8.21
access-list inside_access_in extended permit tcp object EXCH01 any eq smtp log warnings ; access control list allowing smtp through the inside interface
access-list inside_access_in extended permit ip any any ; allows all ip traffic out from the LAN to the internet
object network EXCH01
nat (any,outside) dynamic interface ; exchange object based nat rule
A packet-tracer command appears to show that the firewall allows this traffic type:
packet-tracer input inside tcp 10.0.8.21 smtp 149.20.54.225 smtp detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xce5a8e30, priority=1, domain=permit, deny=false
hits=263226954, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in_1 in interface inside
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 any any4
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object tcp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd10626e0, priority=13, domain=permit, deny=false
hits=939341, user_data=0xcbdb2ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network SMTP
nat (inside,outside) static interface service tcp smtp smtp
Additional Information:
Static translate 10.0.8.21/25 to 103.13.88.94/25
Forward Flow based lookup yields rule:
in id=0xd294f998, priority=6, domain=nat, deny=false
hits=0, user_data=0xd17f8080, cs_id=0x0, flags=0x0, protocol=6
src ip/id=10.0.8.21, mask=255.255.255.255, port=25, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc9e66978, priority=1, domain=nat-per-session, deny=true
hits=67673215, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xce5ae9c0, priority=0, domain=inspect-ip-options, deny=true
hits=36388309, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: INSPECT
Subtype: inspect-pptp
Result: ALLOW
Config:
class-map global-class
match any
policy-map global-policy
class global-class
inspect pptp
service-policy global-policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcf0fce18, priority=70, domain=inspect-pptp, deny=false
hits=36014159, user_data=0xcf0fc798, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcf0faf68, priority=18, domain=flow-export, deny=false
hits=37390241, user_data=0xcf0adcc8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcef37788, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=36093366, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc9e66978, priority=1, domain=nat-per-session, deny=true
hits=67673217, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xce587990, priority=0, domain=inspect-ip-options, deny=true
hits=37291874, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 37679980, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_punt
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA-LCD#
There are no access lists etc. on any LAN devices between Exchange and the firewall, and I've temporarily turned off the Windows Firewall on the Exchange server. How can I troubleshoot this problem further?
For further information, when running a telnet from the Exchange server to an external SMTP host, I've attached the output I get from the ASDM packet capture tool. I'm seeing no traffic on the egress interface; please tell me what I have missed.
Note: I have no problem with any other type of outbound traffic (ping, HTTP, etc.) from any host, including Exchange; only SMTP outbound is a problem.
Thanks in advance for your advice.
Regards,
Mike
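As an added example (not part of Mike's post or Cisco's tooling): a small Python parser for ASA packet-tracer output like the trace above. It splits the trace into phases, reports which NAT rule translated the packet, and flags that the trace was run with source port smtp (25), which is what let it match the port-specific static rule on the SMTP object; a real outbound connection uses an ephemeral source port, so the parser suggests re-running the trace with one. The sample trace is a constructed, trimmed copy of the phases quoted in the post, and the ephemeral port 49152 is an arbitrary choice.

```python
import re
# Constructed, trimmed excerpt of the packet-tracer output quoted in the post.
SAMPLE = """\
packet-tracer input inside tcp 10.0.8.21 smtp 149.20.54.225 smtp detailed
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 4
Type: NAT
Result: ALLOW
Config:
object network SMTP
nat (inside,outside) static interface service tcp smtp smtp
Static translate 10.0.8.21/25 to 103.13.88.94/25
Result:
Action: allow
"""
SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443, "domain": 53}

def parse_trace(text):
    # Returns (command tokens, list of phase dicts, final action).
    cmd, phases, cur, action = None, [], None, None
    for line in text.splitlines():
        if line.startswith("packet-tracer "):
            cmd = line.split()
        elif line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "config": []}
            phases.append(cur)
        elif line == "Result:":  # trailing summary block, not a phase
            cur = None
        elif line.startswith("Action: "):
            action = line[8:].strip()
        elif cur is not None:
            m = re.fullmatch(r"(Type|Subtype|Result):\s*(.*)", line)
            if m:
                cur[m.group(1).lower()] = m.group(2)
            else:
                cur["config"].append(line)  # Config: / Additional Information: lines

    return cmd, phases, action

def check_trace(text):
    # Lists the NAT rule that translated the packet; warns when the traced source port
    # is a well-known service port that matched a port-specific (service) static NAT.
    cmd, phases, action = parse_trace(text)
    sport = SERVICE_PORTS.get(cmd[5], int(cmd[5]) if cmd[5].isdigit() else None)  # <src> <sport>
    findings = [f"final action: {action}"]
    for p in phases:
        rule = next((l for l in p["config"] if l.startswith("nat ")), None)
        if p.get("type") == "NAT" and rule:
            findings.append(f"phase {p['phase']} translated by: {rule}")
            if "service" in rule and sport is not None and sport < 1024:
                rerun = " ".join(cmd[:5] + ["49152"] + cmd[6:])  # arbitrary ephemeral source port
                findings.append(f"caveat: source port {sport} matched a port-specific static NAT; a real client uses an ephemeral source port, re-run: {rerun}")
    return findings
```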