06-08-2007 07:14 AM - edited 03-11-2019 03:27 AM
I am trying to set up our ASA5505 on our T1. I have the outside interface set up on xx.xx.170.18 (the first open public IP). We want non-encrypted SMTP traffic to flow from this IP to the mail server at 192.168.1.50. Then I want encrypted mail on our next available public IP, xx.xx.170.20, to come into the ASA5505 and route to 192.168.1.30, also via SMTP port 25. I am stumped, though, as to how to accomplish this. Do I need an additional "outside" interface for the other public IP? There is 1 T1 line; can that "line" have 2 IP addresses?
Thanks for the help.
06-08-2007 10:41 AM
I think I told you this previously as well, but you want to write your ACLs to be more specific than any.
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
06-08-2007 10:44 AM
You had; I have just been so paranoid about email not flowing in that I did not want to change them.
06-08-2007 10:45 AM
No probs, what you have in your config should work fine for the second smtp server.
06-08-2007 10:59 AM
Last time (hopefully).
Since I am paranoid and skeptical.
Here is my config, which I hope will allow traffic from our 2 different public IPs to one interface, both on port 25.
Result of the command: "show running-config"
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
prompt hostname context
Cryptochecksum:1f035eed7192c5ef42cf50d5e477e8d3
: end
06-08-2007 11:02 AM
That's a lot of pressure, haha, but yes it looks fine.
06-08-2007 11:05 AM
Thank you so very much.
If you are ever anywhere near Ohio, let me know and I will buy you a round of drinks!
06-08-2007 11:07 AM
Also, not to complicate matters, but if you are not going to use .18 for anything other than 192.168.1.50, then you can remove all those statics and just do one.
no static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
no static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
no static (inside,outside) tcp interface 1677 192.168.1.50 1677 netmask 255.255.255.255
no static (inside,outside) tcp interface 7205 192.168.1.50 7205 netmask 255.255.255.255
no static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
I just might, but I don't know if you'd be able to buy a Steeler fan drinks.
06-08-2007 11:14 AM
kk
did that, below are the results:
interface Vlan1
 mac-address 0012.3f7f.9876
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description NuVox T1
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name amcinc.us
object-group icmp-type icmp_grp
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object traceroute
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
access-list out2in extended permit tcp any host x.x.170.18 eq 1677
access-list out2in extended permit tcp any host x.x.170.18 eq 7205
access-list out2in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
logging from-address thomas.estes@amcinc.us
logging recipient-address thomas.estes@amcinc.us level errors
logging host inside 192.168.1.114
logging permit-hostdown
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.170.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username xxxx password pfaW5bAu431sHznu encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.114 255.255.255.255 inside
snmp-server host inside 192.168.1.1 community ASA5505
snmp-server location Data Room
snmp-server contact Tom Estes
snmp-server community ASA5505
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.110 255.255.255.255 inside
ssh 192.168.1.114 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.149 inside
dhcpd dns 64.89.70.2 64.89.74.2 interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
webvpn
 csd image disk0:/securedesktop-asa-3.1.1.29-k9.pkg
prompt hostname context
Cryptochecksum:aeb680ce0caab7808916b2340f8eee7a
: end
06-08-2007 11:16 AM
Looks good. Now if you need another port for .18, instead of adding another static like before, you just have to allow it in the ACL. Looks much cleaner too. Enjoy.
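As an added illustration of that last point (example code written for this page, not from the thread or from Cisco): a small Python checker that parses the static and access-list lines in the shape used in this thread and works out which public IP/port pairs actually reach an inside host. It runs on constructed, trimmed excerpts modeled on the two configs posted above (the x.x.170.x addresses are kept in the thread's redacted form and treated as opaque strings), and it handles only the `tcp any host X eq PORT` ACL form and the two static forms seen here. The added port 8080 line is an arbitrary constructed example of "another port for .18". The point it makes for whoever reviews this firewall later: with per-port statics, a new ACL entry without a matching static is permitted but never translated, while with the one-to-one static the ACL alone decides which ports on .18 reach 192.168.1.50, so every future permit line on out2in is a direct change in what is exposed.

```python
import re

# Named ports the ASA accepts in place of numbers (only the ones used in the thread).
PORT_NAMES = {"smtp": 25, "https": 443, "http": 80, "www": 80, "ssh": 22}

# Constructed excerpts shaped like the two configs in the thread (not the full dumps).
BEFORE = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
static (inside,outside) tcp interface https 192.168.1.50 https netmask 255.255.255.255
static (inside,outside) tcp interface 9850 192.168.1.50 9850 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.50 smtp netmask 255.255.255.255
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
access-group out2in in interface outside
"""

AFTER = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.170.18 255.255.255.248
access-list out2in extended permit tcp any host x.x.170.18 eq smtp
access-list out2in extended permit tcp any host x.x.170.20 eq smtp
access-list out2in extended permit tcp any host x.x.170.18 eq https
access-list out2in extended permit tcp any host x.x.170.18 eq 9850
static (inside,outside) x.x.170.20 192.168.1.30 netmask 255.255.255.255
static (inside,outside) interface 192.168.1.50 netmask 255.255.255.255
access-group out2in in interface outside
"""

# "Another port for .18" as the reply describes it (constructed; 8080 is arbitrary).
EXTRA_ACL = "access-list out2in extended permit tcp any host x.x.170.18 eq 8080\n"

STATIC_PORT_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_HOST_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def port_number(token):
    """Turn an ASA port token ('smtp', '9850') into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Collect interface addresses, statics, ACL entries and access-group bindings."""
    iface_ip, statics, acls, groups = {}, [], {}, {}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            iface_ip[nameif] = line.split()[2]
        elif m := STATIC_PORT_RE.match(line):
            _in, out, pub, pub_port, real, real_port = m.groups()
            pub = iface_ip[out] if pub == "interface" else pub  # resolve 'interface' keyword
            statics.append((pub, port_number(pub_port), real, port_number(real_port)))
        elif m := STATIC_HOST_RE.match(line):
            _in, out, pub, real = m.groups()
            pub = iface_ip[out] if pub == "interface" else pub
            statics.append((pub, None, real, None))  # None = one-to-one, every port
        elif m := ACL_RE.match(line):
            name, pub, port = m.groups()
            acls.setdefault(name, []).append((pub, port_number(port)))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            groups[iface] = name
    return iface_ip, statics, acls, groups


def inbound_exposure(text, outside="outside"):
    """Return ({(public_ip, port): inside_ip}, [ACL entries permitted but never translated])."""
    _ips, statics, acls, groups = parse_config(text)
    reachable, untranslated = {}, []
    for pub, port in acls.get(groups.get(outside, ""), []):
        # An exact port static wins; otherwise a one-to-one static for the address applies.
        hit = (next((s for s in statics if s[0] == pub and s[1] == port), None)
               or next((s for s in statics if s[0] == pub and s[1] is None), None))
        if hit:
            reachable[(pub, port)] = hit[2]
        else:
            untranslated.append((pub, port))
    return reachable, untranslated


if __name__ == "__main__":
    for label, cfg in (("per-port statics", BEFORE + EXTRA_ACL),
                       ("one-to-one static", AFTER + EXTRA_ACL)):
        reachable, untranslated = inbound_exposure(cfg)
        print(f"== {label} ==")
        for (pub, port), inside in sorted(reachable.items()):
            print(f"  {pub}:{port} -> {inside}")
        for pub, port in untranslated:
            print(f"  {pub}:{port} permitted by ACL but has no static (dropped)")
```

Run it against a real `show running-config` dump and the `untranslated` list is the dead-permit audit (ACL entries that do nothing), while a diff of `reachable` between two saved configs shows exactly which inside services a change opened or closed.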
06-08-2007 11:24 AM
Thanks again for all of your help.
One last question.
So that I am not relying on the kindness of strangers to help me, and for my own edification, can you recommend any good books that would cover my last couple of questions?
Thanks!
06-08-2007 11:30 AM
I don't have any myself, but people usually mention the Cisco Press books. Some may even be on the shelf at your local Borders/Barnes & Noble.
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052091&rl=1