09-01-2010 03:24 PM - edited 03-05-2019 06:43 AM
I have an ASA 5505 v7.2(2)
Can someone please clarify this for me.
Setting: static (inside,outside) XXX.XXX.XXX.XXX 192.168.16.3 netmask 255.255.255.255
Result: Cisco VPN Client can connect and smtp traffic does not pass
Setting: static (inside,outside) interface 192.168.16.3 netmask 255.255.255.255
Result: smtp traffic passes but VPN Clients can't connect.
I have way more time into this than I would like to admit.
Thank you,
Mike
09-01-2010 03:47 PM
If the interface IP is used in a 1-to-1 NAT with an inside host then the IPSEC session will be forwarded to that inside address; I'm assuming your email server. If you only have one public IP you can try a PAT (Port Address Translation) instead. If you are using version 8.2 or older try something like this:
static (inside,outside) tcp XXX.XXX.XXX.XXX 25 192.168.16.3 25 netmask 255.255.255.255
Chris
09-01-2010 07:11 PM
Chris
Thank you for your post. What Static Routes would I have to add to get the Cisco VPN client IPSEC/UDP working?
Thanks again,
Mike
09-01-2010 07:29 PM
Mike,
That should fix both problems. Keep in mind these are not static routes; they are static translations on the ASA. Static routes are in reference to setting a next hop at the IP (network) layer versus translating a public address to a private address.
The translation above will forward TCP port 25 to your mail server. The ASA interface won't need a translation and will be listening for IKE (UDP port 500) and IPSEC (UDP port 4500 and ESP protocol number 50).
If you could spare a dedicated public IP for your mail server it would work out better; especially since reverse DNS is so critical in regard to the helo message your mail server sends at connection establishment. If these don't match your traffic will often be deemed spam.
Chris
09-01-2010 07:46 PM
Chris,
You are correct, dropping my old static route and using static translation for SMTP and other services did get everything flowing. I just finished testing. We have a block of 5 IPs so I should be able to dedicate 1 to mail traffic.
Thank you again for your fast and accurate response.
-Mike
09-02-2010 10:27 AM
Chris,
I thought I had this beat last night. Sadly not! Can you please have a peek at my config file. I'm signing up for classes as soon as I can, this is driving me nuts.
Thank you,
Mike
: Saved
:
ASA Version 7.2(2)
!
hostname NutmegASA
domain-name default.domain.invalid
enable password ************* encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.28.13 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ****************** encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list fw extended permit tcp any any eq pop3
access-list fw extended permit tcp any any eq imap4
access-list fw extended permit tcp any any eq https
access-list fw extended permit tcp any any eq smtp
access-list fw extended permit tcp any any eq 4125
access-list inside_nat0_outbound extended permit ip any 172.16.116.96 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ippool 172.16.116.100-172.16.116.109 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XXX.XXX.28.13 smtp 192.168.16.3 smtp netmask 255.255.255.255
access-group fw in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.28.14 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server DefaultRAGroup protocol radius
aaa-server DefaultRAGroup host 192.168.16.3
timeout 5
key D1gital!
group-policy NutmegVPNgrp internal
group-policy NutmegVPNgrp attributes
wins-server value 192.168.16.3
dns-server value 192.168.16.3
vpn-tunnel-protocol IPSec
username nutmegadmin password *********** encrypted privilege 15
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group NutmegVPNgrp type ipsec-ra
tunnel-group NutmegVPNgrp general-attributes
address-pool ippool
authentication-server-group DefaultRAGroup
default-group-policy NutmegVPNgrp
tunnel-group NutmegVPNgrp ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:******************
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
end
09-02-2010 11:52 AM
Mike,
Is it mail, IPSEC or something else that's not working? If it's a mail problem is it sending mail or receiving mail that is troublesome?
Another thing to attempt with the static command is to use the keyword 'interface' if it will let you with PAT; I can't recall.
static (inside,outside) tcp interface 25 192.168.16.3 25 netmask 255.255.255.255
Chris
09-02-2010 01:40 PM
Hi Chris.
SMTP Inbound is the issue with the current config. I will test the Interface vs IP.
Thank you,
Mike
09-07-2010 05:31 AM
Chris,
The keyword interface was usable, but SMTP inbound traffic was blocked as soon as I applied the PAT.
Thank you,
Mike
09-07-2010 05:40 AM
Hello,
What is the FQDN address for your mail server? If it is not pointing to the interface IP, then it will not work. Also, you need to make sure that outside devices are contacting your mail server on port 25 alone. Do you have any mail relay on the outside through which you are getting the mails? Can you check the port settings and make sure that we are configuring the correct port here?
Regards,
NT
09-07-2010 06:45 AM
Chris,
It was my access-list. I used the "interface outside" instead of "any" and it worked.
Wrong entry - access-list fw extended permit tcp any any eq smtp
Working Entry - access-list fw extended permit tcp any interface outside eq smtp
Thank you for your quick replies and knowledge; without it I would probably be bashing my head against an old monster CRT.
-Mike
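Added example (my own Python, not part of the thread and not a Cisco tool): a small checker for pre-8.3 ASA (7.x/8.2) static NAT/PAT lines that flags the two pitfalls this thread walked through, Chris's point that a 1-to-1 static on the outside interface address forwards IKE/ESP to the inside host so VPN clients cannot reach the ASA, and the final fix that the outside access-list must permit the mapped (public-side) address and port. The config fragment, the 203.0.113.0/29 addresses standing in for the masked public block, and the static/ACL lines are constructed; the parser only handles the address forms that appear in this thread (any, host, interface, address/mask).

```python
import ipaddress

# Constructed fragment in the shape of the 7.2 config above (203.0.113.0/29 is a
# documentation range used in place of the real, masked public block).
BASE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.16.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.13 255.255.255.248
access-group fw in interface outside
crypto isakmp enable outside
"""

PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "https": 443, "www": 80}


def port_number(tok):
    """Map an ASA port keyword or numeric string to an integer."""
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_addr(tok):
    """Consume one ACL address spec: any | host A | interface IF | A MASK."""
    if tok[0] == "any":
        return ("any", None), tok[1:]
    if tok[0] in ("host", "interface"):
        return (tok[0], tok[1]), tok[2:]
    return ("net", ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)), tok[2:]


def parse_config(text):
    """Pull interface IPs, statics, extended permit ACEs, access-groups and isakmp state."""
    cfg = {"if_ip": {}, "statics": [], "acls": {}, "groups": {}, "isakmp": set()}
    cur = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = None
        elif tok[0] == "nameif":
            cur = tok[1]
        elif tok[:2] == ["ip", "address"] and cur:
            cfg["if_ip"][cur] = tok[2]
        elif tok[0] == "static":
            _real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):  # per-port static PAT
                st = dict(mapped_if=mapped_if, proto=tok[2], mapped=tok[3],
                          port=port_number(tok[4]), real=tok[5], line=raw.strip())
            else:  # 1-to-1 static NAT
                st = dict(mapped_if=mapped_if, proto=None, mapped=tok[2],
                          port=None, real=tok[3], line=raw.strip())
            cfg["statics"].append(st)
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            _src, rest = parse_addr(tok[5:])
            dst, rest = parse_addr(rest)
            port = port_number(rest[1]) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(tok[1], []).append({"proto": tok[4], "dst": dst, "port": port})
        elif tok[0] == "access-group":  # access-group NAME in interface IF
            cfg["groups"][tok[4]] = tok[1]
        elif tok[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp"].add(tok[3])
    return cfg


def dst_covers(dst, mapped_if, mapped_ip):
    """Does an ACE destination spec include the mapped (public) address?"""
    kind, val = dst
    if kind == "any":
        return True
    if kind == "host":
        return val == mapped_ip
    if kind == "interface":
        return val == mapped_if
    return ipaddress.ip_address(mapped_ip) in val


def audit(text):
    """Return findings for the static NAT/PAT lines of a pre-8.3 ASA config."""
    cfg = parse_config(text)
    findings = []
    for st in cfg["statics"]:
        if_ip = cfg["if_ip"].get(st["mapped_if"])
        mapped_ip = if_ip if st["mapped"] == "interface" else st["mapped"]
        # Pitfall 1: a 1-to-1 static on the interface address also forwards
        # IKE (UDP 500/4500) and ESP to the inside host, so remote-access VPN
        # clients can no longer reach the ASA itself.
        if st["proto"] is None and mapped_ip == if_ip and st["mapped_if"] in cfg["isakmp"]:
            findings.append(f"VPN_CONFLICT: {st['line']}")
            continue
        # Pitfall 2: before 8.3 the outside ACL matches the mapped address, so
        # some permit entry must cover this mapped address and port.
        acl = cfg["acls"].get(cfg["groups"].get(st["mapped_if"], ""), [])
        permitted = any(
            (st["proto"] is None or e["proto"] in (st["proto"], "ip"))
            and (st["port"] is None or e["port"] in (None, st["port"]))
            and dst_covers(e["dst"], st["mapped_if"], mapped_ip)
            for e in acl)
        if not permitted:
            findings.append(f"NO_ACL_PERMIT: {st['line']}")
    return findings


if __name__ == "__main__":
    sample = BASE_CONFIG + "access-list fw extended permit tcp any any eq smtp\n" \
        "static (inside,outside) interface 192.168.16.3 netmask 255.255.255.255\n"
    print(audit(sample))
```

Feeding the first post's `static (inside,outside) interface 192.168.16.3 ...` line through `audit` reports the VPN conflict; the per-port `static (inside,outside) tcp interface 25 192.168.16.3 25 ...` form passes as long as the `fw` access-list carries a permit for TCP 25 to the interface address, and a 1-to-1 static on a separate address in the block (the dedicated mail IP Chris suggested) passes without touching the VPN at all.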