ASA5505 Newbie, T1 interface multiple public IPs

thomas.estes
Level 1

I am trying to set up our ASA5505 on our T1. I have the outside interface set up on xx.xx.170.18 (the first open public IP). We want non-encrypted SMTP traffic to flow from this IP to the mail server at 192.168.1.50. Then I want encrypted mail on our next available public IP, xx.xx.170.20, to come into the ASA5505 and route to 192.168.1.30 via SMTP port 25 also. I am stumped, though, as to how to accomplish this. Do I need an additional "outside" interface for the other public IP? There is one T1 line; can that "line" have two IP addresses?

Thanks for the help.

25 Replies

I think I told you this previously as well, but you want to write your ACLs to be more specific than any.

access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply

You had; I have just been so paranoid about email not flowing in that I did not want to change them.

No probs, what you have in your config should work fine for the second smtp server.

Last time (hopefully).

Since I am paranoid and skeptical.

Here is my config that I hope will allow traffic from our two different public IPs to one interface, both on port 25.

Result of the command: "show running-config"

interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
prompt hostname context
Cryptochecksum:1f035eed7192c5ef42cf50d5e477e8d3
: end

That's a lot of pressure, haha, but yes it looks fine.

Thank you so very much.

If you are ever anywhere near Ohio, let me know and I will buy you a round of drinks!

Also, not to complicate matters, but if you are not going to use .18 for anything other than 192.168.1.50, then you can remove all those statics and just do one:

no static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
no static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
no static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
no static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
no static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255

I just might, but I don't know if you'd be able to buy a Steelers fan drinks.

kk

Did that; below are the results:

interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
prompt hostname context
Cryptochecksum:aeb680ce0caab7808916b2340f8eee7a
: end

Looks good. Now if you need another port for .18, instead of adding another static like before, you just have to allow it in the ACL. Looks much cleaner too. Enjoy.
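As an added check, not code from the thread or from Cisco, here is a small Python audit that parses the relevant static, access-list and access-group lines of a pre-8.3 ASA config and joins them the way the firewall does: an inbound connection to a public address is accepted only if the ACL bound to outside permits it and a static translation exists for that address and port. The sample lines are constructed from the before/after configs posted above (with the 9850 and 1677 entries dropped for brevity); the function and key names are my own. It shows why no second outside interface is needed (x.x.170.20 is simply a second mapped address in the same /29, which the ASA answers ARP for because of the static) and, more importantly, the trade-off behind the last reply: once the per-port statics on .18 are collapsed into one 1:1 static, the ACL is the only thing standing between the Internet and 192.168.1.50, so a stray permit line that was harmless before (no translation behind it) now opens a port. On ASA 8.3 and later the NAT syntax is object-based and interface ACLs match on the real (inside) address, so this parser applies only to the 8.2-style config shown.

```python
"""Added example (not from the thread): join the 'static' NAT lines of a pre-8.3
Cisco ASA config with the ACL bound to 'outside' and report Internet exposure."""
from collections import defaultdict

# Constructed from the thread's configs (x.x.170.x keeps the poster's redaction); the
# 9850/1677 entries are dropped for brevity.  Before: port statics; after: one 1:1 static.
HEADER = """
interface Vlan2
 nameif outside
 ip address x.x.170.18 255.255.255.248
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
access-group out2in in interface outside
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
"""
SAMPLE_BEFORE = HEADER + """
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
"""
SAMPLE_AFTER = HEADER + """
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
"""
PORT_NAMES = {"smtp": 25, "https": 443, "http": 80, "www": 80, "ssh": 22, "ftp": 21}

def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]  # unknown name fails loud

def parse_static(tok):
    # static (real_if,mapped_if) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask ...
    if tok[2] in ("tcp", "udp"):
        return {"proto": tok[2], "mapped": tok[3], "mapped_port": port_number(tok[4]),
                "real": tok[5], "real_port": port_number(tok[6])}
    return {"proto": None, "mapped": tok[2], "mapped_port": None, "real": tok[3], "real_port": None}

def take_addr(tok, i):
    # address spec is 'any' | 'host A' | 'A MASK'; returns (spec, next index)
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def parse_ace(tok):
    # access-list NAME extended permit|deny PROTO SRC DST [eq PORT | icmp-type]
    src, i = take_addr(tok, 5)
    dst, i = take_addr(tok, i)
    port = port_number(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "port": port}

def parse_config(text):
    outside_ip, in_outside, statics, acls, bound = None, False, [], defaultdict(list), {}
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "interface":
            in_outside = False
        elif tok[:2] == ["nameif", "outside"]:
            in_outside = True
        elif in_outside and tok[:2] == ["ip", "address"]:
            outside_ip = tok[2]  # what the 'interface' keyword in a static resolves to
        elif tok[0] == "static":
            statics.append(parse_static(tok))
        elif tok[0] == "access-list" and tok[2] == "extended":
            acls[tok[1]].append(parse_ace(tok))
        elif tok[0] == "access-group" and tok[2] == "in":
            bound[tok[4]] = tok[1]  # interface name -> inbound ACL name
    return outside_ip, statics, acls, bound

def mapped_addr(s, outside_ip):
    return outside_ip if s["mapped"] == "interface" else s["mapped"]

def static_matches(s, ace, outside_ip):
    if ace["dst"] not in ("any", mapped_addr(s, outside_ip)):
        return False
    if s["proto"] is None:  # 1:1 static: every port and protocol translates
        return True
    return s["proto"] == ace["proto"] and ace["port"] in (None, s["mapped_port"])

def audit(text):
    """Map each outside permit to the static behind it; also report dead ACEs and unreachable statics."""
    outside_ip, statics, acls, bound = parse_config(text)
    exposed, dead, used = [], [], set()
    for ace in acls.get(bound.get("outside"), []):
        if ace["action"] != "permit" or ace["proto"] not in ("tcp", "udp"):
            continue
        hits = [(n, s) for n, s in enumerate(statics) if static_matches(s, ace, outside_ip)]
        if not hits:
            dead.append(ace)  # permitted on the outside, but nothing translates it: unreachable
        for n, s in hits:
            used.add(n)
            one_to_one = s["proto"] is None
            kind = "1:1 static (ACL is the only gate)" if one_to_one else "port static"
            exposed.append((mapped_addr(s, outside_ip), ace["proto"], ace["port"], s["real"],
                            ace["port"] if one_to_one else s["real_port"], kind))
    blocked = [s for n, s in enumerate(statics) if n not in used]  # translated but never permitted
    return {"exposed": exposed, "dead_aces": dead, "blocked_statics": blocked}
```

Calling audit(SAMPLE_BEFORE) and audit(SAMPLE_AFTER) gives the same four exposed (public IP, port, inside host) rows, which is why the reply above says the collapsed config "looks fine". Appending one extra line such as `access-list out2in extended permit tcp any host x.x.170.18 eq 3389` to each sample shows the difference: under the port statics it lands in dead_aces and nothing is reachable, under the single 1:1 static it becomes a fifth exposed row straight to 192.168.1.50. Review the ACL with that in mind whenever the 1:1 form is used.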

Thanks again for all of your help.

One last question.

So that I am not relying on the kindness of strangers to help me, and for my own edification, can you recommend any good books that would cover my last couple of questions?

Thanks!

I don't have any myself, but people usually mention the Cisco Press books... some may even be on the shelf at your local Borders/Barnes and Noble.

http://www.ciscopress.com/bookstore/product.asp?isbn=1587052091&rl=1
