ASA5505 Newbie, T1 interface multiple public IPs

thomas.estes
Level 1

I am trying to set up our ASA5505 on our T1. I have the outside interface set up on xx.xx.170.18 (the first open public IP). We want non-encrypted SMTP traffic to flow from this IP to the mail server at 192.168.1.50. Then I want encrypted mail on our next available public IP, xx.xx.170.20, to come into the ASA5505 and route to 192.168.1.30, also via SMTP port 25. I am stumped, though, as to how to accomplish this. Do I need an additional "outside" interface for the other public IP? There is 1 T1 line; can that "line" have 2 IP addresses?

Thanks for the help.

2 Accepted Solutions


device access -> aaa access -> check enable server group local and check ssh server group local

You should then be able to use the username you created in the ASA.


That's a lot of pressure, haha, but yes it looks fine.


25 Replies

acomiskey
Level 10

The whole /29 network is routed to you by the ISP, so you do not need another physical interface. You just need to add another static and ACL entry for the new server.

access-list out2in extended permit tcp any host xx.xx.170.20 eq smtp

static (inside,outside) xx.xx.170.20 192.168.1.30 netmask 255.255.255.255

Ok,

I am struggling with inputting these via the ASDM; I always seem to get them backwards. So how do I telnet or SSH to the device so that I can enter these commands on the CLI?

Again sorry to be such a newbie.

I try to access via telnet and I get:

User Access verification

PASSWORD:

When I try the password that I use for ASDM it does not work.

Configuration -> Properties -> Device Access

Add your IP address or the network you are on to the SSH or telnet lists. I recommend SSH.

I did that and SSH times out (trying via PuTTY).

Telnet wants a password, and I try the same password that I use for ASDM, and no luck.

Try Config -> Properties -> Certificates -> Key pair

You should have a general purpose 1024 key there, if not hit add and generate now. Then try ssh.

check your config for

aaa authentication ssh console LOCAL

OK, I generated the general purpose key and can now get PuTTY to connect via SSH, but still can't log on.

It asks "logon as:"

I have tried blank

I have tried enable_15

and a user id that I created to no avail.

device access -> aaa access -> check enable server group local and check ssh server group local

You should then be able to use the username you created in the ASA.
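The SSH fix worked out above comes down to four things that all have to be present at once: an `ssh <addr> <mask> <if>` entry for the admin host, an RSA key pair, `aaa authentication ssh console LOCAL`, and a local `username ... privilege 15`. The following is an added example, not Cisco's tooling and not the poster's own config: a small Python check over the management lines of a `show running-config`, using constructed sample lines modelled on this thread (the password hash is a placeholder). The rule that management should only be reachable from the inside interface, and never from any address, is my assumption, not something the thread states.

```python
# Constructed samples (not the poster's literal config): the management lines after the
# fix, and the state the thread started from (telnet list, no SSH list, no AAA line).
MGMT_FIXED = """\
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
"""
MGMT_BEFORE = """\
username admin password XXXXXXXXXXXXXXXX encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
"""


def check_mgmt(text):
    """Return findings about how the ASA management plane is reachable and authenticated."""
    toks = [line.split() for line in text.splitlines() if line.strip()]
    findings = []
    # ssh/telnet/http access entries have the shape '<proto> ADDR MASK IFNAME' (4 tokens);
    # 'ssh timeout 5', 'ssh version 2' and 'http server enable' are 3 tokens and skipped.
    acl = {p: [t for t in toks if t[0] == p and len(t) == 4] for p in ("ssh", "telnet", "http")}
    users = [t[1] for t in toks if t[0] == "username"]
    aaa_ssh = [t for t in toks if t[:4] == ["aaa", "authentication", "ssh", "console"]]
    if not aaa_ssh:
        # Without this line ASA 7.x does not consult local usernames for SSH: the 'login as:'
        # prompt only accepts the built-in user 'pix' with the 'passwd' (telnet) password.
        findings.append("SSH-AUTH: missing 'aaa authentication ssh console LOCAL'")
    elif "LOCAL" in aaa_ssh[0] and not users:
        findings.append("SSH-AUTH: LOCAL selected but no 'username ... privilege 15' defined")
    if not acl["ssh"]:
        findings.append("SSH-ACL: no 'ssh <addr> <mask> <if>' line; no host may connect")
    for t in acl["telnet"]:
        findings.append(f"TELNET: cleartext management open to {t[1]} {t[2]} on {t[3]}; use SSH")
    for proto in ("ssh", "http"):
        for t in acl[proto]:
            if t[3] != "inside":  # assumption: management only from the inside network
                findings.append(f"MGMT-EXPOSED: {proto} from {t[1]} {t[2]} on {t[3]}")
            if t[2] == "0.0.0.0":
                findings.append(f"MGMT-EXPOSED: {proto} from any address on {t[3]}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", MGMT_BEFORE), ("fixed", MGMT_FIXED)):
        print(name, check_mgmt(cfg) or "OK")
```

One thing this check cannot see: the RSA key pair generated through ASDM is not part of the running config on 7.x, so "SSH times out" with everything else in place is verified on the box with `show crypto key mypubkey rsa`, not by reading `show running-config`.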

That resolved my SSH access. Thanks so much for your help. I will now try to apply these rules to fix my original issues.

If I use this then email flows in from the outside.

static (inside,outside) tcp interface 25 192.168.1.50 25 netmask 255.255.255.255 0 0

As soon as I change this to

static (inside,outside) xx.xx.170.18 192.168.1.50 netmask 255.255.255.255

mail flow stops.

I need to be able to point at the specific incoming IP so that I can route between x.x.x.18 smtp and x.x.x.20 smtp zixvpm.

any ideas?

You said you wanted xx.xx.170.18 to map to 192.168.1.30, not 192.168.1.50.

Is that correct or no?

xx.xx.170.18 -> 192.168.1.50

xx.xx.170.20 -> 192.168.1.30

Sorry, when the address is also your outside interface address and you are doing PAT, then you need to use the "interface" keyword in your static. Since xx.xx.170.18 = ASA outside interface address, then...

static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

static (inside,outside) xx.xx.170.20 192.168.1.30 netmask 255.255.255.255

OK, I have tried those.

Do I need to do the PAT here as well for the smtp?

Below is the new running config

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ASA5505
domain-name amcinc.us
enable password 8aPd93D5bXaT2fFZ encrypted
names
!
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
prompt hostname context
Cryptochecksum:1f035eed7192c5ef42cf50d5e477e8d3
: end

This is PAT...

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

and it has nothing to do with your smtp problem. Your config looks fine, .20 is not working or what? Try a "clear xlate".
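The rules worked out in this thread (every published server needs a static plus a matching `access-list` entry on the `access-group` bound to outside; a mapping onto the outside interface's own address must use the `interface` keyword; `global`/`nat` PAT is unrelated to inbound statics) can be checked mechanically against a `show running-config`. The following is an added example, not Cisco's tooling and not code from this thread: a Python audit of the static/ACL pairing for ASA 7.x syntax. The sample config is constructed from the one posted above, with the masked xx.xx.170.x public block replaced by the documentation range 203.0.113.16/29 (.17 = ISP gateway, .18 = ASA outside, .20 = second mail host); the BROAD-ACL check (preferring `host <public ip>` over `any any eq <port>`, as in the first reply) and the NO-STATIC check are my additions.

```python
from collections import namedtuple

# Constructed sample based on the posted config; public block replaced by 203.0.113.16/29.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.18 255.255.255.248
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any host 203.0.113.18 eq https
access-list out2in extended permit icmp any any echo-reply
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) 203.0.113.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
"""
# The poster's first attempt: a 1:1 static onto the outside interface's own address.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255",
    "static (inside,outside) 203.0.113.18 192.168.1.50 netmask 255.255.255.255")

PORT_NAMES = {"smtp": 25, "https": 443, "www": 80, "ssh": 22, "domain": 53}
Static = namedtuple("Static", "mapped real proto port line")  # port = mapped-side port
Permit = namedtuple("Permit", "acl proto dst port line")
port_num = lambda tok: int(tok) if tok.isdigit() else PORT_NAMES[tok]


def take_addr(tok, i):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK'); return (addr, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    return (tok[i + 1], i + 2) if tok[i] == "host" else (tok[i], i + 2)


def parse_static(line):
    # static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK ...
    tok, i, proto, port = line.split(), 2, None, None
    if tok[i] in ("tcp", "udp"):
        proto, i = tok[i], i + 1
    mapped, i = tok[i], i + 1
    if proto:
        port, i = port_num(tok[i]), i + 1
    return Static(mapped, tok[i], proto, port, line)


def parse_permit(line):
    # access-list NAME extended permit PROTO SRC DST [eq PORT | icmp-type]; None for others
    tok = line.split()
    if tok[2] != "extended" or tok[3] != "permit":
        return None
    _, i = take_addr(tok, 5)
    dst, i = take_addr(tok, i)
    port = port_num(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Permit(tok[1], tok[4], dst, port, line)


def parse_config(text):
    statics, permits, ifaces, groups, cur = [], [], {}, {}, {}
    for line in (raw.strip() for raw in text.splitlines()):
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}
        elif tok[0] == "nameif":
            cur["name"] = tok[1]
        elif tok[:2] == ["ip", "address"]:
            cur["ip"] = tok[2]
        elif tok[0] == "static":
            statics.append(parse_static(line))
        elif tok[0] == "access-list":
            permit = parse_permit(line)
            if permit:
                permits.append(permit)
        elif tok[0] == "access-group":  # access-group NAME in interface IFNAME
            groups[tok[4]] = tok[1]
        if "name" in cur and "ip" in cur:
            ifaces[cur["name"]] = cur["ip"]
    return statics, permits, ifaces, groups


def audit(text, outside="outside"):
    """Return findings about servers published through the outside interface."""
    statics, permits, ifaces, groups = parse_config(text)
    out_ip, acl = ifaces.get(outside), groups.get(outside)
    rules = [p for p in permits if p.acl == acl]
    public = {s: out_ip if s.mapped == "interface" else s.mapped for s in statics}
    findings, broad = [], set()
    for s in statics:
        if s.mapped == out_ip:  # 1:1 static onto the ASA's own address: needs 'interface'
            findings.append(f"INTERFACE-KEYWORD: {s.line!r} -> use 'static (inside,outside) "
                            f"interface {s.real} ...' or a per-port 'tcp interface <port>' static")
        hits = [p for p in rules if p.dst in ("any", public[s])
                and (s.proto is None or p.proto in ("ip", s.proto))
                and (None in (s.port, p.port) or s.port == p.port)]
        if not hits:
            findings.append(f"NO-ACL: {public[s]} port {s.port or 'any'} is translated to "
                            f"{s.real} but nothing in access-group {acl!r} permits it")
        broad.update(p.line for p in hits if p.dst == "any" and p.port is not None)
    findings += [f"BROAD-ACL: {ln!r} -> narrow 'any' destination to 'host <public ip>'"
                 for ln in sorted(broad)]
    for p in rules:  # a permit to a public address that nothing translates is a dead rule
        if p.dst != "any" and not any(public[s] == p.dst and
                                      (None in (s.port, p.port) or s.port == p.port)
                                      for s in statics):
            findings.append(f"NO-STATIC: {p.line!r} permits {p.dst} but no static translates it")
    return findings
```

Running `audit(BROKEN_CONFIG)` reports the exact mistake from a few replies up (the 1:1 static to .18 instead of the `interface` form) alongside the `any any eq smtp` line, while `audit(SAMPLE_CONFIG)` only flags the broad permit; the `global`/`nat` PAT lines are parsed past and never influence the result, which is the point made just above.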
