Opening Ports on ASA 5505

Answered Question
Dec 27th, 2010

I need to open ports 25, 993, 995, 443 and 465 to set up MS Exchange. I don't have an in-house IT guy, and this seems pretty straightforward in theory, but I can't figure it out and need help.

Correct Answer
hobbe Tue, 12/28/2010 - 03:28

Actually, it all depends.

You have not given enough information in your post for us to help you.

BUT I will try to show you how to do it.

If you only want the answer, go to -----------------------

but there might be a thing or two to make you think about stuff if you read this too.

OK, here is what I think. It's harsh and non-sugarcoated, but honest and in the best of intentions.

First of all, people like yourself (now I am generalising, so do not take it personally) have no idea what they are doing and why.

That means that they open up too much or the wrong things and get hacked/botnet/virus and so on. And all for what?

To save a buck, just to lose it and then some on cleanup costs after being hacked instead?

It's all good and well to want to try things yourself, but the real issue is to learn why things need to be done in certain ways.

Things are very easy to do today when it comes to the actual doing. There is a lot of info on the Internet, you can go to websites such as this and get the answer on how to do it, and the web interfaces are quite capable, but the question is actually not how, that's easy, but why, and how it impacts the big picture of the security at the site.

These are the reasons why you should have professionals doing the work, or at least a discussion with them.

----------------------------------------------

You need to do two things, but since I do not know your setup I will have to generalize a bit.

For example, I do not know what version of software you have, so I will give you the answer for version 8.2.

I do not know your setup or IP addresses (nor do I want to, this is an open channel that anyone can read).

First you need a static,

then an access-list to let the traffic through,

then an access-group to add the access-list to the correct interface and direction of the traffic.

It looks something like this, but you will have to change it so that it works in your environment.

static (inside,outside) tcp interface 25 192.168.1.100 25 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any interface outside eq 25

access-group outside_access_in in interface outside

Broken-down explanation:

static is the command

(inside,outside) the interfaces

tcp = protocol to use (could be e.g. udp, icmp or ip and so on)

interface = the interface IP address; this is a little special, you can replace this with an IP address (not the interface IP address)

25 = the receiving port

192.168.1.100 = the destination, i.e. in your case the Exchange server

25 = the destination port on the Exchange server

netmask 255.255.255.255 = this is for one address only.

access-list outside_access_in extended permit tcp any interface outside eq 25

Broken-down explanation:

access-list = this is the command
outside_access_in = this is the name of the access-list, only one per direction on the interface
extended = this is an extended access-list
permit = this traffic will be allowed
tcp = traffic protocol
any = from any address
interface outside = to the interface address of outside
eq = equal = this destination port only
25 = the TCP destination port

access-group outside_access_in in interface outside

Broken-down explanation:

access-group = the command
outside_access_in = the access-list name to apply
in = the direction of traffic, incoming or outgoing
interface outside = the interface the access-list is to be applied to.

Do not forget, only one access-list per interface, so if you have one already you must add to that instead of making a new one.

This is the link to the command reference on version 8.2

Good luck

HTH
tonywilliamson1318 Tue, 12/28/2010 - 07:39

I appreciate your candidness and decided to bring in a Certified Cisco Engineer. It is definitely over my head and I want it done right. Sometimes you have to try, but recognize when knowledge and experience are required. I'm there. Thanks.

Correct Answer
hobbe Tue, 12/28/2010 - 08:35

You are most welcome.

Thank you for the rating.

It's never wrong to want to learn more things, it's all good!

Sometimes it's hard to know what questions to ask so that the results come out the best way.

What is it that you are trying to do?

Are you trying to have the users connect from home or another place?

Maybe a VPN client would be a safer choice?

Or maybe the Exchange webmail?

Just a thought.

HTH

tonywilliamson1318 Tue, 12/28/2010 - 08:49

I'm trying to configure Exchange Server running on Windows Small Business Server 2003.  The Exchange guy told me to open up 5 ports.  I thought I could just jump in and do it but little did I know.

hobbe Tue, 12/28/2010 - 09:47

OK, let's see here.

I would think that you would need to open port 25 from the Internet; this is so that anyone can send you email. And maybe 443 if you want webmail.

Right about here it would be good, I think, to point out that as a general rule one wants to put any server facing the Internet out on a DMZ. In the case of SBS that is just not possible; however, if/when you are thinking of getting a mail filter you can put that on a DMZ, leading the mail into the Exchange server from the Internet.

The other ports are:

Port 993 = IMAP4 over SSL

Port 995 = POP3 over SSL

http://support.microsoft.com/kb/176466

Port 465 = SMTPS (secure SMTP / SMTP over SSL)

It seems to me that they are all for users that are connecting from another place.

If I were you I would at least take a look at whether you could use the Cisco VPN client. Together with webmail I think you can get quite far with that.

And as a bonus you can get other services up and running in a secure way.

As a general rule, the fewer ports you open from the Internet to your servers the better.

And PS, if you do not have a syslog server, then I would recommend taking a look at it, or at least talking it over with the person you are to consult with.

Best of luck

HTH
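Added example, not part of the thread and not hobbe's config: the static / access-list / access-group triple from the answer above, written out for all five ports the Exchange consultant asked for, plus a small audit that checks the things the answer warns about (every static has a matching permit, no dangling permits, and only one access-group per interface and direction). The sample config is constructed here in the 8.2 syntax shown in the answer; 192.168.1.100 is the placeholder address from the answer, not a real host. The parser is deliberately narrow: it understands only the `any`/`host` source, `interface <if>`/`host` destination and `eq <port>` forms used in the thread, and it ignores ACE ordering and deny lines, which a real audit would have to honour.

```python
"""Sanity-check the static / access-list / access-group triple on an ASA 8.2 config.

Constructed example for the thread above (not hobbe's config); 192.168.1.100 is
the placeholder Exchange address from the answer.
"""
import re
from collections import defaultdict

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<glob_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<glob_addr>\S+) (?P<glob_port>\d+) (?P<real_addr>\S+) (?P<real_port>\d+) "
    r"netmask (?P<mask>\S+)$"
)
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+) (?P<dst>interface \w+|host \S+) eq (?P<port>\d+)$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\w+)$")

# Constructed sample: the five ports from the thread, all forwarded to the
# placeholder Exchange address, in the 8.2 syntax the answer shows for port 25.
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 25 192.168.1.100 25 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.100 443 netmask 255.255.255.255
static (inside,outside) tcp interface 465 192.168.1.100 465 netmask 255.255.255.255
static (inside,outside) tcp interface 993 192.168.1.100 993 netmask 255.255.255.255
static (inside,outside) tcp interface 995 192.168.1.100 995 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 443
access-list outside_access_in extended permit tcp any interface outside eq 465
access-list outside_access_in extended permit tcp any interface outside eq 993
access-list outside_access_in extended permit tcp any interface outside eq 995
access-group outside_access_in in interface outside
"""


def parse(config):
    """Split a config into the static, ACE and access-group lines we understand."""
    statics, aces, groups = [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if (m := STATIC_RE.match(line)):
            statics.append(m.groupdict())
        elif (m := ACE_RE.match(line)):
            aces.append(m.groupdict())
        elif (m := GROUP_RE.match(line)):
            groups.append(m.groupdict())
    return statics, aces, groups


def inventory(config):
    """Return (ACLs bound per interface/direction, permitted ports, translated ports, ACL names)."""
    statics, aces, groups = parse(config)
    bound = defaultdict(list)      # (iface, dir) -> ACL names applied there
    permitted = defaultdict(set)   # (iface, proto) -> ports permitted inbound to the interface address
    translated = defaultdict(set)  # (iface, proto) -> ports a static maps from the interface address
    for g in groups:
        bound[(g["iface"], g["dir"])].append(g["name"])
        if g["dir"] != "in":
            continue
        for a in aces:  # only ACEs in an ACL that is actually bound inbound count
            if (a["name"] == g["name"] and a["action"] == "permit"
                    and a["dst"] == f"interface {g['iface']}"):
                permitted[(g["iface"], a["proto"])].add(int(a["port"]))
    for s in statics:
        if s["glob_addr"] == "interface":
            translated[(s["glob_if"], s["proto"])].add(int(s["glob_port"]))
    return bound, permitted, translated, {a["name"] for a in aces}


def exposed_ports(config, iface="outside", proto="tcp"):
    """Ports actually reachable on that interface: translated AND permitted."""
    _, permitted, translated, _ = inventory(config)
    return permitted[(iface, proto)] & translated[(iface, proto)]


def audit(config):
    """Return a list of findings; an empty list means the triple is consistent."""
    bound, permitted, translated, acl_names = inventory(config)
    findings = []
    for (iface, direction), names in bound.items():
        if len(names) > 1:  # the answer's caveat: one ACL per interface and direction
            findings.append(f"{iface}/{direction}: more than one access-group ({', '.join(names)}); "
                            "a second access-group replaces the first, extend the existing list instead")
    for key in sorted(set(permitted) | set(translated)):
        iface, proto = key
        for port in sorted(translated[key] - permitted[key]):
            findings.append(f"{iface}: static for {proto}/{port} has no permit ACE in the inbound ACL, "
                            "so the connection is dropped")
        for port in sorted(permitted[key] - translated[key]):
            findings.append(f"{iface}: ACE permits {proto}/{port} to the interface address but no "
                            "static translates it; remove the ACE rather than leave a dangling permit")
    for name in sorted(acl_names - {n for names in bound.values() for n in names}):
        findings.append(f"access-list {name} is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    print("exposed:", sorted(exposed_ports(SAMPLE_CONFIG)))
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show running-config` dump instead of SAMPLE_CONFIG to see which ports are really reachable from the outside; that reachable set, not the list the consultant handed over, is what the "fewer ports the better" rule should be applied to.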

Posted December 27, 2010 at 1:41 PM