Forwarding Ports on ASA 5505

brian-alford · ‎03-10-2008

I have an ASA 5505 with version 7.2(2) on it that I would like to forward ports to an Microsoft Exchange server on the inside of my network. I have configured the ASA with the following, but I am still unable to connect to the Exchange server remotely.

access-list outside_access_in extended permit tcp any host 69.x.x.x eq smtp

access-list outside_access_in extended permit tcp any host 69.x.x.x eq www

access-list outside_access_in extended permit tcp any host 69.x.x.x eq https

access-list outside_access_in extended permit tcp any host 69.x.x.x eq domain

static (inside,outside) tcp 69.x.x.x smtp 10.140.1.250 smtp netmask 255.255.255.255

static (inside,outside) tcp 69.x.x.x www 10.140.1.250 www netmask 255.255.255.255

static (inside,outside) tcp 69.x.x.x https 10.140.1.250 https netmask 255.255.255.255

static (inside,outside) tcp 69.x.x.x domain 10.140.1.250 domain netmask 255.255.255.255

access-group outside_access_in in interface outside

Any help would be greatly appreciated as I'm about to lose my last hair....

srue · ‎03-10-2008

is the 69.x.x.x address your IP address of the outside interface?

if so, you need to change it using the interface keyword.

for example:

no static (inside,outside) tcp 69.x.x.x smtp 10.140.1.250 smtp

static (inside,outside) tcp interface smtp 10.140.1.250 smtp

do that for all of them. if this isn't your problem, let us know.

brian-alford · ‎03-10-2008

Thanks for your reply, I made the changes but I still am unable to telnet into port 25 remotely. Here is the configuration I'm using now.

name 10.140.51.0 voice description voice-vlan

!

interface Vlan1

nameif inside

security-level 100

ip address 10.140.1.1 255.255.255.0

!

interface Vlan2

description Outside Interface to CenturyTel

nameif outside

security-level 0

ip address 69.x.x.x 255.255.255.248

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list habitatvpn_splitTunnelAcl standard permit 10.140.1.0 255.255.255.0

access-list habitatvpn_splitTunnelAcl standard permit voice 255.255.255.0

access-list outside_access_in extended permit icmp any any inactive

access-list outside_access_in extended permit tcp any host 69.x.x.x eq smtp

access-list outside_access_in extended permit tcp any host 69.x.x.x eq www

access-list outside_access_in extended permit tcp any host 69.x.x.x eq https

access-list outside_access_in extended permit tcp any host 69.x.x.x eq domain

access-list inside_nat0_outbound extended permit ip 10.140.1.0 255.255.255.0 10.150.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.150.1.0 255.255.255.0 10.140.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip voice 255.255.255.0 10.150.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.150.1.0 255.255.255.0 voice 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.140.1.0 255.255.255.0 10.140.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip voice 255.255.255.0 10.140.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.140.1.0 255.255.255.0 10.140.50.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 10.140.1.0 255.255.255.0 10.140.0.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip voice 255.255.255.0 10.140.50.0 255.255.255.0

access-list outside_20_cryptomap extended permit ip 10.140.1.0 255.255.255.0 10.140.50.0 255.255.255.0

access-list global_mpc extended permit ip voice 255.255.255.0 10.140.50.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 10.140.1.250 smtp netmask 255.255.255.255

static (inside,outside) tcp interface www 10.140.1.250 www netmask 255.255.255.255

static (inside,outside) tcp interface https 10.140.1.250 https netmask 255.255.255.255

static (inside,outside) tcp interface domain 10.140.1.250 domain netmask 255.255.255.255

access-group outside_access_in in interface outside

route inside voice 255.255.255.0 10.140.1.2 1

route outside 0.0.0.0 0.0.0.0 69.x.x.x 1

group-policy habitatvpn internal

group-policy habitatvpn attributes

dns-server value 10.140.1.200 64.x.x.x

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value habitatvpn_splitTunnelAcl

dhcpd auto_config outside

!

dhcpd address 10.140.1.100-10.140.1.199 inside

dhcpd dns 10.140.1.200 64.x.x.x interface inside

!

priority-queue inside

priority-queue outside

!

class-map global-class

match default-inspection-traffic

class-map global-class1

description Voice_Traffic

match access-list global_mpc

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map type inspect http test

description test

parameters

protocol-violation action drop-connection

policy-map global-policy

description Voice_Traffic

class global-class

inspect ftp

inspect netbios

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

inspect dns

inspect icmp

inspect icmp error

inspect esmtp

inspect http

class global-class1

priority

!

service-policy global-policy global

brian-alford · ‎03-10-2008

Just in case you did not receive my update, the changes to the configuration did not allow traffic to the Exchange Server. I attempt to telnet into the smtp to see if I receive replies or not and it is still not working.

srue · ‎03-10-2008

woops..also change your outside_access_in acl like the following:

no access-list outside_access_in extended permit tcp any host 69.x.x.x eq smtp

access-list outside_access_in extended permit tcp any interface outside eq smtp

....again, this assumes 69.x.x.x is actually your outside IP address.

brian-alford · ‎03-10-2008

Made the changes, but still no luck. My config changes. Yes the 69.x.x.x is my outside address of the ASA.

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq domain

static (inside,outside) tcp interface smtp 10.140.1.250 smtp netmask 255.255.255.255

static (inside,outside) tcp interface www 10.140.1.250 www netmask 255.255.255.255

static (inside,outside) tcp interface https 10.140.1.250 https netmask 255.255.255.255

static (inside,outside) tcp interface domain 10.140.1.250 domain netmask 255.255.255.255

access-group outside_access_in in interface outside

srue · ‎03-10-2008

do any of the other services work, besides smtp?

www,https,dns?

can you telnet to port 25 of 10.140.1.250 from inside the network?

confirm your nat with "show xlate"...

and show access-list to see if your acl's are incrementing..

brian-alford · ‎03-10-2008

Great news, I removed the inspect esmtp from the policy-map and cleared the xlates and it is now working properly. Just for my information why would the ip address not work in the access-list but the interfaces name would? thanks very much for your help.

sundar.palaniappan · ‎03-10-2008

Here's the command structure for static.

static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port

local_ip local_port [netmask mask]

You have the option of using either global IP/interface name with port redirection and since you are using the outside interface as the global address for translation you need to use the interface name rather than the address.

HTH

Sundar

brian-alford · ‎03-10-2008

Sundar,

Thanks for your reply, I have been configuring Pix's for over 10 years now and I'm trying to get my arms around the ASA CLI, don't like the gui (old school). Thanks again for your help, have a great day.