ASA5510 how to open port 25

Edward Luna
Level 1

Hello

We have an ASA5510 that we need to open port 25 to allow mail traffic to our internal Exchange server.

We have 2 interfaces defined... one named Internal on eth0/3 ip 10.1.x.x and one named Internet on eth 0/0 ip 96.56.x.x

We followed the instructions in ASDM for allowing access to a public server but confusion over definitions have stopped us.

ASDM asks for the internal interface and the internal server IP... no problem there because the internal interface and server have two different IP addresses.  The Internal interface is eth 0/3 (10.1.1.1) and the server is 10.1.1.2.

However, when we get to the External interface (eth 0/1) there is only a single IP address 96.56.x.x but the ASDM asks for an Interface IP and the IP people would use to get to the mail server from the outside.  Inasmuch as we have only 1 external IP address (which connects to our upstream Cisco router which in turn connects to the ISP modem) we used the same IP for both but the ASDM returns an error indicating they must be different.

Apparently we do not have a clear understanding of what the ASDM is actually asking for.  When the ASDM asks for the external interface we assumed it was asking for the named value we gave the interface (which is Internet).  The named value "Internet" has an ip associated with it 96.56.x.x.  But when the ASDM asks for the ip people on the outside would use to get to the mail server (we created a named value called "mail server" and gave it the same ip address as the external named value).  This duplication of ip address causes the ASDM to return the error stating that the external Interface to be used and the external ip to be used cannot be the same.

Have we made an error when we assumed that when the ASDM asked for the external interface it meant the ip of the external interface or was it asking for the eth number (as in eth 0/0) for the interface? 

Thanks  

33 Replies

JohnTylerPearce
Level 7

Personally, I don't use the ASDM because IMO I think it sucks donkey. Don't take that the wrong way by any means, I started learning about ASA's via the ASDM, but switched to command line only, unless something is just way easier to configure via ASDM.

It sounds like you just want access from the outside to your internal Exchange Server.

Configure the ACE entry on the ACL that is assigned to your outside interface in this case.

access-list outside_access_in extended permit tcp any host x.x.x.x 25

This will allow anything from the outside to access your exchange server via port 25. You can also change this, so you're only allowing specific users or everyone from the outside.

You have to define NAT... if it's the latest version, check the real IP concept on the Cisco website.

Hello guys

Sorry... but I am totally lost.  I have read everything I can find... and I've watched the video but I'm no closer to opening the ports I need to open.  The ASDM is very confusing in that it appears to function backwards from what I need to do. It looks like you define NAT for the internal to external but I need to forward any data received on the external (port 25) to my Exchange server on my internal network. 

The CLI instructions in the video apply to version 8.3 which is very different from my version which is 8.2.

I have no preference one way or the other... I am equally unfamiliar with ASDM and CLI so either will work for me but I need painfully specific step by step instructions.  Please don't assume that I know anything about the Cisco Appliance or the configuration utilities because I don't.

Thanks in advance.

Ed

Hi Ed,

If you can log on to the CLI and do "sh run" and then paste that configuration over here. Mention the private IP on the server and the external IP for NAT.

Someone will type in the rest of the configuration you need for it to work over here and then you can copy-paste it in.

Manish ;-)

Thank you so much... that will be very helpful.

Private ip of server is 10.1.1.2

External ip is 96.56.127.171

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name smsbconsulting
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 96.56.127.169 Gateway description Default gateway
!
interface Ethernet0/0
description Static IP external interface
nameif Internet
security-level 0
ip address 96.56.127.171 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif Internal
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name smsbconsulting
same-security-traffic permit intra-interface
object-group network inside-net
access-list Internal_access_out remark Outgoing
access-list Internal_access_out extended permit ip any any
access-list Internet_access_in extended permit tcp any interface Internal eq smtp
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu Internal 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Internet) 101 interface
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
access-group Internet_access_in in interface Internet
access-group Internal_access_out out interface Internal
route Internet 0.0.0.0 0.0.0.0 Gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.5-10.1.1.199 Internal
dhcpd dns 167.206.254.2 167.206.254.1 interface Internal
dhcpd domain smsbconsulting.local interface Internal
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:65f39ed3a92a8f8f3f11e9e9bef72dc9
: end

asa#conf t

asa(config)# no access-list Internet_access_in extended permit tcp any interface Internal eq smtp

asa(config)#access-list Internet_access_in extended permit tcp any host 96.56.127.171 eq smtp

asa(config)#exit

asa#exit

Manish

Thanks a million.

I'll try it as soon as I get to the office in the morning.

Thanks again.

Ed

I tried the commands above but I still don't have access.

I can ping the mail server ip (which is the external ip of the asa) but that's all.

I tried adding a second access list entry for telnet but I can't connect with telnet either.

Do I need to add access rules in addition to access lists?

Any suggestions would be greatly appreciated.

Ed

Hi,

you must change this also:

no static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

static (Internal,Internet) tcp interface Internet smtp 10.1.1.2 netmask 255.255.255.255

Regards.

Alain

Don't forget to rate helpful posts.

error on second static command... Invalid Hostname

I changed the static command

from.... static (Internal,Internet) tcp interface Internet smtp 10.1.1.2 netmask 255.255.255.255

To......  static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255

Now the command doesn't result in an error... but I don't know if it is working yet.

I'll post the results shortly.

Hi, 

My bad, I did this from memory but my mind seems rusted.

static (Internal,Internet) tcp interface  smtp 10.1.1.2 smtp netmask 255.255.255.255

Regards.

Alain

Don't forget to rate helpful posts.
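As an added example (not from any poster in this thread), a Python check for the pre-8.3 rule that Manish's ACL fix and Alain's static correction both depend on: on ASA 8.2 the inbound ACE on the outside interface must permit the mapped (global) address and port that the static PAT publishes, not the inside interface or the real host. The sample config is constructed from the lines of the thread's "sh run"; the function names and the PORT_NAMES table are my own.

```python
import re
# Constructed sample, not the thread's full "sh run": the 8.2(5) lines that matter
# for the port-25 forward, with the original ACE pointing at the Internal interface.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif Internet
 ip address 96.56.127.171 255.255.255.248
interface Ethernet0/3
 nameif Internal
 ip address 10.1.1.1 255.255.255.0
access-list Internet_access_in extended permit tcp any interface Internal eq smtp
static (Internal,Internet) tcp interface smtp 10.1.1.2 smtp netmask 255.255.255.255
access-group Internet_access_in in interface Internet
"""
# The same lines with the corrected ACE from the thread (dest = mapped outside address).
FIXED_CONFIG = BROKEN_CONFIG.replace("interface Internal eq smtp", "host 96.56.127.171 eq smtp")
PORT_NAMES = {"smtp": "25", "25": "25"}  # only the service this thread is about

def interface_ips(cfg):
    """Map nameif -> address so that 'interface <nameif>' in static/ACL lines can be resolved."""
    ips, nameif = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) ", line)) and nameif:
            ips[nameif] = m.group(1)
    return ips

def check_port_forward(cfg, real_ip, port):
    """Pre-8.3 rule: the ACL applied inbound on the mapped interface must permit the MAPPED address/port."""
    ips, port, problems = interface_ips(cfg), PORT_NAMES[port], []
    # static (real_if,mapped_if) tcp {mapped_ip|interface} mapped_port real_ip real_port netmask ...
    pat = re.search(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) %s (\S+) netmask"
                    % re.escape(real_ip), cfg, re.M)
    if not pat:
        return ["no static PAT found for %s" % real_ip]
    mapped_if, mapped_host, mport = pat.group(2), pat.group(3), pat.group(4)
    mapped_ip = ips.get(mapped_if) if mapped_host == "interface" else mapped_host
    if PORT_NAMES.get(mport) != port:
        problems.append("static maps port %s, not %s" % (mport, port))
    grp = re.search(r"^access-group (\S+) in interface %s$" % mapped_if, cfg, re.M)
    if not grp:
        return problems + ["no inbound ACL applied on %s" % mapped_if]
    aces = re.findall(r"^access-list %s extended permit tcp \S+ (host (\S+)|interface (\S+)) eq (\S+)"
                      % grp.group(1), cfg, re.M)
    if not [a for a in aces if PORT_NAMES.get(a[3]) == port
            and (a[1] == mapped_ip or a[2] == mapped_if)]:
        problems.append("ACL %s never permits mapped %s (%s) port %s; destinations seen: %s"
                        % (grp.group(1), mapped_ip, mapped_if, port, [a[0] for a in aces]))
    return problems
```

Run against the original paste it reports the ACE aimed at "interface Internal"; against the corrected ACE (or one written as "interface Internet") it returns no problems.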

Well... no joy... I still can't get through the Cisco asa5510 from the outside.

All mail functions are normal from inside the network and I can even send emails out.  I just can't connect to the mail server from the outside.

I tried to telnet into port 25 from the external interface but no good.

Is there any way I can see why the ASA is blocking the connection?  An error log anyplace?

Thanks
