New to this, need help configuring

NTidd
Level 1

Ok, I recently picked up a Cisco ASA 5505. I've been using the ASDM tool to configure it. I've got the internet connection working but am having some trouble getting internet traffic to pass through to our mail server, which is located on the local network. I've added a rule for it but it still won't work. What am I missing? A NAT entry or static route? Anyway, it is pretty much a 192.168.1.x local network. The server we are trying to get to is 192.168.1.1. We are trying to allow any outside internet traffic on port 25 to pass through to the local network.

Any help would be appreciated.

3 Replies

NTidd
Level 1

Also, here is my config. I haven't had the time to read the full docs yet, as we are on a deadline to get this device online. Also, is the static route correct to allow internet access?

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name xxx
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 64.136.239.XXX 255.255.255.XXX
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name knightwatch.local
access-list outside_access_in extended permit tcp any host 192.168.1.1 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.136.239.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 64.136.224.XXX 172.16.0.XXX interface inside
dhcpd domain knightwatch.local interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

Nathan

I have not looked at the config closely, but I see a major issue. If people outside are attempting to access the server then it needs an address that is accessible from outside. Any request from outside cannot use address 192.168.1.1. Usually this is handled with a static translation which translates from the address known outside to 192.168.1.1. Try adding a static translation and let us know how it works.

HTH

Rick

Just to add, you will also have to change your access-list to reflect the outside address, not the 192 address.
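
The change the replies describe, written out against the ASA 7.2 configuration posted above. This is an added example and not part of the original thread; it assumes the mail server is published on the ASA's own outside interface address (static PAT on TCP/25) rather than on a separate public IP, and `<outside-ip>` and the 198.51.100.10 test source are placeholders.

```cisco
! Added example (not from the thread).
! Assumption: SMTP is published on the ASA's outside interface address
! and forwarded to the mail server at 192.168.1.1.
!
! Before (from the posted config): the ACL permits a private destination
! that Internet hosts cannot address, and no static translation exists.
!   access-list outside_access_in extended permit tcp any host 192.168.1.1 eq smtp
!
! 1. Static PAT: TCP/25 arriving on the outside interface address is
!    translated to 192.168.1.1 port 25.
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255
!
! 2. On 7.2 the outside ACL is matched against the outside (translated)
!    address, so the entry must name it. Add the new entry first, then
!    remove the old one, so the ACL is never left empty.
access-list outside_access_in extended permit tcp any interface outside eq smtp
no access-list outside_access_in extended permit tcp any host 192.168.1.1 eq smtp
!
! 3. Already present in the posted config; repeated so the binding is explicit.
access-group outside_access_in in interface outside
!
! Only TCP/25 is opened; everything else inbound still hits the implicit deny.
!
! Verification, from privileged EXEC mode:
!   show run static
!   show access-list outside_access_in
!   packet-tracer input outside tcp 198.51.100.10 1025 <outside-ip> 25
```

In the `packet-tracer` output, the NAT phase should show the un-translate to 192.168.1.1 and the access-list phase should show a permit; the hit count in `show access-list` should rise when a real connection arrives.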
