Question : Cisco ASA NAT Issue

Layout:

There is a cable provided modem device with the following addresses:
Internal Interface: 10.1.10.1
External Interface: XXX.XXX.147.33

The Internal interface is connected directly to the external interface of an ASA5505

ASA5505 External Interface: 10.1.10.2
ASA5505 Internal Interface: 192.168.1.1

An Exchange server (SBS) is sitting at 192.168.1.2, and ready to receive mail.

RDP and other protocols are functioning fine, but SMTP is not. All SMTP flow comes through Postini (Google) for hygiene. SMTP gets a SYN and times out the connection. The sanitized config is here:

ciscoasa# sh config
: Saved
: Written by enable_15 at 12:56:23.279 EDT Mon Jun 21 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name XXXXXXXXXXX.local
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
name 192.168.1.250 XXX-XXX-SBS description XXX Interface on XXX-SBS
name 192.168.1.203 XXX-XXXAPP01 description XXX Interface on XXXAPP01
name 192.168.1.204 XXX-XXXAPP02 description XXX Interface on XXXAPP02
name 192.168.1.3 XXXAPP01 description XXXAPP01 Server
name 192.168.1.4 XXXAPP02 description XXXAPP02 Server
!
interface Vlan1
nameif inside
security-level 100
ddns update hostname 192.168.1.2
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
ospf cost 10
ospf authentication null
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.10.2 255.255.255.0
ospf cost 10
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
domain-name ifi.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group network Postini
network-object 207.126.144.0 255.255.240.0
network-object 64.18.0.0 255.255.240.0
network-object 74.125.149.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.147.34 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 444
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 500
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 1701
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq pptp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 4125
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 4500
access-list outside_access_in extended permit udp any host XXX.XXX.147.33 eq ntp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 987
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteUserAccess 192.168.1.50-192.168.1.59 mask 255.0.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XXX.XXX.147.33 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.147.34 XXX-XXX-SBS netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
sysopt noproxyarp outside
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.61-192.168.1.95 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd wins 192.168.1.2 interface inside
dhcpd lease 259200 interface inside
dhcpd ping_timeout 120 interface inside
dhcpd domain XXX.LOCAL interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteUserAccess2 internal
group-policy RemoteUserAccess2 attributes
dns-server value 192.168.1.60
vpn-tunnel-protocol IPSec
default-domain value XXX.LOCAL
username XXXXXXXX password XXXXXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXXX attributes
vpn-group-policy RemoteUserAccess2
username XXXXXXXXXXX password XXXXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXXXX attributes
vpn-group-policy RemoteUserAccess2
username XXXXXXXXX password XXXXXXXXXXXXXXXXXXXXXX encrypted privilege 0
username XXXXXXXX attributes
vpn-group-policy RemoteUserAccess2
tunnel-group RemoteUserAccess2 type remote-access
tunnel-group RemoteUserAccess2 general-attributes
address-pool RemoteUserAccess
default-group-policy RemoteUserAccess2
tunnel-group RemoteUserAccess2 ipsec-attributes
pre-shared-key *
tunnel-group RemoteUserAccess2 ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group-map default-group RemoteUserAccess2
!
class-map global-class
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global-policy
class global-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
!
service-policy global-policy global
smtp-server 192.168.1.2
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

All other protocols get to the server - just not SMTP! I checked with the ISP - they say that they are not blocking SMTP traffic - what am i missing here??!?

Answer : Cisco ASA NAT Issue

Found a few other things...

No inbound OR outbound SMTP, but according to the cable company - no filtering. We reverted to the previous circuit, and as soon as interface IPs,etc were changed for the old circuit, then things immediately worked.

Hmmm - i'm no rocket scientist - but things look rather bad for the cable company

/Chris.

Random Solutions

Server 2008 R2 - Can't connect to a remote app through rdweb

Restoring information store Exchange 2003

Print 'Incomplete' for crystal report subtotal if any detail records are zero

Touch controls for Windows Mobile / C# / .NET Compact Framework?

Sending 'Test' Messages

on BB (running BES), duplicate contacts and calendar - but not in Outlook - happened after running Blackberry Transporter and upgrade to Exchange 2010

CM license expiry

search and replace

Access Automatically send email once payment amount is due