06-07-2007 09:40 AM - edited 03-11-2019 03:26 AM
I am new to Cisco firewalls and am having trouble getting the ACLs to work. I have an ASA 5520 with version 7.2.2 software. I have it connected and can get to the internet, but when I configure an ACL to get my mail from the outside spam quarantine company I get no mail. I am not sure if I am doing the ACL right or not. I did one from the outside IP to the inside IP allowing only port 3389 to go through.
06-07-2007 09:43 AM
Hi
Port 3389 is for terminal services. Mail is typically on port 25. Is this a typo?
Could you send a copy of the ASA config minus any sensitive info?
HTH
Jon
06-07-2007 09:46 AM
1. 3389 is rdp (remote desktop protocol)
2. You need a static translation for the destination of the mail
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
1.1.1.1=external address
192.168.1.1=internal address
3. Write the acl, this is for smtp tcp 25.
access-list outside_access_in extended permit tcp host <mail-sender-ip> host 1.1.1.1 eq smtp
access-group outside_access_in in interface outside
Post your config if you have problems.
06-07-2007 10:05 AM
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxxx.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address xx.xxx.xxx.xx 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address xx.xxx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxxxxxxxxx encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxxx.com
access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.xx eq https
access-list 110 extended permit tcp host xxx.xxx.xx.xx range 3268 3268 host xx.xxx.x.xx range 3268 3268
access-list 110 extended permit tcp host xxx.xxx.xx.xx eq smtp host xx.xxx.x.xx eq smtp
access-list Lan_nat_static extended permit ip interface Lan interface Wan
pager lines 24
logging enable
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (Wan) 1 interface
nat (Lan) 1 0.0.0.0 0.0.0.0
access-group 110 in interface Wan
route Wan 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
06-07-2007 10:06 AM
Sorry, 3268 was the port.
I have these 3 in the access rules for mail
06-07-2007 10:09 AM
Don't use source ports in your ACLs.
access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.xx eq https
access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268
access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq smtp
06-07-2007 10:10 AM
What ip are they forwarding your mail to? You need a static translation for this address.
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
1.1.1.1=external address
192.168.1.1=internal address
or, if the address is the outside interface of the ASA, you need
static (inside,outside) tcp interface 25 192.168.1.1 25 netmask 255.255.255.255
192.168.1.1=internal address
06-07-2007 10:19 AM
We first have a rule to check the global catalog for the user. Then it gets pushed to the internal mail server.
I am new to the command line, so I am using the GUI.
Would the source port be any?
06-07-2007 10:25 AM
A source port would normally be a random port above 1024. You do not use these in your acl as you would have no idea what it would be.
About the mail server, I mean what is the ip address that the spam quarantine company uses to send you mail?
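To show concretely why the two replies above hold, here is an added example that is not part of the original thread: a small Python evaluator for the host/any/eq/range forms of an ASA "extended permit tcp" ACE, run against a constructed inbound SMTP connection (documentation-range addresses, ephemeral source port 51234; nothing here is the poster's real addressing). The rule written with "eq smtp" on the source side denies the connection, because the relay never sends from port 25; the same rule with the source port left open permits it, and "range 3268 3268" parses to exactly what "eq 3268" does. One check that is specific to this software train: on ASA code before 8.3, an ACL applied inbound on the outside interface is evaluated against the mapped (public) address from the static, so the destination host in the ACE is the Wan-side address, not the inside one.

```python
"""Evaluate simplified Cisco ASA 'extended permit tcp' ACL lines.

Added example for this thread (not from the original posts): it parses the
'host' / 'any' / 'eq' / 'range' forms of an ASA extended TCP ACE and checks
candidate rules against a constructed inbound SMTP connection whose source
port is ephemeral, as real TCP clients use. All addresses are constructed
documentation-range values, not the thread's redacted ones.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the service names the ASA accepts in place of port numbers.
PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "ssh": 22, "ldap": 389}

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class Rule:
    acl: str
    src: str           # "any" or a host address
    sport: PortRange   # source-port restriction, normally None
    dst: str
    dport: PortRange   # destination-port restriction


def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _parse_addr(toks, i):
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address form at {toks[i]!r}")


def _parse_ports(toks, i) -> Tuple[PortRange, int]:
    # A port operator is optional; if the next token is not one, the ACE
    # matches any port, which is what you want on the source side.
    if i < len(toks) and toks[i] == "eq":
        p = port_num(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (port_num(toks[i + 1]), port_num(toks[i + 2])), i + 3
    return None, i


def parse_rule(line: str) -> Rule:
    toks = line.split()
    if toks[0] != "access-list" or toks[2:5] != ["extended", "permit", "tcp"]:
        raise ValueError("only 'access-list NAME extended permit tcp ...' is handled")
    i = 5
    src, i = _parse_addr(toks, i)
    sport, i = _parse_ports(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_ports(toks, i)
    if i != len(toks):
        raise ValueError(f"unexpected trailing tokens: {toks[i:]}")
    return Rule(toks[1], src, sport, dst, dport)


def _addr_ok(spec: str, ip: str) -> bool:
    return spec == "any" or spec == ip


def _port_ok(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, src_ip, src_port, dst_ip, dst_port) -> bool:
    return (_addr_ok(rule.src, src_ip) and _port_ok(rule.sport, src_port)
            and _addr_ok(rule.dst, dst_ip) and _port_ok(rule.dport, dst_port))


def acl_permits(rules, src_ip, src_port, dst_ip, dst_port) -> bool:
    """Permit-only ACL with the ASA's implicit deny at the end."""
    return any(rule_matches(r, src_ip, src_port, dst_ip, dst_port) for r in rules)


# Constructed sample: the quarantine service's relay (203.0.113.10) opens a
# TCP connection from an ephemeral port to the mail server's public address
# (198.51.100.25, the mapped side of the static) on port 25.
INBOUND_SMTP = ("203.0.113.10", 51234, "198.51.100.25", 25)

# Rule written with a source-port match, as in the thread's first attempt.
BAD_RULE = ("access-list 110 extended permit tcp "
            "host 203.0.113.10 eq smtp host 198.51.100.25 eq smtp")
# Same rule with the source port left open.
GOOD_RULE = ("access-list 110 extended permit tcp "
             "host 203.0.113.10 host 198.51.100.25 eq smtp")


def main():
    for label, text in (("with source port", BAD_RULE), ("without", GOOD_RULE)):
        verdict = acl_permits([parse_rule(text)], *INBOUND_SMTP)
        print(f"{label:18s}: {'permit' if verdict else 'deny'}")


if __name__ == "__main__":
    main()
```

Running the module prints one verdict per rule; the same functions can be pointed at any other ACE line from the thread once the redacted addresses are filled in.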
06-07-2007 10:27 AM
It would be an external one.
06-07-2007 10:33 AM
Yes, you need a static statement for this address if you want to get the mail.
06-07-2007 11:04 AM
I added the static and still no luck.
06-07-2007 11:06 AM
Can you post what the static is? Feel free to change the address to something different.
06-07-2007 11:12 AM
ASA Version 7.2(2)19
!
hostname ciscoasa
domain-name xxxxxxx.com
enable password xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif Wan
security-level 0
ip address xx.xxx.xxx.xx 255.255.255.224
!
interface GigabitEthernet0/1
nameif Lan
security-level 100
ip address xx.xxx.x.xx 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthe
!
passwd xxxx encrypted
boot system disk0:/asa722-19-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xxxxxx.com
access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x7 eq https
access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx range 3268 3268
access-list Lan_nat_static extended permit ip interface Lan interface Wan
pager lines 24
logging enable
logging asdm informational
mtu Wan 1500
mtu Lan 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (Wan) 1 interface
nat (Lan) 1 0.0.0.0 0.0.0.0
static (Lan,Wan) xx.xxx.xxx.xxx xx.xxx.x.xx netmask 255.255.255.
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
06-07-2007 11:19 AM
1. You don't need the source port in this ACL line.
access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x eq https
it should be...
access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.x eq https
2. There is no point in having a "range 3268 3268".
it should be...
access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268
3. access-group 110 in interface Wan
4. Is the address in your static the same as the Wan address on the ASA?