04-15-2008 09:15 AM - edited 03-11-2019 05:31 AM
Hi, I am new to Cisco devices in general. I decided to pick up an ASA 5505. Well, I have been pretty stumped for weeks by its setup. The configuration should be easy. I intend to place it as a firewall between our inside network and our outside network. The outside interface IP will be 64.200.x.x, whereas the inside IPs will be 10.1.1.0. I got it working to the point that I can browse the Internet from behind it fine, but I cannot seem to get mail messages into my mail server at IP 10.1.1.15 (actually a security appliance that forwards to the server). I would like to NAT all my inside connections to appear as the outside interface on the Internet, and would like incoming mail redirected to 10.1.1.15. I also have heard about a command, "no inspect protocol smtp 25", but cannot seem to get this command to work properly. Here is what I have tried, with results:
Result of the command: "no fixup protocol smtp 25"
WARNING: 'no fixup ...' command not processed because no global policy-map is enabled
It says I don't have a global policy map. Have I messed something up there?
I am going to post my config as a reply. Also, I plan to later set up some VPNs and some of the settings are still in the config. Tell me if that's a problem. Please tell me some of the things I am doing wrong here. Maybe I should wipe it and start fresh using what I know now?
04-15-2008 10:01 AM
Chris,
The address is reversed in the static, and your ACL needs to permit SMTP traffic to the global address of the mail server. Can you make the following changes to the config, do a 'clear xlate' and test?
no access-list outside_access_in extended permit tcp any host 10.1.1.15 eq smtp
access-list outside_access_in extended permit tcp any host 64.200.x.x eq smtp
static (inside,outside) tcp 10.1.1.15 smtp 64.200.x.x smtp netmask 255.255.255.255
static (inside,outside) tcp 64.200.x.x smtp 10.1.1.15 smtp netmask 255.255.255.255
If the 64.200.x.x address you are using for the mail server is the outside interface address of the ASA, substitute the IP address with 'interface outside' in both the ACL and the static configuration.
HTH
Sundar
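A small lint, added here as an example and not part of the thread or of any Cisco tooling, that checks a pre-8.3 ASA config for the two mistakes Sundar points out: a 'static' whose mapped and real operands are reversed, and an outside ACL entry that permits to the real inside address instead of the mapped (global) one. It assumes the inside subnet 10.1.1.0/24 from the posted config, and treats non-IP tokens (the 'interface' keyword, redacted 'x.x' octets) as "not an inside address"; the sample lines are constructed from the thread.

```python
import ipaddress
import re

# Assumed inside subnet, taken from the thread's 'ip address 10.1.1.1 255.255.255.0'.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")

# Pre-8.3 syntax: static (real_if,mapped_if) tcp <mapped> <port> <real> <port> netmask <mask>
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (?P<mapped>\S+) (?P<mport>\S+) "
    r"(?P<real>\S+) (?P<rport>\S+) netmask \S+$"
)
# Outside ACL entries of interest: '... permit tcp any host <dst> eq <port>'
# or '... permit tcp any interface <ifc> eq <port>'.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp any "
    r"(?:host (?P<dst>\S+)|interface (?P<ifc>\S+)) eq (?P<port>\S+)$"
)

# Constructed samples: the original post's broken pair and the final working pair.
BROKEN_SNIPPET = """access-list outside_access_in extended permit tcp any host 10.1.1.15 eq smtp
static (inside,outside) tcp 10.1.1.15 smtp 64.200.x.x smtp netmask 255.255.255.255"""
FIXED_SNIPPET = """access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface smtp 10.1.1.15 smtp netmask 255.255.255.255"""


def _in_net(token, net):
    """True only if token parses as an IP address inside net."""
    try:
        return ipaddress.ip_address(token) in net
    except ValueError:  # 'interface', redacted 'x.x' octets, etc.
        return False


def check_static_nat(config_text, inside_net=INSIDE_NET):
    """Return findings for reversed statics and ACLs that reference real addresses."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            mapped, real = m["mapped"], m["real"]
            # The first address after 'tcp' must be the global one; an inside host
            # there (with a non-inside real address) means the operands are swapped.
            if _in_net(mapped, inside_net) and not _in_net(real, inside_net):
                findings.append(f"reversed static: {mapped} is an inside host; use "
                                f"'static (inside,outside) tcp {real} {m['rport']} {mapped} {m['mport']}'")
            continue
        m = ACL_RE.match(line)
        if m and m["dst"] and _in_net(m["dst"], inside_net):
            findings.append(f"{m['name']}: destination {m['dst']} is the real address; "
                            f"pre-8.3 outside ACLs must permit to the mapped (global) address")
    return findings
```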
04-15-2008 09:20 AM
Result of the command: "show running-config"
ASA Version 7.2(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password w9.E89J6LPOGR3zI encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address 64.200.x.x 255.255.255.248
ospf cost 10
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
!
passwd 2KFQencrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.1.1.15 eq smtp
access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 10.1.1.15 smtp 64.200.x.x smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.200.223.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 74.8.140.xxx 64.209.221.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 74.212.201.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 64.60.171.xxx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs
crypto map outside_map 5 set peer 64.209.221.xxx
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.100 inside
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
prompt hostname context
Cryptochecksum:3a296
04-15-2008 10:07 AM
Thanks for the quick reply. I am actually wiping it to factory config because as I posted I realized how messy it had become. So then I will set it up as you indicated. I will post my cleaned up config on here shortly for you guys to double check then test tonight and tell you first thing in the morning how it went. Maybe I will be able to run the no fixup command after I restore it to factory defaults.
04-15-2008 10:23 AM
I don't see the global policy map in your configuration and it appears you may have removed it. Moreover, I believe 'no fixup protocol smtp 25' is on by default in ASA and if you enter the 'fixup' ASA would convert that to the equivalent policy map configuration. Anyway, you would see all that stuff since you are resetting it to factory default. Let us know how it goes.
HTH
Sundar
04-15-2008 10:37 AM
Thanks. Here's the (much) cleaned-up config; can you tell me anything else?
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name companionhospice.pri
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.200.xxx.xxx 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name companionhospice.pri
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 64.200.xxx.xxx eq smtp
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 64.200.xxx.xxx smtp 10.1.1.15 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.200.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.2-10.1.1.254 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
04-15-2008 10:49 AM
Looks good to me. As I said before, if you are using the outside interface IP as the mail server's global address, then use 'interface outside' in the ACL and static commands in place of the IP address.
HTH
Sundar
04-15-2008 10:56 AM
Yes, my mistake. Like this?:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name companionhospice.pri
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 64.200.xxx.xxx 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name companionhospice.pri
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.1.1.15 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.200.223.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.1.1.2-10.1.1.254 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
04-15-2008 11:17 AM
Yep.
04-15-2008 11:27 AM
Alright I will test tonight and tell you how it goes right away. Thanks for your help.
04-16-2008 07:52 AM
Works great. Thanks a lot for your help.
04-16-2008 07:59 AM
No problem. Glad I could help.
Thanks for the rating :-)
12-21-2008 11:48 AM
Hi, Thanks for all your help. I am a little farther on in the configuration of the site to site VPN. I am working on it, but in the meantime, I posted a new post for any feedback:
If you could help with that one it would be a life saver. I can't really test without going into the office after hours, so any feedback is great.