Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

help needed Cisco asa 5505

I get the message trying to access owa on a Small Business server 2011:

TCP access denied by ACL from 86.xx.xx.xx/28860 to outside 62.xx.xx.xx/443

I am not (yet) an experienced user. Can somebody give me a hint?

Below the config

Thanks!

: Saved

:

ASA Version 8.3(1)

!

hostname asa2

enable password i9.yhWTfK7AnxZ5r encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.131.8 sbs

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.131.152 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.5 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.131.128_25

subnet 192.168.131.128 255.255.255.128

object network exchange

host 192.168.131.8

object service https

service tcp source eq https destination eq https

object-group service owa tcp

port-object eq https

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit object https any interface outside

access-list outside_access_in extended permit tcp any interface outside eq smtp

access-list outside_access_in remark Allow SMTP traffic

access-list outside_access_in remark Allow SSL-OWA-RWA Traffic

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Allow SharePoint traffic

access-list outside_access_in extended permit tcp any interface outside eq 987

access-list inside_access_out extended permit ip any any

access-list global_access extended permit ip any any inactive

access-list inside_access_in extended permit ip any any

access-list outside_access_out extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool mediostpool 192.168.131.180-192.168.131.199 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network exchange

nat (inside,outside) static interface service tcp https https

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.131.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto  dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.131.156-192.168.131.187 inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy mediostvpn internal

group-policy mediostvpn attributes

vpn-tunnel-protocol IPSec

username Anton password jRVOT3qxuT/xdrp5 encrypted privilege 0

username Anton attributes

vpn-group-policy vpn

tunnel-group vpn type remote-access

tunnel-group vpn general-attributes

address-pool pool

default-group-policy vpn

tunnel-group vpn ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:6f543b73d5b1a3c82e794f228364edd0

: end

asdm location sbs 255.255.255.255 inside

no asdm history enable

1 ACCEPTED SOLUTION

Accepted Solutions

help needed Cisco asa 5505

Hi there,

If your SBS's default-gateway address is: 192.168.131.8, then any internet traffic coming in to SBS server will be sent to its default-gateway, i.e. 192.168.131.8, therefore you must change its default-gateway to ASA2's

If ASA2's outside interface is connected to Cisco878 router (I assume Cisco878 is routing), then you must create a static nat on your Cisco878 router as well, otherwise change your Cisco878 router and replace with Zyxel-modem instead, which will ease up your administration.

thanks

Rizwan Rafeek

11 REPLIES

Re: help needed Cisco asa 5505

Please remove these highlighted lines, because ASA version 8.3 does not use public address on the acl, but rather real-ip for static nat.

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit object https any interface outside

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in extended permit tcp any interface outside eq 987

Now please copy this instead.

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq https

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq smtp

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq 987

object network exchange

nat (inside,outside) static interface service tcp https https

And you do same static-nat for other services you want to static nat to, for their respective ports.

Hope that helps.

thanks

Rizwan Rafeek

Community Member

help needed Cisco asa 5505

Hi, I followed your instructions but it does not make a difference. Still get

TCP access denied by ACL from 86.xx.xx.xx/25434 to outside 62.xx.xx.xx/443

Any suggestions left? Below the config which is active now (to make sure that i did not make a mistake following your instructions)

Thanks!

: Saved

:

ASA Version 8.3(1)

!

hostname asa2

enable password i9.yhWTfK7AnxZ5r encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.131.8 sbs

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.131.152 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.5 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.131.128_25

subnet 192.168.131.128 255.255.255.128

object network exchange

host 192.168.131.8

object service https

service tcp source eq https destination eq https

object-group service owa tcp

port-object eq https

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq https

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq smtp

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq 987

access-list inside_access_out extended permit ip any any

access-list global_access extended permit ip any any inactive

access-list inside_access_in extended permit ip any any

access-list outside_access_out extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool mediostpool 192.168.131.180-192.168.131.199 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network exchange

nat (inside,outside) static interface service tcp https https

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.131.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.131.156-192.168.131.187 inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy vpn internal

group-policy vpn attributes

vpn-tunnel-protocol IPSec

username Anton password jRVOT3qxuT/xdrp5 encrypted privilege 0

username Anton attributes

vpn-group-policy vpn

tunnel-group vpn type remote-access

tunnel-group vpn general-attributes

address-pool pool

default-group-policy vpn

tunnel-group vpn ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:53e129163a76121621f3ecb761a94331

: end

asdm location sbs 255.255.255.255 inside

no asdm history enable

Community Member

help needed Cisco asa 5505

Sorry i found what was wrong the NAT sequence (i think an beginner mistake ).

