
New Member

Cannot get RDP and E-mail out through ASA 5510 5520

I've been trying to switch out our old firewall which is a 5510 for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.

Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.

From another computer with an 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.

Static mappings (again from config):

static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255

Original access list:

access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 67.228.177.117 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 206.217.202.43 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit udp host 64.154.41.100 host 73.13.198.210 eq 4569
access-list outside_access_in extended permit udp host 64.154.41.100 host 73.13.198.210 range 10000 20000
access-list outside_access_in extended permit tcp host 64.154.41.100 host 73.13.198.210 range 10000 20000
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit object-group Android_iOS_Ports interface inside any
access-list outside_access_in extended permit tcp host 222.186.17.160 any
access-list outside_access_in extended permit object-group VSP_in_Ports any host 73.13.198.214
access-list outside_access_in extended permit tcp any host 73.13.198.213 eq https
access-list outside_access_in extended permit tcp any 12.6.35.96 255.255.255.224 eq https
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 990
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 999
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5721
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5678
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5679
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 26675
access-list outside_access_in extended permit tcp any host 73.13.198.212 eq www
access-list outside_access_in extended permit tcp any host 73.13.198.212 eq https
access-list outside_access_in extended permit icmp any any

ACL application:

access-group outside_access_in in interface outside

If I pull the static mappings, pings can get through.

I've trimmed my ACL to just the RDP and Email lines:

access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 72.12.198.212 eq smtp

No one can RDP in. No one can email in. Any other computer can get to the internet on our site so it's not the internet connection.

What is blocking the traffic? Any help is appreciated as this site is currently cut off from email.
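A consistency check worth running over a pre-8.3 ASA config before concluding that the firewall is silently dropping traffic. This is an added example, not anything posted in the thread; the sample config below is constructed from the two statics and the trimmed ACL quoted above. It parses the one-to-one static (inside,outside) translations and the extended ACEs whose destination is a single host, then reports permitted destination hosts that no static translates, and statics that no ACE ever permits traffic to. Because the posted config is sanitized and partial, a hit is a place to look rather than a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: the two static translations and the trimmed ACL quoted
# in the post (pre-8.3 ASA syntax), embedded so the check runs offline.
SAMPLE_CONFIG = """
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 72.12.198.212 eq smtp
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# One-to-one static: static (real_if,mapped_if) MAPPED REAL netmask 255.255.255.255
STATIC_RE = re.compile(rf"^static \(\w+,\w+\) ({IP}) ({IP}) netmask 255\.255\.255\.255$")
# Extended ACE whose source is 'host X', 'any' or 'NET MASK' and whose destination is 'host Y'
ACE_RE = re.compile(rf"^access-list (\S+) extended permit \S+ (?:host \S+|any|\S+ \S+) host ({IP})")

def parse_statics(config: str) -> Dict[str, str]:
    """Map each mapped (outside) address to the real (inside) address behind it."""
    statics = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics[m.group(1)] = m.group(2)
    return statics

def acl_destination_hosts(config: str, acl_name: str) -> List[str]:
    """Destination hosts permitted by the named ACL, in order of appearance."""
    hosts = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            hosts.append(m.group(2))
    return hosts

def unmatched_acl_hosts(config: str, acl_name: str) -> List[str]:
    """Permitted destinations with no static translation: the ACE admits the
    packet, but nothing maps it to an inside host, which looks like a silent drop."""
    statics = parse_statics(config)
    return sorted({h for h in acl_destination_hosts(config, acl_name) if h not in statics})

def unreached_statics(config: str, acl_name: str) -> List[str]:
    """Static translations that no ACE in the named ACL ever permits traffic to."""
    permitted = set(acl_destination_hosts(config, acl_name))
    return sorted(h for h in parse_statics(config) if h not in permitted)
```

On the sample, unmatched_acl_hosts reports 72.12.198.211 and 72.12.198.212 while unreached_statics reports both 73.13.198.x translations, the pattern to expect whenever an ACE destination and its static disagree by a digit. Comparing the real address printed for each static against the server that is supposed to own that public address catches a swapped mapping the same way.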

1 Accepted Solution

Hi Bro

Your configuration needs to be cleaned up. Please do this for me, and let me know how it goes. Please do this exactly; do not skip a step. Just paste these configs (you can remove the static NATs if you want to), issue a clear xlate command, and give it a try.

no static (inside,dmz) 11.1.0.0 11.1.0.0 netmask 255.0.0.0
static (inside,dmz) 11.0.0.0 11.0.0.0 netmask 255.0.0.0

no dns domain-lookup inside
no dns domain-lookup dmz
no dns domain-lookup outside
no same-security-traffic permit inter-interface

no global (dmz) 1 interface

access-list inside permit ip any any
access-group inside in interface inside

router eigrp 101
no network 173.17.1.0 255.255.255.0
no passive-interface outside

clear configure access-list no_nat
clear configure access-list no_nat_dmz
no nat (inside) 0 access-list no_nat

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
6 REPLIES
New Member

Traceroute from the external email filtering site doesn't even hit our external subnet.

New Member

Thanks! E-mail appears to be working; I can ping out to the internet gateway through the email server. RDP is still not working. Still can't ping the gateway.

Cleared xlate several times

New Member

Last time I cleared up RDP issues by moving the RDP rule up in the ACL, but it's as high up as I want it to be right now.

New Member

Looks like RDP is working now. I guess it needed time to work its way through the network?

New Member

Thanks so much Ramraj
