06-08-2007 07:14 AM - edited 03-11-2019 03:27 AM
I am trying to set up our ASA5505 on our T1. I have the outside interface set up on xx.xx.170.18 (the first open public IP). We want non-encrypted SMTP traffic to flow from this IP to the mail server at 192.168.1.50. Then I want encrypted mail on our next available public IP, xx.xx.170.20, to come into the ASA5505 and route to 192.168.1.30 via SMTP port 25 also. I am stumped, though, as to how to accomplish this. Do I need an additional "outside" interface for the other public IP? There is 1 T1 line; can that "line" have 2 IP addresses?
Thanks for the help.
06-08-2007 11:02 AM
That's a lot of pressure, haha, but yes it looks fine.
06-08-2007 07:23 AM
The whole /29 network is routed to you by the ISP, so you do not need another physical interface. You just need to add another static and ACL entry for the new server.
access-list out2in extended permit tcp any host xx.xx.170.20 eq smtp
static (inside,outside) xx.xx.170.20 192.168.1.30 netmask 255.255.255.255
06-08-2007 07:31 AM
Ok,
I am struggling with inputting these via the ASDM; I always seem to get them backwards. So how do I telnet or SSH to the device so that I can enter these commands at the CLI?
Again, sorry to be such a newbie.
I try and access via telnet and I get:
User Access verification
PASSWORD:
When I try the password that I use for ASDM it does not work.
06-08-2007 07:35 AM
Configuration -> Properties -> Device Access
Add your IP address, or the network you are on, to the SSH or Telnet lists. I recommend SSH.
06-08-2007 07:40 AM
I did that and SSH times out (trying via PuTTY).
Telnet wants a password; I try the same password that I use for ASDM and no luck.
06-08-2007 07:51 AM
Try Config -> Properties -> Certificates -> Key pair
You should have a general-purpose 1024-bit key there; if not, hit Add and generate one now. Then try SSH.
Check your config for
aaa authentication ssh console LOCAL
06-08-2007 08:03 AM
OK, I generated the general-purpose cert and can now get PuTTY to connect via SSH, but still can't log on.
It asks "logon as:"
I have tried blank,
I have tried enable_15,
and a user ID that I created, to no avail.
06-08-2007 08:08 AM
Device Access -> AAA Access -> check Enable server group LOCAL and check SSH server group LOCAL.
You should then be able to use the username you created in the ASA.
06-08-2007 08:11 AM
That resolved my SSH access. Thanks so much for your help. I will now try to apply these rules to fix my original issues.
06-08-2007 10:11 AM
If I use this, then email flows in from the outside:
static (inside,outside) tcp interface 25 192.168.1.50 25 netmask 255.255.255.255 0 0
As soon as I change this to
static (inside,outside) xx.xx.170.18 192.168.1.50 netmask 255.255.255.255
mail flow stops.
I need to be able to point at the specific incoming IP so that I can route between x.x.x.18 SMTP and x.x.x.20 SMTP (ZixVPM).
Any ideas?
06-08-2007 10:16 AM
You said you wanted xx.xx.170.18 to map to 192.168.1.30... not 192.168.1.50.
Is that correct or not?
06-08-2007 10:18 AM
xx.xx.170.18 -> 192.168.1.50
xx.xx.170.20 -> 192.168.1.30
06-08-2007 10:21 AM
Sorry, when the address is also your outside interface address and you are doing PAT, then you need to use the "interface" keyword in your static. Since xx.xx.172.18 = ASA outside interface address, then...
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
static (inside,outside) xx.xx.170.20 192.168.1.30 netmask 255.255.255.255
06-08-2007 10:31 AM
OK, I have tried those.
Do I need to do the PAT here as well for the SMTP?
Below is the new running config.
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5505
domain-name amcinc.us
enable password 8aPd93D5bXaT2fFZ encrypted
names
!
interface Vlan1
mac-address 0012.3f7f.9876
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description NuVox T1
nameif outside
security-level 0
ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
domain-name amcinc.us
object-group icmp-type icmp_grp
icmp-object echo-reply
icmp-object information-reply
icmp-object traceroute
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any any eq 1677
access-list out2in extended permit tcp any any eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
prompt hostname context
Cryptochecksum:1f035eed7192c5ef42cf50d5e477e8d3
: end
06-08-2007 10:35 AM
This is PAT:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
and it has nothing to do with your SMTP problem. Your config looks fine. Is .20 not working, or what? Try a "clear xlate".
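The three rules the answers in this thread rely on (a static whose mapped address is the outside interface address must use the "interface" keyword when that address is also the PAT address; an inbound ACL entry should name the mapped host rather than "any"; every static-mapped public address needs a matching inbound ACL entry) can be checked mechanically before the config is pushed. The lint below is an added example written for this page, not code from the thread or from Cisco. It assumes the ASA 7.x "static (real,mapped)" and "access-list ... extended permit" shapes seen in the posted running-config; the sample config it runs on is constructed here, modelled on the posted one, with public addresses from the 203.0.113.0/24 documentation range (.18 standing in for the outside interface address). ACL entries that use object-groups are not handled.

```python
"""Lint the static-NAT / inbound-ACL pairing in an ASA 7.x running-config.

Added example (not the thread's or Cisco's code). Three checks:
  1. ERROR: a 'static' whose mapped address is the outside interface
     address must use the 'interface' keyword instead of the literal IP
     (the change that stopped mail flow in the thread);
  2. WARN:  an inbound ACL entry whose destination is 'any' should name
     the mapped host instead;
  3. WARN:  a static-mapped public address that no inbound ACL entry
     references will have its traffic dropped at the outside ACL.
"""

OUTSIDE_NAMEIF = "outside"

# Constructed sample modelled on the running config posted in the thread
# (not the poster's real config). Public addresses are from the
# 203.0.113.0/24 documentation range; .18 is the outside interface address.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.18 255.255.255.248
!
access-list out2in extended permit tcp any any eq smtp
access-list out2in extended permit tcp any host 203.0.113.18 eq https
access-list out2in extended permit tcp any host 203.0.113.20 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 203.0.113.18 192.168.1.50 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) 203.0.113.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
"""


def outside_address(config):
    """Return the IP configured on the interface whose nameif is OUTSIDE_NAMEIF."""
    nameif = ip = None
    for raw in config.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "interface":        # a new interface block starts: reset
            nameif = ip = None
        elif toks[0] == "nameif":
            nameif = toks[1]
        elif toks[:2] == ["ip", "address"]:
            ip = toks[2]
        if nameif == OUTSIDE_NAMEIF and ip:
            return ip
    return None


def parse_static(line):
    """Split a 7.x static into (proto, mapped, mapped_port, real).

    Handles the two shapes used in the thread:
      static (inside,outside) MAPPED_IP|interface REAL_IP netmask ...
      static (inside,outside) tcp interface MPORT REAL_IP RPORT netmask ...
    """
    toks = line.split()
    i = 2                                  # toks[0]='static', toks[1]='(real,mapped)'
    proto = None
    if toks[i] in ("tcp", "udp"):
        proto = toks[i]
        i += 1
    mapped = toks[i]
    i += 1
    mapped_port = None
    if proto:                              # port-PAT form carries a mapped port
        mapped_port = toks[i]
        i += 1
    return proto, mapped, mapped_port, toks[i]


def _addr_spec(toks, i):
    """Consume one ACL address spec ('any', 'host X' or 'X MASK') at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    return toks[i] + "/" + toks[i + 1], i + 2


def lint(config):
    """Return a list of 'LEVEL: message: <line>' strings for the three checks."""
    findings = []
    outside_ip = outside_address(config)
    acl_dests = set()
    statics = []

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("access-list ") and " permit " in line:
            toks = line.split()
            i = toks.index("permit") + 2   # skip the protocol token
            _src, i = _addr_spec(toks, i)
            dst, i = _addr_spec(toks, i)
            acl_dests.add(dst)
            if dst == "any":
                findings.append("WARN: inbound rule destination is 'any'; name the mapped host: " + line)
        elif line.startswith("static "):
            statics.append(line)

    for line in statics:
        _proto, mapped, _mport, _real = parse_static(line)
        if mapped == outside_ip:
            findings.append("ERROR: mapped address is the outside interface address; "
                            "with PAT on that address, use the 'interface' keyword: " + line)
        elif mapped != "interface" and mapped not in acl_dests and "any" not in acl_dests:
            findings.append("WARN: no inbound ACL entry references " + mapped + ": " + line)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the lint reports the broad "any any eq smtp" entry and the static that names the outside interface address literally; rewriting that static with "interface" and the ACL entry with "host", as the thread's answer does, leaves no findings.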