ASA 5505 incoming traffic issue

rashev_kamen
Level 1

I have an issue getting email through the Cisco ASA to our email server 10.100.50.172 255.255.0.0

Everything else is working. We have internet. All outgoing traffic is OK. Does anybody see what's wrong? Thanks,

ASA Version 8.0(2)
!
hostname ASA
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.yyy.15.10 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name ABC.com
object-group service VideoFlow
 service-object tcp range 3230 3253
 service-object tcp eq h323
 service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!
no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
!
service-policy global_policy global
prompt hostname context


16 Replies

Fernando_Meza
Level 7

Hi,

Try disabling inspect esmtp from your default-inspection-traffic rule.

From config mode:

policy-map global_policy

class inspection_default

no inspect esmtp

I hope it helps. Please rate helpful posts.

Change

static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255

to

static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

If you are using the same public IP as the one on global (outside),

you'd better try to make a static PAT to forward SMTP, for example, in the inbound direction to your internal mail server.

Rate if it worked, please.
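The two traps in this exchange, a one-to-one static spelled with the outside interface's own address (which the accepted fix replaces with the interface keyword) and a one-to-one static to interface that redirects every inbound packet to one host, can both be caught by reading the config before it is applied. The following checker is an added example written for this thread, not code from the thread or from Cisco; the sample config is constructed from the posted one, with 198.51.100.10 standing in for the redacted xxx.yyy.15.10, and the function and finding names are my own.

```python
"""Lint ASA 8.0-style `static` lines for the two misconfigurations in this thread."""

# Constructed sample modelled on the posted config: the outside interface holds
# the only public address, and the one-to-one static spells that same address
# out instead of using the `interface` keyword. 198.51.100.0/24 is a
# documentation range standing in for the redacted xxx.yyy.15.0 block.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.86.1 255.255.0.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.248
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) 198.51.100.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
"""

# Finding codes (my own names, not ASA terminology).
ONE_TO_ONE_ON_IFC_ADDR = "static-uses-interface-address-literally"
REDIRECTS_ALL_TRAFFIC = "one-to-one-static-to-interface-redirects-everything"


def interface_addresses(config_text):
    """Map each nameif to the IP address configured under its interface block."""
    addrs, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                      # new block; nameif follows
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            addrs[current] = line.split()[2]
    return addrs


def parse_static(line):
    """Split an 8.0-style static into fields; None if the line is not a static.

    Handles both forms seen in the thread:
      static (r,m) <mapped|interface> <real> netmask <mask>
      static (r,m) tcp|udp <mapped|interface> <mport> <real> <rport> netmask <mask>
    """
    t = line.split()
    if len(t) < 5 or t[0] != "static":
        return None
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    i, proto = 2, None
    if t[i] in ("tcp", "udp"):
        proto, i = t[i], i + 1
    mapped, i = t[i], i + 1
    mapped_port = None
    if proto:
        mapped_port, i = t[i], i + 1
    real = t[i]
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": proto,
            "mapped": mapped, "mapped_port": mapped_port, "real": real}


def lint_static_nat(config_text):
    """Return (code, line) findings for static lines that will misbehave."""
    ifc_addrs = interface_addresses(config_text)
    findings = []
    for raw in config_text.splitlines():
        s = parse_static(raw.strip())
        if s is None:
            continue
        if s["mapped"] == ifc_addrs.get(s["mapped_ifc"]):
            # The thread's fix: the interface's own address must be referenced
            # through the `interface` keyword, not spelled out as a literal.
            findings.append((ONE_TO_ONE_ON_IFC_ADDR, raw.strip()))
        elif s["mapped"] == "interface" and s["proto"] is None:
            # Matches the ASA warning quoted later in the thread: a one-to-one
            # static on the interface address sends all inbound traffic to one
            # inside host and disables services terminating on that interface.
            # Per-port static PAT (tcp/udp form) exposes only the needed ports.
            findings.append((REDIRECTS_ALL_TRAFFIC, raw.strip()))
    return findings


if __name__ == "__main__":
    for code, line in lint_static_nat(SAMPLE_CONFIG):
        print(f"{code}: {line}")
```

Run against the sample it reports the literal-address static; swap that line for the accepted-solution form and it reports the redirect-everything caveat instead; swap in a tcp/udp static PAT and it is silent.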

Great! It's working.

But I would like to configure xxx.yyy.15.10 for my email traffic and xxx.yyy.15.11 for video conferencing. How am I supposed to do it now? What is the best way to configure this?

Thanks,

no static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255

Then add another static with the new port and new destination address. Example:

static (inside,outside) interface netmask 255.255.255.255

This is fine if we have just one protocol, but in my case I need to open tcp 3230-3238 and udp 3230-3258, and with PAT I can't use object groups. How can I resolve this? Thanks for the help!

First, I guess the way I sent you solved your problem, I mean static PAT?

Secondly, for VoIP and video you don't have to open these UDP ports. What you have to do first is make access lists and static PAT for the TCP signaling protocols only,

then make a policy inspection for that video traffic, for example H323.

If you are going to open all these UDP ports as you said, then you don't need a firewall, because this security will be so weak.

Thanks, and let me know if it worked.

Marwan

I totally agree with you, but this is a customer firewall and the management is asking me to open all these ports. How can I do this with just one IP address, xxx.yyy.15.10? If it's not possible, what will be the config if we get a second IP address?

Why, with ASA, is the command

static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255

not working and needs to be replaced with

static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

It's working on another ASA5510.

Thanks for the help!

About the static NAT: if you have a static IP address it is supposed to work, unless you have a DHCP address from your ISP; in that case the interface keyword is a must.

And about opening ports with PAT, could you send me the case in more detail and what the required result is?

This is what I need exactly to do:

I need to forward all HTTP, HTTPS, SMTP traffic to 10.100.50.72 and all the packets in the range of tcp 3230-3238, udp ports 3230-3258 and h323 to 10.100.50.70 (this is for video conferencing; it's not Cisco, not sure what kind).

We have just one IP address, xxx.yyy.15.10. Can I do this?

With my first config that I had posted neither one was working. When I replaced

static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255

with

static (inside,outside) interface 10.100.50.172 netmask 255.255.255.255

I got it working for 10.100.50.172.

Why the first one is not working here, I have no idea. It's working on another ASA5510.

Can I now forward the video conferencing traffic to 10.100.50.170?

Also, if it's not possible, what will be the config if we get a second IP address?

Thanks for the help!
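Since the single public address is the outside interface's own, the way to forward several services plus the video port ranges on this 8.0 syntax is one static PAT per port, each in the `static (inside,outside) tcp|udp interface <port> <host> <port>` form the earlier reply used for SMTP. Writing the 40-odd lines by hand is error-prone, so the following generator is an added example written for this thread, not code from the thread or from Cisco: the hosts, ports and h323 entry are taken from the posts above, 198.51.100.10 stands in for the redacted xxx.yyy.15.10, and the function names are my own.

```python
"""Expand per-host port forwards into ASA 8.0 static PAT lines and matching ACEs."""

# Constructed from the thread: one public address (the outside interface's),
# web/mail to 10.100.50.172, video-conferencing ports and h323 to 10.100.50.170.
# Port specs are either an ASA port name/number or an inclusive (lo, hi) range.
FORWARDS = [
    ("tcp", "www", "10.100.50.172"),
    ("tcp", "https", "10.100.50.172"),
    ("tcp", "smtp", "10.100.50.172"),
    ("tcp", "h323", "10.100.50.170"),
    ("tcp", (3230, 3238), "10.100.50.170"),
    ("udp", (3230, 3258), "10.100.50.170"),
]


def expand_ports(spec):
    """A named or single port stays as-is; an (lo, hi) tuple becomes every port in it."""
    if isinstance(spec, tuple):
        lo, hi = spec
        if lo > hi:
            raise ValueError(f"bad range {spec}")
        return [str(p) for p in range(lo, hi + 1)]
    return [str(spec)]


def static_pat_lines(forwards, real_ifc="inside", mapped_ifc="outside"):
    """One `static ... tcp|udp interface <port> <host> <port>` per port.

    The interface address is shared by every forward, so a (proto, port) pair
    can belong to only one inside host; a second host claiming it is rejected
    instead of silently shadowing the first.
    """
    owner, lines = {}, []
    for proto, spec, host in forwards:
        for port in expand_ports(spec):
            key = (proto, port)
            if key in owner:
                if owner[key] != host:
                    raise ValueError(f"{proto}/{port} already forwarded to {owner[key]}")
                continue                        # same host listed twice: no duplicate line
            owner[key] = host
            lines.append(f"static ({real_ifc},{mapped_ifc}) {proto} interface {port} "
                         f"{host} {port} netmask 255.255.255.255")
    return lines


def acl_lines(forwards, outside_ip, acl="out_in"):
    """Inbound ACEs for the same forwards; a range stays one `range lo hi` entry.

    The ACL matches the mapped (public) address, which here is the outside
    interface's address, written as `host <ip>` exactly as the posted config does.
    """
    lines = []
    for proto, spec, _host in forwards:
        match = f"range {spec[0]} {spec[1]}" if isinstance(spec, tuple) else f"eq {spec}"
        lines.append(f"access-list {acl} extended permit {proto} any host {outside_ip} {match}")
    return lines


if __name__ == "__main__":
    # 198.51.100.10 is a documentation-range stand-in for the redacted xxx.yyy.15.10.
    for line in acl_lines(FORWARDS, "198.51.100.10") + static_pat_lines(FORWARDS):
        print(line)
```

The output is meant to replace the single one-to-one `static (inside,outside) interface 10.100.50.172 ...` line, which would otherwise claim the whole address; only the ports listed in FORWARDS end up reachable from outside, and every extra range entry is visible as its own line in the config.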

I am not sure, but try this method and rate if helpful:

Make a NAMED ACL which contains in its ACEs

a source of any, and the destination should be 10.100.50.172,

and with the ACL entries make the http, https and range of udp and so on; make all the required entries.

Then

go to the static PAT stage,

remove the old one

and make a new one that should be like

static (inside, outside) xx.yyy access-list (ACL NAME)

and let me know.

This is what I'm getting when I try this:

ASA(config)# static (inside,outside) interface access-list ABC

WARNING: static redireting all traffics at outside interface;

WARNING: all services terminating at outside interface are disabled.

ERROR: Invalid netmask with interface option

What am I putting wrong? I tried with the netmask 255.255.255.255 option but I'm getting the same.

Try replacing the interface with the IP address you have and see what happens!

When I tried this I got:

RedRiverASA(config)# static (inside,outside) 209.155.15.10 access-list ABC

global address overlaps with mask

Usage: [no] static [(real_ifc, mapped_ifc)]

......

I tried also 209.155.15.11 and I get the same.
