10-08-2008 11:32 AM - edited 03-11-2019 06:54 AM
I'm having some problems getting my ASA5505 running like I want it to. To be clear, this is my first ever Cisco firewall. My experience is with Juniper and Watchguard.
The DMZ is just for future's sake. For now the email server runs in the internal network here at home.
I want the email server to be published on ports smtp and https.
I used ASDM to configure my device but there are some strange things going on here and I have no idea why.
The publishing seems to work because I can access the server from the outside world, but the ASA sometimes, not all the time but sometimes, starts blocking internal network traffic! How is that even possible, since it should not even be routed through the gateway?
The problem can be DNS, MS remote desktop, Exchange server connection, file sharing. So I messed up something really badly here.
Some help needed here.
The configuration is as follows:
ASA Version 7.2(4)
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.128
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.X
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.128
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server mars
domain-name nixadmins.net
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
access-list outside_access_in extended permit tcp any host mail object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.128 10.10.10.0 255.255.255.128 log disable
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.128 any log disable
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.128 10.10.10.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Default 10.10.10.81-10.10.10.90 mask 255.255.255.128
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 mail-X.X.X.X netmask 255.255.255.X
global (outside) 2 webmail netmask 255.255.255.255
global (outside) 3 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 3 0.0.0.0 0.0.0.0
static (inside,inside) tcp mars https mail https netmask 255.255.255.255
static (inside,inside) tcp mars smtp mail smtp netmask 255.255.255.255
static (inside,outside) tcp mail https mars https netmask 255.255.255.255
static (inside,outside) tcp mail smtp mars smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server NixadminsAD protocol nt
aaa-server NixadminsAD (inside) host mars
nt-auth-domain-controller mars
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.0 255.255.255.128 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no vpn-addr-assign local
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
10-08-2008 02:27 PM
Hi ..I am not too sure what you are trying to achieve ..
global (outside) 1 mail-X.X.X.X netmask 255.255.255.X <- What are you trying to achieve here ? there is no corresponding nat ID (1) for this entry
global (outside) 2 webmail netmask 255.255.255.255 <- What are you trying to achieve here ? there is no corresponding nat ID (2) for this entry
global (outside) 3 interface
nat (inside) 0 access-list inside_nat0_outbound <- what are you trying to achieve here ?
nat (inside) 3 0.0.0.0 0.0.0.0 (This together with the access-list applied to the inside interface will allow outbound access from inside to be translated to the IP of the outside interface)
static (inside,inside) tcp mars https mail https netmask 255.255.255.255 <- what are you trying to achieve here ?
static (inside,inside) tcp mars smtp mail smtp netmask 255.255.255.255 <- what are you trying to achieve here ?
static (inside,outside) tcp mail https mars https netmask 255.255.255.255 (here you are using port forwarding for inbound traffic hitting mail on port 443 to be redirected to mars on port 443)
static (inside,outside) tcp mail smtp mars smtp netmask 255.255.255.255 (as above but using port 25)
Basically you need to specify what you want to achieve first and then we can work out the configuration.
I hope it helps .. please rate helpful posts
10-08-2008 11:06 PM
The config is from ASDM. And I'm guessing there is a lot wrong there. So instead of looking at that, what I need is the following.
Interfaces Outside, Inside and DMZ.
ASA to NAT everything outgoing.
I have five static IPs and one of them is for the ASA's SSL VPN (34), one for the mail server (35).
The mail server is in the internal network, not the DMZ, because it's a Domain Controller also. So I need ports 443 (https) and 25 (smtp) redirected to the inside when coming to the outside IP X.X.X.35.
I'm guessing from your "What are you trying to achieve here" lines that I should dump the config and start over. And also, since that is ASDM-generated source, I might be better off doing this through the CLI so I get the hang of it.
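As an added illustration (not the poster's config and not a Cisco-supplied one), here is a minimal ASA 7.2 NAT layout for the requirement stated above: NAT everything outbound to the outside interface address, publish only 443 and 25 of the public mail address to the inside server, and pair every global with a nat of the same ID, which is the point the reply above makes about the orphan globals 1 and 2. It assumes X.X.X.35 is the public mail address and "mars" the inside server, as in the thread.

```cisco
! Outbound PAT: one global, one nat, same ID. A global with no matching
! nat ID (IDs 1 and 2 in the posted config) is never used.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Inbound publishing: static (real_ifc,mapped_ifc) tcp mapped_ip mapped_port real_ip real_port
! Only the two published ports of X.X.X.35 (assumed placeholder) reach mars.
! No (inside,inside) statics: they are not needed for inbound publishing.
static (inside,outside) tcp X.X.X.35 https mars https netmask 255.255.255.255
static (inside,outside) tcp X.X.X.35 smtp mars smtp netmask 255.255.255.255
!
! Outside ACL: on ASA releases before 8.3 the outside ACL matches the
! mapped (public) address, so permit only the two published ports to it.
access-list outside_access_in extended permit tcp any host X.X.X.35 eq https
access-list outside_access_in extended permit tcp any host X.X.X.35 eq smtp
access-group outside_access_in in interface outside
!
! No inside ACL is applied: traffic from security-level 100 to lower
! levels is allowed by default, so the posted inside_access_in, which
! only permits everything, adds nothing.
```

Compare the result with `show xlate` and `show nat` to confirm that only the two statics and the interface PAT appear.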
10-09-2008 12:19 AM
And to make it more clear, here is an image of it.