ASA5505 Newbie, T1 interface multiple public IPs

Answered Question
Jun 8th, 2007

I am trying to set up our ASA5505 on our T1. I have the outside interface set up on xx.xx.170.18 (the first open public IP). We want non-encrypted SMTP traffic to flow from this IP to the mail server at 192.168.1.50. Then I want encrypted mail on our next available public IP, xx.xx.170.20, to come into the ASA5505 and route to 192.168.1.30 via SMTP port 25 also. I am stumped, though, as to how to accomplish this. Do I need an additional "outside" interface for the other public IP? There is one T1 line; can that "line" have two IP addresses?

Thanks for the help.

acomiskey Fri, 06/08/2007 - 07:23

The whole /29 network is routed to you by the isp so you do not need another physical interface. You just need to add another static and acl entry for the new server.

access-list out2in extended permit tcp any host xx.xx.170.20 eq smtp

static (inside,outside) xx.xx.170.20 192.168.1.30 netmask 255.255.255.255

thomas.estes Fri, 06/08/2007 - 07:31

Ok,

I am struggling with inputting these via the ASDM; I always seem to get them backwards. So how do I telnet or SSH to the device so that I can enter these commands at the CLI?

Again sorry to be such a newbie.

I try and access via telnet and I get:

User Access verification

PASSWORD:

When I try the password that I use for ASDM it does not work.

acomiskey Fri, 06/08/2007 - 07:35

Configuration -> Properties -> Device Access

Add your ip address or network you are on to ssh or telnet lists. I recommend ssh.

thomas.estes Fri, 06/08/2007 - 07:40

I did that and SSH times out (trying via PuTTY).

Telnet wants a password, and I try the same password that I use for ASDM, and no luck.

acomiskey Fri, 06/08/2007 - 07:51

Try Config -> Properties -> Certificates -> Key pair

You should have a general purpose 1024 key there, if not hit add and generate now. Then try ssh.

check your config for

aaa authentication ssh console LOCAL

thomas.estes Fri, 06/08/2007 - 08:03

OK, I generated the general purpose cert and can now get PuTTY to connect via SSH, but I still can't log on.

It asks logon as:

I have tried blank

I have tried enable_15

and a user id that I created to no avail.

Correct Answer
acomiskey Fri, 06/08/2007 - 08:08

device access -> aaa access -> check enable server group local and check ssh server group local

you should then be able to use the username you created in asa.

thomas.estes Fri, 06/08/2007 - 08:11

That resolved my SSH access. Thanks so much for your help. I will now try to apply these rules to fix my original issues.

thomas.estes Fri, 06/08/2007 - 10:11

If I use this then email flows in from the outside.

static (inside,outside) tcp interface 25 192.168.1.50 25 netmask 255.255.255.255 0 0

As soon as I change this to

static (inside,outside) xx.xx.170.18 192.168.1.50 netmask 255.255.255.255

mail flow stops.

I need to be able to point at the specific incoming IP so that I can route between x.x.x.18 smtp and x.x.x.20 smtp zixvpm.

any ideas?

acomiskey Fri, 06/08/2007 - 10:16

You said you wanted xx.xx.170.18 to map to 192.168.1.30....not 192.168.1.50.

Is that correct or no?

acomiskey Fri, 06/08/2007 - 10:21

Sorry, when the address is also your outside interface address and you are doing pat then you need to use the "interface" keyword in your static. Since xx.xx.172.18 = ASA outside interface address then...

static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) xx.xx.170.20 192.168.1.30 netmask 255.255.255.255

thomas.estes Fri, 06/08/2007 - 10:31

ok I have tried those.

Do I need to do the PAT here as well for the smtp?

Below is the new running config

Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5505
domain-name amcinc.us
enable password 8aPd93D5bXaT2fFZ encrypted
names
!
interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name amcinc.us
object-group icmp-type icmp_grp
icmp-object echo-reply
icmp-object information-reply
icmp-object traceroute
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
prompt hostname context
Cryptochecksum:1f035eed7192c5ef42cf50d5e477e8d3
: end

acomiskey Fri, 06/08/2007 - 10:35

This is pat...

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

and it has nothing to do with your smtp problem. Your config looks fine, .20 is not working or what? Try a "clear xlate".

acomiskey Fri, 06/08/2007 - 10:41

I think I told you this previously as well, but you want to write your ACLs to be more specific than any.

access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
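An added check for the two pitfalls this thread runs into: a static that spells out the outside interface address instead of using the "interface" keyword (the form that stopped mail flow earlier), and out2in ACL entries whose destination is "any" or has no static behind it. This is example code written for this page, not from the thread or from Cisco; it parses the pre-8.3 ASA syntax shown here, and the sample config is constructed, with the documentation prefix 203.0.113.0/29 standing in for the redacted x.x.170.x block.

```python
# Audit an ASA 7.x (pre-8.3 NAT syntax) config for the two problems raised above:
# literal outside-interface statics and ACL entries that are 'any' or dangling.
import re

# Constructed sample in the shape of the posted config; 203.0.113.0/29 (a
# documentation prefix) stands in for the redacted x.x.170.x block.
SAMPLE_CONFIG = """
interface Vlan2
 nameif outside
 ip address 203.0.113.18 255.255.255.248
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any host 203.0.113.18 eq https
access-list out2in extended permit tcp any host 203.0.113.20 eq smtp
access-list out2in extended permit tcp any host 203.0.113.21 eq smtp
access-list out2in extended permit icmp any any echo-reply
static (inside,outside) 203.0.113.18 192.168.1.50 netmask 255.255.255.255
static (inside,outside) 203.0.113.20 192.168.1.30 netmask 255.255.255.255
"""

ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) (any|host \S+) (any|host \S+)(?: eq (\S+))?")

def outside_ip(lines):
    """IP address of the interface whose nameif is 'outside' (None if absent)."""
    name, addrs = None, {}
    for t in (ln.split() for ln in lines):
        if t[:1] == ["nameif"]:
            name = t[1]
        elif t[:2] == ["ip", "address"] and name:
            addrs[name] = t[2]
    return addrs.get("outside")

def audit(config):
    """Return human-readable findings; an empty list means the checks passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    ext_ip = outside_ip(lines)
    statics = []
    for t in (ln.split()[2:] for ln in lines if ln.startswith("static ")):
        # port static 'tcp MAPPED PORT REAL PORT ...', else one-to-one 'MAPPED REAL ...'
        statics.append((t[1], t[3]) if t[0] in ("tcp", "udp") else (t[0], t[1]))
    mapped = {mp for mp, _ in statics}
    findings = [f"static for {real} names {ext_ip} literally; use the 'interface' keyword"
                for mp, real in statics if mp == ext_ip]   # the form that stopped mail flow
    for r in filter(None, map(ACL_RE.match, lines)):
        name, proto, dst, port = r[1], r[2], r[4], r[5]
        if dst == "any":
            if proto in ("tcp", "udp"):   # 'icmp any any echo-reply' is left alone
                findings.append(f"{name}: permit {proto} to any eq {port} is broader than needed")
            continue
        host = dst.split()[1]
        if ("interface" if host == ext_ip else host) not in mapped:
            findings.append(f"{name}: {host} eq {port} is permitted but has no static translation")
    return findings
```

Run audit(SAMPLE_CONFIG) to see the four findings; swapping the literal .18 static for the "interface" form and naming the host in the smtp rule clears all but the dangling .21 entry.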

thomas.estes Fri, 06/08/2007 - 10:44

You had, I just have been so paranoid about email not flowing in that I did not want to change them.

acomiskey Fri, 06/08/2007 - 10:45

No probs, what you have in your config should work fine for the second smtp server.

thomas.estes Fri, 06/08/2007 - 10:59

Last time, (hopefully).

Since I am paranoid and skeptical.

Here is my config, which I hope will allow traffic from our 2 different public IPs to one interface, both on port 25.

Result of the command: "show running-config"
interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name amcinc.us
object-group icmp-type icmp_grp
icmp-object echo-reply
icmp-object information-reply
icmp-object traceroute
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
prompt hostname context
Cryptochecksum:1f035eed7192c5ef42cf50d5e477e8d3
: end

Correct Answer
acomiskey Fri, 06/08/2007 - 11:02

That's a lot of pressure, haha, but yes it looks fine.

thomas.estes Fri, 06/08/2007 - 11:05

Thank you so very much.

If you are ever anywhere near Ohio, let me know and I will buy you a round of drinks!

acomiskey Fri, 06/08/2007 - 11:07

Also, not to complicate matters but if you are not going to use .18 for anything other than 192.168.1.50 then you can remove all those statics and just do one..

no static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
no static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
no static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
no static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
no static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

I just might... but I don't know if you'd be able to buy a Steeler fan drinks.

thomas.estes Fri, 06/08/2007 - 11:14

kk

Did that; below are the results:

interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name amcinc.us
object-group icmp-type icmp_grp
icmp-object echo-reply
icmp-object information-reply
icmp-object traceroute
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address [email protected]
logging recipient-address [email protected] level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
prompt hostname context
Cryptochecksum:aeb680ce0caab7808916b2340f8eee7a
: end

acomiskey Fri, 06/08/2007 - 11:16

Looks good, now if you need another port for .18, instead of adding another static like before, you just have to allow it in the acl. Looks much cleaner too. Enjoy.

thomas.estes Fri, 06/08/2007 - 11:24

Thanks again for all of your help.

One last question.

So that I am not relying on the kindness of strangers to help me, and for my own edification, can you recommend any good books that would cover my last couple of questions?

Thanks!
