Question : Cisco ASA NAT Issue


There is a cable provided modem device with the following addresses:
Internal Interface:
External Interface: XXX.XXX.147.33

The Internal interface is connected directly to the external interface of an ASA5505

ASA5505 External Interface:
ASA5505 Internal Interface:

An Exchange server (SBS) is sitting at , and is ready to receive mail.

RDP and other protocols are functioning fine, but SMTP is not.  All SMTP flow comes through Postini (Google) for hygiene.  SMTP gets a SYN and times out the connection.  The sanitized config is here:

ciscoasa#  sh config
: Saved
: Written by enable_15 at 12:56:23.279 EDT Mon Jun 21 2010
ASA Version 8.2(2)
hostname ciscoasa
domain-name XXXXXXXXXXX.local
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
name XXX-XXX-SBS description XXX Interface on XXX-SBS
name XXX-XXXAPP01 description XXX Interface on XXXAPP01
name XXX-XXXAPP02 description XXX Interface on XXXAPP02
name XXXAPP01 description XXXAPP01 Server
name XXXAPP02 description XXXAPP02 Server
interface Vlan1
 nameif inside
 security-level 100
 ddns update hostname
 dhcp client update dns server both
 ip address
 ospf cost 10
 ospf authentication null
interface Vlan2
 nameif outside
 security-level 0
 ip address
 ospf cost 10
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name ifi.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group network Postini
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq smtp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.147.34 eq https
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 444
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 500
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 1701
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq pptp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 4125
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 4500
access-list outside_access_in extended permit udp any host XXX.XXX.147.33 eq ntp
access-list outside_access_in extended permit tcp any host XXX.XXX.147.33 eq 987
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteUserAccess mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,outside) XXX.XXX.147.33 netmask
static (inside,outside) XXX.XXX.147.34 XXX-XXX-SBS netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
sysopt noproxyarp inside
sysopt noproxyarp outside
sysopt noproxyarp dmz
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet inside
telnet timeout 30
ssh scopy enable
ssh inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd wins interface inside
dhcpd lease 259200 interface inside
dhcpd ping_timeout 120 interface inside
dhcpd domain XXX.LOCAL interface inside
dhcpd update dns both interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RemoteUserAccess2 internal
group-policy RemoteUserAccess2 attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value XXX.LOCAL
username XXXXXXXX password XXXXXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXXX attributes
 vpn-group-policy RemoteUserAccess2
username XXXXXXXXXXX password XXXXXXXXXXXXXXXXXXX encrypted privilege 15
username XXXXXXXXXXX attributes
 vpn-group-policy RemoteUserAccess2
username XXXXXXXXX password XXXXXXXXXXXXXXXXXXXXXX encrypted privilege 0
username XXXXXXXX attributes
 vpn-group-policy RemoteUserAccess2
tunnel-group RemoteUserAccess2 type remote-access
tunnel-group RemoteUserAccess2 general-attributes
 address-pool RemoteUserAccess
 default-group-policy RemoteUserAccess2
tunnel-group RemoteUserAccess2 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUserAccess2 ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group-map default-group RemoteUserAccess2
class-map global-class
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global-policy
 class global-class
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
service-policy global-policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

All other protocols get to the server, just not SMTP! I checked with the ISP; they say that they are not blocking SMTP traffic. What am I missing here?
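A worked check for the configuration in the question, added here as an example and not part of the original post: on ASA 8.2 (pre-8.3 NAT) an inbound connection to a mapped address needs both a `static (inside,outside)` translation for that address and an entry in the ACL applied inbound on outside that references the *mapped* address (8.3 and later reference the real address instead). The script below parses a constructed config in the same shape as the posted one, with 203.0.113.33/.34 standing in for the redacted XXX.XXX.147.33/.34 and 10.0.0.10/.11 for the elided inside hosts (all of these are assumptions, not values from the page), and reports whether both halves of the inbound path exist for a given service.

```python
"""Cross-check an ASA 8.2 config: does an inbound service have both a
static (inside,outside) translation and an outside ACL entry for the
mapped address?  Added example; the config text is constructed, with
RFC 5737 documentation addresses standing in for the redacted ones."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the shape of the posted config.
# Assumption: 203.0.113.33/.34 play XXX.XXX.147.33/.34, 10.0.0.10/.11
# play the inside hosts the page does not show.
SAMPLE_CONFIG = """\
name 10.0.0.10 XXX-XXX-SBS description XXX Interface on XXX-SBS
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.33 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.33 eq https
access-list outside_access_in extended permit tcp any host 203.0.113.34 eq https
access-list outside_access_in extended permit udp any host 203.0.113.33 eq ntp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.33 10.0.0.11 netmask 255.255.255.255
static (inside,outside) 203.0.113.34 XXX-XXX-SBS netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# ASA accepts service names in ACLs; the ones needed here, mapped to ports.
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "ntp": 123,
              "pptp": 1723, "ssh": 22, "domain": 53}

AddrSpec = Tuple[str, str]  # ("any", ""), ("host", ip) or (net, mask)


def parse_names(cfg: str) -> Dict[str, str]:
    """Collect 'name <ip> <label>' aliases so statics can be resolved."""
    names: Dict[str, str] = {}
    for line in cfg.splitlines():
        m = re.match(r"^name (\S+) (\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_statics(cfg: str) -> Dict[str, str]:
    """Map mapped (outside) address -> real (inside) host."""
    names = parse_names(cfg)
    statics: Dict[str, str] = {}
    for line in cfg.splitlines():
        m = re.match(r"^static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:
            mapped, real = m.groups()
            statics[mapped] = names.get(real, real)  # resolve 'name' aliases
    return statics


def _take_spec(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one ACL address spec: 'any', 'host X', 'object-group X' or 'net mask'."""
    if tok[i] == "any":
        return ("any", ""), i + 1
    return (tok[i], tok[i + 1]), i + 2


def _port_of(word: str) -> int:
    return PORT_NAMES[word] if word in PORT_NAMES else int(word)


def parse_acl(cfg: str, acl: str) -> List[Tuple[str, AddrSpec, Optional[int]]]:
    """Return (proto, dst_spec, port) for each permit entry of the named ACL."""
    entries = []
    prefix = f"access-list {acl} extended permit "
    for line in cfg.splitlines():
        if not line.startswith(prefix):
            continue
        tok = line[len(prefix):].split()
        proto = tok[0]
        _src, i = _take_spec(tok, 1)
        dst, i = _take_spec(tok, i)
        port = None  # no 'eq' means every port of the protocol
        if i + 1 < len(tok) and tok[i] == "eq":
            port = _port_of(tok[i + 1])
        entries.append((proto, dst, port))
    return entries


def _dst_matches(dst: AddrSpec, ip: str) -> bool:
    kind, val = dst
    if kind == "any":
        return True
    if kind == "host":
        return val == ip
    return False  # subnets and object-groups are not resolved in this example


def inbound_path(cfg: str, mapped_ip: str, proto: str, port: int) -> Dict[str, object]:
    """Both halves of the inbound path on a pre-8.3 ASA: a static for the
    mapped address, and a permit in the outside-inbound ACL for that mapped
    address (pre-8.3 ACLs see mapped, not real, addresses)."""
    real = parse_statics(cfg).get(mapped_ip)
    m = re.search(r"^access-group (\S+) in interface outside", cfg, re.M)
    permitted = False
    if m:
        permitted = any(p == proto and _dst_matches(d, mapped_ip) and (pt is None or pt == port)
                        for p, d, pt in parse_acl(cfg, m.group(1)))
    return {"real_host": real, "acl_permits": permitted,
            "ok": real is not None and permitted}


if __name__ == "__main__":
    for mapped in ("203.0.113.33", "203.0.113.34"):
        print(mapped, "tcp/25 ->", inbound_path(SAMPLE_CONFIG, mapped, "tcp", 25))
```

Run it against a saved `show run` (swap `SAMPLE_CONFIG` for the file contents) to see, per mapped address, whether the translation and the ACL entry both exist. It is a config-consistency check only: when both halves are present, as they can be here, the next step is on the box, with `packet-tracer input outside tcp <src-ip> 12345 <mapped-ip> 25` to see which phase drops the packet and `capture cap interface outside match tcp any host <mapped-ip> eq 25` to see whether the SYN arrives at all. A SYN that never shows up on the outside capture is an upstream problem, which is where this thread ended up. If the SYN/ACK does come back but the session then stalls, the global `inspect esmtp` is the usual suspect to test with `no inspect esmtp`, since ESMTP inspection rewrites the banner and restricts the command set.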

Answer : Cisco ASA NAT Issue

Found a few other things...

No inbound OR outbound SMTP, but according to the cable company, no filtering. We reverted to the previous circuit, and as soon as the interface IPs, etc. were changed for the old circuit, things immediately worked.

Hmmm, I'm no rocket scientist, but things look rather bad for the cable company.
