Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Easy Firewall questions ASA 5505

Hi, I am new to Cisco devices in general. I decided to pick up an ASA 5505. Well, I have been pretty stumped for weeks by it's setup. The configuration should be easy. I intend to place it as a firewall between our inside network and our outside network. The outside interface IP will be 64.200.x.x, whereas the inside IPs will be 10.1.1.0. I got it working to the point that I can browse the Internet from behind it fine, but I cannot seem to get mail messages into my mail server at IP 10.1.1.15 (actually a security appliance that forwards to the server). I would like to NAT all my inside connections to appear as the outside interface on the internet, and would like incoming mail redirected to 10.1.1.15. I also have heard about a command, "no inspect protocol smtp 25", but cannot seem to get this command to work properly. Here is what I have tried with results:

Result of the command: "no fixup protocol smtp 25"

WARNING: 'no fixup ...' command not processed because no global policy-map is enabled

It says I don't have a global policy map. Have I messed something up there?

I am going to post my config as a reply. Also, I plan to later set up some VPNs and some of the settings are still in the config. Tell me if that's a problem. Please tell me some of the things I am doing wrong here. Maybe I should wipe it and start fresh using what I know now?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Easy Firewall questions ASA 5505

Chris,

The address is reversed in the static and your ACL needs to permit smtp traffic to the global address of the mail server. Can you make the following changes to the config, do a 'clear xlate' and test.

no access-list outside_access_in extended permit tcp any host 10.1.1.15 eq smtp

access-list outside_access_in extended permit tcp any host 64.200.x.x eq smtp

static (inside,outside) tcp 10.1.1.15 smtp 64.200.x.x smtp netmask 255.255.255.255

static (inside,outside) tcp 64.200.x.x smtp 10.1.1.15 smtp netmask 255.255.255.255

If the 64.200.x.x address you are using for the mail server is the outside interface address of the ASA substitute the IP address with the command 'interface outside' in both ACL and static configuration.

HTH

Sundar

12 REPLIES
New Member

Re: Easy Firewall questions ASA 5505

Result of the command: "show running-config"

ASA Version 7.2(3)

hostname ciscoasa

domain-name default.domain.invalid

enable password w9.E89J6LPOGR3zI encrypted

names

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

ospf cost 10

interface Vlan2

nameif outside

security-level 0

ip address 64.200.x.x 255.255.255.248

ospf cost 10

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp

ospf cost 10

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

!

passwd 2KFQencrypted

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 10.1.1.15 eq smtp

access-list outside_2_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list outside_5_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 10.1.1.15 smtp 64.200.x.x smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.200.223.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.1.1.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 74.8.140.xxx 64.209.221.xxx

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 74.212.201.xxx

crypto map outside_map 2 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set pfs

crypto map outside_map 4 set peer 64.60.171.xxx

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 5 match address outside_5_cryptomap

crypto map outside_map 5 set pfs

crypto map outside_map 5 set peer 64.209.221.xxx

crypto map outside_map 5 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.1.1.2-10.1.1.100 inside

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

prompt hostname context

Cryptochecksum:3a296

Re: Easy Firewall questions ASA 5505

Chris,

The address is reversed in the static and your ACL needs to permit smtp traffic to the global address of the mail server. Can you make the following changes to the config, do a 'clear xlate' and test.

no access-list outside_access_in extended permit tcp any host 10.1.1.15 eq smtp

access-list outside_access_in extended permit tcp any host 64.200.x.x eq smtp

static (inside,outside) tcp 10.1.1.15 smtp 64.200.x.x smtp netmask 255.255.255.255

static (inside,outside) tcp 64.200.x.x smtp 10.1.1.15 smtp netmask 255.255.255.255

If the 64.200.x.x address you are using for the mail server is the outside interface address of the ASA substitute the IP address with the command 'interface outside' in both ACL and static configuration.

HTH

Sundar

New Member

Re: Easy Firewall questions ASA 5505

Thanks for the quick reply. I am actually wiping it to factory config because as I posted I realized how messy it had become. So then I will set it up as you indicated. I will post my cleaned up config on here shortly for you guys to double check then test tonight and tell you first thing in the morning how it went. Maybe I will be able to run the no fixup command after I restore it to factory defaults.

Re: Easy Firewall questions ASA 5505

I don't see the global policy map in your configuration and it appears you may have removed it. Moreover, I believe 'no fixup protocol smtp 25' is on by default in ASA and if you enter the 'fixup' ASA would convert that to the equivalent policy map configuration. Anyway, you would see all that stuff since you are resetting it to factory default. Let us know how it goes.

HTH

Sundar

New Member

Re: Easy Firewall questions ASA 5505

Thanks, Here's the (much) cleaned up config, can you tell me anything else?:

Result of the command: "show running-config"

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name companionhospice.pri

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.200.xxx.xxx 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name companionhospice.pri

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit tcp any host 64.200.xxx.xxx eq smtp

access-list outside_access_in extended permit icmp any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 64.200.xxx.xxx smtp 10.1.1.15 smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.200.xxx.xxx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.1.1.2-10.1.1.254 inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: Easy Firewall questions ASA 5505

Looks good to me. As I said before if you are using the outside interface IP as mail server's global address then use the word 'interface outside' in ACL and static command in place of the IP address.

HTH

Sundar

New Member

Re: Easy Firewall questions ASA 5505

Yes, my mistake. Like this?:

Result of the command: "show running-config"

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name companionhospice.pri

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.200.xxx.xxx 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address dhcp

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name companionhospice.pri

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in extended permit icmp any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface smtp 10.1.1.15 smtp netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 64.200.223.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.1.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.1.1.2-10.1.1.254 inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Re: Easy Firewall questions ASA 5505

Yep.

New Member

Re: Easy Firewall questions ASA 5505

Alright I will test tonight and tell you how it goes right away. Thanks for your help.

New Member

Re: Easy Firewall questions ASA 5505

Works great. Thanks a lot for your help.

Re: Easy Firewall questions ASA 5505

No problem. Glad I could help.

Thanks for the rating :-)

New Member

Re: Easy Firewall questions ASA 5505

Hi, Thanks for all your help. I am a little farther on in the configuration of the site to site VPN. I am working on it, but in the meantime, I posted a new post for any feedback:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Remote%20Access&topicID=.ee719fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc29ff8

If you could help with that one it would be a life saver. I can't really test without going into the office after hours, so any feedback is great.

301
Views
0
Helpful
12
Replies