04-26-2007 01:51 PM - edited 03-05-2019 03:43 PM
Ok, I recently picked up a cisco asa 5505. I've been using the ASDM tool to configure it. I've got the internet connection working but am having some trouble getting internet traffic to pass through to our mail server which is located on the local network. I've added a rule for it but it still won't work. What am I missing? A NAT entry or static route? Anyway it is pretty much a 192.168.1.x local network. The server we are trying to get to is 192.168.1.1. We are trying to allow any outside internet traffic on port 25 to pass through to the local network.
Any help would be appreciated.
04-26-2007 02:03 PM
Also here is my config. I haven't had the time to read the full docs yet as we are on a deadline to get this device online, also is the static route correct to allow internet access?:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name xxx
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.136.239.XXX 255.255.255.XXX
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name knightwatch.local
access-list outside_access_in extended permit tcp any host 192.168.1.1 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.136.239.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 64.136.224.XXX 172.16.0.XXX interface inside
dhcpd domain knightwatch.local interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
04-27-2007 09:23 AM
Nathan
I have not looked at the config closely, but I see a major issue. If people outside are attempting to access the server then it needs an address that is accessible from outside. Any request from outside can not use address 192.168.1.1. Usually this is handled with a static translation which translates from the address known outside to 192.168.1.1. Try adding a static translation and let us know how it works.
HTH
Rick
04-27-2007 09:38 AM
Just to add, you will also have to change your access-list to reflect the outside address, not the 192 address.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: