
Configuring ACL's 5520

kmcilvaine
Level 1

I am new to Cisco firewalls and am having trouble getting the ACLs to work. I have an ASA 5520 with version 7.2.2 software. I have it connected and can get to the internet, but when I configure an ACL to get my mail from the outside spam quarantine company I get no mail. I am not sure if I am doing the ACL right or not. I did one from the outside IP to the inside IP allowing only port 3389 to go through.

29 Replies

Jon Marshall
Hall of Fame

Hi

Port 3389 is for terminal services. Mail is typically on port 25. Is this a typo?

Could you send a copy of the ASA config, minus any sensitive info?

HTH

Jon

acomiskey
Level 10

1. 3389 is RDP (Remote Desktop Protocol).

2. You need a static translation for the destination of the mail:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1 = external address

192.168.1.1 = internal address

3. Write the ACL; this one is for SMTP, TCP 25 (the source placeholder stands for the address the mail is sent from):

access-list outside_access_in extended permit tcp host <sender-ip> host 1.1.1.1 eq 25

access-group outside_access_in in interface outside

Post your config if you have problems.
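The three steps above written out as one complete fragment for the interface names the original poster actually uses. This is an added example, not acomiskey's or Cisco's text. The addresses are constructed from RFC 5737 documentation space (203.0.113.25 for the quarantine provider's sending host, 198.51.100.10 for the public address the provider delivers mail to, 192.168.1.10 for the internal mail server), and the interface names Wan/Lan are taken from the config posted below rather than the inside/outside names used in the reply.

```cisco
! Added example, not from the thread. Constructed addresses (RFC 5737):
!   203.0.113.25   spam-quarantine provider's sending host (outside)
!   198.51.100.10  public address the provider delivers mail to
!   192.168.1.10   internal mail server
! Interface names follow the posted config: Wan = security-level 0,
! Lan = security-level 100. So the static is (Lan,Wan), not (inside,outside).

! 1. One-to-one static: public 198.51.100.10 <-> internal 192.168.1.10.
!    With nat-control on, nothing on the Wan side can reach the mail server
!    until this exists, whatever the ACL says.
static (Lan,Wan) 198.51.100.10 192.168.1.10 netmask 255.255.255.255

!    Alternative when the only public address is the Wan interface itself:
!    a port static that forwards just TCP/25 arriving on the interface
!    address. Use one form or the other, never both for the same port.
! static (Lan,Wan) tcp interface 25 192.168.1.10 25 netmask 255.255.255.255

! 2. Inbound ACL. Source = the provider's host with NO source port: the
!    sending side picks an ephemeral port, so "eq smtp" or "range 3268 3268"
!    on the source would match nothing. Destination = the PUBLIC address:
!    in 7.2 the ACL on the outside interface is evaluated before NAT, so it
!    sees the untranslated (global) address, not 192.168.1.10.
access-list 110 extended permit tcp host 203.0.113.25 host 198.51.100.10 eq smtp

!    Global-catalog lookup (TCP/3268) from the same provider host; "eq 3268"
!    replaces "range 3268 3268". Exposing Global Catalog LDAP to the internet
!    is a real exposure, so keep it pinned to that one source host and confirm
!    the provider actually needs it.
access-list 110 extended permit tcp host 203.0.113.25 host 198.51.100.10 eq 3268

!    Everything not listed is dropped by the implicit deny at the end.

! 3. Bind the list to the Wan interface. An ACL that is written but never
!    applied does nothing, and the name after "interface" must match the
!    nameif exactly.
access-group 110 in interface Wan
```

The two things this fragment fixes that the posted config does not show are the static (without it the public address has no internal target) and the destination address in the ACL, which on this software version must be the public one.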

ASA Version 7.2(2)19

!

hostname ciscoasa

domain-name xxxxxxxx.com

enable password xxxxxxxx encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address xx.xxx.xxx.xx 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address xx.xxx.x.xx 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxxxxxxxxxxxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxxxx.com

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.xx eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx range 3268 3268 host xx.xxx.x.xx range 3268 3268

access-list 110 extended permit tcp host xxx.xxx.xx.xx eq smtp host xx.xxx.x.xx eq smtp

access-list Lan_nat_static extended permit ip interface Lan interface Wan

pager lines 24

logging enable

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (Wan) 1 interface

nat (Lan) 1 0.0.0.0 0.0.0.0

access-group 110 in interface Wan

route Wan 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

Sorry, 3268 was the port.

I have these three in the access rules for mail.

Don't use source ports in your ACLs.

access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.xx eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq smtp

What IP are they forwarding your mail to? You need a static translation for this address.

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1 = external address

192.168.1.1 = internal address

Or, if the address is the outside interface of the ASA, you need

static (inside,outside) tcp interface 25 192.168.1.1 25 netmask 255.255.255.255

192.168.1.1 = internal address

We first have a rule to check the global catalog for the user. Then it gets pushed to the internal mail server.

I am new to the command line, so I am using the GUI.

Would the source port be any?

A source port would normally be a random port above 1024. You do not use these in your ACL, as you would have no idea what it would be.

About the mail server, I mean what is the IP address that the spam quarantine company uses to send you mail?

It would be an external one.

Yes, you need a static statement for this address if you want to get the mail.

I added the static and still no luck.

Can you post what the static is? Feel free to change the address to something different.

ASA Version 7.2(2)19

!

hostname ciscoasa

domain-name xxxxxxx.com

enable password xxxxxxxx encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address xx.xxx.xxx.xx 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address xx.xxx.x.xx 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthe

!

passwd xxxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxxx.com

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x7 eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx range 3268 3268

access-list Lan_nat_static extended permit ip interface Lan interface Wan

pager lines 24

logging enable

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (Wan) 1 interface

nat (Lan) 1 0.0.0.0 0.0.0.0

static (Lan,Wan) xx.xxx.xxx.xxx xx.xxx.x.xx netmask 255.255.255.

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

1. You don't need the source port in this ACL line.

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x eq https

It should be...

access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.x eq https

2. There is no point in having a "range 3268 3268".

It should be...

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268

3. access-group 110 in interface Wan

4. Is the address in your static the same as the Wan address on the ASA?
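A way to confirm each of the four points above on the box itself instead of waiting for the provider's next retry. This is an added checklist, not part of the thread, using constructed RFC 5737 addresses (203.0.113.25 for the provider's sending host, 198.51.100.10 for the public mail address) and the poster's interface name Wan; the ACL number 110 is the one from the posted config.

```cisco
! Added verification steps, not from the thread. Constructed addresses:
!   203.0.113.25   provider's sending host
!   198.51.100.10  public address the static maps to the mail server

! Point 4: if the static's public address equals the Wan interface address,
! a plain one-to-one static collides with the interface; the port-forward
! form "static (Lan,Wan) tcp interface 25 ..." is the one to use instead.
show running-config interface GigabitEthernet0/0
show running-config static

! Point 3: an ACL does nothing until it is bound to an interface.
show running-config access-group

! Points 1 and 2: hit counts. Each line shows (hitcnt=N); a line stuck at 0
! while the provider is retrying is a line the packets are not matching,
! which is exactly what a source port or a "range" on the source does.
show access-list 110

! Walk one simulated SMTP connection from the provider through NAT, ACL and
! routing. The source port is an arbitrary ephemeral one, because that is
! what a real client uses. packet-tracer is available from 7.2 onward.
packet-tracer input Wan tcp 203.0.113.25 40000 198.51.100.10 25

! Once real traffic arrives the translation shows up here.
show xlate

! Inbound packets dropped by the ACL are logged as %ASA-4-106023 with source,
! destination and the ACL name, so the log says which line is missing.
show logging | include 106023
```

Run the packet-tracer line first: its NAT and ACCESS-LIST phases report DROP or ALLOW with the rule that decided, which separates a missing static from a wrong ACL line in one command.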
