06-19-2008 03:45 PM - edited 03-11-2019 06:02 AM
I have an issue getting email through the Cisco ASA to our email server 10.100.50.172 255.255.0.0
Everything else is working. We have internet. All outgoing traffic is OK. Does anybody see what's wrong? Thanks,
ASA Version 8.0(2)
!
hostname ASA
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.86.1 255.255.0.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.yyy.15.10 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ABC.com
object-group service VideoFlow
service-object tcp range 3230 3253
service-object tcp eq h323
service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!
no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
06-19-2008 03:57 PM
Hi,
Try disabling inspect esmtp from your default-inspection-traffic rule.
From config mode:
policy-map global_policy
class inspection_default
no inspect esmtp
I hope it helps .. please rate helpful posts
06-19-2008 06:43 PM
Change
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
to
static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255
06-19-2008 10:08 PM
if you are using the same public IP as the one on global (outside)
you'd better try to make a static PAT to forward, for example, smtp in the inbound direction to your internal mail server
rate if it worked please,
06-20-2008 06:45 AM
Great! It's working.
But I would like to configure xxx.yyy.15.10 for my email traffic and xxx.yyy.15.11 for video conferencing. How am I supposed to do it now? What is the best way to configure this?
Thanks,
06-20-2008 07:58 AM
no static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
then add another static with the new port and new destination address...example....
static (inside,outside)
06-20-2008 01:28 PM
This is fine if we have just one protocol, but in my case I need to open tcp 3230-3238, udp 3230-3258. And with PAT I can't use object groups. How can I resolve this? Thanks for the help!
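The two problems in this thread so far, the one-to-one static whose mapped address is the outside interface's own IP (fixed above with the `interface` keyword) and the move to per-port static PAT when several services share that one public address, can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses an ASA 8.0-style config excerpt (constructed from the one posted above, with the masked xxx.yyy prefix replaced by the documentation prefix 203.0.113 so the addresses parse), flags one-to-one statics mapped onto an interface address, reads which services the ACL actually permits to that address, and prints the per-port `static (inside,outside) tcp interface PORT REAL PORT netmask 255.255.255.255` lines that expose only those services. Because that static PAT form takes a single port, a range such as tcp 3230-3238 is expanded into one line per port; `pat_conflicts` catches the case where two inside hosts claim the same protocol/port on the shared address, since only one host can own it. The video host 10.100.50.170 and the helper names are assumptions; only the `extended permit ... any host ... eq` ACE shape is parsed, and the syntax is the pre-8.3 NAT syntax the thread uses.

```python
"""Audit an ASA 8.0-style config for one-to-one statics that map an inside host
onto an interface's own address, and emit the per-port static PAT lines that
expose only the ACL-permitted services instead (added example, not the thread's code)."""
import re
from typing import Dict, List, Sequence, Tuple

# Constructed excerpt of the config posted in the thread; xxx.yyy -> 203.0.113.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
access-list out_in extended permit tcp any host 203.0.113.10 eq www
access-list out_in extended permit tcp any host 203.0.113.10 eq https
access-list out_in extended permit tcp any host 203.0.113.10 eq smtp
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) 203.0.113.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One-to-one static only; the "static (a,b) tcp interface PORT ..." PAT form does not match.
STATIC_RE = re.compile(
    rf"\s*static\s+\((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\)\s+"
    rf"(?P<mapped>interface|{IPV4})\s+(?P<real>{IPV4})\s+netmask\s+{IPV4}\s*$"
)
# Only the simple "permit PROTO any host DST eq PORT" ACE shape is understood.
ACL_RE = re.compile(
    rf"\s*access-list\s+\S+\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+any\s+"
    rf"host\s+(?P<dst>{IPV4})\s+eq\s+(?P<port>\S+)\s*$"
)


def parse_interfaces(config: str) -> Dict[str, str]:
    """Return {nameif: ip address} for every interface block in the config."""
    ifaces: Dict[str, str] = {}
    name = None
    for line in config.splitlines():
        if re.match(r"\s*interface\s", line):
            name = None                      # new block; nameif precedes ip address
        elif (m := re.match(r"\s*nameif\s+(\S+)", line)):
            name = m.group(1)
        elif name and (m := re.match(rf"\s*ip address\s+({IPV4})\s", line)):
            ifaces[name] = m.group(1)
    return ifaces


def permitted_services(config: str, dst: str) -> List[Tuple[str, str]]:
    """(proto, port) pairs the ACL permits from any source to dst, in config order."""
    return [(m.group("proto"), m.group("port"))
            for m in map(ACL_RE.match, config.splitlines())
            if m and m.group("dst") == dst]


def audit_statics(config: str) -> List[dict]:
    """Flag one-to-one statics whose mapped address is the mapped interface's own IP
    (written either as the literal address or with the interface keyword)."""
    ifaces = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        if_ip = ifaces.get(m.group("mapped_ifc"))
        mapped = if_ip if m.group("mapped") == "interface" else m.group("mapped")
        if mapped != if_ip:
            continue                         # a spare public address; nothing to flag
        findings.append({
            "line": line.strip(),
            "real": m.group("real"),
            "exposed": permitted_services(config, mapped),
            "reason": f"mapped address is the {m.group('mapped_ifc')} interface's own IP",
        })
    return findings


def static_pat_lines(real_ifc: str, mapped_ifc: str, real_ip: str,
                     services: Sequence[Tuple[str, object]]) -> List[str]:
    """One static PAT line per (proto, port); port may be a name (smtp) or a number.
    A range is passed already expanded, since this form takes a single port."""
    return [f"static ({real_ifc},{mapped_ifc}) {proto} interface {port} {real_ip} {port} "
            f"netmask 255.255.255.255"
            for proto, port in services]


def pat_conflicts(lines: Sequence[str]) -> List[str]:
    """Mapped proto/port pairs claimed by more than one inside host on the interface."""
    owners: Dict[Tuple[str, str], set] = {}
    for line in lines:
        m = re.match(rf"static \(\w+,\w+\) (tcp|udp) interface (\S+) ({IPV4}) ", line)
        if m:
            owners.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    return sorted(f"{p}/{port}" for (p, port), hosts in owners.items() if len(hosts) > 1)


if __name__ == "__main__":
    for f in audit_statics(SAMPLE_CONFIG):
        print("FLAG:", f["line"], "-", f["reason"])
        print("per-port PAT limited to what the ACL already permits:")
        mail = static_pat_lines("inside", "outside", f["real"], f["exposed"])
        print(*("  " + l for l in mail), sep="\n")
        # video host is an assumed placeholder; tcp 3230-3238 is the range from the thread
        video = static_pat_lines("inside", "outside", "10.100.50.170",
                                 [("tcp", p) for p in range(3230, 3239)])
        print(*("  " + l for l in video), sep="\n")
        print("conflicts:", pat_conflicts(mail + video) or "none")
```

Run it as-is and it flags the posted static line and prints three smtp/www/https PAT lines for 10.100.50.172 followed by nine lines for tcp 3230-3238 to the video host; the ACL entries themselves stay pointed at the interface address, as they already are in the posted config.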
06-20-2008 04:26 PM
first, I guess the way I have sent you solved your problem, I mean static PAT?
secondly, for VoIP and video you don't have to open these udp ports; what you have to do first is make (access lists) and static PAT for the tcp signaling protocols only
then make a policy inspection for that video traffic, for example H323
if you are going to open all these udp ports as you said then you don't need a firewall, because this security will be so weak..
thanks and let me know if it worked
Marwan
06-22-2008 07:12 PM
I totally agree with you, but this is a customer firewall and the management is asking me to open all these ports. How can I do this with just one IP address xxx.yyy.15.10? If it's not possible, what will the config be if we get a second IP address?
Why with ASA the command
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
is not working and need to be replaced with
static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255
It's working on another ASA5510.
Thanks for the help!
06-22-2008 07:28 PM
about the static NAT: if you have a static IP address it is supposed to work, unless you have a DHCP address from your ISP, in which case the interface keyword will be a must
and about opening ports with PAT, could you send me the case in more detail and what the required result is?
06-22-2008 07:48 PM
This is what I need exactly to do:
I need to forward all HTTP, HTTPS, SMTP traffic to 10.100.50.72 and all the packets on the range of tcp 3230-3238 and udp ports 3230-3258 and h323 to 10.100.50.70 (this is for video conferencing, it's not cisco, not sure what kind).
We have just one IP address, xxx.yyy.15.10. Can I do this?
With my first config that I had posted neither one was working. When I replaced
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
with
static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255
I got it working for 10.100.50.172.
Why the first one is not working here, no idea. It's working on another ASA5510.
Can I now forward the video conferencing traffic to 10.100.50.170?
Also, if it's not possible, what will the config be if we get a second IP address?
Thanks for the help!
06-22-2008 08:28 PM
I am not sure, but try this method and rate if helpful:
make a NAMED ACL which contains in its ACEs
a source of any, and the destination should be 10.100.50.172
and with the ACL entries make the http, https and the range of udp and so on; make all the required entries
then
go to the static PAT stage,
remove the old one
and make a new one that should be like
static (inside, outside) xx.yyy access-list (ACL NAME)
and let me know
06-23-2008 01:06 PM
This is what I'm getting when I try this:
ASA(config)# static (inside,outside) interface access-list ABC
WARNING: static redireting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.
ERROR: Invalid netmask with interface option
What am I putting wrong? I tried with the netmask 255.255.255.255 option but I'm getting the same.
06-23-2008 04:35 PM
try to replace the interface keyword with the IP address you have and see what happens!
06-23-2008 08:12 PM
When I tried this I'm getting:
RedRiverASA(config)# static (inside,outside) 209.155.15.10 access-list ABC
global address overlaps with mask
Usage: [no] static [(real_ifc, mapped_ifc)]
......
I tried also 209.155.15.11 and I get the same