ASA 5505 incoming traffic issue



Exclusive
06-19-08, 06:48 PM
I have an issue getting email through the Cisco ASA to our email server,
which is 10.100.50.172 255.255.0.0.
Everything else is working. We have internet. All outgoing traffic is
OK. Does anybody see what's wrong? Thanks,

ASA Version 8.0(2)
!
hostname RedRiverASA

names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.86.1 255.255.0.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.yyy.15.10 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name redriverfoods.com
object-group service VideoFlow
service-object tcp range 3230 3253
service-object tcp eq h323
service-object udp range 3230 3235
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!

no threat-detection basic-threat
no threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd3505f41995b9dba0c49b19e79760f5

swk
06-20-08, 02:37 PM
On Jun 19, 6:48 pm, Exclusive <kamen.ras...@gmail.com> wrote:
> I have an issue getting email through the Cisco ASA to our email server,
> which is 10.100.50.172 255.255.0.0.
> Everything else is working. We have internet. All outgoing traffic is
> OK. Does anybody see what's wrong? Thanks,


static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255

Exclusive
06-20-08, 04:30 PM
This works in this case, but I also need to open tcp 3230-3238 and udp
3230-3258 for video conferencing. How can I resolve this? Thanks for
the help!

swk
06-23-08, 09:24 AM
On Jun 20, 4:30 pm, Exclusive <kamen.ras...@gmail.com> wrote:
> This works in this case, but I also need to open tcp 3230-3238 and udp
> 3230-3258 for video conferencing. How can I resolve this? Thanks for
> the help!

It should be similar:

static (inside,outside) tcp interface 3230 10.100.50.172 3230 netmask 255.255.255.255

I am not sure you are able to port map by port range; the best way to
do this is to assign a global IP address and use static and access-list
to control the traffic flow.

Gary
06-23-08, 05:39 PM
swk wrote:
> I am not sure you are able to port map by port range, the best way to
> do this is to assign a global ip address and use static and access-list
> to control the traffic flow

object-group service polycom udp
port-object range 3230 3253
object-group service filemaker tcp
port-object range 5003 5003
object-group service jabber tcp-udp
port-object range 5222 5223

access-list outside_access_in extended permit tcp any host 12.110.110.204 object-group jabber
access-list outside_access_in extended permit udp any host 144.51.68.4 object-group jabber
access-list outside_access_in extended permit tcp any host 198.81.129.148 object-group filemaker
access-list outside_access_in extended permit udp host 12.110.110.204 host 198.81.129.148 object-group polycom

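As an added illustration (not code from anyone in this thread), here is a small Python checker that models how an outside ACL written in the style of Gary's reply decides inbound flows: the tcp 3230-3238 and udp 3230-3258 ranges live in port-object service groups referenced in the destination-port position of the ACE, which a single eq cannot express. It parses only the forms used in this thread; the sample configuration is constructed, with 203.0.113.10 standing in for the masked xxx.yyy.15.10 and 198.51.100.7 as a made-up outside client.

```python
import ipaddress
import re

# Only the port names, address forms and ACE shapes that appear in this thread are modelled.
NAMED = {"smtp": 25, "www": 80, "https": 443, "h323": 1720, "pptp": 1723}

def port(tok):
    return NAMED.get(tok) or int(tok)

ACE = re.compile(r"access-list (\S+) extended (permit|deny) (tcp|udp) "
                 r"(any|host \S+) (any|host \S+)(?: eq (\S+)| object-group (\S+))?$")
net = lambda spec: ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec.split()[1])

def parse_config(text):
    """Collect port-object service groups and extended ACEs from ASA 8.0-style text."""
    groups, acls, cur = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line):
            cur = groups.setdefault(m.group(1), [])
        elif line.startswith("port-object") and cur is not None:
            t = line.split()  # "port-object eq P" or "port-object range LO HI"
            cur.append((port(t[2]), port(t[-1])))
        elif m := ACE.match(line):
            name, action, proto, src, dst, eq, grp = m.groups()
            ports = [(port(eq), port(eq))] if eq else groups[grp] if grp else None
            acls.setdefault(name, []).append((action, proto, net(src), net(dst), ports))
    return groups, acls

def permitted(acl, proto, src, dst, dport):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, snet, dnet, ports in acl:  # first match wins
        if aproto == proto and src in snet and dst in dnet and (
                ports is None or any(lo <= dport <= hi for lo, hi in ports)):
            return action == "permit"
    return False  # no match: the implicit deny at the end of every ASA ACL

# Constructed sample in the style of Gary's reply; 203.0.113.10 stands in for xxx.yyy.15.10.
SAMPLE_CONFIG = """object-group service polycom udp
 port-object range 3230 3258
object-group service videoflow tcp
 port-object range 3230 3238
access-list out_in extended permit tcp any host 203.0.113.10 eq smtp
access-list out_in extended permit tcp any host 203.0.113.10 object-group videoflow
access-list out_in extended permit udp any host 203.0.113.10 object-group polycom
"""

def check(proto, dport, dst="203.0.113.10", src="198.51.100.7"):
    _, acls = parse_config(SAMPLE_CONFIG)
    return permitted(acls["out_in"], proto, src, dst, dport)
```

Running check("tcp", 3240) or check("udp", 3260) returns False because neither port falls inside its group's range, which is the kind of off-by-a-few gap worth verifying before trusting a range rule.
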
Exclusive
06-24-08, 12:28 AM
Can anybody now figure out why the port-mapped traffic like
(smtp, www, RDP) is not going to the server Zeus? I guess something is
wrong with the AAA access-list.
Thanks for the help!

hostname ASA

names
name 10.100.50.172 Zeus
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.86.1 255.255.0.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.yyy.15.10 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name foods.com
object-group service VDC
description Video Conferencing
service-object tcp source range 3230 3238 range 3230 3238
service-object tcp eq h323
service-object udp source range 3230 3258 range 3230 3258
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq 3389
access-list out_in extended permit object-group VDC any host xxx.yyy.15.10
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq 3389
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq smtp
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq www
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq pptp
access-list AAA extended permit object-group VDC host xxx.yyy.15.10 host 10.100.86.5
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) interface access-list AAA
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global