Talk to smtp.google [ASA 5510]

This thread has 8 replies and has been viewed 1310 times.
#1
I will try to provide as much information as possible but I have a unique problem here. I have a server running Windows Server 2008 R2 that uses Windows Fax server (IP 192.168.1.3) and I am trying to let it send email notifications when a Fax is sent. I have placed in all the SMTP information:

username@gmail.com
password
port: 587

On the user computers they have their email in the format: user@ourdomain.com.

The first issue is that I can't communicate from inside our network with smtp.google.com. If I ping it, it can't resolve the host. I can however ping google.com.

I accessed the console for the ASA and specified to open port 587, and allowed smtp but I still can't reach it. Below is my running config, I appreciate you taking a look.

```
:
ASA Version 7.2(3)
!
hostname RehabFW
enable password ********** encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.*.*.146 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd ******** encrypted
ftp mode passive
access-list VOIP-TRAFFIC extended permit ip host 192.168.1.2 any
access-list VOIP-TRAFFIC extended permit ip any host 192.168.1.2
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inbound extended permit tcp any interface outside eq pop3
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq ssh
access-list inbound extended permit tcp any interface outside eq 987
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq 3390
access-list inbound extended permit tcp any interface outside eq 3391
access-list inbound extended permit tcp any interface outside eq 12088
access-list inbound extended permit tcp any interface outside eq 10088
access-list inbound extended permit tcp any interface outside eq 8200
access-list inbound extended permit tcp any interface outside eq 10019
access-list inbound extended permit tcp any interface outside eq 8016
access-list inbound extended permit tcp any interface outside eq 8116
access-list inbound extended permit tcp any interface outside eq 587
access-list inbound extended permit tcp any interface outside eq smtp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ippool 10.10.10.1-10.10.10.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.5 3390 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.3 3391 netmask 255.255.255.255
static (inside,outside) tcp interface 12088 192.168.1.177 12088 netmask 255.255.255.255
static (inside,outside) tcp interface 10088 192.168.1.177 10088 netmask 255.255.255.255
static (inside,outside) tcp interface 8016 192.168.1.177 8016 netmask 255.255.255.255
static (inside,outside) tcp interface 8116 192.168.1.177 8116 netmask 255.255.255.255
static (inside,outside) tcp interface 8200 192.168.1.177 8200 netmask 255.255.255.255
static (inside,outside) tcp interface 10019 192.168.1.177 10019 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.3 587 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 96.31.226.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 192.168.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 10 set transform-set FirstSet
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 30
dhcpd dns 64.60.0.17 64.60.0.18
!
dhcpd address 192.168.1.100-192.168.1.150 inside
!
!
class-map inspection_default
 match default-inspection-traffic
class-map VOIP-MAP
 match access-list VOIP-TRAFFIC
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map VOIP-QOS
 class VOIP-MAP
  police output 250000 37500
 class class-default
  police output 5500000 37500
!
service-policy global_policy global
service-policy VOIP-QOS interface inside
webvpn
 enable outside
group-policy REH internal
group-policy REH attributes
 dns-server value 64.60.0.17 64.60.0.18
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
tunnel-group REH type ipsec-ra
tunnel-group REH general-attributes
 address-pool ippool
 default-group-policy REH
tunnel-group REH ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
prompt hostname context
Cryptochecksum:cb09406b6858e3528cb436fa34aecbc2
: end
```
#2
Isn't the hostname smtp.gmail.com ?
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
Last edited by auglan; 24th July 2012 at 21:04.
#3
Alright, point considered. Here is the ping information for that:

```
Pinging gmail-smtp-msa.l.google.com [173.194.79.108] with 32 bytes of data:
Reply from 173.194.79.108: bytes=32 time=84ms TTL=47
Reply from 173.194.79.108: bytes=32 time=77ms TTL=47
Reply from 173.194.79.108: bytes=32 time=75ms TTL=47
Reply from 173.194.79.108: bytes=32 time=87ms TTL=47

Ping statistics for 173.194.79.108:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 75ms, Maximum = 87ms, Average = 80ms
```

Here is the error information I get from the application log:

The fax service has failed to generate a positive delivery receipt using SMTP. The following error occurred: 0x8004020E. This error code indicates the cause of the error.

But looking over my settings, is there a problem with my configuration that would not allow the Fax server to communicate the information?
#4
Did you check the logs on the ASA to see if it's being filtered? Can also try from the command line using packet-tracer to see if the flow is allowed.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
#5
Can you walk me through that?
#6
From configuration mode:

```
logging buffered 6
logging enable
```

Try to narrow it down to the specific internal host.

View logs:

```
show logging
show log | i Deny
show log | i "ip of internal host"
sh conn | i "ip of internal host"
show xlate | i "ip of internal host"
```

Also found this. Could be an issue with your account:

The Error Code 0x8004020E means: System.Runtime.InteropServices.COMException (0x8004020E): The server rejected the sender address. The server response was: 454 5.7.3 Client does not have permission to submit mail to this server.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)
Last edited by auglan; 24th July 2012 at 21:50.
#7
Only show xlate worked for the internal IP. Here are the results:

```
PAT Global *.*.*.146(3391) Local 192.168.1.3(3391)
PAT Global *.*.*.146(587) Local 192.168.1.3(587)
PAT Global *.*.*.146(25) Local 192.168.1.3(25)
```

*3391 is a patched RDP port.
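Added example, not part of the thread: the xlate entries above come from the `static` lines in the config posted in #1, which publish ports on the outside interface to inside hosts. The Python sketch below pairs each `static` with the ACL bound to the outside interface to list what is reachable from outside; the excerpt is copied from the posted config, and the function names and port-name table are assumptions of this example.

```python
import re

# Excerpt of the running config posted in #1 (ACL and static PAT lines for two hosts).
CONFIG = """\
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq 3391
access-list inbound extended permit tcp any interface outside eq 587
access-list inbound extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.1.3 3391 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.3 587 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group inbound in interface outside
"""

# The ASA prints well-known ports by name; only names used in the posted config are mapped.
PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "https": 443, "ssh": 22}

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any interface outside eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask \S+$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")


def port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def published_services(config):
    """(outside_port, inside_ip, inside_port) for each static PAT the outside ACL permits."""
    lines = [ln.strip() for ln in config.splitlines()]
    bound = {m.group(1) for ln in lines if (m := GROUP_RE.match(ln))}
    permitted = {port(m.group(2)) for ln in lines
                 if (m := ACL_RE.match(ln)) and m.group(1) in bound}
    exposed = []
    for ln in lines:
        m = STATIC_RE.match(ln)
        if m and port(m.group(1)) in permitted:
            exposed.append((port(m.group(1)), m.group(2), port(m.group(3))))
    return sorted(exposed)


def exposure_for(config, inside_ip):
    """Outside ports that reach one inside host."""
    return [o for o, ip, _ in published_services(config) if ip == inside_ip]


if __name__ == "__main__":
    for outside_port, ip, inside_port in published_services(CONFIG):
        print(f"outside tcp/{outside_port} -> {ip}:{inside_port}")
```

For 192.168.1.3 this reports ports 25, 587 and 3391 as reachable from outside. A connection that 192.168.1.3 opens to a remote port 587 is translated by `nat (inside) 1` and `global (outside) 1 interface` instead, so the 587 and smtp entries only add inbound exposure.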
#8
Okay, I thought this was a network problem but as it turns out this issue is due to Windows Fax server not working well with external SMTP addresses. Thanks for your help though!
#9
Glad you got it worked out.
__________________
CCNA, CCNA-Security, CCNP CCIE Security (In Progress)