512 Views · 0 Helpful · 2 Replies

ASA5505 - problem with email, OWA and VPN

vvii
Level 1

I tried to set up the Cisco ASA 5505 (Version 7.1(1)) at my own office.

My overall network:

DSL modem (200.0.0.169/29), which connects to the ASA outside VLAN2 (200.0.0.170/29), which in turn connects to the ASA inside VLAN1 (192.168.1.1/24)

200.0.0.169/29 is the public IP for my DSL modem

200.0.0.170/29 is the public IP for my Cisco ASA (LAN IP: 192.168.1.1/24)

200.0.0.171/29 is the public IP for my exchange and VPN - vpn.mydomain.com (LAN IP: 192.168.1.5/24)

200.0.0.172/29 is the public IP for my DNS, DHCP (LAN IP: 192.168.1.3/24)

192.168.1.9/24 is a static IP for our MAIL FILTER server

Email should go to 192.168.1.9 then pass on to 192.168.1.5 to forward the email to our internal users.

Problem:

1) Can send email out, but cannot receive email

2) Cannot access Outlook Web Access from the internet

3) For VPN access, users can VPN into our network if they use 200.0.0.172 instead of 200.0.0.171, and I have to change the following 2 access-lists:

access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp

TO

access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.172 eq pptp

access-list outside_access_in extended permit gre any host 200.0.0.171

TO

access-list outside_access_in extended permit gre any host 200.0.0.172

But we would like to allow users to VPN into the network with 200.0.0.171

2 Replies

vvii
Level 1

ASA Version 7.2(1)
!
hostname mwasa5505
domain-name mydomain.com
enable password xxx
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.0.0.170 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan25
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.com
dns server-group DefaultDNSsunrpc
object-group service dynamictcp tcp
 port-object range 1024 65535
object-group service timetcp udp
 port-object eq ntp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

I am not sure why the VPN works for 200.0.0.173 but not 200.0.0.171. Do I need the following in order for VPN to work through this server?

static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
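As an added illustration (my own code, not part of the thread), the pptp/gre difference can be checked mechanically: on a pre-8.3 ASA an inbound ACE only delivers traffic if a static exists that translates its destination, and a tcp port static like the one asked about above cannot carry GRE, which has no port. The script runs over a constructed subset of the posted ACL and static lines (the two typos in the static lines corrected) and lists the inbound ACEs that have no matching static.

```python
import re

# Constructed sample: inbound ACL and static NAT lines from the posted config
# (typos in the last two statics corrected), not the full running-config.
CONFIG = """\
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
"""

# ACE shape "permit <proto> any host <global ip> [eq <port>]"; other shapes are ignored
ACE_RE = re.compile(r"access-list \S+ extended permit (\S+) any host (\S+)(?: eq (\S+))?$")
# Port-forwarding static (one protocol/port) vs 1:1 static (every protocol, GRE included)
STATIC_PORT_RE = re.compile(r"static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
STATIC_FULL_RE = re.compile(r"static \(inside,outside\) (\S+) (\S+) netmask")


def parse_statics(text):
    full = {}   # global IP -> inside IP
    ports = {}  # (proto, global IP, global port) -> (inside IP, inside port)
    for line in (l.strip() for l in text.splitlines()):
        if m := STATIC_PORT_RE.match(line):
            ports[(m[1], m[2], m[3])] = (m[4], m[5])
        elif m := STATIC_FULL_RE.match(line):
            full[m[1]] = m[2]
    return full, ports


def untranslated_aces(text):
    """Inbound ACEs whose destination has no static that would translate it:
    permitted by the ACL, but on a pre-8.3 ASA never delivered to an inside host.
    Returns [(proto, global IP, port or None), ...] in config order."""
    full, ports = parse_statics(text)
    missing = []
    for line in (l.strip() for l in text.splitlines()):
        if not (m := ACE_RE.match(line)):
            continue
        proto, gip, port = m[1], m[2], m[3]
        # a port static covers only its own protocol/port; a 1:1 static covers everything
        if not (gip in full or (port and (proto, gip, port) in ports)):
            missing.append((proto, gip, port))
    return missing
```

Run against the sample it reports exactly the two ACEs for 200.0.0.171 that have no translation: gre and tcp/pptp.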
