
New Member

ACL help on ASA5505

I tried to set up my Cisco ASA 5505 (Version 7.1(1)) @ my own office.

LAN --> ASA --> ADSL router --> Internet

I need to go from outside any to inside 192.168.1.5 eq (www and https)

I need to go from outside any to inside 192.168.1.5 eq (pptp and gre)

(I am not sure if it should go to 192.168.1.5 or 192.168.1.9) I need to go from outside any to inside 192.168.1.4 eq (smtp)

My overall network:

ADSL modem (200.0.0.169/29), which is connected to the ASA outside VLAN2 (200.0.0.170/29), which is then connected to the ASA inside VLAN1 (192.168.1.1/24)

200.0.0.169/29 - DSL modem

200.0.0.170/29 - cisco ASA (LAN IP: 192.168.1.1/24)

200.0.0.171/29 - exchange and VPN (LAN IP: 192.168.1.5/24)

no public IP - MAIL FILTER server (LAN IP: 192.168.1.9/24)

25 REPLIES

Re: ACL help on ASA5505

Hi Victor

MrHusy here from experts-exchange. Your internet problem is solved in EE; let's handle your second problem here :)

I see in your config that you have following route

route outside 0.0.0.0 0.0.0.0 209.112.47.170

but your interface IP is 200.0.0.170/29. So this route does not work.

You should either configure your DSL modem in bridged mode and assign the public ip to ASA interface, or add the following route in ASA

route outside 0.0.0.0 0.0.0.0 200.0.0.170/29

And forward port 25 in DSL modem to 200.0.0.171

Or, forward all ports in DSL modem to interface IP (some modems call this forwarding type BIMAP) of ASA 200.0.0.170 then add the following to your config

static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq smtp

Regards

New Member

Re: ACL help on ASA5505

Thank you for your reply.

I have updated the following in my ASA:

- route outside 0.0.0.0 0.0.0.0 200.0.0.170 1

- static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255

- access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp

Please let me know if I have made any mistake, and whether this also fixes my OWA.

Currently still facing the VPN problem to the 200.0.0.171 server.

New Member

Re: ACL help on ASA5505

If your ADSL router is 200.0.0.169, the default route on the ASA should point at that i.e.

route outside 0.0.0.0 0.0.0.0 200.0.0.169

Re: ACL help on ASA5505

John is right, I got confused. Do the following modification:

no route outside 0.0.0.0 0.0.0.0 200.0.0.170

route outside 0.0.0.0 0.0.0.0 200.0.0.169

Did you do port forwarding in the modem?

New Member

Re: ACL help on ASA5505

Thanks for all the inputs, it's always good to hear something back from the experts.

I am not sure how to do the port forwarding for my modem yet, so I have to look into that. Actually, is there another workaround for that?

Any idea regarding the Windows VPN access to 200.0.0.171?

Re: ACL help on ASA5505

The following link contains a huge list of port forwarding instructions for routers/modems. Choose yours and follow the steps:

http://www.portforward.com/english/routers/port_forwarding/routerindex.htm

What do you mean by VPN access to 200.0.0.171?

New Member

Re: ACL help on ASA5505

When I am @ home, I would need to VPN into my company's network, with IP 200.0.0.171, and then connect to any internal servers.

Actually, it works when I VPN into our network if I use 200.0.0.172 instead of 200.0.0.171, and all I have to change are the following 2 access-lists:

FROM

access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp

TO

access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.172 eq pptp

FROM

access-list outside_access_in extended permit gre any host 200.0.0.171

TO

access-list outside_access_in extended permit gre any host 200.0.0.172

But we would like to allow users to VPN into the network with 200.0.0.171, any ideas? I am wondering if this

static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255

Re: ACL help on ASA5505

So 192.168.1.3 is running RRAS or ISA as a VPN server?

New Member

Re: ACL help on ASA5505

RRAS is on both 192.168.1.3 and 192.168.1.5; both servers are domain controllers.

Currently we have another firewall and users can VPN into our network with 200.0.0.171

Please let me know if you have any idea.

Much appreciated

Re: ACL help on ASA5505

static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.3 pptp netmask 255.255.255.255

static (inside,outside) tcp 200.0.0.171 gre 192.168.1.3 gre netmask 255.255.255.255

And leave the access-lists that are applied to 200.0.0.171. Don't change them to 200.0.0.172.

New Member

Re: ACL help on ASA5505

Correct me if I am wrong, but am I supposed to add the following instead?

static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255

static (inside,outside) tcp 200.0.0.171 gre 192.168.1.5 gre netmask 255.255.255.255

since I don't want 192.168.1.3 to have anything to do with the VPN anymore, as we are planning to remove this server very soon.

Please advise.

Re: ACL help on ASA5505

You are correct. I thought 1.3 was active.

New Member

Re: ACL help on ASA5505

asa5505(config)# static (inside,outside) tcp 200.0.0.171 gre ?

ERROR: % Unrecognized command

<0-65535> Enter port number (0 - 65535)

aol

bgp

chargen

cifs

citrix-ica

cmd

ctiqbe

daytime

discard

domain

echo

exec

finger

ftp

ftp-data

gopher

h323

hostname

http

https

ident

imap4

Please advise.

Re: ACL help on ASA5505

Hmm, don't forward gre, it is an IP protocol. Check if it is working without gre.

New Member

Re: ACL help on ASA5505

Please let me know if there is any incorrect configuration; I will try to test it out tonight, during off hours.

ASA Version 7.2(1)

!

hostname asa5505

domain-name mydomain.com

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 200.0.0.170 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

no nameif

no security-level

no ip address

!

passwd xxx

level

ftp mode passive

dns server-group DefaultDNS

domain-name mydomain.com

dns server-group DefaultDNSsunrpc

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit gre any host 200.0.0.171

access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https

access-list outside_access_in extended permit udp any host 200.0.0.173

access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp

access-list outside_access_in extended permit tcp any interface outside eq smtp

pager lines 24

mtu inside 1500

mtu outside 1500

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255

static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255

static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255

static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255

static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255

static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 200.0.0.179 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: ACL help on ASA5505

route outside 0.0.0.0 0.0.0.0 200.0.0.179

should be

route outside 0.0.0.0 0.0.0.0 200.0.0.169

and we'd better dedicate 171 to 5. Apply the following please:

no static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255

no static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255

no static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255

static (inside,outside) 200.0.0.171 192.168.1.5 netmask 255.255.255.255

access-list outside_access_in permit gre any host 200.0.0.171

New Member

Re: ACL help on ASA5505

Thanks husycisco, I will give this a try tonight; here I have made the changes accordingly.

ASA Version 7.2(1)

!

hostname asa5505

domain-name mydomain.com

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 200.0.0.170 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

no nameif

no security-level

no ip address

!

interface Ethernet0/0

switchport access vlan 2

no nameif

no security-level

no ip address

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name mydomain.com

dns server-group DefaultDNSsunrpc

object-group service dynamictcp tcp

port-object range 1024 65535

object-group service timetcp udp

port-object eq ntp

access-list outside_access_in extended permit icmp any any echo-reply

access-list outside_access_in extended permit gre any host 200.0.0.171

access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https

access-list outside_access_in extended permit udp any host 200.0.0.173

access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp

access-list outside_access_in extended permit tcp any interface outside eq smtp

pager lines 24

mtu inside 1500

mtu outside 1500

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255

static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255

static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255

static (inside,outside) 200.0.0.171 192.168.1.5 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 200.0.0.169 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.33 inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect pptp

inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: ACL help on ASA5505

You are welcome. Config looks OK.

Good luck

New Member

Re: ACL help on ASA5505

With the config above, I have no internet/smtp/VPN/OWA, nothing works.

I then added all my previous inside ACLs and applied

access-group inside_access_in in interface inside

I am then back to the point where I have internet working, but not smtp/VPN/OWA.

I found that on my old config, internet works if I have either:

route outside 0.0.0.0 0.0.0.0 200.0.0.169 1

OR

route outside 0.0.0.0 0.0.0.0 200.0.0.170 1

and internet still works.

I have attached my current config, any advice will help.

Thank you.

Re: ACL help on ASA5505

Believe me, there is no difference between the config in the post above and the config in the attachment that can affect internet connectivity etc. An ACL grouped to the inside interface is just for filtering outbound connections; by default, traffic from the inside interface (higher security level) to the outside interface (lower security level) is already permitted. Maybe you did not run clear xlate, clear route and clear arp for the config to really take effect, or didn't renew the IP addresses of the inside clients.

"route outside 0.0.0.0 0.0.0.0 200.0.0.169 1

OR

route outside 0.0.0.0 0.0.0.0 200.0.0.170 1

and internet still works."

Doesn't make sense. You are missing something on the modem side in my opinion. Maybe your modem has an additional IP configured as 0.170 which conflicts with the ASA interface.

Did you forward necessary ports to related IPs in your modem?

You better configure your modem in bridged mode or ask your ISP to configure it.

Regards

New Member

Re: ACL help on ASA5505

Thank you again.

I called the ISP and confirmed that our modem was in bridged mode already and nothing is blocking it.

I will try it again tomorrow morning with:

clear xlate

clear arp

clear route

I mean my configuration looks fine and I will see how things go.

Re: ACL help on ASA5505

Perfect, now we have resolved the issue. If the modem was already configured in bridged mode, that means you have to assign a real IP to the outside interface.

Assuming that 209.112.47.170 is your gateway, please ask your ISP for your IP network. It must be a network that covers 209.112.47.170. Then you will add the following route and configure your outside interface with a real IP like 209.112.47.171:

route outside 0.0.0.0 0.0.0.0 209.112.47.170

Regards

New Member

Re: ACL help on ASA5505

Now you got me confused, should I use:

route outside 0.0.0.0 0.0.0.0 200.0.0.170 1

or

route outside 0.0.0.0 0.0.0.0 200.0.0.169 1

Please verify, since I will be doing this tonight.

New Member

Re: ACL help on ASA5505

Internet connection, Outlook Web Access and VPN are all UP !!!!

Only incoming smtp has to be fixed, and here is the syslog:

4|Dec 21 2007|02:52:18|106023|213.22.82.144|200.0.0.171|Deny tcp src outside:213.22.82.144/4870 dst inside:200.0.0.171/25 by access-group "outside_access_in" [0x0, 0x0]

4|Dec 21 2007|02:52:18|106023|211.172.54.68|200.0.0.171|Deny tcp src outside:211.172.54.68/15519 dst inside:200.0.0.171/25 by access-group "outside_access_in" [0x0, 0x0]

4|Dec 21 2007|03:20:33|106023|211.136.107.165|200.0.0.171|Deny tcp src outside:211.136.107.165/1874 dst inside:200.0.0.171/53 by access-group "outside_access_in" [0x0, 0x0]

I found that if I change the following:

access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp

We do get incoming emails, but it then bypasses our Mail Filter Server (192.168.1.9), therefore we get all the junk mail.

Any input will help.

Thank you.
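An added example, not code from the thread or from Cisco: a small Python checker that parses the 106023 deny lines quoted above and reports, against the ACEs and statics from the posted config, why SMTP to 200.0.0.171 is dropped and which inside host the one-to-one static would deliver it to if the ACE were simply added (the filter bypass the poster describes). It also illustrates MrHusy's earlier point that on this ASA release an ACE must name the public side of the matching static. The sample log lines are constructed from the quoted syslog; first-match static selection and the port-name table are assumptions of this example.

```python
import re

# Added example (not from the thread): correlate %ASA-4-106023 deny lines with the inbound ACL
# and statics from the posted ASA 7.2 config (pre-8.3 NAT syntax). On that release an inbound
# ACL matches the *mapped* (public) address; "interface outside" is the outside VLAN 200.0.0.170.
OUTSIDE_IF = "200.0.0.170"
PORTS = {"www": 80, "https": 443, "pptp": 1723, "smtp": 25}  # assumed name->number table
ACL = [  # relevant ACEs copied from the posted running config
    "access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https",
    "access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp",
    "access-list outside_access_in extended permit tcp any interface outside eq smtp",
]
STATICS = [  # (public, port or None for one-to-one, inside) in configuration order
    (OUTSIDE_IF, 25, "192.168.1.9"),      # static (inside,outside) tcp interface smtp 192.168.1.9 smtp
    ("200.0.0.171", None, "192.168.1.5"),  # static (inside,outside) 200.0.0.171 192.168.1.5
]
SAMPLE_LOGS = [  # constructed from the syslog lines quoted in the thread
    "4|Dec 21 2007|02:52:18|106023|213.22.82.144|200.0.0.171|Deny tcp src outside:213.22.82.144/4870 "
    "dst inside:200.0.0.171/25 by access-group \"outside_access_in\" [0x0, 0x0]",
    "4|Dec 21 2007|03:20:33|106023|211.136.107.165|200.0.0.171|Deny tcp src outside:211.136.107.165/1874 "
    "dst inside:200.0.0.171/53 by access-group \"outside_access_in\" [0x0, 0x0]",
]
ACE_RE = re.compile(r"permit (\w+) any (?:host (\S+)|interface outside) eq (\S+)$")
DENY_RE = re.compile(r"\|106023\|.*Deny (\w+) src outside:(\S+)/\d+ dst inside:(\S+)/(\d+)")

def parse_ace(line):
    """(proto, mapped_host, port) for a simple 'permit ... eq' ACE, else None."""
    m = ACE_RE.search(line)
    return (m[1], m[2] or OUTSIDE_IF, int(PORTS.get(m[3], m[3]))) if m else None

def parse_deny(line):
    """Fields of one pipe-delimited 106023 line, or None for any other message."""
    m = DENY_RE.search(line)
    return {"proto": m[1], "src": m[2], "dst": m[3], "dport": int(m[4])} if m else None

def inside_target(dst, dport, statics=STATICS):
    """Inside host of the first static whose public side covers dst:dport (first match assumed)."""
    return next((ins for pub, port, ins in statics if pub == dst and port in (None, dport)), None)

def explain(line, acl=ACL):
    """Which ACE would have permitted the denied flow, or why none did and where it would land."""
    d = parse_deny(line)
    if d is None:
        return "not a 106023 deny"
    aces = [a for a in map(parse_ace, acl) if a]
    hit = [a for a in aces if a == (d["proto"], d["dst"], d["dport"])]
    if hit:
        return f"permitted by ACE for {hit[0][1]}:{hit[0][2]}"
    elsewhere = [a[1] for a in aces if a[2] == d["dport"]]
    tail = f"; port {d['dport']} is only permitted to {elsewhere[0]}" if elsewhere else ""
    return f"no ACE for {d['dst']}:{d['dport']} (static would send it to {inside_target(d['dst'], d['dport'])}){tail}"
```

Running `explain` over `SAMPLE_LOGS` shows the SMTP denies land on the one-to-one static to 192.168.1.5, i.e. Exchange rather than the 192.168.1.9 filter, which is why the ACE alone is not the fix.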

Re: ACL help on ASA5505

Please post your current running config.
