Open ASA for Outgoing Webserver Email 1

Status
Not open for further replies.

RMurr34

Technical User
Sep 10, 2008
66
US
Hello,

I have a webserver in a DMZ behind my ASA 5510. I've configured SMTP on the webserver and configured my Exchange Server (2007) to allow relay through it. However, the emails just sit in a queue going nowhere. Since the webserver is in a DMZ it's a standalone server, so I added the ISP DNS server as its DNS server. Is there something here in my config that is stopping the emails from making it through to my Exchange Server?



ASA Version 8.0(2)
!
hostname dumdumium
domain-name mydomain.com
enable password riBdCf1fnvp8w.If encrypted
names
name 76.xxx.xxx.xxx PERIM-RTR
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 76.xxx.xxx.xxx 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 192.168.61.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
dns domain-lookup inside
dns server-group DefaultDNS
domain-name mydomain.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.60.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 101 extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list nonat extended permit ip 192.168.60.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq ftp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq 3389
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq www
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq smtp
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq https
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq smtp
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq www
access-list outside_access_in extended permit icmp any host 76.xxx.xxx.xxx echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp any host 76.xxx.xxx.xxx eq 3389
access-list 102 extended permit ip 192.168.60.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 103 extended permit ip 192.168.60.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 104 extended permit ip 192.168.60.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list 105 extended permit ip 192.168.60.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz_access_in extended deny ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
access-list dmz_access_in extended permit tcp host 192.168.61.55 host 192.168.60.94 eq smtp
access-list split-tunnel standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel standard permit 192.168.20.0 255.255.255.0
access-list split-tunnel standard permit 192.168.30.0 255.255.255.0
access-list split-tunnel standard permit 192.168.40.0 255.255.255.0
access-list split-tunnel standard permit 192.168.50.0 255.255.255.0
access-list split-tunnel standard permit 192.168.60.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 10.100.10.1-10.100.10.50
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit 192.168.10.0 255.255.255.0 inside
icmp permit 192.168.20.0 255.255.255.0 inside
icmp permit 192.168.30.0 255.255.255.0 inside
icmp permit 192.168.40.0 255.255.255.0 inside
icmp permit 192.168.50.0 255.255.255.0 inside
icmp permit 192.168.60.0 255.255.255.0 inside
icmp permit 192.168.61.0 255.255.255.0 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
static (dmz,outside) 76.xxx.xxx.xxx 192.168.61.75 netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,dmz) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
static (inside,dmz) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,outside) 76.xxx.xxx.xxx 192.168.60.94 netmask 255.255.255.255
static (dmz,outside) 76.xxx.xxx.xxx 192.168.61.55 netmask 255.255.255.255
static (dmz,inside) 192.168.61.55 192.168.61.55 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 PERIM-RTR 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn host 192.168.60.99
key xxxxxxxxxxx
aaa authentication ssh console LOCAL
http server enable
http 192.168.60.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map newmap 10 match address 101
crypto map newmap 10 set peer 66.xxx.xxx.xxx
crypto map newmap 10 set transform-set FirstSet
crypto map newmap 20 match address 102
crypto map newmap 20 set peer 67.xxx.xxx.xxx
crypto map newmap 20 set transform-set FirstSet
crypto map newmap 30 match address 103
crypto map newmap 30 set peer 68.xxx.xxx.xxx
crypto map newmap 30 set transform-set FirstSet
crypto map newmap 40 match address 104
crypto map newmap 40 set peer 66.xxx.xxx.xxx
crypto map newmap 40 set transform-set FirstSet
crypto map newmap 50 match address 105
crypto map newmap 50 set peer 66.xxx.xxx.xxx
crypto map newmap 50 set transform-set FirstSet
crypto map newmap 65535 ipsec-isakmp dynamic dyn1
crypto map newmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy seavpn internal
group-policy seavpn attributes
dns-server value 192.168.60.99
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value dwr.digitalwarroom.com
username asa password xxxxxxxxx encrypted
username colovpn password xxxxxxxxx encrypted
tunnel-group 66.xxx.xxx.xxx type ipsec-l2l
tunnel-group 66.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 67.xxx.xxx.xxx type ipsec-l2l
tunnel-group 67.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 66.xxx.xxx.xxx type ipsec-l2l
tunnel-group 66.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 68.xxx.xxx.xxx type ipsec-l2l
tunnel-group 68.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group 66.xxx.xxx.xxx type ipsec-l2l
tunnel-group 66.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool vpnpool
default-group-policy seavpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
prompt hostname context
 
Code:
access-list dmz_access_in extended deny ip any interface inside
access-list dmz_access_in extended permit ip any interface outside
access-list dmz_access_in extended permit tcp host 192.168.61.55 host 192.168.60.94 eq smtp
Your ACEs in the ACL are out of order. Your last entry should be the first entry. The best thing to do is look at your log; it will tell you:
Code:
sh logging asdm

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
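Added example (Python, not code from the thread or from Cisco): a first-match evaluator for the three dmz_access_in ACEs quoted above, so any flow can be traced to the exact ACE, and the line number, that it hits. It runs the DMZ-to-Exchange SMTP flow against the posted order, against the reordered list from the follow-up post, and against a constructed third ordering with a subnet-wide deny at line 1, which is what a shadowed permit looks like. Assumptions: the interface addresses come from the posted ip address lines, the masked outside address is replaced by a documentation placeholder, and `interface <nameif>` is matched as that interface's own address, which is what the keyword means in ASA ACL syntax.

```python
"""Added example, not code from the thread: a first-match evaluator for the
dmz_access_in ACL quoted above, so each test flow can be traced to the exact
ACE (and position) it hits."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface addresses taken from the posted "ip address" lines. In ASA ACL
# syntax "interface <nameif>" matches that interface's own address, not the
# subnet behind it. The outside address is masked in the post, so a
# documentation placeholder stands in for it.
IFACE_ADDR = {
    "inside": ipaddress.ip_address("192.168.60.1"),
    "dmz": ipaddress.ip_address("192.168.61.1"),
    "outside": ipaddress.ip_address("192.0.2.1"),  # placeholder for 76.xxx.xxx.xxx
}

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: str                     # "any" | "host A.B.C.D" | "A.B.C.D M.M.M.M" | "interface <nameif>"
    dst: str
    dport: Optional[int] = None  # from "eq <port>"; None means any destination port


def _take_addr(tokens):
    """Consume one address spec from the token list, returning (spec, remaining)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    # "host X", "interface X" and "network mask" all use two tokens
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line: str) -> ACE:
    """Parse one 'access-list <name> extended <action> <proto> <src> <dst> [eq <port>]' line."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tok[3], tok[4]
    src, rest = _take_addr(tok[5:])
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return ACE(action, proto, src, dst, dport)


def _match_addr(spec: str, ip: ipaddress.IPv4Address) -> bool:
    if spec == "any":
        return True
    kind, value = spec.split(" ", 1)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "interface":
        return ip == IFACE_ADDR[value]
    return ip in ipaddress.ip_network(f"{kind}/{value}", strict=False)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (line_number, action) of the first ACE that matches the flow.
    (None, "deny") models the implicit deny that closes every ASA ACL."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match_addr(ace.src, src_ip) and _match_addr(ace.dst, dst_ip)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return n, ace.action
    return None, "deny"


# The three ACEs exactly as posted, in their original order.
ORIGINAL = [parse_ace(l) for l in [
    "access-list dmz_access_in extended deny ip any interface inside",
    "access-list dmz_access_in extended permit ip any interface outside",
    "access-list dmz_access_in extended permit tcp host 192.168.61.55 host 192.168.60.94 eq smtp",
]]

# The order the follow-up post ends up with (SMTP permit moved to line 1).
REORDERED = [ORIGINAL[2], ORIGINAL[0], ORIGINAL[1]]

# Constructed variant, not from the thread: a deny on the whole inside *subnet*
# at line 1 shadows the SMTP permit no matter where it sits below.
SHADOWED = [parse_ace("access-list demo extended deny ip any 192.168.60.0 255.255.255.0")] + ORIGINAL[1:]

# Flow from the thread: web server in the DMZ to Exchange on TCP/25.
SMTP_FLOW = ("tcp", "192.168.61.55", "192.168.60.94", 25)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED), ("shadowed", SHADOWED)):
        print(f"{name:10s} smtp flow -> line {evaluate(acl, *SMTP_FLOW)}")
    print("to ASA inside address:", evaluate(ORIGINAL, "tcp", "192.168.61.55", "192.168.60.1", 22))
```

On a real ASA, `show access-list dmz_access_in` prints the same line numbers together with a hit count per ACE, which is the quickest way to confirm which entry a flow is actually matching before reordering anything.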
 
Hello again UncleRico,

Happy New Year!

I ran sh logging asdm but nothing happens? How do I change the order of my ACEs?

Thanks once again for your help.
 
Happy New Year to you also my friend.

First of all to enable logging run the following:
Code:
logging enable
Second, to change the order of your ACEs, do this:
Code:
no access-list dmz_access_in line 3 extended permit tcp host 192.168.61.55 host 192.168.60.94 eq smtp

access-list dmz_access_in line 1 extended permit tcp host 192.168.61.55 host 192.168.60.94 eq smtp
You should be good to go. One more question: do you have your SMTP virtual server set to use your Exchange server's IP address or host name as the smart host?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here's what my config shows now:

access-list dmz_access_in extended permit tcp host 192.168.61.55 host 192.168.60.94 eq smtp
access-list dmz_access_in extended deny ip any interface inside
access-list dmz_access_in extended permit ip any interface outside

When I run sh logging asdm it returns the following:

4|Jan 09 2009 12:37:19|713903: Group = 66.xxx.xxx.xxx, IP = 66.xxx.xxx.xxx, Freeing previously allocated memory for authorization-dn-attributes
3|Jan 09 2009 12:37:19|713119: Group = 66.xxx.xxx.xxx, IP = 66.xxx.xxx.xxx, PHASE 1 COMPLETED
6|Jan 09 2009 12:37:20|302013: Built inbound TCP connection 2249654 for outside:192.168.10.150/1528 (192.168.10.150/1528) to inside:192.168.60.99/88 (192.168.60.99/88)
6|Jan 09 2009 12:37:20|302014: Teardown TCP connection 2249632 for outside:69.xxx.xxx.xxx/25 to inside:192.168.60.94/8469 duration 0:00:10 bytes 417 TCP FINs
4|Jan 09 2009 12:37:20|106023: Deny tcp src outside:68.xxx.xxx.xxx/4259 dst dmz:76.xxx.xxx/445 by access-group "outside_access_in" [0x0, 0x0]
6|Jan 09 2009 12:37:20|302015: Built outbound UDP connection 2249655 for outside:192.168.10.40/53 (192.168.10.40/53) to inside:192.168.60.94/8470 (192.168.60.94/8470)
6|Jan 09 2009 12:37:20|302013: Built outbound TCP connection 2249656 for outside:62.xxx.xxx.xxx/25 (62.xxx.xxx.xxx/25) to inside:192.168.60.94/8471 (76.191.108.35/8471)
6|Jan 09 2009 12:37:20|302016: Teardown UDP connection 2249655 for outside:192.168.10.40/53 to inside:192.168.60.94/8470 duration 0:00:00 bytes 261
6|Jan 09 2009 12:37:20|302014: Teardown TCP connection 2249654 for outside:192.168.10.150/1528 to inside:192.168.60.99/88 duration 0:00:00 bytes 2903 TCP FINs
6|Jan 09 2009 12:37:20|302021: Teardown ICMP connection for faddr 68.xxx.xxx.xxx/5077 gaddr 76.xxx.xxx.xxx/0 laddr 192.168.61.55/0
6|Jan 09 2009 12:37:21|302021: Teardown ICMP connection for faddr 192.168.30.95/0 gaddr 192.168.60.94/512 laddr 192.168.60.94/512
6|Jan 09 2009 12:37:21|302021: Teardown ICMP connection for faddr 192.168.30.95/0 gaddr 192.168.60.94/512 laddr 192.168.60.94/512
4|Jan 09 2009 12:37:21|106023: Deny tcp src outside:68.xxx.xxx.xxx/4261 dst dmz:76.xxx.xxx.xxx/139 by access-group "outside_access_in" [0x0, 0x0]
6|Jan 09 2009 12:37:21|302013: Built inbound TCP connection 2249657 for outside:192.168.10.150/1532 (192.168.10.150/1532) to inside:192.168.60.99/88 (192.168.60.99/88)
6|Jan 09 2009 12:37:21|302013: Built inbound TCP connection 2249658 for outside:192.168.10.150/1533 (192.168.10.150/1533) to inside:192.168.60.99/88 (192.168.60.99/88)
6|Jan 09 2009 12:37:22|302013: Built inbound TCP connection 2249659 for outside:68.xxx.xxx.xxx/1875 (68.xxx.xxx.xxx/1875) to inside:192.168.60.94/443 (76.xxx.xxx.xxx/443)
6|Jan 09 2009 12:37:22|302014: Teardown TCP connection 2249657 for outside:192.168.10.150/1532 to inside:192.168.60.99/88 duration 0:00:00 bytes 2830 TCP FINs
6|Jan 09 2009 12:37:22|302014: Teardown TCP connection 2249658 for outside:192.168.10.150/1533 to inside:192.168.60.99/88 duration 0:00:00 bytes 2765 TCP FINs
6|Jan 09 2009 12:37:23|302014: Teardown TCP connection 2249593 for outside:199.xxx.xxx.xxx/25 to inside:192.168.60.94/8465 duration 0:00:28 bytes 742 TCP FINs
6|Jan 09 2009 12:37:23|302013: Built inbound TCP connection 2249660 for outside:192.168.40.107/1637 (192.168.40.107/1637) to inside:192.168.60.94/443 (192.168.60.94/443)
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249295 for outside:192.168.10.40/389 to inside:192.168.60.94/8392 duration 0:02:01 bytes 359
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249296 for outside:192.168.10.40/88 to inside:192.168.60.94/8393 duration 0:02:01 bytes 2682
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249297 for outside:192.168.10.40/88 to inside:192.168.60.94/8396 duration 0:02:01 bytes 1709
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249298 for outside:192.168.10.40/88 to inside:192.168.60.94/8397 duration 0:02:01 bytes 2740
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249299 for outside:192.168.10.40/88 to inside:192.168.60.94/8398 duration 0:02:01 bytes 1709
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249300 for outside:192.168.10.40/88 to inside:192.168.60.94/8399 duration 0:02:01 bytes 2740
6|Jan 09 2009 12:37:24|302016: Teardown UDP connection 2249304 for outside:192.168.10.40/88 to inside:192.168.60.94/8402 duration 0:02:01 bytes 1709
6|Jan 09 2009 12:37:24|302020: Built outbound ICMP connection for faddr 192.168.20.98/0 gaddr 192.168.60.94/512 laddr 192.168.60.94/512
6|Jan 09 2009 12:37:24|302020: Built inbound ICMP connection for faddr 192.168.20.98/0 gaddr 192.16.60.94/512 laddr 192.168.60.94/512
6|Jan 09 2009 12:37:24|302014: Teardown TCP connection 2249660 for outside:192.168.40.107/1637 to inside:192.168.60.94/443 duration 0:00:00 bytes 7330 TCP Reset-O
4|Jan 09 2009 12:37:24|106023: Deny tcp src outside:68.xxx.xxx.xxx/4261 dst dmz:76.xxx.xxx.xxx/139 by access-group "outside_access_in" [0x0, 0x0]
6|Jan 09 2009 12:37:25|302016: Teardown UDP connection 2249305 for outside:192.168.10.40/88 to inside:192.168.60.94/8403 duration 0:02:02 bytes 2740
6|Jan 09 2009 12:37:25|302016: Teardown UDP connection 2249306 for outside:192.168.10.40/88 to inside:192.168.60.94/8404 duration 0:02:01 bytes 1709
6|Jan 09 2009 12:37:25|302016: Teardown UDP connection 2249307 for outside:192.168.10.40/88 to inside:192.168.60.94/8405 duration 0:02:01 bytes 2740
6|Jan 09 2009 12:37:25|302016: Teardown UDP connection 2249308 for outside:192.168.10.40/88 to inside:192.168.60.94/8406 duration 0:02:01 bytes 1709
6|Jan 09 2009 12:37:25|302016: Teardown UDP connection 2249311 for outside:192.168.10.40/88 to inside:192.168.60.94/8407 duration 0:02:01 bytes 2740
4|Jan 09 2009 12:37:25|106023: Deny tcp src outside:68.xxx.xxx.xxx/4260 dst dmz:76.xxx.xxx.xxx/139 by access-group "outside_access_in" [0x0, 0x0]

I try to telnet to my Exchange Server 192.168.60.94 from my webserver but it fails to connect.

 
Also, I do have my Exchange Server added to the Advanced Delivery/Smart Host in IIS on the webserver (192.168.60.94.mydomain.com).

And I also have allowed this webserver to relay through my Exchange Server by creating a new connector.

Thanks!
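Added example (Python, not code from the thread): triage helpers for the ASDM-format log lines pasted above. They parse the `<severity>|<timestamp>|<message-id>: <text>` shape, pick out the 106023 "Deny ... by access-group" records, which are the lines that show an interface ACL dropping a packet, and let you filter for one flow or count drops per interface, ACL and port. The sample lines are constructed in the same format with documentation addresses in place of the thread's masked ones; the dmz-to-inside line is a constructed illustration of what a drop of the SMTP flow would look like, not a line from the posted output.

```python
"""Added example, not code from the thread: triage helpers for ASDM-format
syslog lines ("<severity>|<timestamp>|<message-id>: <text>") that pull out
the 106023 "Deny ... by access-group" records, which are the lines to look
for when an interface ACL is dropping a flow."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")

# TCP/UDP form of 106023; the ICMP form has no ports and is left unparsed here.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\w.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dip>[\w.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in ASDM format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    if rec["msgid"] == "106023":
        d = DENY_RE.search(rec["text"])
        if d:
            rec.update(d.groupdict())
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def acl_denies(lines):
    """Every TCP/UDP packet dropped by an interface ACL (message 106023)."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and r["msgid"] == "106023" and "acl" in r]


def denies_for_flow(lines, src_ip, dst_ip, dport):
    """Drops of one specific flow, e.g. the DMZ web server talking to Exchange on 25."""
    return [r for r in acl_denies(lines)
            if r["sip"] == src_ip and r["dip"] == dst_ip and r["dport"] == dport]


def deny_summary(lines):
    """Drops counted per (ingress interface, ACL name, destination port)."""
    return Counter((r["sif"], r["acl"], r["dport"]) for r in acl_denies(lines))


# Constructed sample in the pasted format (documentation addresses, not the
# thread's masked ones). The dmz -> inside line is what a drop of the SMTP
# flow by dmz_access_in would look like; the thread itself shows no such line.
SAMPLE = """\
6|Jan 09 2009 12:37:20|302013: Built inbound TCP connection 2249654 for outside:192.168.10.150/1528 (192.168.10.150/1528) to inside:192.168.60.99/88 (192.168.60.99/88)
4|Jan 09 2009 12:37:20|106023: Deny tcp src outside:198.51.100.7/4259 dst dmz:203.0.113.10/445 by access-group "outside_access_in" [0x0, 0x0]
4|Jan 09 2009 12:37:21|106023: Deny tcp src outside:198.51.100.7/4261 dst dmz:203.0.113.10/139 by access-group "outside_access_in" [0x0, 0x0]
4|Jan 09 2009 12:37:22|106023: Deny tcp src dmz:192.168.61.55/3001 dst inside:192.168.60.94/25 by access-group "dmz_access_in" [0x0, 0x0]
4|Jan 09 2009 12:37:24|106023: Deny tcp src outside:198.51.100.7/4261 dst dmz:203.0.113.10/139 by access-group "outside_access_in" [0x0, 0x0]
6|Jan 09 2009 12:37:25|302014: Teardown TCP connection 2249654 for outside:192.168.10.150/1528 to inside:192.168.60.99/88 duration 0:00:05 bytes 2903 TCP FINs
""".splitlines()

if __name__ == "__main__":
    for r in denies_for_flow(SAMPLE, "192.168.61.55", "192.168.60.94", 25):
        print(f'{r["ts"]} {r["acl"]} dropped {r["sif"]}:{r["sip"]} -> {r["dif"]}:{r["dip"]}/{r["dport"]}')
    for key, n in deny_summary(SAMPLE).most_common():
        print(key, n)
```

Feeding the real `sh logging asdm` output through `denies_for_flow` for the web server, Exchange and port 25 answers the question directly: no 106023 for that flow means the ACL is not what is stopping the mail, and the next thing to check is the path after the ACL (NAT and the ESMTP inspection engine).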
 
When you telnetted did you do:

telnet 192.168.60.94 25

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes. All that happens is:

220***********************************************
**************************************************

Connection to host lost.

 
So it is connecting then. You are seeing the ASA masking the SMTP greeting. Are you able to receive any mail from the outside????

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I don't have anything to email TO on the webserver. I'm only using SMTP on it so when someone goes to our website they can go to one of the pages and submit request that will forward them some documents.

Not sure if that makes any sense to you :)
 
Your scenario makes perfect sense. Have you tried submitting a new e-mail from your webserver via the web site?? One thing I would try (and only briefly) would be to disable esmtp inspection:
Code:
ASA(config)#policy-map global_policy
ASA(config-pmap)#class inspection_default
ASA(config-pmap-c)#no inspect esmtp
ASA(config-pmap-c)#exit
ASA(config-pmap)#exit
Be sure to re-enable it after you test. ESMTP inspection offers you some added protection from prowling eyes.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
We're golden UncleRico! I was just successful in submitting an email from our website and it made it through.

Thanks once again for your help!
 
Beaners!!! Until next time ;-)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 