smtp out and h.323 in

patrifick
Level 1

Dear support,

I wonder whether you can help me with small configuration changes to my firewall ASA 5505.

What I want to achieve is this:

1) I want to set up outgoing SMTP traffic so that it goes out only from one IP address, 10.1.5.4; no other traffic should be restricted, and it should go out as any, if that is possible.

2) We have a video conferencing device on the network, a Polycom VSX7000e, and I need to set up the firewall to pass the H.323 traffic to IP address 10.1.5.15.

3) Would you also be able to advise on a free syslog server where we can monitor the traffic on the firewall?

Thank you

Patrick Babic

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
names
name 10.1.4.4 ctxsvr01
name 10.1.4.5 itsvr
name 10.1.4.10 unicornsvr
name 10.1.4.12 blbsvr
name 10.1.4.13 exchsvr
name 10.1.5.4 barracuda
name 10.1.5.15 video-conferencing-unit
name 192.168.1.5 ctxdmz
name 62.253.196.178 outside
name 62.253.196.179 remote-outside-179
name 62.253.196.180 webmail-outside-180
name 62.253.196.181 connect-outside-181
name 62.253.196.182 unicorn-outside-182
name 62.253.196.184 sirsi-outside-184
name 62.253.196.185 blb-outside-185
name 62.253.196.188 streaming-outside-188
name 62.253.196.189 video-conferencing-outside-189
name 82.111.186.146 sdt-rdc
name 150.147.68.20 sirsi-1
name 193.110.143.20 sirsi-2
name 10.1.5.16 streaming-unit
name 192.168.1.1 dmz
name 62.253.196.186 email-outside-186
name 62.253.196.187 Logmein-outside-187
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.5.1 255.255.0.0
 ospf cost 10
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address dmz 255.255.255.0
 ospf cost 10
!
interface Vlan12
 nameif outside
 security-level 0
 ip address outside 255.255.255.240
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 12
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name chathamhouse.org.uk
object-group network sirsi-support
 network-object host sirsi-1
 network-object host sirsi-2
object-group service backup-exec tcp
 port-object eq 10000
 port-object eq 3106
 port-object eq 3527
 port-object eq 6101
 port-object eq 6103
 port-object eq 6106
object-group service barracuda-8000 tcp
 port-object eq 8000
object-group service blackberry-3101 tcp
 port-object eq 3101
object-group service citrix-session-reliability-2598 tcp
 port-object eq 2598
object-group service rdc-3389 tcp
 port-object eq 3389
object-group service sql-1433 tcp
 port-object eq 1433
object-group service streaming-1935 tcp
 port-object eq 1935
object-group service video-streaming-tcp-udp tcp
 port-object eq 3230
 port-object eq 3231
 port-object eq 3232
 port-object eq 3233
 port-object eq 3234
 port-object eq 3235
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_1
 network-object host remote-outside-179
 network-object host webmail-outside-180
object-group network DM_INLINE_NETWORK_2
 network-object host unicorn-outside-182
 network-object host email-outside-186
object-group service DM_INLINE_TCP_1 tcp
 port-object eq h323
 group-object video-streaming-tcp-udp
 group-object streaming-1935
object-group service Reuters udp
 port-object eq 10202
 port-object eq 10302
 port-object eq 9876
access-list outside_access_in extended permit tcp any any object-group rdc-3389
access-list outside_access_in extended permit tcp any host blbsvr object-group blackberry-3101
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list outside_access_in extended permit tcp any host blbsvr eq ssh
access-list outside_access_in extended permit tcp any host ctxdmz eq ftp
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 eq www
access-list outside_access_in extended permit tcp any host outside eq smtp
access-list outside_access_in remark SQL
access-list outside_access_in extended permit tcp any any object-group sql-1433
access-list outside_access_in extended permit tcp any host video-conferencing-outside-189 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any any object-group backup-exec
access-list outside_access_in extended permit udp any any object-group Reuters
access-list outside_access_in extended permit tcp any host streaming-unit eq nntp
access-list dmz_access_in extended permit ip any any
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group rdp
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq www
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 eq citrix-ica
access-list dmz_access_in extended permit tcp host ctxdmz 10.1.0.0 255.255.0.0 object-group citrix-session-reliability-2598
access-list dmz_access_in extended permit object-group TCPUDP host ctxdmz 10.1.0.0 255.255.0.0 eq domain
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 host ctxdmz
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp remote-outside-179 https ctxdmz https netmask 255.255.255.255
static (inside,outside) tcp connect-outside-181 3389 itsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp interface ssh barracuda ssh netmask 255.255.255.255
static (inside,outside) tcp blb-outside-185 3101 blbsvr 3101 netmask 255.255.255.255
static (inside,outside) tcp unicorn-outside-182 www unicornsvr www netmask 255.255.255.255
static (inside,outside) tcp streaming-outside-188 1935 streaming-unit 1935 netmask 255.255.255.255
static (inside,outside) tcp webmail-outside-180 https exchsvr https netmask 255.255.255.255
static (inside,outside) tcp email-outside-186 www exchsvr www netmask 255.255.255.255
static (inside,outside) tcp Logmein-outside-187 nntp streaming-unit nntp netmask 255.255.255.255
static (inside,outside) tcp sirsi-outside-184 3389 unicornsvr 3389 netmask 255.255.255.255
static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255
static (dmz,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 62.253.196.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.0.0 255.255.0.0 inside
http sdt-rdc 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
smtp-server 10.1.4.13
prompt hostname context
Cryptochecksum:87d40342041882f3775cd7f31750f0fc
: end


Jennifer Halim
Cisco Employee

1) For your SMTP requirement:

access-list inside_access_in line 1 extended permit tcp host 10.1.5.4 any eq 25
access-list inside_access_in line 2 extended deny tcp any any eq 25

2) You would need to know what protocol/port Polycom uses for the H323 connection. You have configured just TCP port redirection for TCP/1720. Moreover, there are limitations with static port address translation, so you might want to change the following static statement to 1:1 NAT:

Change from:

static (inside,outside) tcp video-conferencing-outside-189 h323 video-conferencing-unit h323 netmask 255.255.255.255

To:

static (inside,outside) video-conferencing-outside-189 video-conferencing-unit netmask 255.255.255.255

How is it failing? Does call signaling work? No video? No audio?

3) I believe there is a free version of Kiwi Syslog Server.

Hope that helps.
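To make the two points in the reply above concrete, here is a small Python model, added for illustration and not taken from the thread or from Cisco. It mimics how an ASA walks an interface ACL top-down (first match wins, with an implicit deny at the end), which is why the SMTP permit and deny have to sit at line 1 and 2 ahead of the existing "permit ip any any", and it contrasts the port-redirect static (which covers TCP/1720 only) with the 1:1 static (which covers every protocol and port on that address). Addresses and ports come from the config posted in the thread; 203.0.113.25 is a constructed remote host, and the matching logic is deliberately reduced to protocol, source host, destination host and destination port (no object-groups or subnet masks beyond "any").

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Ace:
    """One access-list entry, in the reduced form this model understands."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: str               # "any" or a single host address
    dst: str               # "any" or a single host address
    dport: Optional[int]   # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def evaluate(acl: List[Ace], p: Packet) -> str:
    """Walk the ACL top-down; the first matching entry decides.
    No match at all means the ASA's implicit deny at the end of the list."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# inside_access_in as the reply orders it: the two SMTP lines inserted at
# line 1 and line 2, ahead of the existing "permit ip any any".
ACL_FIXED = [
    Ace("permit", "tcp", "10.1.5.4", "any", 25),    # barracuda may send mail
    Ace("deny",   "tcp", "any",      "any", 25),    # nobody else may
    Ace("permit", "ip",  "any",      "any", None),  # everything else unchanged
]

# The same two lines appended *after* "permit ip any any" instead: the broad
# permit matches first, so the SMTP restriction is never reached.
ACL_SHADOWED = [ACL_FIXED[2], ACL_FIXED[0], ACL_FIXED[1]]


@dataclass(frozen=True)
class Static:
    """A static NAT entry as seen from the outside interface."""
    global_ip: str
    local_ip: str
    proto: Optional[str] = None   # None: 1:1 static, every protocol and port
    port: Optional[int] = None    # the single redirected port for static PAT

    def translate_inbound(self, p: Packet) -> Optional[Tuple[str, int]]:
        """Inside (address, port) an inbound packet is delivered to,
        or None when this entry does not cover it."""
        if p.dst != self.global_ip:
            return None
        if self.proto is None:               # 1:1 static: any protocol, port kept
            return (self.local_ip, p.dport)
        if p.proto == self.proto and p.dport == self.port:
            return (self.local_ip, self.port)
        return None                          # static PAT covers one port only


# "static (inside,outside) tcp video-conferencing-outside-189 h323
#  video-conferencing-unit h323": only TCP/1720 is redirected.
PAT_H323 = Static("62.253.196.189", "10.1.5.15", proto="tcp", port=1720)
# "static (inside,outside) video-conferencing-outside-189
#  video-conferencing-unit": the whole address is mapped.
ONE_TO_ONE = Static("62.253.196.189", "10.1.5.15")

OUTSIDE_HOST = "203.0.113.25"   # constructed remote address for the demo


def demo() -> List[str]:
    """Human-readable summary of the cases above, returned so it can be checked."""
    lines = []
    for label, acl in (("fixed", ACL_FIXED), ("shadowed", ACL_SHADOWED)):
        for src in ("10.1.5.4", "10.1.4.13"):      # barracuda, exchsvr
            verdict = evaluate(acl, Packet("tcp", src, OUTSIDE_HOST, 25))
            lines.append(f"{label:8} smtp from {src:10} -> {verdict}")
    # TCP/1720 is the h323 port in the static; TCP/3230 is the first port of the
    # thread's video-streaming-tcp-udp group; UDP/1719 is H.225 RAS.
    for label, rule in (("static PAT", PAT_H323), ("1:1 static", ONE_TO_ONE)):
        for proto, port in (("tcp", 1720), ("tcp", 3230), ("udp", 1719)):
            hit = rule.translate_inbound(Packet(proto, OUTSIDE_HOST, rule.global_ip, port))
            lines.append(f"{label} {proto}/{port} -> {hit}")
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running it prints a permit for 10.1.5.4 and a deny for any other inside host on port 25 under the ordering the reply gives, and a permit for everyone under the shadowed ordering, which is the mistake to look for if mail still leaves from other hosts. For the NAT half, the port-redirect static returns None for anything but TCP/1720, while the 1:1 static translates every port; note that the translation only decides where the packet goes, and the posted outside_access_in still has to permit the port (it currently permits only the TCP ports in DM_INLINE_TCP_1 to that address), so the ACL is a separate check from the NAT.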

Hi,

Thanks for the advice.

1) I have set up the SMTP and it works.

2) My colleague who is dealing with VC is not in today (holiday), so once he comes back we will be testing it.

3) I will check the Kiwi server.

Can you please keep the ticket open until we test the VC?

Thanks

Patrick

This is not TAC, just a forum between Cisco networking professionals.

Please open a TAC case if you require assistance from a TAC engineer.
