ASA5505 Configuration issue

Hi Guys,


I’m trying to configure my ASA 5505 to allow my inbound and outbound mail communications. With this message I’ve attached a diagram which illustrates my exact network setup along with IP addresses.


In this setup I’ve enabled port forwarding on my ADSL router (ports 25 and 110) and configured the ASA accordingly, and my mail server is located inside my network.


My problem is that currently I can send mail from my inside network to the outside, but I’m not receiving any mail that originates from outside. I’ve attached my current ASA configuration as well.


Can someone assist me with this request?




/////////////////////////


Final config on ASA5505




hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.155.201 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 30.0.0.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any inactive
access-list outside_access_in extended permit tcp any host 30.0.0.10 eq smtp
access-list outside_access_in extended permit tcp any host 30.0.0.10 eq pop3
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 30.0.0.50 smtp 192.168.155.3 smtp netmask 255.255.255.255 (this ip is not used anywhere in the asa or network)
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 30.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.155.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.155.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e05333a5df17af9d37e5415caeb89daf
: end
ciscoasa#




Thanks,

suthakar


Julio Carvajal
VIP Alumni

Hello Suthakar,

After checking your configuration I can see the following:

static (inside,outside) tcp 30.0.0.50 smtp 192.168.155.3 smtp netmask 255.255.255.255 (this ip is not used anywhere in the asa or network)

What do you mean by that??

I mean what is the ip address of the SMTP server?? 192.168.155.3 right?

We need to do a static NAT or port forwarding based on that IP and then allow access to that server, to allow inbound connections from a higher to a lower security level when NAT control is enabled.

So the static is fine, but the ACL is wrong. It should be like this:

access-list permit outside_access_in tcp any host 30.30.0.50 eq 25

access-list permit outside_access_in tcp any host 30.30.0.50 eq 110

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

I've used 30.0.0.50, because obviously you can put a one-to-one static NAT to the same interface IP (30.0.0.10), right?

And 192.168.155.3 is the SMTP server.

Further, I've used the ACL given above as well (access-list permit outside_access_in tcp any host 30.30.0.50 eq 25, access-list permit outside_access_in tcp any host 30.30.0.50 eq 110), but I still have the same issue.

Regards,

Suthakar

Hello,

In the configuration you provided we cannot see the following line:

access-list permit outside_access_in tcp any host 30.30.0.50 eq 110

But if you say it is there, you've got to be right.

So let's do the following packet-tracer and see the result; then, based on that, we will create some captures:

packet-tracer input outside tcp 4.2.2.2 1025 30.30.0.50 25

Regards,

Do please rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
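As an added example (not from the thread and not Cisco's own guidance), here is the static PAT and ACL pair written in the same pre-8.3 NAT syntax the posted config uses, with the addresses made consistent: the posted static maps 30.0.0.50, the ACL lines suggested in the replies use 30.30.0.50, and the ACL lines already in the config point at the interface address 30.0.0.10, so none of the three agree. It assumes 192.168.155.3 is the mail server (as confirmed above), that the ADSL router forwards TCP 25 and 110 to the address chosen on the ASA, and that the ASA runs a pre-8.3 release, which the global/nat/static lines imply.

```cisco
! Added example, not the poster's running config. Pre-8.3 NAT syntax, as on the page.
! Mail server: 192.168.155.3 (inside). Mapped outside address: 30.0.0.50, in the same
! /24 as the outside interface (30.0.0.10), so the ASA answers ARP for it on Vlan2.
!
! 1. The existing outside ACL entries reference 30.0.0.10, but no static maps that
!    address, so they never match the translated flow. Remove them.
no access-list outside_access_in extended permit tcp any host 30.0.0.10 eq smtp
no access-list outside_access_in extended permit tcp any host 30.0.0.10 eq pop3
!
! 2. One static PAT per forwarded service. The posted config only had the smtp entry;
!    without a pop3 static, TCP/110 arriving from outside has no translation.
static (inside,outside) tcp 30.0.0.50 smtp 192.168.155.3 smtp netmask 255.255.255.255
static (inside,outside) tcp 30.0.0.50 pop3 192.168.155.3 pop3 netmask 255.255.255.255
!
! 3. Permit only those two ports, and only to the mapped address. On pre-8.3 code the
!    interface ACL is evaluated against the translated (outside) address, not the
!    real inside one, and the host must be the one the static uses (30.0.0.50, not
!    30.30.0.50 as typed in the replies).
access-list outside_access_in extended permit tcp any host 30.0.0.50 eq smtp
access-list outside_access_in extended permit tcp any host 30.0.0.50 eq pop3
access-group outside_access_in in interface outside
!
! Alternative if the ADSL router forwards to the ASA's own outside address instead:
! use the keyword "interface" in place of 30.0.0.50 in the static lines and keep the
! ACL entries on 30.0.0.10, e.g.
!   static (inside,outside) tcp interface smtp 192.168.155.3 smtp netmask 255.255.255.255
!
! 4. Verify the inbound path before taking captures (source IP and port are arbitrary):
! packet-tracer input outside tcp 4.2.2.2 1025 30.0.0.50 25
! Every phase should report ALLOW; a DROP in the NAT or ACCESS-LIST phase points at
! the address mismatch above.
```

Whichever outside address is chosen, the port-forward on the ADSL router has to target that same address, or the packets never reach the ASA in the first place.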