ASA 5505 incoming traffic issue

Answered Question
Jun 19th, 2008

I have an issue getting email through the Cisco ASA to our email server 10.100.50.172 255.255.0.0

Everything else is working. We have internet. All outgoing traffic is OK. Does anybody see what's wrong? Thanks,

ASA Version 8.0(2)
!
hostname ASA
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.yyy.15.10 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ABC.com
object-group service VideoFlow
 service-object tcp range 3230 3253
 service-object tcp eq h323
 service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!
no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context

Fernando_Meza Thu, 06/19/2008 - 15:57

Hi,

Try disabling inspect esmtp from your default-inspection-traffic rule.

From config mode:

policy-map global_policy
 class inspection_default
  no inspect esmtp

I hope it helps. Please rate helpful posts.

Correct Answer
acomiskey Thu, 06/19/2008 - 18:43

Change

static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255

to

static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

Marwan ALshawi Thu, 06/19/2008 - 22:08

If you are using the same public IP as the one on global (outside),

you'd better try to make a static PAT to forward SMTP, for example, in the inbound direction to your internal mail server.

Rate if it worked please,

rashev_kamen Fri, 06/20/2008 - 06:45

Great! It's working.

But I would like to configure xxx.yyy.15.10 for my email traffic and xxx.yyy.15.11 for video conferencing. How am I supposed to do it now? What is the best way to configure this?

Thanks,

acomiskey Fri, 06/20/2008 - 07:58

no static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255

then add another static with the new port and new destination address...example....

static (inside,outside) interface netmask 255.255.255.255

rashev_kamen Fri, 06/20/2008 - 13:28

This is fine if we have just one protocol, but in my case I need to open TCP 3230-3238 and UDP 3230-3258, and with PAT I can't use object groups. How can I resolve this? Thanks for the help!

Marwan ALshawi Fri, 06/20/2008 - 16:26

First, I guess the way I sent you solved your problem, I mean static PAT?

Secondly, for VoIP and video you don't have to open these UDP ports. What you have to do first is make access lists and static PAT for the TCP signaling protocols only,

then make a policy inspection for that video traffic, for example H323.

If you are going to open all these UDP ports as you said, then you don't need a firewall, because this security will be so weak.

Thanks, and let me know if it worked.

Marwan

rashev_kamen Sun, 06/22/2008 - 19:12

I totally agree with you, but this is a customer firewall and the management is asking me to open all these ports. How can I do this with just one IP address xxx.yyy.15.10? If it's not possible, what will be the config if we get a second IP address?

Why, with this ASA, is the command

static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255

not working and needs to be replaced with

static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

It's working on another ASA5510.

Thanks for the help!

Marwan ALshawi Sun, 06/22/2008 - 19:28

About the static NAT: if you have a static IP address it is supposed to work, unless you have a DHCP address from your ISP; in that case the interface keyword will be a must.

And about opening ports with PAT, could you send me the case in more detail and what the required result is?

rashev_kamen Sun, 06/22/2008 - 19:48

This is what I need exactly to do:

I need to forward all HTTP, HTTPS, SMTP traffic to 10.100.50.72 and all the packets in the range of TCP 3230-3238 and UDP ports 3230-3258 and h323 to 10.100.50.70 (this is for video conferencing; it's not Cisco, not sure what kind).

We have just one IP address xxx.yyy.15.10. Can I do this?

With my first config that I had posted neither one was working. When I replaced

static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255

with

static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

I got it working for 10.100.50.172.

Why the first one is not working here, I have no idea. It's working on another ASA5510.

Can I now forward the video conferencing traffic to 10.100.50.170?

Also, if it's not possible, what will be the config if we get a second IP address?

Thanks for the help!

Marwan ALshawi Sun, 06/22/2008 - 20:28

I am not sure, but try this method and rate if helpful.

Make a NAMED ACL which contains in its ACEs

a source of any, and the destination should be 10.100.50.172,

and with the ACL entries make the http, https and range of udp and so on; make all the required entries.

Then

go to the static PAT stage,

remove the old one

and make a new one that should be like

static (inside, outside) xx.yyy access-list (ACL NAME)

and let me know

rashev_kamen Mon, 06/23/2008 - 13:06

This is what I'm getting when I try this:

ASA(config)# static (inside,outside) interface access-list ABC

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

ERROR: Invalid netmask with interface option

What am I putting wrong? I tried with the netmask 255.255.255.255 option but I'm getting the same.

rashev_kamen Mon, 06/23/2008 - 20:12

When I tried this I'm getting:

RedRiverASA(config)# static (inside,outside) 209.155.15.10 access-list ABC

global address overlaps with mask

Usage: [no] static [(real_ifc, mapped_ifc)]

......

I tried also 209.155.15.11 and I get the same.

rashev_kamen Mon, 06/23/2008 - 20:45

When I replaced the 'any' with the external IP address xxx.yyy.15.10 in the access list

#access-list AAA extended permit tcp host xxx.yyy.15.10 host 10.100.50.172 eq smtp

I was able to apply

#static (inside,outside) interface access-list AAA

or

#static (inside,outside) xxx.yyy.15.10 access-list AAA

But whichever one I use, the traffic is not getting in again.

Marwan ALshawi Mon, 06/23/2008 - 22:02

I think it is better to try the simplest way,

which is as follows:

first make your global NAT with the interface or the IP address given to you by the ISP,

then make a normal simple static NAT

without putting any TCP or UDP, to translate everything in the inbound direction to the internal server.

Finally make an access-list to limit what is permitted from any source to your NATed outside interface IP.

In this case with static NAT you are going to translate everything that comes to your public IP address to your inside server;

then by the ACL you are going to filter what is permitted and what is not.

And let me know.

Good luck.

Keep it as simple as possible.

By the way, don't forget to remove the old NAT config!
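As an added example, not from any post in this thread, here is an ASA 8.0 (pre-8.3 NAT syntax) fragment that puts together what the answers describe: per-port static PAT on the outside interface's own address plus an inbound ACL, for the two hosts the poster names. The mail server 10.100.50.172, the video host 10.100.50.170, the ACL name out_in and the placeholder xxx.yyy.15.10 are taken from the thread; everything else is assumed.

```cisco
! Added example (not from the thread): ASA 8.0(2), pre-8.3 NAT syntax.
! The single public address is also the outside interface address, so the
! static statements use the "interface" keyword, as in the accepted answer.
! Assumed: mail server 10.100.50.172, video host 10.100.50.170, ACL out_in.
!
! Outbound PAT for the inside network, unchanged from the posted config.
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
!
! Drop the blanket static: it sends every inbound port to the mail server
! and, as the WARNING quoted in this thread says, disables services that
! terminate on the outside interface itself.
no static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255
!
! Static PAT takes one port per statement. Mail server: SMTP, HTTP, HTTPS.
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.100.50.172 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.50.172 https netmask 255.255.255.255
!
! Video host: H.323 signalling (tcp/1720) plus the required range. A range
! needs one statement per port: 3230 and 3238 are shown, 3231-3237 follow
! the same pattern, and UDP 3230-3258 likewise if it really must be opened.
static (inside,outside) tcp interface h323 10.100.50.170 h323 netmask 255.255.255.255
static (inside,outside) tcp interface 3230 10.100.50.170 3230 netmask 255.255.255.255
static (inside,outside) tcp interface 3238 10.100.50.170 3238 netmask 255.255.255.255
static (inside,outside) udp interface 3230 10.100.50.170 3230 netmask 255.255.255.255
!
! Inbound ACL. Pre-8.3 ACLs match the mapped (public) address, and only the
! ports permitted here are reachable, whatever the static statements map.
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq h323
access-list out_in extended permit tcp any host xxx.yyy.15.10 range 3230 3238
access-list out_in extended permit udp any host xxx.yyy.15.10 range 3230 3258
access-group out_in in interface outside
!
! After changing static statements, clear existing translations so the new
! mappings take effect, then check that the port translations are installed.
clear xlate
show xlate
```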