Now i get:

Teardown TCP connection 75321 for outside:xx.xx.xx.218/25990 to inside:sbs/443 duration 0:00:30 bytes 0 SYN Timeout

and i am not getting the OWA inlogscreen.... Any suggestions left.

Re: help needed Cisco asa 5505

Hi

Please remove this highlighted line, as it overlaps.

nat (inside,outside) source dynamic any interface

the above overlaps with below.

object network obj_any

   subnet 0.0.0.0 0.0.0.0

   nat (inside,outside) dynamic interface

Please remove this highlighted line below, as it defeats the purpose of the firewall.

access-list outside_access_in extended permit ip any any

Please copy the static nat below for smtp traffic and http, https 

object network exchange

nat (inside,outside) static interface service tcp https https

object network exchange

nat (inside,outside) static interface service tcp http http

object network exchange

nat (inside,outside) static interface service tcp smtp smtp

FYI...

You do not need these lines at all.

access-group outside_access_out out interface outside

access-group inside_access_out out interface inside

Please follow the link below, if you like to reference Cisco doc.

https://supportforums.cisco.com/docs/DOC-9129

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Let me know, if this helps.

thakns

Community Member

help needed Cisco asa 5505

Hi Rizwan,

I added this NAT rule

object network server2

host 192.168.131.8

nat (inside,outside) static interface service tcp 443 443

and try to cleanup the code.

But i still get the

Teardown TCP connection 81475 for outside:xx.xx.x.xx5/38666 to inside:192.168.131.8/443 duration 0:00:30 bytes 0 SYN Timeout

Could it be the reason that i have 2 asa's in the network and that the small business server not have this asa as standard gateway?

Thanks!

For your info the code below

: Saved
:
ASA Version 8.3(1)
!
hostname asa2
enable password i9.yhWTfK7AnxZ5r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.131.152 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.5 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.131.128_25
subnet 192.168.131.128 255.255.255.128
object service https
service tcp source eq https destination eq https
object network server
host 192.168.181.8
object network server2
host 192.168.131.8
object-group service owa tcp
port-object eq https
access-list outside_access_in extended permit tcp any object server2 eq https
access-list outside_access_in extended permit tcp any object server2 eq smtp
access-list outside_access_in extended permit tcp any object server2 eq 987
access-list inside_access_out extended permit ip any any
access-list global_access extended permit ip any any inactive
access-list inside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 192.168.131.180-192.168.131.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network server2
nat (inside,outside) static interface service tcp https https
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.131.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.131.156-192.168.131.187 inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
username Anton password jRVOT3qxuT/xdrp5 encrypted privilege 0
username Anton attributes
vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:490c669c4f87ad54edd0c4da0170d052
: end
no asdm history enable

object network server
host 192.168.181.8
nat (inside,outside) static interface service tcp 443 443

Re: help needed Cisco asa 5505

"Could  it be the reason that i have 2 asa's in the network and that the  small  business server not have this asa as standard gateway?"

In a large enterprise environment, no devices (i.e. servers) use firewall as a default-gateway address, as long as inter-vlan traffic is routed by a layer3 switch or router.

Please post a diagram of your physical connection and the devices in between and device type (i.e. layer2 or layer3) and default gateway pointed on devices (switches) and servers.

For third time I am telling you do not need these lines at all.

access-group outside_access_out out interface outside

access-group inside_access_out out interface inside

thanks.

Community Member

help needed Cisco asa 5505

Hi Rizwan,

It is just for a small company having currently 2 internetlines. The second asa (asa2) is added to the network and that is the one i am trying to configure. When all items working smootly the asa1 will be deleted from the network. See the network schema attached.

help needed Cisco asa 5505

Hi there,

If your SBS's default-gateway address is: 192.168.131.8, then any internet traffic coming in to SBS server will be sent to its default-gateway, i.e. 192.168.131.8, therefore you must change its default-gateway to ASA2's

If ASA2's outside interface is connected to Cisco878 router (I assume Cisco878 is routing), then you must create a static nat on your Cisco878 router as well, otherwise change your Cisco878 router and replace with Zyxel-modem instead, which will ease up your administration.

thanks

Rizwan Rafeek

Community Member

help needed Cisco asa 5505

Thank you Rizwan. I will change the default gateway tommorrow and let you know if it worked out.

Regards,


Arnold

Re: help needed Cisco asa 5505

Hi Arnold,

Please update the thread, in any case if this issue has been resolved please rate helpful post.

thanks

Rizwan Rafeek

Community Member

Re: help needed Cisco asa 5505

Hi Rizwan,

I checked it yesterday evening and changing the default gateway solved the problem. Thanks for your help and patience!

regards,

2651
Views
0
Helpful
11
Replies
CreatePlease to create content