Internet access for LAN user through inside to outside

Navaz Wattoo
Level 1

Here I want to give internet access to my LAN users, who have subnet 172.16.20.0/24.

The inside firewall IP is 192.168.11.249/24

and the outside IP is 125.209.70.88/24.
I have also attached a diagram with the IPs.

Navaz
25 Replies

Add below access lists with whatever source and destination you need to restrict

access-list 102 extended permit tcp <source>  <destination>  eq 995

access-list 102 extended permit tcp <source>  <destination>  eq 465

access-list 102 extended permit tcp 172.16.20.0  117.102.8.90  eq 995

access-list 102 extended permit tcp 172.16.20.0  117.102.8.90  eq 465

I need to run Outlook for the LAN users with subnet 172.16.20.0/24. After that, do I apply

access-group 102 in interface inside ?

Navaz

access-list 102 extended permit tcp 172.16.20.0  255.255.255.0  117.102.8.90  eq 995

access-list 102 extended permit tcp 172.16.20.0  255.255.255.0 117.102.8.90  eq 465

access-group 102 in interface inside

Thanks Joshi

I applied this, but Outlook is not working.

I have attached the Outlook settings.

Navaz

I can only see the ports in your configuration. What incoming and outgoing mail server name/IP is configured in your Outlook? If it is a name and not an IP, how will the name resolution happen? Do you have an inside DNS server?


Thanks,

Prashant Joshi

Thanks Joshi

I have incoming server 174.142.165.146 and outgoing server 174.142.165.146.

These are outside, over the internet, not in our LAN network, and there is no DNS server.

Navaz

Hi,

Kindly provide me the output of the following:

 packet-tracer input inside tcp 172.16.20.10 5656 174.142.165.146 995 det

 packet-tracer input inside tcp 172.16.20.10 5656 174.142.165.146 465 det


Prashant Joshi

Please find attached the required file.


Navaz

You need to remove the NAT exempt below (it means that for all inside users the ASA will not perform NAT):

nat (inside) 0 0.0.0.0 0.0.0.0


If you need to perform NAT exemption, you need to be specific, like:

access-list nonat permit 10.10.10.0 255.255.255.0 11.11.11.0 255.255.255.0

nat (inside) 0  access-list nonat


Thanks,

Prashant Joshi


These are the NAT commands that I configured:

nat-control
global (Outside) 1 interface
nat (DMZ) 1 10.1.1.0 255.255.255.0
nat (inside) 0 access-list no-nat
static (DMZ,Outside) tcp interface www 10.1.1.254 www netmask 255.255.255.255 
static (DMZ,Outside) tcp interface https 10.1.1.254 https netmask 255.255.255.255 
static (DMZ,Outside) tcp interface 8888 10.1.1.245 8888 netmask 255.255.255.255 
static (DMZ,Outside) tcp interface pop3 10.1.1.254 pop3 netmask 255.255.255.255 
static (inside,DMZ) 10.1.1.0 192.168.11.0 netmask 255.255.255.0


Navaz

Add the NAT policy below for the inside users:

nat (inside) 1 172.16.20.0  255.255.255.0 


and if it doesn't work provide packet tracer output again.

Prashant Joshi
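A constructed Python model of the pre-8.3 ASA dynamic NAT lookup described in the last two replies, added here as an example and not part of the thread or of Cisco's code: it shows why a source under the blanket nat (inside) 0 0.0.0.0 0.0.0.0 rule leaves untranslated, and how nat (inside) 1 172.16.20.0 255.255.255.0 paired with global (Outside) 1 interface gets it PATed to the outside interface address. Helper names are hypothetical; ACL-based exemption and static NAT are left out of the model.

```python
"""Simplified model of the pre-8.3 ASA dynamic NAT lookup (constructed example,
not Cisco code): identity NAT via 'nat <if> 0 net mask', regular dynamic NAT via
'nat <if> id net mask' + 'global <if> id pool', and nat-control drops."""
import ipaddress

OUTSIDE_IF_IP = "125.209.70.88"  # outside interface address from the thread


def parse_nat(config):
    """Collect 'nat (iface) id net mask' and 'global (iface) id pool' lines."""
    nats, globals_ = [], {}
    for raw in config.strip().splitlines():
        f = raw.split()
        if f[0] == "global":
            globals_[(f[1].strip("()"), f[2])] = f[3]      # (iface, id) -> pool
        elif f[0] == "nat" and f[3] != "access-list":    # ACL-based nat 0 skipped
            net = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            nats.append((f[1].strip("()"), f[2], net))
    return nats, globals_


def translate(config, ingress, egress, src_ip, nat_control=True):
    """Return the source address as seen on egress, or 'DROP'."""
    nats, globals_ = parse_nat(config)
    src = ipaddress.ip_address(src_ip)
    # Regular dynamic NAT: best (longest-prefix) match among rules on ingress.
    matches = [(n.prefixlen, nid, n) for ifc, nid, n in nats
               if ifc == ingress and src in n]
    if not matches:
        return "DROP" if nat_control else src_ip  # nat-control: no xlate, drop
    _, nat_id, _ = max(matches)
    if nat_id == "0":
        return src_ip                     # identity NAT: private address leaks out
    pool = globals_.get((egress, nat_id))
    if pool is None:
        return "DROP"                     # nat id with no matching global
    return OUTSIDE_IF_IP if pool == "interface" else pool


# Constructed configs: the blanket exempt-everything rule, then with the fix.
BROKEN = """
global (Outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
"""
FIXED = BROKEN + "nat (inside) 1 172.16.20.0 255.255.255.0\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, translate(cfg, "inside", "Outside", "172.16.20.10"))
```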
