Community Member

Configuring ACL's 5520

I am new to Cisco firewalls and am having trouble getting the ACLs to work. I have an ASA 5520 with version 7.2.2 software. I have it connected and can get to the internet, but when I configure an ACL to get my mail from the outside spam quarantine company I get no mail. I am not sure if I am doing the ACL right or not. I did 1 from the outside IP to the inside IP allowing only port 3389 to go through.

29 REPLIES
Hall of Fame Super Blue

Re: Configuring ACL's 5520

Hi

Port 3389 is for terminal services. Mail is typically on port 25. Is this a typo?

Could you send copy of config of ASA minus any sensitive info.

HTH

Jon

Green

Re: Configuring ACL's 5520

1. 3389 is rdp (remote desktop protocol)

2. You need a static translation for the destination of the mail

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1=external address

192.168.1.1=internal address

3. Write the ACL; this one is for SMTP, TCP 25.

access-list outside_access_in extended permit tcp any host 1.1.1.1 eq 25

access-group outside_access_in in interface outside

Post your config if you have problems.

Community Member

Re: Configuring ACL's 5520

ASA Version 7.2(2)19

!

hostname ciscoasa

domain-name xxxxxxxx.com

enable password xxxxxxxx encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address xx.xxx.xxx.xx 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address xx.xxx.x.xx 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxxxxxxxxxxxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxxxx.com

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.xx eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx range 3268 3268 host xx.xxx.x.xx range 3268 3268

access-list 110 extended permit tcp host xxx.xxx.xx.xx eq smtp host xx.xxx.x.xx eq smtp

access-list Lan_nat_static extended permit ip interface Lan interface Wan

pager lines 24

logging enable

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (Wan) 1 interface

nat (Lan) 1 0.0.0.0 0.0.0.0

access-group 110 in interface Wan

route Wan 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

Community Member

Re: Configuring ACL's 5520

Sorry, 3268 was the port.

I have these 3 in the access rules for mail

Green

Re: Configuring ACL's 5520

Don't use source ports in your ACLs.

access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.xx eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq smtp

Green

Re: Configuring ACL's 5520

What ip are they forwarding your mail to? You need a static translation for this address.

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1=external address

192.168.1.1=internal address

Or, if the address is the outside interface of the ASA, you need

static (inside,outside) tcp interface 25 192.168.1.1 25 netmask 255.255.255.255

192.168.1.1=internal address

Community Member

Re: Configuring ACL's 5520

We first have a rule to check the global catalog for the user. Then it gets pushed to the internal mail server.

I am new to the command line, so I am using the GUI.

Would the source port be any?

Green

Re: Configuring ACL's 5520

A source port would normally be a random port above 1024. You do not use these in your acl as you would have no idea what it would be.

About the mail server, I mean what is the ip address that the spam quarantine company uses to send you mail?

Community Member

Re: Configuring ACL's 5520

It would be an external one.

Green

Re: Configuring ACL's 5520

Yes, you need a static statement for this address if you want to get the mail.

Community Member

Re: Configuring ACL's 5520

I added the static and still no luck.

Green

Re: Configuring ACL's 5520

Can you post what the static is? Feel free to change the address to something different.

Community Member

Re: Configuring ACL's 5520

ASA Version 7.2(2)19

!

hostname ciscoasa

domain-name xxxxxxx.com

enable password xxxxxxxx encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address xx.xxx.xxx.xx 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address xx.xxx.x.xx 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthe

!

passwd xxxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxxx.com

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x7 eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx range 3268 3268

access-list Lan_nat_static extended permit ip interface Lan interface Wan

pager lines 24

logging enable

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (Wan) 1 interface

nat (Lan) 1 0.0.0.0 0.0.0.0

static (Lan,Wan) xx.xxx.xxx.xxx xx.xxx.x.xx netmask 255.255.255.

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Green

Re: Configuring ACL's 5520

1. you don't need the source port in this acl line.

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x eq https

it should be...

access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.x eq https

2. There is no point to have a "range 3268 3268"

it should be...

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268

3. access-group 110 in interface Wan

4. Is the address in your static the same as the Wan address on the ASA?

Community Member

Re: Configuring ACL's 5520

The static is different than the Wan IP.

The static is a 1-1 NAT rule.

Community Member

Re: Configuring ACL's 5520

Still cannot get traffic to flow correctly. If I configure the same as my current firewall, nothing works. I think I'm missing something simple but just cannot figure it out.

Green

Re: Configuring ACL's 5520

Could you post latest config without all the extra characters that were included in your last one?

Also, it's ok to block out your external ip's with x's but could you just change the external addresses to something we can follow throughout the config, like 64.x.x.x? That way we know you haven't flipped your statics etc.

Community Member

Re: Configuring ACL's 5520

ASA Version 7.2(2)19

!

hostname ciscoasa

domain-name fvxxc.com

enable password xnxxxsdsXC1MM encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address 65.444.444.98 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address 10.146.4.12 255.255.255.0

no failover

!

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

timeout xlate 3:00:00

management-only

!

passwd 2KxxxxdU encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name dsfff.com

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 10.146.4.32 eq 3286

!

mtu Lan 1500

mtu Wan 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

shutdown

no nameif

asdm image disk0:/asdm-522.bin

no ip address

no asdm history enable

arp timeout 14400

shutdown

nat-control

nat (Lan) 0 0.0.0.0 0.0.0.0

no ip address

static (Lan,Wan) 65.444.444.106 10.146.4.32 netmask 255.255.255.255

security-level 100

static (Lan,Wan) 65.444.444.101 10.146.4.47 netmask 255.255.255.255

management-only

!

passwd 2KdsdsfdsfsdfK

!

!

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

Green

Re: Configuring ACL's 5520

How are you capturing your config? It still has a lot of extra/missing words and characters. But anyway, your ACL is wrong, and you have no access-group command to apply it. You need to use the 65. address in the ACL, not the 10. Also, I'm not sure what you are trying to allow, as it's not showing up in the config. I did this one for SMTP.

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.444.444.106 eq smtp

access-group Wan_access_in in interface Wan

Community Member

Re: Configuring ACL's 5520

I am capturing a config by sh run and then pasting it into Notepad.

So basically, when configuring this firewall I have to think public to public, and then NAT will translate to the correct inside address?

Do I need to use the above command for the rest of the addresses, or can I put them in via the GUI?

What does the access-group Wan_access_in in interface Wan do?

Green

Re: Configuring ACL's 5520

Yes, when the request is coming from the Wan, it is for 65.x.x.x, it is not for 10.x.x.x. So the firewall will allow the packet then it will be translated to the proper address. You can do them by the gui if you wish.

"access-group Wan_access_in in interface Wan" applies the access-list Wan_access_in to the Wan interface in an inbound direction. Without this, the access-list is not applied and will not do anything.
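As an added example (not from this thread and not a Cisco tool), the Python linter below checks a pre-8.3 ASA running-config for exactly the mistakes Green keeps pointing out: source ports in an ACE, a single-port "range", an inbound ACE whose destination is the inside address behind a static instead of the global one, and an ACL that is never bound with access-group. The config it reads is constructed with RFC 5737 documentation addresses and the function and file names are my own.

```python
import re
# Constructed sample modelled on the pre-8.3 ASA config in this thread (RFC 5737 addresses, not the poster's).
SAMPLE_CONFIG = """
static (Lan,Wan) 203.0.113.106 10.0.3.32 netmask 255.255.255.255
static (Lan,Wan) 203.0.113.101 10.0.3.47 netmask 255.255.255.255
access-list Wan_access_in extended permit tcp any host 10.0.3.47 eq https
access-list Wan_access_in extended permit tcp host 198.51.100.36 eq smtp host 203.0.113.101 eq smtp
access-list wan_access_in extended permit tcp host 198.51.100.36 host 203.0.113.106 range 3268 3268
access-list wan_access_in extended permit tcp any host 203.0.113.101 eq smtp
access-group wan_access_in in interface Wan
"""
ACE_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) (?:tcp|udp) (.+)$")
PORT_OPS = ("eq", "gt", "lt", "neq", "range")

def _take_addr(toks):
    # 'any' is one token; 'host X' or 'network mask' are two
    return (toks[0], toks[1:]) if toks[0] == "any" else (" ".join(toks[:2]), toks[2:])

def _take_ports(toks):
    if not toks or toks[0] not in PORT_OPS:   # optional port operator; 'range' has two operands
        return None, toks
    n = 3 if toks[0] == "range" else 2
    return toks[:n], toks[n:]

def lint_pre83_config(config):
    """Return (acl_name, problem) pairs for the ACL mistakes this thread walks through."""
    real_to_global, applied, aces, findings = {}, set(), [], []
    for line in config.strip().splitlines():
        toks = line.split()
        if line.startswith("static ("):         # static (in,out) GLOBAL REAL netmask MASK
            real_to_global[toks[3]] = toks[2]
        elif line.startswith("access-group "):  # ASA ACL names are case-sensitive
            applied.add(toks[1])
        elif (m := ACE_RE.match(line)):
            aces.append(m.groups())
    for name, rest in aces:
        src, toks = _take_addr(rest.split())
        src_ports, toks = _take_ports(toks)
        dst, toks = _take_addr(toks)
        dst_ports, _ = _take_ports(toks)
        if src_ports:   # clients pick random high source ports, so this never matches reliably
            findings.append((name, f"source port '{' '.join(src_ports)}' on {src}"))
        if dst_ports and dst_ports[0] == "range" and dst_ports[1] == dst_ports[2]:
            findings.append((name, f"single-port range, use 'eq {dst_ports[1]}'"))
        if dst.split()[-1] in real_to_global:   # inbound ACLs on 7.x/8.2 match the global address
            findings.append((name, f"destination {dst.split()[-1]} is the inside address"))
    for name in sorted({n for n, _ in aces} - applied):
        findings.append((name, "never bound with access-group, so it has no effect"))
    return findings
```

Calling lint_pre83_config(SAMPLE_CONFIG) reports four findings on the sample, including that "Wan_access_in" is unbound because the access-group line names "wan_access_in".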

Community Member

Re: Configuring ACL's 5520

How would you do this in the gui?

"access-group Wan_access_in in interface Wan" applies the access-list Wan_access_in to the Wan interface in an inbound direction. Without this, the access-list is not applied and will not do anything.

Green

Re: Configuring ACL's 5520

You don't do it in the gui, it should be there automatically when you create an access rule from the gui.

Do this instead from gui...

File -> Show Running Configuration in New Window

Then paste the config here, for some reason your config is not right when you capture it and is just most likely missing the command.

Community Member

Re: Configuring ACL's 5520

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address 65.444.444.98 255.255.255.224

!

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address 10.333.3.12 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255

management-only

!

passwd xxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name 2323232.com

access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.333.333.101 eq smtp

access-list wan_access_in extended permit tcp host 207.333.33.36 host 65.444.444.106 eq 3286

access-list wan_access_in extended permit tcp any host 65.444.444.101 eq smtp

pager lines 24

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

nat (Lan) 0 0.0.0.0 0.0.0.0

static (Lan,Wan) 65.444.444.106 10.333.3.32 netmask 255.255.255.255

static (Lan,Wan) 65.444.444.101 10.333.3.47 netmask 255.255.255.255

access-group wan_access_in in interface Wan

route Wan 0.0.0.0 0.0.0.0 65.444.444.97 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:1

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Green

Re: Configuring ACL's 5520

Much better, thanks :)

This one is still wrong

access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https

it should be...

access-list Wan_access_in extended permit tcp any host 65.444.444.101 eq https

You have no other translation for other inside hosts to get outside, is that what you want?

Community Member

Re: Configuring ACL's 5520

I have many others; I just want to get 1 to work and then I will understand what needs to be done. I have to fix that 1 above still.

My understanding from what we have done leads me to believe that I will need more public addresses, since some of mine are not NATted on my current firewall. Would this be correct?

By the way thank you so much for your help!!!

Community Member

Re: Configuring ACL's 5520

What would be the command to delete an access list?

Green

Re: Configuring ACL's 5520

no access-list Wan_access_in extended permit tcp any host 10.333.3.47 eq https

no access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.333.333.101 eq smtp

no access-list wan_access_in extended permit tcp host 207.333.33.36 host 65.444.444.106 eq 3286

no access-list wan_access_in extended permit tcp any host 65.444.444.101 eq smtp

Green

Re: Configuring ACL's 5520

"I have many others; I just want to get 1 to work and then I will understand what needs to be done. I have to fix that 1 above still."

-That's ok, I was referring to inside host going out.

"My understanding from what we have done leads me to believe that I will need more public addresses, since some of mine are not NATted on my current firewall. Would this be correct?"

-That's hard to answer for you, as I'm not sure where you're going in the future or what you need to support now. You don't necessarily have to have 1-to-1 statics either. You could also do port translation, so you could take 1 outside address and have different translations for http, https, smtp, etc. all on one outside IP.

"By the way thank you so much for your help!!!"

-No problem, please rate posts if they help.
