Question : Cisco ASA NAT Issue

Layout:

There is a cable provided modem device with the following addresses:
Internal Interface: 10.1.10.1
External Interface: XXX.XXX.147.33

The Internal interface is connected directly to the external interface of an ASA5505

ASA5505 External Interface: 10.1.10.2
ASA5505 Internal Interface: 192.168.1.1

An Exchange server (SBS) is sitting at 192.168.1.2, and ready to receive mail.

RDP and other protocols are functioning fine, but SMTP is not.  All SMTP flow comes through Postini (Google) for hygiene.  SMTP gets a SYN and times out the connection.  The sanitized config is here:

ciscoasa#  sh config
: Saved
: Written by enable_15 at 12:56:23.279 EDT Mon Jun 21 2010
!
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name XXXXXXXXXXX.local
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
name 192.168.1.250 XXX-XXX-SBS description XXX Interface on XXX-SBS
name 192.168.1.203 XXX-XXXAPP01 description XXX Interface on XXXAPP01
name 192.168.1.204 XXX-XXXAPP02 description XXX Interface on XXXAPP02
name 192.168.1.3 XXXAPP01 description XXXAPP01 Server
name 192.168.1.4 XXXAPP02 description XXXAPP02 Server
!
interface Vlan1
 nameif inside
 security-level 100
 ddns update hostname 192.168.1.2
 dhcp client update dns server both
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 ospf authentication null
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.10.2 255.255.255.0
 ospf cost 10
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name ifi.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group network Postini
 network-object 207.126.144.0 255.255.240.0
 network-object 64.18.0.0 255.255.240.0
 network-object 74.125.149.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.147.34 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 444
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 500
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 1701
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq pptp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 4125
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 4500
access-list outside_access_in extended permit udp any host XXX.XXX.147.33 eq ntp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 987
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteUserAccess 192.168.1.50-192.168.1.59 mask 255.0.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XXX.XXX.147.33 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.147.34 XXX-XXX-SBS netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
sysopt noproxyarp outside
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.61-192.168.1.95 inside
dhcpd dns 192.168.1.2 interface inside
dhcpd wins 192.168.1.2 interface inside
dhcpd lease 259200 interface inside
dhcpd ping_timeout 120 interface inside
dhcpd domain XXX.LOCAL interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RemoteUserAccess2 internal
group-policy RemoteUserAccess2 attributes
 dns-server value 192.168.1.60
 vpn-tunnel-protocol IPSec
 default-domain value XXX.LOCAL
username XXXXXXXX password XXXXXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXXX attributes
 vpn-group-policy RemoteUserAccess2
username XXXXXXXXXXX password XXXXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXXXX attributes
 vpn-group-policy RemoteUserAccess2
username XXXXXXXXX password XXXXXXXXXXXXXXXXXXXXXX encrypted privilege 0
username XXXXXXXX attributes
 vpn-group-policy RemoteUserAccess2
tunnel-group RemoteUserAccess2 type remote-access
tunnel-group RemoteUserAccess2 general-attributes
 address-pool RemoteUserAccess
 default-group-policy RemoteUserAccess2
tunnel-group RemoteUserAccess2 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUserAccess2 ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group-map default-group RemoteUserAccess2
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global-policy global
smtp-server 192.168.1.2
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

All other protocols get to the server - just not SMTP!  I checked with the ISP - they say that they are not blocking SMTP traffic - what am I missing here??!?
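Before blaming the carrier, the check a practitioner would run on the config above is whether every outside permit actually has a static translation behind it. This is an added Python example, not code from the original post: it parses the 8.2-style name, static and access-list lines quoted in the question (embedded here as a constructed excerpt, public octets still masked) and reports any permit whose destination is untranslated or wide open.

```python
# Constructed excerpt of the sanitized ASA 8.2 config posted above (public octets
# stay masked as XXX.XXX); only the name, access-list and static lines are kept.
ASA_CONFIG = """\
name 192.168.1.250 XXX-XXX-SBS description XXX Interface on XXX-SBS
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.34 eq https
access-list outside_access_in extended permit udp any host XXX.XXX.147.33 eq ntp
static (inside,outside) XXX.XXX.147.33 192.168.1.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.147.34 XXX-XXX-SBS netmask 255.255.255.255
"""

def _endpoint(tok, i):
    # One ACL address spec at tok[i]: "any" | "host A" | "object-group G" | "NET MASK".
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] in ("host", "object-group"):
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def parse_config(text):
    """Collect name aliases, 8.2-style statics (global -> local IP) and extended ACL rules."""
    names, statics, rules = {}, {}, []
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] == "name":                      # name IP LABEL [description ...]
            names[tok[2]] = tok[1]
        elif tok and tok[0] == "static":                  # static (in,out) GLOBAL LOCAL netmask M
            statics[tok[2]] = names.get(tok[3], tok[3])   # LOCAL may be a name alias
        elif tok and tok[0] == "access-list" and tok[2] == "extended":
            src, i = _endpoint(tok, 5)                    # tok[3] = permit/deny, tok[4] = proto
            dst, i = _endpoint(tok, i)
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else "any"
            rules.append((tok[1], tok[3], tok[4], src, dst, port))
    return names, statics, rules

def audit_acl(text, acl="outside_access_in"):
    """Return (findings, mapped): permits whose destination has no static or is 'any',
    and mapped[(proto, port, global_ip)] = local_ip for the ones the statics do cover."""
    _, statics, rules = parse_config(text)
    findings, mapped = [], {}
    for grp, action, proto, _src, dst, port in rules:
        if grp != acl or action != "permit":
            continue
        if dst == "any":
            findings.append(f"{proto}/{port}: destination 'any' is open to every outside address")
        elif dst not in statics:
            findings.append(f"{proto}/{port} -> {dst}: no static NAT translates this global address")
        else:
            mapped[(proto, port, dst)] = statics[dst]
    return findings, mapped
```

On the posted config the SMTP permit resolves to 192.168.1.2 through the first static, so the NAT and ACL side is consistent; the only finding is the `any any eq 3389` rule, which exposes RDP to every outside address rather than the one mapped host.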

Answer : Cisco ASA NAT Issue

Found a few other things...

No inbound OR outbound SMTP, but according to the cable company - no filtering.  We reverted to the previous circuit, and as soon as interface IPs, etc. were changed for the old circuit, then things immediately worked.

Hmmm - I'm no rocket scientist - but things look rather bad for the cable company.

/Chris.