Allow Exchange server (SMTP) through ASA 8.2(5)

Please help me! Tomorrow I have to go to a client site and configure the firewall just to allow the Exchange server's traffic through it.

I am CCIE Routing & Switching certified, but I do not have enough hands-on experience with the ASA.

Here is the running configuration of the firewall:

QLC-11-FW-1# sh run
: Saved
:
ASA Version 8.2(5) 
!
hostname QLC-11-FW-1
enable password 42Vosoeb.xpDtu0m encrypted
passwd 42Vosoeb.xpDtu0m encrypted
names
name 10.10.128.0 Guest
name 10.10.129.0 Guest_Wirless
name 10.10.0.0 Internal_Networks
!
interface Ethernet0/0
 description " Connection to BB-1 Gi2/5 "
 nameif outside
 security-level 0
 ip address 10.10.102.254 255.255.255.0 
!
interface Ethernet0/1
 description " Connection to BB-1 Gi2/3 "
 nameif inside
 security-level 100
 ip address 10.10.101.254 255.255.255.0 
!
interface Ethernet0/2
 description " Connection to BB-1 Gi2/7 "
 nameif DMZ
 security-level 50
 ip address 10.10.103.254 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
object-group network Guests
 network-object Guest 255.255.255.0
 network-object Guest_Wirless 255.255.255.0
object-group service Guest_services
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp eq www 
 service-object tcp eq https 
 service-object udp eq domain 
access-list splitTunnelAcl standard permit Internal_Networks 255.255.0.0 
access-list outside_in extended permit icmp any any 
access-list ips_traffic extended permit ip any any 
access-list inside_access_in extended permit object-group Guest_services object-group Guests any 
access-list inside_access_in extended deny ip object-group Guests any 
access-list inside_access_in extended permit ip Internal_Networks 255.255.0.0 any 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool ra_users 10.10.104.10-10.10.104.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.102.250 1
route inside Internal_Networks 255.255.0.0 10.10.101.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http Internal_Networks 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set remote esp-des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ra_dynamic 10 set transform-set remote
crypto map ra 10 ipsec-isakmp dynamic ra_dynamic
crypto map ra interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh Internal_Networks 255.255.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GP internal
group-policy GP attributes
 dns-server value 212.77.192.60
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
username admin password gXmhyPjHxCEshixG encrypted privilege 15
username ahmed password vDClM3sGVs2igaOA encrypted
tunnel-group GP type remote-access
tunnel-group GP general-attributes
 address-pool ra_users
 default-group-policy GP
tunnel-group GP ipsec-attributes
 pre-shared-key *****
!
class-map ips_traffic_class
 match access-list ips_traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
 class ips_traffic_class
  ips inline fail-open
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:57e5e9b117c38869a93a645f88309571
: end

Thank you

Accepted Solutions

So I don't see any NAT configuration here, so I'm assuming this is either a private WAN or you have a router upstream doing NAT? If no NAT is required on the ASA then it should be as simple as

access-list outside_in extended permit tcp any host mail-server eq smtp
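
The rule from the answer shown in context, as an added example that is not part of the original reply: the posted configuration has no `name` entry for `mail-server`, so the name has to be defined before the ACL line will be accepted. The address 10.10.103.25 and the test source 203.0.113.10 are placeholders, not values from the thread.

```cisco
! Added example, not from the thread.
! 10.10.103.25 is a placeholder for the Exchange server's real address;
! 203.0.113.10 is a constructed test source address.
configure terminal
! "names" is enabled in the posted config, but no "mail-server" name exists yet.
name 10.10.103.25 mail-server
! Inbound SMTP to that single host only (the line from the answer).
access-list outside_in extended permit tcp any host mail-server eq smtp
! No new access-group is needed: outside_in is already applied with
! "access-group outside_in in interface outside".
end
! Verify that the new entry is present in the ACL.
show access-list outside_in
! Simulate an inbound SMTP connection and check that the final action is allow.
packet-tracer input outside tcp 203.0.113.10 1025 10.10.103.25 25
```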
