Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
536
Views
0
Helpful
4
Replies

Inbound traffice problem

energyservices
Level 1
Level 1

‎01-30-2009 02:06 AM - edited ‎03-11-2019 07:44 AM

Hi all,

I have a problem with inbound traffic. I have setup my firewall to allow traffic on http, imap4 and smtp ports. But I can't get through. Am I missing anything? Or did I do something wrong? My SSL VPN works no problem. Any help will be appreciated.

Thank you in advance.

Here is a part of config.

name 192.168.2.101 Server

name 192.168.2.103 Mail

name 192.168.2.102 Spam

!

interface Ethernet0/0

description Internet

nameif Outside

security-level 0

ip address *.*.*.* 255.255.255.248

ospf cost 10

!

interface Ethernet0/1

description Intranet

nameif Inside

security-level 100

ip address 192.168.2.104 255.255.255.0

ospf cost 10

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

management-only

!

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name *****************

access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any interface Outside eq imap4

access-list outside_access_in extended permit tcp any interface Outside eq smtp

access-list outside_access_in extended permit tcp any interface Outside eq www

access-list inside_outbound_nat0_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list VPN-Split-Tunnel standard permit 192.168.2.0 255.255.255.0

pager lines 24

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool AnyConnect 192.168.15.100-192.168.15.150 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (Inside) 0 access-list inside_outbound_nat0_acl

nat (Inside) 1 192.168.2.0 255.255.255.0

static (Inside,Outside) tcp interface smtp Spam smtp netmask 255.255.255.255

static (Inside,Outside) tcp interface imap4 Mail imap4 netmask 255.255.255.255

static (Inside,Outside) tcp interface www Server www netmask 255.255.255.255

access-group outside_access_in in interface Outside

access-group inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 *.*.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server AnyConnect protocol radius

aaa-server AnyConnect (Inside) host Server

key ************************

radius-common-pw **********************

http server enable

http 192.168.2.0 255.255.255.0 Inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Labels:
0 Helpful
4 Replies 4

Jithesh K Joy
Level 1
Level 1

‎01-30-2009 02:32 AM

Hi

Could you please rewrite your outside_access_in in the following way.

access-list outside_access_in extended permit tcp any host eq imap4

access-list outside_access_in extended permit tcp any host eq smtp

access-list outside_access_in extended permit tcp any host eq www

Please replace with your outside IP address

Hope this will solve the issue.

Regards

Jithesh

0 Helpful

Mo'ath Al Rawashdeh
Level 1
Level 1

‎01-30-2009 03:47 AM

Hi,

access-list outside_access_in extended permit tcp any interface Outside eq imap4

access-list outside_access_in extended permit tcp any interface Outside eq smtp

access-list outside_access_in extended permit tcp any interface Outside eq www

These access rules are allowing imap4, SMTP and HTTP access to the outside interface of the firewall. Why do you want to do this?

"interface Outside" needs to be replaced with the public IP addresses of the corresponding servers. For example, for assuming your webserver has 1.1.1.1 as its public IP, repalce "interface Outside" with "host 1.1.1.1"

And please do not forget to do the same for the other servers as well.

Cheers,

Muath

0 Helpful

energyservices
Level 1
Level 1

‎01-30-2009 09:03 AM

Thanks for help guys.

My web server doesn't have a public IP. I'm using NAT. This is the reason I'm using interface Outside as it is a public IP address.

I think what I'm missing is the statement when it says all http traffic should go to web server. Is that right?

0 Helpful

eddie.mitchell
Level 3
Level 3

‎01-30-2009 11:05 AM

Your posted configuration looks correct to me. Are you sure that 192.168.2.101 is the correct IP for your web server and it is listening on port 80?

I would try enabling the logging buffer and see if there are any messages being generated during inbound connection attempts.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card