03-10-2008 09:36 AM - edited 03-11-2019 05:14 AM
I have an ASA 5505 with version 7.2(2) on it that I would like to forward ports to a Microsoft Exchange server on the inside of my network. I have configured the ASA with the following, but I am still unable to connect to the Exchange server remotely.
access-list outside_access_in extended permit tcp any host 69.x.x.x eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.x eq www
access-list outside_access_in extended permit tcp any host 69.x.x.x eq https
access-list outside_access_in extended permit tcp any host 69.x.x.x eq domain
static (inside,outside) tcp 69.x.x.x smtp 10.140.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp 69.x.x.x www 10.140.1.250 www netmask 255.255.255.255
static (inside,outside) tcp 69.x.x.x https 10.140.1.250 https netmask 255.255.255.255
static (inside,outside) tcp 69.x.x.x domain 10.140.1.250 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
Any help would be greatly appreciated as I'm about to lose my last hair....
03-10-2008 09:58 AM
Is the 69.x.x.x address the IP address of your outside interface?
If so, you need to change it using the interface keyword.
For example:
no static (inside,outside) tcp 69.x.x.x smtp 10.140.1.250 smtp
static (inside,outside) tcp interface smtp 10.140.1.250 smtp
Do that for all of them. If this isn't your problem, let us know.
03-10-2008 10:16 AM
Thanks for your reply, I made the changes but I still am unable to telnet into port 25 remotely. Here is the configuration I'm using now.
name 10.140.51.0 voice description voice-vlan
!
interface Vlan1
nameif inside
security-level 100
ip address 10.140.1.1 255.255.255.0
!
interface Vlan2
description Outside Interface to CenturyTel
nameif outside
security-level 0
ip address 69.x.x.x 255.255.255.248
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list habitatvpn_splitTunnelAcl standard permit 10.140.1.0 255.255.255.0
access-list habitatvpn_splitTunnelAcl standard permit voice 255.255.255.0
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in extended permit tcp any host 69.x.x.x eq smtp
access-list outside_access_in extended permit tcp any host 69.x.x.x eq www
access-list outside_access_in extended permit tcp any host 69.x.x.x eq https
access-list outside_access_in extended permit tcp any host 69.x.x.x eq domain
access-list inside_nat0_outbound extended permit ip 10.140.1.0 255.255.255.0 10.150.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.150.1.0 255.255.255.0 10.140.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip voice 255.255.255.0 10.150.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.150.1.0 255.255.255.0 voice 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.140.1.0 255.255.255.0 10.140.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip voice 255.255.255.0 10.140.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.140.1.0 255.255.255.0 10.140.50.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.140.1.0 255.255.255.0 10.140.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip voice 255.255.255.0 10.140.50.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.140.1.0 255.255.255.0 10.140.50.0 255.255.255.0
access-list global_mpc extended permit ip voice 255.255.255.0 10.140.50.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.140.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.140.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.140.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface domain 10.140.1.250 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside voice 255.255.255.0 10.140.1.2 1
route outside 0.0.0.0 0.0.0.0 69.x.x.x 1
group-policy habitatvpn internal
group-policy habitatvpn attributes
dns-server value 10.140.1.200 64.x.x.x
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value habitatvpn_splitTunnelAcl
dhcpd auto_config outside
!
dhcpd address 10.140.1.100-10.140.1.199 inside
dhcpd dns 10.140.1.200 64.x.x.x interface inside
!
priority-queue inside
priority-queue outside
!
class-map global-class
match default-inspection-traffic
class-map global-class1
description Voice_Traffic
match access-list global_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http test
description test
parameters
protocol-violation action drop-connection
policy-map global-policy
description Voice_Traffic
class global-class
inspect ftp
inspect netbios
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns
inspect icmp
inspect icmp error
inspect esmtp
inspect http
class global-class1
priority
!
service-policy global-policy global
03-10-2008 11:48 AM
Just in case you did not receive my update, the changes to the configuration did not allow traffic to the Exchange Server. I attempted to telnet to the SMTP port to see whether I receive replies or not, and it is still not working.
03-10-2008 11:59 AM
Whoops... also change your outside_access_in ACL like the following:
no access-list outside_access_in extended permit tcp any host 69.x.x.x eq smtp
access-list outside_access_in extended permit tcp any interface outside eq smtp
.... again, this assumes 69.x.x.x is actually your outside IP address.
03-10-2008 12:12 PM
Made the changes, but still no luck. My config changes are below. Yes, the 69.x.x.x is the outside address of the ASA.
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq domain
static (inside,outside) tcp interface smtp 10.140.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.140.1.250 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.140.1.250 https netmask 255.255.255.255
static (inside,outside) tcp interface domain 10.140.1.250 domain netmask 255.255.255.255
access-group outside_access_in in interface outside
03-10-2008 12:22 PM
Do any of the other services work, besides smtp?
www, https, dns?
Can you telnet to port 25 of 10.140.1.250 from inside the network?
Confirm your NAT with "show xlate"...
and "show access-list" to see if your ACLs are incrementing..
03-10-2008 12:40 PM
Great news, I removed the inspect esmtp from the policy-map and cleared the xlates and it is now working properly. Just for my information, why would the IP address not work in the access-list but the interface name would? Thanks very much for your help.
03-10-2008 01:21 PM
Here's the command structure for static.
static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask]
You have the option of using either a global IP or the interface name with port redirection, and since you are using the outside interface's address as the global address for the translation, you need to use the interface keyword rather than the address.
HTH
Sundar
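As an added example (not from this thread, nor Cisco's own tooling): a small Python audit that applies Sundar's point about the static syntax, the earlier ACL fix, and the esmtp finding to a config text. The two config snippets inside it are constructed to mirror the thread's "before" and "after" states, with 192.0.2.2 standing in for the 69.x.x.x outside address; the regexes cover only the command forms that appear in this thread, and the esmtp check does not trace which policy-map is applied to which interface.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the original post: the static and the ACL use
# the outside interface's own address, and ESMTP inspection is on globally.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
access-list outside_access_in extended permit tcp any host 192.0.2.2 eq smtp
access-list outside_access_in extended permit tcp any host 192.0.2.2 eq https
static (inside,outside) tcp 192.0.2.2 smtp 10.140.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.140.1.250 https netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global-policy
 class global-class
  inspect esmtp
  inspect http
service-policy global-policy global
"""

# The same forwarding after the changes the thread converged on (constructed).
CORRECTED_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.248
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
static (inside,outside) tcp interface smtp 10.140.1.250 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 10.140.1.250 https netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global-policy
 class global-class
  inspect http
service-policy global-policy global
"""

IFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s*ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+")
# static (in,out) {tcp|udp} {global_ip|interface} global_port local_ip local_port
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# Only the "host <ip>" destination form is of interest; "interface <nameif>" is the fixed form.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) \S+ host (\S+) eq (\S+)")
INSPECT_RE = re.compile(r"^\s*inspect\s+(\S+)")
PORT_ALIASES = {"25": "smtp"}


def interface_addresses(config: str) -> Dict[str, str]:
    """Map each nameif to the IPv4 address configured under its interface block."""
    addrs: Dict[str, str] = {}
    nameif = ip = None
    for line in config.splitlines():
        if IFACE_RE.match(line):          # a new block starts: flush the previous one
            if nameif and ip:
                addrs[nameif] = ip
            nameif = ip = None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m:
            ip = m.group(1)
    if nameif and ip:
        addrs[nameif] = ip
    return addrs


def audit(config: str) -> List[str]:
    """Return findings for port-forwarding statics, their ACL entries and ESMTP inspection."""
    findings: List[str] = []
    ip_to_nameif = {ip: name for name, ip in interface_addresses(config).items()}
    forwarded_ports = set()
    inspections = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            _inside_if, outside_if, _proto, global_addr, global_port = m.group(1, 2, 3, 4, 5)
            global_port = PORT_ALIASES.get(global_port, global_port)
            forwarded_ports.add(global_port)
            if global_addr != "interface" and ip_to_nameif.get(global_addr) == outside_if:
                findings.append(f"static for port {global_port}: global address {global_addr} is the "
                                f"{outside_if} interface's own IP; use 'interface' instead of the literal address")
            continue
        m = ACL_RE.match(line)
        if m:
            acl, _proto, host, port = m.groups()
            if host in ip_to_nameif:
                findings.append(f"access-list {acl} port {port}: host {host} is the {ip_to_nameif[host]} "
                                f"interface's own IP; use 'interface {ip_to_nameif[host]}' instead")
            continue
        m = INSPECT_RE.match(line)
        if m:
            inspections.add(m.group(1))
    # The thread's last step: the forward only worked once 'inspect esmtp' was removed,
    # so flag the combination for verification rather than assuming it is harmless.
    if "smtp" in forwarded_ports and "esmtp" in inspections:
        findings.append("inspect esmtp is enabled while port smtp is forwarded; verify the "
                        "inspection is not interfering with the forwarded session")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("before:", f)
    print("after:", audit(CORRECTED_CONFIG) or "no findings")
```

Run against a "show running-config" dump, the audit lists each static or ACL line that names the outside interface's own address, plus the esmtp/port-25 combination; an empty list for the corrected snippet shows the forms the thread ended up with pass all three checks.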
03-10-2008 01:50 PM
Sundar,
Thanks for your reply. I have been configuring PIXs for over 10 years now and I'm trying to get my arms around the ASA CLI; I don't like the GUI (old school). Thanks again for your help, have a great day.