02.22.2008 at 12:04PM PST, ID: 23185673

Cisco ASA 5505: Problem blocking SMTP connections from inside machines.

Asked by pwambach in Enterprise Firewalls

I am trying to block local machines other than my Exchange server from being able to create SMTP connections to email servers outside my network. I think the problem has to do with the ACLs or the access-group settings. Do most people use both inbound and outbound rules for each interface, or do they use just the inbound ACLs only?

I have attached my running config below with the sensitive info commented out. Please let me know what I need to change:
: Saved
:
ASA Version 8.0(2)
!
hostname asa5505
domain-name XXXXXX.com
enable password LdC8dfx4ddJjwO0AHcm encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.128.1 255.255.255.0
!
interface Vlan2
 mac-address 0016.b64d.9b2f
 nameif outside
 security-level 0
 ip address XX.YY.93.26 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd LdCddr8fx4JjwOddf0AHcm encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone MST -7
dns server-group DefaultDNS
 domain-name XXXXX.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service SmallBizServer tcp
 port-object eq ftp
 port-object eq pop3
 port-object eq smtp
 port-object eq www
 port-object eq https
 port-object eq pptp
object-group network XXXXXPhoenix
 network-object 192.168.128.0 255.255.255.0
object-group network Internet
 network-object 0.0.0.0 0.0.0.0
object-group network OutsideICI
 network-object 10.0.2.0 255.255.255.0
 network-object 192.168.0.0 255.255.255.0
object-group service XXXXXServer tcp
 group-object SmallBizServer
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.112.0 255.255.255.0
 network-object XX.YY.93.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.112.0 255.255.255.0
 network-object XX.YY.93.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 192.168.112.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.112.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0
access-list inside_access_in extended permit tcp any host 192.168.128.4 object-group SmallBizServer
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit icmp any any
access-list outside_access_out extended permit tcp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_out extended permit udp any any
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp host 192.168.128.31 any eq smtp
access-list inside_access_out extended permit tcp host 192.168.128.4 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list inside_access_out extended permit esp any any
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit gre any any
access-list outside_access_in extended permit tcp any host XX.YY.93.26 object-group SmallBizServer
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp host Patrick_Wambach host XX.YY.93.26 echo
access-list outside_access_in extended permit icmp any any
access-list outside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_2 192.168.128.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.128.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip XX.YY.93.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list inside_nat0_outbound extended permit ip 192.168.112.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_3 XX.YY.93.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.128.0 255.255.255.0 192.168.112.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.128.64 255.255.255.192
access-list inside_nat0_outbound_1 extended permit ip 192.168.128.0 255.255.255.0 192.168.128.64 255.255.255.192
access-list outside_cryptomap extended permit ip 192.168.128.0 255.255.255.0 192.168.112.0 255.255.255.0
access-list outside_cryptomap extended permit icmp 192.168.128.0 255.255.255.0 192.168.112.0 255.255.255.0
access-list XXXXXvpn_splitTunnelAcl standard permit any
access-list XXXXXYYYYYY_splitTunnelAcl standard permit 192.168.128.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 200
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool XXXXX 192.168.128.95-192.168.128.100 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (outside) 0 access-list outside_nat0_outbound
nat (outside) 0 access-list outside_nat0_outbound_1 outside
static (inside,outside) interface 192.168.128.4 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 XX.YY.93.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server XXXXX protocol nt
aaa-server XXXXX host 192.168.128.4
 timeout 5
 nt-auth-domain-controller XXXXX1
http server enable 65000
http 192.168.128.5 255.255.255.255 inside
http 192.168.128.4 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set pfs group1
crypto map outside_map2 1 set peer 75.58.168.201
crypto map outside_map2 1 set transform-set ESP-DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
group-policy XXXXXYYYYYY internal
group-policy XXXXXYYYYYY attributes
 wins-server value 192.168.128.4
 dns-server value 192.168.128.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXXYYYYYY_splitTunnelAcl
 default-domain value XXXXXp.local
group-policy XXXXXvpn internal
group-policy XXXXXvpn attributes
 wins-server value 192.168.128.4
 dns-server value 192.168.128.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXXXvpn_splitTunnelAcl
 default-domain value XXXXXp.local
username admin password kVT4EyerfDUp2PeeUS03r encrypted privilege 15
username pwambach password UkMasLCJJnfvdewn9mfdwQ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 dhcp-server 192.168.128.4
tunnel-group 75.58.168.201 type ipsec-l2l
tunnel-group 75.58.168.201 ipsec-attributes
 pre-shared-key *
tunnel-group XXXXXvpn type remote-access
tunnel-group XXXXXvpn general-attributes
 address-pool XXXXX
 authentication-server-group XXXXX
 default-group-policy XXXXXvpn
 dhcp-server 192.168.128.4
tunnel-group XXXXXvpn ipsec-attributes
 pre-shared-key *
tunnel-group XXXXXvpn2 type remote-access
tunnel-group XXXXXvpn2 general-attributes
 address-pool XXXXX
 authentication-server-group XXXXX
 authentication-server-group (inside) XXXXX
 default-group-policy XXXXXvpn
 dhcp-server 192.168.128.4
tunnel-group XXXXXvpn2 ipsec-attributes
 pre-shared-key *
tunnel-group XXXXXYYYYYY type remote-access
tunnel-group XXXXXYYYYYY general-attributes
 address-pool XXXXX
 authentication-server-group XXXXX
 default-group-policy XXXXXYYYYYY
tunnel-group XXXXXYYYYYY ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:47323740a02964e70dd8a00f21269365
: end
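
The detail in the config that explains the symptom is the direction each ACL is bound in. "access-group ... in interface inside" filters traffic arriving at the ASA from inside hosts; "access-group ... out interface inside" filters traffic the ASA sends out of the inside interface, that is, traffic going toward inside hosts. An inside workstation opening SMTP to an Internet mail server is therefore checked by inside_access_in, where the third entry (permit tcp any any) matches first, and then by outside_access_out (permit ip any any). inside_access_out, which holds the deny tcp any any eq smtp, is never consulted for that flow. ASA ACLs are first-match with an implicit deny at the end, so the two SMTP permits and the deny need to sit in inside_access_in ahead of permit tcp any any; a single inbound ACL per interface is the usual way to run an ASA, and no "out" ACL is needed for this. The script below is an added example written for this page, not the asker's config, the expert's answer, or a Cisco tool. It parses the lines of the posted config that decide inside-to-Internet SMTP plus a corrected version of them, then evaluates a constructed flow (192.168.128.50 to 203.0.113.25 port 25; both hosts are assumptions) through the ACLs in the order the ASA applies them. Only the syntax those lines use is parsed, source ports are ignored, NAT and security-level defaults are not modelled, and the gre, icmp and esp permits from the page are left out of the sample (on the real box they keep their place after the deny). All names in the script are mine.

```python
# Minimal model of Cisco ASA first-match extended-ACL evaluation (constructed example for this
# page, not a Cisco tool): only the syntax the posted config uses is parsed.
import ipaddress

PORTS = {"ftp": 21, "smtp": 25, "pop3": 110, "www": 80, "https": 443, "pptp": 1723}

# The object-group and the ACL/access-group lines from the question that decide inside->Internet SMTP.
OBJECTS = """
object-group service SmallBizServer tcp
 port-object eq ftp
 port-object eq pop3
 port-object eq smtp
 port-object eq www
 port-object eq https
 port-object eq pptp
"""
ORIGINAL = OBJECTS + """
access-list inside_access_in extended permit tcp any host 192.168.128.4 object-group SmallBizServer
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_out extended permit tcp host 192.168.128.31 any eq smtp
access-list inside_access_out extended permit tcp host 192.168.128.4 any eq smtp
access-list inside_access_out extended deny tcp any any eq smtp
access-list outside_access_out extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_out out interface outside
"""
# Proposed correction (my suggestion, not from the page): the SMTP rules move into the ACL
# applied "in" on inside, ahead of "permit tcp any any"; no "out" ACLs are bound.
FIXED = OBJECTS + """
access-list inside_access_in extended permit tcp any host 192.168.128.4 object-group SmallBizServer
access-list inside_access_in extended permit tcp host 192.168.128.31 any eq smtp
access-list inside_access_in extended permit tcp host 192.168.128.4 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-group inside_access_in in interface inside
"""

def _addr(t, i):                    # any | host A | "A MASK" at t[i] -> (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def _ports(t, i, groups):           # eq P | object-group G | absent -> (port set or None, next index)
    if i < len(t) and t[i] == "eq":
        return {PORTS.get(t[i + 1]) or int(t[i + 1])}, i + 2
    if i < len(t) and t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    return None, i

def parse(text):
    groups, acls, bindings, cur = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith(" "):                          # " port-object eq smtp"
            groups[cur].add(PORTS[t[2]])
        elif t[0] == "object-group":                      # "object-group service NAME tcp"
            cur, groups[t[2]] = t[2], set()
        elif t[0] == "access-list":                       # "access-list NAME extended ACTION PROTO ..."
            a = t[3:]
            src, i = _addr(a, 2)
            _, i = _ports(a, i, groups)                   # source-port qualifier, ignored here
            dst, i = _addr(a, i)
            acls.setdefault(t[1], []).append((a[0], a[1], src, dst, _ports(a, i, groups)[0]))
        elif t[0] == "access-group":                      # "access-group NAME in|out interface IF"
            bindings[(t[4], t[2])] = t[1]
    return acls, bindings           # {acl: [(action, proto, src, dst, dports)]}, {(iface, dir): acl}

def first_match(acl, flow):
    """ASA ACLs are first-match; an ACL that is applied ends with an implicit deny."""
    src, dst, proto, dport = flow
    for n, (action, p, s, d, ports) in enumerate(acl, 1):
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and (ports is None or dport in ports)):
            return action, n
    return "deny", None

def evaluate(config_text, ingress, egress, flow):
    """Ingress interface's "in" ACL, then egress interface's "out" ACL; the ingress "out" ACL is skipped."""
    acls, bindings = parse(config_text)
    trace = []
    for iface, direction in ((ingress, "in"), (egress, "out")):
        name = bindings.get((iface, direction))
        if name is None:
            continue                                      # nothing bound in that direction
        action, n = first_match(acls[name], flow)
        trace.append(f"{name} ({direction} {iface}): {action}" + (f" (ACE {n})" if n else " (implicit deny)"))
        if action == "deny":
            return "deny", trace
    return "permit", trace

WORKSTATION_SMTP = ("192.168.128.50", "203.0.113.25", "tcp", 25)   # constructed inside host -> Internet MX

if __name__ == "__main__":
    print(evaluate(ORIGINAL, "inside", "outside", WORKSTATION_SMTP), evaluate(FIXED, "inside", "outside", WORKSTATION_SMTP))
```

Running it shows the workstation's SMTP connection permitted under the original ACLs (inside_access_in ACE 3, then outside_access_out ACE 1, with inside_access_out never in the trace) and denied by ACE 4 of the corrected inside_access_in, while the two mail hosts and non-SMTP traffic still pass. On the ASA itself the equivalent check is packet-tracer input inside tcp 192.168.128.50 1025 203.0.113.25 25, which reports the ACL entry that decided the flow. Because new access-list entries append to the end of an ACL, inserting the three SMTP lines ahead of permit tcp any any on the box means using the line keyword (access-list inside_access_in line 2 extended permit tcp host 192.168.128.31 any eq smtp, and so on) or rebuilding the ACL in the right order.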

02.22.2008 at 12:38PM PST, ID: 20961178


About this solution

Zone: Enterprise Firewalls
Tags: Cisco, ASA, 5505
Solution Provided By: Aarondbv
Participating Experts: 1
Solution Grade: A
 
 
02.22.2008 at 12:52PM PST, ID: 20961318
