I have a strange error on my ASA5515-X and I cannot understand what it can be.
I NATted the mail server with the https service:
object network Owa_10.0.1.4
object network Owa_10.0.1.4
nat (INSIDE,OUTSIDE) static interface service tcp https https
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
ip address 10.0.1.254 255.255.0.0
ip address 217.5x.xxx.xxx 255.255.255.240
If I send a mail from inside to outside, the mail reaches the receiver; if a mail is sent from outside (such as from @gmail.com to an internal mailbox), the mail does not arrive. Attached are logs with TCP Reset-O.
What could be the issue? Do I have something wrong in the configuration?
Your configuration looks all right. I would say "permit ip any any"
is okay in this case for troubleshooting purposes, but do not forget to change the rules on outside later and only allow the services you need. Besides that, your configuration is fine. Also, in the log provided, the connection looks okay from the firewall perspective.
Here is the meaning of Reset-O and Reset-I, according to the title of this post:
- TCP Reset-I - The client tore down the connection (typical in an SMTP or IMAP exchange; -I = inside interface).
- TCP Reset-O - The server was not listening on that protocol at that time (usually seen as coming from SMTP servers; -O = outside interface).
I would suggest you check whether the server is listening on the required ports (netstat works for this), run some captures on your server, maybe using Wireshark, in order to confirm whether the server is resetting the connection, and check for incoming traffic.
Run some captures on the firewall in order to confirm the reset is coming from Outside.
capture inside interface inside match tcp any host 10.0.1.4 eq 443
capture outside interface outside match tcp any host 217.5x.xxx.xxx eq 443
capture asp type asp-drop all >>> in order to check packets the firewall has dropped.
show capture asp | inc 10.0.1.4
show capture asp | inc 217.5x.xxx.xxx.443
show capture inside >>> check for the TCP reset flag (R)
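A small parser for the teardown syslog lines the reply interprets, added here as an example that is not from the thread or from Cisco. It assumes the %ASA-6-302014 "Teardown TCP connection" message format with the reason at the end of the line and interfaces named inside/outside as in the poster's config; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread); the format follows the
# %ASA-6-302014 "Teardown TCP connection" message, reason flag at the end of the line.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 1048576 for OUTSIDE:198.51.100.20/53812 to INSIDE:10.0.1.4/25 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1048577 for OUTSIDE:198.51.100.21/40221 to INSIDE:10.0.1.4/25 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 1048578 for INSIDE:10.0.1.50/50111 to OUTSIDE:203.0.113.9/443 duration 0:00:12 bytes 8123 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 1048579 for OUTSIDE:198.51.100.22/33456 to INSIDE:10.0.1.4/443 duration 0:01:05 bytes 20971 TCP FINs
"""

TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

def parse_teardowns(log_text):
    """Yield one dict per %ASA-6-302014 line; non-matching lines are skipped."""
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            yield m.groupdict()

def reset_origin(event):
    """Return (interface, ip, port) of the end that sent the RST, or None.

    Reset-I means the RST arrived on the inside interface, Reset-O on the outside
    interface, so the resetting host is whichever end of the flow sits on that side.
    Non-reset teardowns (TCP FINs, SYN Timeout, ...) return None.
    """
    side = {"TCP Reset-I": "inside", "TCP Reset-O": "outside"}.get(event["reason"])
    if side is None:
        return None
    for end in ("src", "dst"):
        if event[f"{end}_if"].lower() == side:
            return (event[f"{end}_if"], event[f"{end}_ip"], int(event[f"{end}_port"]))
    return None  # interface names do not follow the inside/outside convention

def summarize_resets(log_text):
    """Count resets per (flow destination ip, destination port, reason), so a service
    that keeps being reset (here SMTP on 10.0.1.4) stands out; zero-byte flows are
    the ones where nothing was ever exchanged before the RST."""
    counts = Counter()
    for ev in parse_teardowns(log_text):
        if reset_origin(ev) is not None:
            counts[(ev["dst_ip"], int(ev["dst_port"]), ev["reason"])] += 1
    return counts
```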
Sure, my ACL any/any is only for this stage of troubleshooting :-)
Later I will check on the mail server with the "netstat" command for listening ports.
I take this opportunity to ask you: if I NAT the https service of the mail server on the same IP address as the outside interface of the firewall, and if I set up an AnyConnect VPN, it may not work, right? (overlap between https for AnyConnect and the mail server)
Yes, AnyConnect will use port 443 (this is used as it will be open in almost any location), but if you want to forward traffic to an internal web server while having this configuration then you are in trouble.