Question

Configuring a Cisco ASA 5510

Asked by: MKSKCS

I am completely frustrated with this setup.  I've configured an ASA5510 (I've attached the running config below) to take the place of a Netscreen 25 that's currently in place.  They are running consecutively now.  When I unplug the Netscreen and change the outside and inside interface of the ASA to have the IP addresses that the Netscreen has, I lose all connectivity to the internet.  I've tried flushing the DNS, powering the Cisco 1700 and Motorola off and powering everything back on.  I'm also attaching the log of events that takes place after the switch is done.  The log is from the ASA.  Just to be clear, when the ASA is plugged in, I lose all connection to the internet and no computers on the LAN / WAN can communicate with the mail server.  Help!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxxxxxxxxxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 08_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 03_LAN
name 172.18.32.0 12_LAN
name 172.18.26.0 06_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 05_LAN
name 172.18.23.0 01_LAN
name 172.18.28.0 07_LAN
name 172.18.23.222 MAIL description Exchange 2003 Server
name 172.18.33.0 13_LAN
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif Inside2
 security-level 0
 no ip address
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.xxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
 port-object range 2360 2363
object-group service 53 tcp
 port-object range 1996 1996
object-group service TerminalServices tcp
 port-object range 3388 3389
object-group network MB_WAN
 network-object 01_LAN 255.255.255.0
 network-object 02_LAN 255.255.255.0
 network-object 03_LAN 255.255.255.0
 network-object 06_LAN 255.255.255.0
 network-object 05_LAN 255.255.255.0
 network-object 07_LAN 255.255.255.0
 network-object 08_LAN 255.255.255.0
 network-object 11_LAN 255.255.255.0
 network-object 12_LAN 255.255.255.0
 network-object 04_LAN 255.255.255.0
 network-object 13_LAN 255.255.255.0
 network-object host MAIL
object-group network CHECK_LAN
 network-object CHECK_1 255.255.255.0
 network-object CHECK_2 255.255.255.240
object-group network FDLN
 description FDLN - 4 Addresses
 network-object host 12.129.xxx.103
 network-object host 206.16.xxx.211
 network-object host 63.240.xxx.101
 network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FDLN
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53 any object-group 53
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp object-group FDLN object-group MB_WAN log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.77 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.77 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq www log
access-list ACL_IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Inside2 1500
mtu management 1500
icmp deny any Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.77 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside 03_LAN 255.255.255.0 172.18.23.240 1
route Inside 06_LAN 255.255.255.0 172.18.23.240 1
route Inside 05_LAN 255.255.255.0 172.18.23.240 1
route Inside 07_LAN 255.255.255.0 172.18.23.240 1
route Inside 08_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside 12_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
route Inside 13_LAN 255.255.255.0 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 01_LAN 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:0c2ef9e0e604a02608a4433bf046eef2
: end



Here's PART of the log...it was lengthy so I'm just posting a few lines...

4|Nov 25 2006|17:36:26|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|302020|172.18.24.10|10.55.56.100|Built ICMP connection for faddr 172.18.24.10/59212 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:25|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK  on interface Inside
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK  on interface Inside
6|Nov 25 2006|17:36:24|302015|172.18.29.251|10.55.56.103|Built inbound UDP connection 12356 for Inside:172.18.29.251/4075 (172.18.29.251/4075) to Outside:10.55.56.103/53 (10.55.56.103/53)
6|Nov 25 2006|17:36:23|302021|172.18.24.4|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:23|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
4|Nov 25 2006|17:36:22|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:22|302016|172.18.23.200|193.0.14.129|Teardown UDP connection 12248 for Inside:172.18.23.200/1092 to Outside:193.0.14.129/53 duration 0:02:02 bytes 45
6|Nov 25 2006|17:36:21|302020|172.18.24.4|10.55.56.100|Built ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.24.3|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:19|302021|172.18.23.186|12.129.203.103|Teardown ICMP connection for faddr 172.18.23.186/7476 gaddr 12.129.203.103/0 laddr 12.129.203.103/0
6|Nov 25 2006|17:36:19|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK  on interface Inside
6|Nov 25 2006|17:36:18|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK  on interface Inside
6|Nov 25 2006|17:36:18|302020|172.18.24.3|10.55.56.100|Built ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:18|302020|172.18.23.200|74.231.xxx.77|Built ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:18|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512



Circuit--Cisco1700--Switch1--------------Switch2-------------------Switch3----------------Hub
                                |   |                           |                                |                           | |
                 NS Untrust   Outside ASA          Inside ASA         Exchange           NS Trust         Web Filter Machine
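An added example, not part of the original post: it parses the pipe-delimited ASA log export quoted above (severity|date|time|msgid|src|dst|message) and summarises which access-group is denying what, which hosts are getting "no connection" drops, and, as a heuristic, address/interface pairings that usually point at a NAT or cabling direction problem. The sample lines and the NAMES table are constructed to mirror the posted log, with 203.0.113.70 standing in for the masked address 74.231.xxx.70.

```python
"""Summarise the pipe-delimited ASA log export quoted in this thread.

Added example, not the asker's or the experts' code. The field layout
(severity|date|time|msgid|src|dst|message) is taken from the posted lines;
the sample lines are constructed to mirror them, with 203.0.113.70
standing in for the masked outside address 74.231.xxx.70.
"""
import ipaddress
import re
from collections import Counter

# Aliases the ASA substitutes into log text (taken from the posted 'names' table).
NAMES = {"MAIL": "172.18.23.222"}

# Constructed sample, modelled line for line on the posted export.
SAMPLE_LOG = """\
4|Nov 25 2006|17:36:26|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK  on interface Inside
6|Nov 25 2006|17:36:24|302015|172.18.29.251|10.55.56.103|Built inbound UDP connection 12356 for Inside:172.18.29.251/4075 (172.18.29.251/4075) to Outside:10.55.56.103/53 (10.55.56.103/53)
4|Nov 29 2006|09:37:01|106023|209.200.63.68|203.0.113.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:203.0.113.70/1691 by access-group "Outside_access_in" [0x0, 0x0]
"""

# %ASA-4-106023: packet dropped by an access-group bound to an interface
ACL_DENY_RE = re.compile(
    r'Deny (\w+) src (\w+):(\S+)/(\d+) dst (\w+):(\S+)/(\d+) by access-group "([^"]+)"')
# %ASA-6-106015: TCP packet that matches no existing connection
NO_CONN_RE = re.compile(
    r"Deny TCP \(no connection\) from (\S+)/(\d+) to (\S+)/(\d+) flags (.*?)\s+on interface (\w+)")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(token):
    """Map a 'names' alias back to its address; dotted quads pass through."""
    return ipaddress.ip_address(NAMES.get(token, token))


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Split one export line into a dict and decode the two deny message types."""
    sev, date, time, msgid, src, dst, msg = line.split("|", 6)
    rec = {"severity": int(sev), "when": f"{date} {time}", "msgid": msgid, "msg": msg}
    if msgid == "106023" and (m := ACL_DENY_RE.search(msg)):
        rec.update(kind="acl_deny", proto=m[1], src_ifc=m[2], src=resolve(m[3]),
                   sport=int(m[4]), dst_ifc=m[5], dst=resolve(m[6]), dport=int(m[7]), acl=m[8])
    elif msgid == "106015" and (m := NO_CONN_RE.search(msg)):
        rec.update(kind="no_conn", src=resolve(m[1]), sport=int(m[2]), dst=resolve(m[3]),
                   dport=int(m[4]), flags=m[5], ifc=m[6])
    else:
        rec["kind"] = "other"
    return rec


def summarise(text):
    """Count ACL denies per (acl, ingress, egress, dst port) and 'no connection'
    drops per (dst, port). As a heuristic, flag a public source seen on Inside or
    a private destination seen on Outside: both usually mean the static/NAT
    direction or the interface cabling is the wrong way round."""
    acl_denies, no_conn, anomalies = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec["kind"] == "acl_deny":
            acl_denies[(rec["acl"], rec["src_ifc"], rec["dst_ifc"], rec["dport"])] += 1
            if rec["src_ifc"] == "Inside" and not is_rfc1918(rec["src"]):
                anomalies.append(f"{rec['when']}: public source {rec['src']} seen on Inside")
            if rec["dst_ifc"] == "Outside" and is_rfc1918(rec["dst"]):
                anomalies.append(f"{rec['when']}: private destination {rec['dst']} seen on Outside")
        elif rec["kind"] == "no_conn":
            no_conn[(str(rec["dst"]), rec["dport"])] += 1
    return {"acl_denies": acl_denies, "no_conn": no_conn, "anomalies": anomalies}


if __name__ == "__main__":
    for key, val in summarise(SAMPLE_LOG).items():
        print(key, dict(val) if isinstance(val, Counter) else val)
```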


Asked on 2006-11-27 at 08:53:33 (ID 22073521)
Tags: asa, cisco, 5510
Topics: Network Software Firewalls, Enterprise Firewalls
Participating Experts: 7 | Points: 500 | Comments: 80


Answers

 

by: rsivanandan, posted on 2006-11-27 at 09:48:41, ID: 18021009

You don't seem to have the nat statements?

nat(inside) 1 0.0.0.0 0.0.0.0
global(outside) 1 interface

Add these 2 lines and see if it helps.

Cheers,
Rajesh
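A checker for the nat/global pairing this answer asks for, written as an added example (not the asker's or the experts' code). It also checks the argument order of the static for the mail server and the Inside security level; those two checks go beyond this answer and rest on the ASA 7.x syntax `static (real_ifc,mapped_ifc) mapped_ip real_ip`. The embedded excerpt is constructed from the first posted config, with 203.0.113.77 standing in for the masked address 74.231.xxx.77.

```python
"""Check the ASA 7.x nat/global/static lines this thread turns on.

Added example, not code from the asker or the experts. It assumes the
ASA 7.x classic NAT grammar:
    nat (real_ifc) id real_net mask   pairs with   global (mapped_ifc) id {interface|pool}
    static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask m]
The sample is a constructed excerpt modelled on the first posted config,
with 203.0.113.77 standing in for the masked public address 74.231.xxx.77.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
names
name 172.18.23.222 MAIL description Exchange 2003 Server
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 0
interface Management0/0
 nameif management
 security-level 100
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 203.0.113.77 netmask 255.255.255.255 dns
"""

# The same excerpt with the two nat/global lines from the answer, a conventional
# Inside security level, and the static written real-side first.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " nameif Inside\n security-level 0", " nameif Inside\n security-level 100").replace(
    "nat (management) 0 0.0.0.0 0.0.0.0",
    "global (Outside) 1 interface\nnat (Inside) 1 0.0.0.0 0.0.0.0\nnat (management) 0 0.0.0.0 0.0.0.0").replace(
    "static (Outside,Inside) MAIL 203.0.113.77", "static (Inside,Outside) 203.0.113.77 MAIL")

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_config(text):
    """Collect interface security levels, the names table, nat/global ids per
    interface, the nat-control flag and every static entry."""
    cfg = {"ifaces": {}, "names": {}, "nat": defaultdict(set),
           "global": defaultdict(set), "static": [], "nat_control": False}
    ifc = None
    for line in text.splitlines():
        if line.startswith(" nameif "):
            ifc = line.split()[1]
            cfg["ifaces"].setdefault(ifc, 0)
        elif line.startswith(" security-level ") and ifc:
            cfg["ifaces"][ifc] = int(line.split()[1])
        elif line.startswith("name "):            # 'name <ip> <alias> ...'
            _, ip, alias = line.split()[:3]
            cfg["names"][alias] = ip
        elif line == "nat-control":
            cfg["nat_control"] = True
        elif m := NAT_RE.match(line):
            cfg["nat"][m[1]].add(int(m[2]))
        elif m := GLOBAL_RE.match(line):
            cfg["global"][m[1]].add(int(m[2]))
        elif m := STATIC_RE.match(line):
            cfg["static"].append(dict(zip(("real_ifc", "mapped_ifc", "mapped_ip", "real_ip"), m.groups())))
    return cfg


def is_private(cfg, token):
    """Resolve a names alias or dotted quad and test it against RFC 1918 space."""
    addr = ipaddress.ip_address(cfg["names"].get(token, token))
    return any(addr in net for net in RFC1918)


def check(cfg):
    """Return (code, detail) findings; an empty list means the checks pass."""
    findings = []
    if cfg["nat_control"]:
        # Under nat-control a host may only open a connection through the ASA if
        # some nat or static covers it; interfaces carrying a global are the
        # mapped side and are skipped.
        for ifc in cfg["ifaces"]:
            covered = ifc in cfg["nat"] or any(s["real_ifc"] == ifc for s in cfg["static"])
            if not covered and ifc not in cfg["global"]:
                findings.append(("NO_NAT", f"nat-control is on but {ifc} has no nat or static"))
    for ifc, ids in cfg["nat"].items():
        for nat_id in ids:                        # id 0 is identity NAT and needs no global
            if nat_id and not any(nat_id in g for g in cfg["global"].values()):
                findings.append(("NO_GLOBAL", f"nat ({ifc}) {nat_id} has no matching global"))
    for s in cfg["static"]:
        # A public real address mapped to a private address is the reverse of the
        # usual publish-a-server static; suggest the swapped form.
        if not is_private(cfg, s["real_ip"]) and is_private(cfg, s["mapped_ip"]):
            findings.append(("STATIC_REVERSED",
                             f"static ({s['real_ifc']},{s['mapped_ifc']}) {s['mapped_ip']} {s['real_ip']} "
                             f"-> expected static ({s['mapped_ifc']},{s['real_ifc']}) {s['real_ip']} {s['mapped_ip']}"))
    lv = cfg["ifaces"]
    if all(k in lv for k in ("Inside", "Outside")) and lv["Inside"] <= lv["Outside"]:
        findings.append(("SECURITY_LEVEL", "Inside security-level is not higher than Outside"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(parse_config(text)) or "no findings")
```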

 

by: MKSKCS, posted on 2006-11-27 at 10:38:15, ID: 18021413

Can you tell me what the actual commands are for the CLI?

 

by: rsivanandan, posted on 2006-11-27 at 18:15:31, ID: 18024684

The above-mentioned 2 lines are the exact CLI commands that you could enter on the device console/telnet.

Cheers,
Rajesh

 

by: batry_boy, posted on 2006-11-27 at 19:45:43, ID: 18025218

Make sure you put a space between the "nat" command and the "(inside)" parameter.  Same goes for the "global" command and the "(outside)" parameter.

 

by: MKSKCS, posted on 2006-11-28 at 11:51:55, ID: 18030830

Ok, that didn't work.  Still takes the internet down instantaneously.

 

by: batry_boy, posted on 2006-11-28 at 12:08:23, ID: 18030963

When you swap out the firewalls and perform the connectivity test, have you tried clearing the ARP cache on both the edge device and the ASA? The command "clear arp" will do it on each.

 

by: MKSKCS, posted on 2006-11-28 at 12:45:01, ID: 18031246

Yes, I've tried that as well as powering the NS off completely and restarting the 2 routers.  I've also tried clearing the cache on the DNS server.  It's obviously very frustrating.

 

by: batry_boy, posted on 2006-11-28 at 13:11:26, ID: 18031444

When you have the ASA in place, can you ping a public IP address?  Say 4.2.2.2 or whatever.  Does that work?  I'm trying to determine if the disconnect is between the PIX and outside someplace or if the disconnect is traffic through the PIX itself...

 

by: MKSKCS, posted on 2006-11-28 at 13:42:56, ID: 18031802

I'd have to try it again now that I made the NAT change, but yesterday, no, I couldn't ping anything outside.  I think, based on the log, the disconnect is in the ASA.  But that's just my thoughts.

 

by: batry_boy, posted on 2006-11-28 at 14:01:03, ID: 18032077

I'm sorry, I meant to specify that you ping FROM the ASA to a public IP address...have you tried that?  We need to see if outside connectivity is there or not purely from the perspective of the ASA...from the command line interface of the ASA, perform a ping to a public IP address and see if you get a reply.

 

by: MKSKCS, posted on 2006-11-29 at 06:42:09, ID: 18037040

I seem to have it up and running, sort of.  Some things still aren't working correctly, though.  Mail doesn't seem to be working from the outside.  Please help.  Here's a copy of a few lines from the log....

6|Nov 29 2006|09:37:02|302021|172.18.23.186|12.129.203.103|Teardown ICMP connection for faddr 172.18.23.186/1949 gaddr 12.129.203.103/0 laddr 12.129.203.103/0
6|Nov 29 2006|09:37:01|302014|172.18.31.55|66.150.208.9|Teardown TCP connection 1504 for Inside:172.18.31.55/2125 to Outside:66.150.208.9/80 duration 0:00:12 bytes 6290 TCP Reset-O
4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.xxx.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.xxx.70/1691 by access-group "Outside_access_in" [0x0, 0x0]
6|Nov 29 2006|09:37:01|305012|172.18.23.103|74.231.xxx.70|Teardown dynamic ICMP translation from Inside:172.18.23.103/51469 to Outside:74.231.xxx.70/179 duration 0:00:30
6|Nov 29 2006|09:37:01|302016|172.18.23.53|10.55.56.103|Teardown UDP connection 1169 for Inside:172.18.23.53/2669 to Outside:10.55.56.103/53 duration 0:02:01 bytes 33
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4240 to 209.200.63.68/80 flags ACK  on interface Inside
6|Nov 29 2006|09:37:01|302014|172.18.27.14|209.200.63.68|Teardown TCP connection 1563 for Inside:172.18.27.14/4240 to Outside:209.200.63.68/80 duration 0:00:00 bytes 477 TCP Reset-O
4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.xxx.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.xxx.70/1690 by access-group "Outside_access_in" [0x0, 0x0]
4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.xxx.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.xxx.70/1689 by access-group "Outside_access_in" [0x0, 0x0]
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4239 to 209.200.63.68/80 flags ACK  on interface Inside
6|Nov 29 2006|09:37:01|302014|172.18.27.14|209.200.63.68|Teardown TCP connection 1560 for Inside:172.18.27.14/4239 to Outside:209.200.63.68/80 duration 0:00:00 bytes 477 TCP Reset-O
6|Nov 29 2006|09:37:01|302013|172.18.27.14|209.200.63.68|Built inbound TCP connection 1563 for Inside:172.18.27.14/4240 (74.231.xxx.70/1691) to Outside:209.200.63.68/80 (209.200.63.68/80)
6|Nov 29 2006|09:37:01|305011|172.18.27.14|74.231.xxx.70|Built dynamic TCP translation from Inside:172.18.27.14/4240 to Outside:74.231.xxx.70/1691
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4238 to 209.200.63.68/80 flags FIN ACK  on interface Inside
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4238 to 209.200.63.68/80 flags ACK  on interface Inside


HELP!

 

by: MKSKCS, posted on 2006-11-29 at 06:50:02, ID: 18037115

3 Nov 29 2006 09:46:16 305006 172.18.31.200 portmap translation creation failed for tcp src Inside:172.18.23.134/61695 dst Inside:172.18.31.200/3053

What does that mean?

 

by: rsivanandan, posted on 2006-11-29 at 08:00:32, ID: 18037824

Can you post your configuration again, the current one ?

Cheers,
Rajesh

 

by: batry_boy, posted on 2006-11-29 at 09:58:06, ID: 18038977

Yes, I would be interested to see a list of your "static" statements...

 

by: prueconsulting, posted on 2006-11-29 at 20:01:21, ID: 18042833

Didn't we look at this before and have some issues regarding OSPF as well?

Please post the current configuration. I actually just finished a Netscreen to ASA conversion... now building an NS to ASA VPN is another fun time (lol)

 

by: MKSKCS, posted on 2006-12-01 at 05:49:35, ID: 18053446

Yes, you helped me before.  You were able to get my internal users access (remember everyone was having network issues?) so I tested and thought I was ready for conversion.  Turns out I'm not.  When plugged in, the ASA doesn't allow any outside access in and mail isn't being delivered.  I'll post the running config momentarily.  

 

by: MKSKCS, posted on 2006-12-04 at 05:54:21, ID: 18068480

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxxxxxxxxxxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 09_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 ISL_LAN
name 172.18.32.0 CH_LAN
name 172.18.26.0 DK_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 MID_LAN
name 172.18.23.0 MAIN_LAN
name 172.18.28.0 KW_LAN
name 172.18.23.222 MAIL description Exchange 2003 Server
name 172.18.33.0 PG_LAN
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif Inside2
 security-level 0
 no ip address
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.xxxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
 port-object range 2360 2363
object-group service 53 tcp
 port-object range 1996 1996
object-group service TerminalServices tcp
 port-object range 3388 3389
object-group network MB_WAN
 network-object MAIN_LAN 255.255.255.0
 network-object 02_LAN 255.255.255.0
 network-object ISL_LAN 255.255.255.0
 network-object DK_LAN 255.255.255.0
 network-object MID_LAN 255.255.255.0
 network-object KW_LAN 255.255.255.0
 network-object 09_LAN 255.255.255.0
 network-object 11_LAN 255.255.255.0
 network-object CH_LAN 255.255.255.0
 network-object 04_LAN 255.255.255.0
 network-object PG_LAN 255.255.255.0
 network-object host MAIL
object-group network CHECK_LAN
 network-object CHECK_1 255.255.255.0
 network-object CHECK_2 255.255.255.240
object-group network FDPN
 description FDVPN - 4 Addresses
 network-object host 12.129.xxx.103
 network-object host 206.16.xxx.211
 network-object host 63.240.xxx.101
 network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FEDVPN
access-list Outside_access_out remark Implicit rule
access-list Outside_access_out extended permit ip any any
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group ERAS_LAN
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53 any object-group 53
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log
access-list Outside_access_in extended permit icmp any host 74.231.xxx.70 log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.70 eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.70 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq smtp log
access-list Outside_access_in extended permit tcp object-group FDVPN object-group MB_WAN log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq https log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.66 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.66 object-group TerminalServices log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq www log
access-list ACL_IN extended permit ip any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit ip any any
access-list Inside2_access_in remark Implicit rule
access-list Inside2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu Inside 1500
mtu Inside2 1500
mtu management 1500
icmp deny any Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.66 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside2_access_in in interface Inside2
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside ISL_LAN 255.255.255.0 172.18.23.240 1
route Inside DK_LAN 255.255.255.0 172.18.23.240 1
route Inside MID_LAN 255.255.255.0 172.18.23.240 1
route Inside KW_LAN 255.255.255.0 172.18.23.240 1
route Inside 09_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside CH_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http MAIN_LAN 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:69c2e9d93c21ea8d688159f864f9a076
: end

 

by: prueconsulting | Posted on 2006-12-04 at 07:26:25 | ID: 18069101


static (Outside,Inside) MAIL 74.231.xxx.66 netmask 255.255.255.255 dns <-- Assuming this is the external IP of the mail server
.66 and .70 is the ASA outside interface.


Here is another problem

access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log


These are addressed to the name MAIL, which is an internal address, as well as having source and destination as 25 (not likely to ever happen); same with the next.

your acl would have to be like this

access-list Outside_access_in permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq www log



Then your translate will take care of re-routing it to internally.


I am not sure on the ASA if you can apply ACLs in 2 directions. If the above doesn't fix your issue,
try removing this one
"access-group Outside_access_out out interface Outside" and see what happens.

 

by: MKSKCS | Posted on 2006-12-05 at 18:33:11 | ID: 18081906

I thought I also had what you suggested already in the policy.  I started adding a big bunch of stuff because nothing would work.  

Isn't this the same?

access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log

No?

 

by: prueconsulting | Posted on 2006-12-05 at 20:42:32 | ID: 18082584

Yes, sorry, it is; I missed that.

However ..

Lets simplify
I think the dual ACLs, inbound and outbound, might be causing the issue


remove both access-groups on the outside interface

create new access-list

access-list Outside_access permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log

access-group outside_access in interface outside


Then try to send email or telnet to port 25 of the external ip address associated with email server from externally

post log entries from during this time


 

by: MKSKCS | Posted on 2006-12-06 at 06:05:44 | ID: 18084831

Ok, another quick question before I do that.  I've noticed that email that we send OUT when the ASA is in place is being blocked by Spam "catchers" because there is no reverse DNS for the .70.  But why would .70 be what's showing as the mail?

 

by: prueconsulting | Posted on 2006-12-06 at 07:37:56 | ID: 18085616

Because that is the outbound address of the ASA

However it should not be reporting that.. the static should be taking care of it

Try this as your static statement (reversing it )

static (inside,outside) tcp 74.231.xxx.66 MAIL netmask 255.255.255.255 dns

 

by: prueconsulting | Posted on 2006-12-06 at 07:46:13 | ID: 18085718

Oops sorry typo
static (inside,outside) 74.231.xxx.66 MAIL netmask 255.255.255.255 dns

Otherwise it wants a port # if you include the tcp

 

by: MKSKCS | Posted on 2006-12-06 at 09:53:33 | ID: 18086862

I think I did the static routing portion you mentioned correctly, however how do I do the rest?

Yes sorry it is , i missed that..

However ..

Lets simplify
I think the dual acls inbound and outbound might be causing issue


remove both access-groups on the outside interface

create new access-list

access-list Outside_access permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log

access-group outside_access in interface outside


Then try to send email or telnet to port 25 of the external ip address associated with email server from externally

post log entries from during this time

 

by: MKSKCS | Posted on 2006-12-06 at 09:59:04 | ID: 18086910

I currently have

Type - Static
Source - 74.231.xxx.66
Destination - Any
Interface - Inside
Address - MAIL

Is that backwards?

 

by: MKSKCS | Posted on 2006-12-06 at 10:00:49 | ID: 18086924

Did you mean that I should remove all policies on the outside (outgoing) and outside (incoming)? Then I'm just left with the one implicit deny rule of any/any/ip/deny.  

 

by: prueconsulting | Posted on 2006-12-06 at 11:15:57 | ID: 18087557

You are doing this through the SDM ..

Let me take a look and see here looking at SDM.

In SDM it should show as

Source Network Inside
internal ip address

Translate on Outside
Translate to
Static  74.231.xxx.66


If you remove the outgoing outside one the ASA model kicks in ( traffic from High to Low is allowed by default)

Then apply the inbound acls one at a time making sure they work


access-list Outside_access permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log

access-group outside_access in interface outside


This will apply an inbound acl on the outside which allows smtp and web to go to your mail server.
Then if this works add your other inbound acls.

Most likely your outbound ACLs are not required unless you are specifically trying to allow only those protocols and block anything else, but for purposes of troubleshooting only have your inbounds in place. Traffic will still flow outbound without any issue.


 

by: MKSKCS | Posted on 2006-12-06 at 11:51:08 | ID: 18087832

Sorry if I'm making this more difficult than it needs to be.  Just to be sure.  

I'm deleting the outgoing outside.

Then, on the outside access in, I'm deleting (unapplying) all the rules and just applying the two above to see how things work.  Then adding the other rules back one by one to see where it causes problems?

 

by: prueconsulting | Posted on 2006-12-06 at 11:54:05 | ID: 18087860

exactly..

I am sure with the static in place properly and those 2 rules in place email and web to that machine should work as planned.

 

by: MKSKCS | Posted on 2006-12-06 at 12:23:37 | ID: 18088112

And everyone will still be able to access the web out too?

My ASDM doesn't look like what you're describing on the static route but I think I can figure it out.

 

by: prueconsulting | Posted on 2006-12-06 at 12:54:50 | ID: 18088338

Are you using the SDM application or the Java interface ?
That was via the SDM application downloaded from the ASA. We have an ASA 5510 deployed in Brazil so I had connected to it to look

Yes, the ASA security model works the same as a PIX

High to low traffic is allowed automatically without any rules in place.

only requirements are
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0


and you have those in place.

 

by: MKSKCS | Posted on 2006-12-06 at 12:56:11 | ID: 18088348

Cisco ASDM Launcher. It's a program I run on the desktop. I'm so little help...I know. Sorry.

 

by: prueconsulting | Posted on 2006-12-06 at 13:06:56 | ID: 18088422

That's strange because I used the same thing to show that.

It's under Configuration - NAT

 

by: MKSKCS | Posted on 2006-12-06 at 13:34:44 | ID: 18088627

Yes....me too.  No big deal.  I'm going to try it in a sec anyway.  

 

by: MKSKCS | Posted on 2006-12-06 at 14:00:04 | ID: 18088843

1. When I disable all Outside access Out, I can't get to the internet at all.  

2.  I'm getting this in the log....3      Dec 06 2006      16:54:20      305006      172.18.25.24             portmap translation creation failed for tcp src Inside:MAIL/1337 dst Inside:172.18.25.24/2739

3.  And this...4      Dec 06 2006      16:55:16      106023      12.129.203.103      74.231.xxx.70       Deny icmp src Outside:12.129.203.103 dst Inside:74.231.xxx.70 (type 0, code 0) by access-group "Outside_access_in" [0x0, 0x0]

Still no mail in that I can see....

 

by: MKSKCS | Posted on 2006-12-06 at 14:00:57 | ID: 18088852

3      Dec 06 2006      16:56:48      313001      205.152.144.38             Denied ICMP type=11, code=0 from 205.152.144.38 on interface Outside

 

by: MKSKCS | Posted on 2006-12-06 at 14:14:12 | ID: 18088976

Got mail in from hotmail...cool.

Checking about sending mail out...

I spoke too soon.  :-( No mail in.  

 

by: prueconsulting | Posted on 2006-12-06 at 14:37:36 | ID: 18089155

Log message #3 is nothing bad.

I don't understand why you couldn't get out, because the default is to allow high to low.


Doh, I see the problem here. Your security levels are screwed

!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10

set the inside security level to 99 and life will get a lot better

 

by: MKSKCS | Posted on 2006-12-06 at 17:32:33 | ID: 18089940

WOW.  I'm embarrassed I missed that.  I'll try that tomorrow and I'm sure things will clear up a bit.  

 

by: MKSKCS | Posted on 2006-12-12 at 12:50:27 | ID: 18125794

Ok, I finally made the changes to the security level.  I did have to re-enable the outside/outgoing rules in order to be able to get on the internet.  I still don't get that.  

I still can't get mail from outside AND from outside, can't get to webmail.  

:-(  

I have lots of these....

3      Dec 12 2006      15:45:32      710003      172.18.23.77      192.168.1.1       TCP access denied by ACL from 172.18.23.77/1210 to Inside:192.168.1.1/80

I don't have any idea what the 192.168.1.1 is though.  

 

by: MKSKCS | Posted on 2006-12-12 at 12:51:55 | ID: 18125806

4      Dec 12 2006      15:46:20      106023      204.90.1.63      74.231.xxx.70       Deny tcp src Outside:204.90.1.63/443 dst Inside:74.231.xxx.70/1255 by access-group "Outside_access_in" [0x0, 0x0]

4      Dec 12 2006      15:46:11      106023      143.166.83.168      74.231.xxx.70       Deny tcp src Outside:143.166.83.168/80 dst Inside:74.231.xxx.70/1290 by access-group "Outside_access_in" [0x0, 0x0]

 

by: MKSKCS | Posted on 2006-12-12 at 13:12:12 | ID: 18125987

I feel like I should just start over at this point.  This is so frustrating.  

 

by: prueconsulting | Posted on 2006-12-13 at 06:29:08 | ID: 18130639

ACLS are denying your traffic.

Let me take your configuration and see what i can do..

I will modify a working ASA configuration with your IP addresses and repost here.

We'll start simple and just add to it.

 

by: prueconsulting | Posted on 2006-12-13 at 06:31:50 | ID: 18130658

192.168.1.1 is from your management interface.

 

by: prueconsulting | Posted on 2006-12-13 at 06:46:58 | ID: 18130782

Try this

It's a working configuration adjusted slightly to your configuration.

Backup your configuration and wipe it and try to apply this if you can


hostname MB01ASA01
domain-name corp.xxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 192.168.102.11 ERP
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 99
 ip address 172.18.23.241 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.50.45.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone BRST -3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

pager lines 24
logging enable
logging list VPN-Events level debugging class vpn
logging buffered debugging
logging asdm VPN-Events
mtu outside 1500
mtu inside 1500
mtu management 1500

icmp deny any outside
icmp permit any inside

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 74.231.xxx.66 172.18.23.222 netmask 255.255.255.255 dns

access-list outside_in permit tcp any host 74.231.xxx.66 eq smtp log
access-list outside_in permit tcp any host 74.231.xxx.66 eq https log
access-group outside_in in interface outside


route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route inside 172.18.0.0 255.255.0.0 172.18.23.240 1
route inside 10.10.1.48 255.255.255.240 172.18.23.240 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
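Added example, not code from the thread or from Cisco: a small Python linter that catches, in one pass over a pasted running-config, the problems raised across this thread. It flags interfaces that share a security level (the Inside/Outside both-0 problem found above), ACL entries with a source-port qualifier (the `any eq smtp host MAIL eq smtp` entries), a `static` whose arguments are reversed, an inbound outside ACL that names the inside address instead of the mapped one (ASA 7.x checks the inbound ACL before un-NAT), an outbound access-group on the outside interface, and SSH/HTTP management open to any source on the outside (the `ssh 0.0.0.0 0.0.0.0 outside` line in the replacement config just above is worth tightening before it goes live). `SAMPLE_CONFIG` is a constructed excerpt mirroring the posted config, with the public addresses still masked as on the page.

```python
"""Static checks for the ASA 7.x problems discussed in this thread.

Added example, not code from the thread or from Cisco.  SAMPLE_CONFIG is a
constructed excerpt mirroring the posted running-config (addresses masked as
on the page; a masked address cannot be parsed, so it counts as non-private).
"""
import ipaddress
from typing import Dict, List, Set, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

SAMPLE_CONFIG = """
name 172.18.23.222 MAIL
 nameif Outside
 security-level 0
 nameif Inside
 security-level 0
object-group service TerminalServices tcp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.70 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log
static (Outside,Inside) MAIL 74.231.xxx.66 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
ssh 0.0.0.0 0.0.0.0 Outside
"""

def is_private(addr: str, names: Dict[str, str]) -> bool:
    """True when addr, or the `name` it refers to, is an RFC1918 address."""
    try:
        ip = ipaddress.ip_address(names.get(addr, addr))
    except ValueError:                      # masked or symbolic: treat as public
        return False
    return any(ip in net for net in RFC1918)

def _take_address(t: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACL address spec: any | host X | object-group X | A.B.C.D MASK."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] in ("host", "object-group", "interface"):
        return t[i + 1], i + 2
    return t[i], i + 2

def _take_ports(t: List[str], i: int, svc: Set[str]) -> Tuple[bool, int]:
    """Consume an optional port qualifier (eq/gt/lt/neq/range or a service object-group)."""
    if i < len(t) and t[i] in PORT_OPS:
        return True, i + (3 if t[i] == "range" else 2)
    if i + 1 < len(t) and t[i] == "object-group" and t[i + 1] in svc:
        return True, i + 2
    return False, i

def lint_asa_config(text: str) -> List[str]:
    names: Dict[str, str] = {}
    seclevel: Dict[str, int] = {}
    svc: Set[str] = set()
    inbound_on: Dict[str, str] = {}
    findings: List[str] = []
    lines = [l.split() for l in text.splitlines() if l.strip()]
    cur = None
    # Pass 1: names, security levels, service groups, ACL bindings, management access.
    for p in lines:
        if p[0] == "name":
            names[p[2]] = p[1]
        elif p[0] == "nameif":
            cur = p[1]
        elif p[0] == "security-level" and cur:
            seclevel[cur] = int(p[1])
        elif p[0] == "object-group" and p[1] == "service":
            svc.add(p[2])
        elif p[0] == "access-group" and p[2] == "in":
            inbound_on[p[1]] = p[4]
        elif p[0] == "access-group" and p[2] == "out":
            findings.append(f"outbound ACL {p[1]} on {p[4]}: once the security levels differ, "
                            "high-to-low traffic is allowed by default; this list only restricts it")
        elif p[0] in ("ssh", "http", "telnet") and len(p) == 4 and p[1] == "0.0.0.0" and seclevel.get(p[3]) == 0:
            findings.append(f"{p[0]} management open to any source on {p[3]}: restrict it to known addresses")
    by_level: Dict[int, List[str]] = {}
    for ifc, lvl in seclevel.items():
        by_level.setdefault(lvl, []).append(ifc)
    for lvl, ifcs in by_level.items():
        if len(ifcs) > 1:
            findings.append(f"{', '.join(ifcs)} share security-level {lvl}: give the inside a higher level so "
                            "inside-to-outside flows by default and outside-to-inside needs an ACL plus a static")
    # Pass 2: ACL entries and static translations.
    for p in lines:
        if p[0] == "access-list" and "remark" not in p and "permit" in p:
            acl, i = p[1], p.index("permit") + 2              # +2 skips the protocol
            src, i = _take_address(p, i)
            src_port, i = _take_ports(p, i, svc)
            dst, i = _take_address(p, i)
            if src_port:
                findings.append(f"{acl}: source-port qualifier after '{src}'; clients use ephemeral "
                                "source ports, so this entry will almost never match")
            ifc = inbound_on.get(acl)
            if ifc and seclevel.get(ifc) == 0 and is_private(dst, names):
                findings.append(f"{acl}: destination {dst} is an inside address; on ASA 7.x the inbound ACL on "
                                f"{ifc} is checked before un-NAT, so name the mapped (global) address instead")
        elif p[0] == "static":
            real_ifc, mapped_ifc = p[1].strip("()").split(",")
            t = p[2:]
            mapped, real = (t[1], t[3]) if t[0] in ("tcp", "udp") else (t[0], t[1])
            if is_private(mapped, names) and not is_private(real, names):
                findings.append(f"static ({real_ifc},{mapped_ifc}) {mapped} {real}: arguments look reversed; "
                                "the form is static (real_ifc,mapped_ifc) mapped_addr real_addr")
    return findings

if __name__ == "__main__":
    for f in lint_asa_config(SAMPLE_CONFIG):
        print("-", f)
```

Run it against `show running-config` output saved to a file; a clean result on the corrected config (inside at a higher level than outside, `static (Inside,Outside) 74.231.xxx.66 MAIL`, outside ACL naming the .66 address with no source-port clauses, management restricted to inside networks) is the state the replies above are steering towards. The checks assume pre-8.3 NAT semantics, which is what ASA 7.2(1) runs.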

 

by: MKSKCS | Posted on 2006-12-13 at 12:02:12 | ID: 18133505

This is what's in the logs now...

4      Dec 13 2006      16:51:07      106023      12.129.203.103      74.231.xxx.70       Deny icmp src Outside:12.129.203.103 dst Inside:74.231.xxx.70 (type 0, code 0) by access-group "outside_in" [0x0, 0x0]

4      Dec 13 2006      16:51:59      106023      170.146.230.94      74.231.xxx.70       Deny tcp src Outside:170.146.230.94/443 dst Inside:74.231.xxx.70/1563 by access-group "outside_in" [0x0, 0x0]

4      Dec 13 2006      16:52:07      106023      12.129.203.103      74.231.xxx.70       Deny icmp src Outside:12.129.203.103 dst Inside:74.231.xxx.70 (type 0, code 0) by access-group "outside_in" [0x0, 0x0]

 

by: prueconsulting | Posted on 2006-12-13 at 12:18:04 | ID: 18133631

that looks normal

Icmp is being denied by the deny icmp outside line

.70 is the external IP of the ASA, which currently doesn't have a way inside

Where should that 443 be landing? Because it's facing the ASA external interface

access-list outside_in permit tcp any interface eq 443

static (inside,outside) tcp interface 443 insideip 443 netmask 255.255.255.255 dns

 

by: MKSKCS | Posted on 2006-12-13 at 12:42:21 | ID: 18133824

But webmail folks still can't access webmail.  We use https if that matters.  

Should I make that change you just mentioned?

 

by: prueconsulting | Posted on 2006-12-13 at 12:46:25 | ID: 18133854

They are pointing to the Outside interface IP, not .66, which is what the first rules I made were for.

If you want to proxy them through via the ASA outside interface do the above noted rules

 

by: MKSKCS | Posted on 2006-12-14 at 07:17:57 | ID: 18139301

So, I should just add this...

access-list outside_in permit tcp any interface eq 443

static (inside,outside) tcp interface 443 insideip 443 netmask 255.255.255.255 dns

And the rest is ok?

 

by: MKSKCS | Posted on 2006-12-14 at 07:25:13 | ID: 18139349

Result of the command: "access-list outside_in permit tcp any interface eq 443"

access-list outside_in permit tcp any interface eq 443
                                               
ERROR: % Invalid Hostname

 

by: MKSKCS | Posted on 2006-12-14 at 07:35:11 | ID: 18139430

Ok, I've tried opening TCP / ANY / ANY and ICMP / ANY / ANY on the outside (incoming) rules to rule that out as being the issue. When both are wide open, my outside users still can't get to webmail.

 

by: MKSKCS | Posted on 2006-12-14 at 07:35:49 | ID: 18139440

3      Dec 14 2006      12:28:38      305006      172.18.28.20             portmap translation creation failed for tcp src Inside:MAIL/1337 dst Inside:172.18.28.20/3471

 

by: prueconsulting | Posted on 2006-12-14 at 07:38:48 | ID: 18139471

Invalid hostname.. Hmm, that doesn't make sense


access-list outside_in permit tcp any any eq 443

Try that and see what happens.

Your statics take care of the control then.

 

by: prueconsulting | Posted on 2006-12-14 at 07:42:01 | ID: 18139497

Is email working inbound now tho?

That error message seems kind of odd.

It's basically saying it can't create a translation from MAIL to 28.20


Can you post the current configuration now

 

by: MKSKCS | Posted on 2006-12-14 at 07:42:39 | ID: 18139504

It took that command, but still no mail from outside and no webmail.  

 

by: prueconsulting | Posted on 2006-12-14 at 07:43:00 | ID: 18139508

By chance, are your users trying to access webmail from inside the firewall to the external address?

 

by: MKSKCS | Posted on 2006-12-14 at 07:45:19 | ID: 18139529

no

I'm actually using my machine at home (different external address and definitely external) to access the webmail...

https://webmail.xxx.com

 

by: MKSKCS | Posted on 2006-12-14 at 07:46:59 | ID: 18139550

Internal webmail works....
https://172.18.23.222/exchange

 

by: MKSKCS | Posted on 2006-12-14 at 08:10:44 | ID: 18139758

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 09_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 03_LAN
name 172.18.32.0 12_LAN
name 172.18.26.0 06_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 05_LAN
name 172.18.23.0 01_LAN
name 172.18.28.0 07_LAN
name 172.18.23.222 MAIL
name 172.18.33.0 13_LAN
name 192.168.102.11 ERP
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 99
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.2.2 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone BRST -3
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
 port-object range 2360 2363
object-group service 53_Direct tcp
 port-object range 1996 1996
object-group service TerminalServices tcp
 port-object range 3388 3389
object-group network MB_WAN
 network-object 01_LAN 255.255.255.0
 network-object 02_LAN 255.255.255.0
 network-object 03_LAN 255.255.255.0
 network-object 06_LAN 255.255.255.0
 network-object 05_LAN 255.255.255.0
 network-object 07_LAN 255.255.255.0
 network-object 09_LAN 255.255.255.0
 network-object 11_LAN 255.255.255.0
 network-object 12_LAN 255.255.255.0
 network-object 04_LAN 255.255.255.0
 network-object 13_LAN 255.255.255.0
 network-object host MAIL
object-group network CHECK_LAN
 network-object CHECK_1 255.255.255.0
 network-object CHECK_2 255.255.255.240
object-group network FVPN
 description F VPN - 4 Addresses
 network-object host 12.129.xxx.103
 network-object host 206.16.xxx.211
 network-object host 63.240.xxx.101
 network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FVPN
access-list Outside_access_out remark Implicit rule
access-list Outside_access_out extended permit ip any any
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group CHECK_LAN
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53_Direct any object-group 53_Direct
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq smtp log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.66 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log inactive
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log inactive
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.70 eq www log
access-list Outside_access_in extended permit icmp any host 74.231.xxx.70 log inactive
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.70 object-group TerminalServices log inactive
access-list Outside_access_in extended permit tcp object-group FVPN object-group MB_WAN log inactive
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq https log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log inactive
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.66 object-group TerminalServices log inactive
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq www log inactive
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq www log inactive
access-list ACL_IN extended permit ip any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit ip any any
access-list Inside2_access_in remark Implicit rule
access-list Inside2_access_in extended permit ip any any
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log
access-list outside_in extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list outside_in extended permit tcp any eq www host 74.231.xxx.66 eq www log
access-list outside_in extended permit tcp any host 74.231.xxx.66 eq https log
access-list outside_in extended permit icmp any any inactive
access-list outside_in extended permit tcp any any inactive
access-list outside_in extended permit tcp any any eq https
pager lines 24
logging enable
logging list VPN-Events level debugging class vpn
logging buffered debugging
logging asdm notifications
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp deny any Outside
icmp permit any Inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 74.231.xxx.66 MAIL netmask 255.255.255.255
access-group outside_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside 03_LAN 255.255.255.0 172.18.23.240 1
route Inside 06_LAN 255.255.255.0 172.18.23.240 1
route Inside 05_LAN 255.255.255.0 172.18.23.240 1
route Inside 07_LAN 255.255.255.0 172.18.23.240 1
route Inside 09_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside 12_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside 172.18.0.0 255.255.0.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 01_LAN 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 20
console timeout 0
management-access Inside
!
!
prompt hostname context
Cryptochecksum:e402c25e9769205104c98f4e2e5f912a
: end

 

by: prueconsulting | Posted on 2006-12-14 at 09:12:33 | ID: 18140254

What is 172.18.28.20 ?

Change
access-list outside_in extended permit tcp any any eq https
to
access-list outside_in extended permit tcp any any eq https log

Create a static natting on the interface (PAT Based)

static (inside,outside) tcp interface 443 MAIL 443 netmask 255.255.255.255  dns

 

by: MKSKCS | Posted on 2006-12-14 at 09:35:30 | ID: 18140432

172.18.28.20 is a computer on the LAN

 

by: prueconsulting | Posted on 2006-12-14 at 10:08:11 | ID: 18140670

Ok, but if it's a computer on the LAN then that error message isn't applicable. That would be more applicable, say, if the PC was attempting to access webmail via the external address.
So it was going out and then attempting to come back in, which is not allowed by the ASA.

 

by: prueconsulting | Posted on 2006-12-14 at 10:10:13 | ID: 18140686

Also have you tried to remove the outbound acls / inside acls after creating a new configuration..?

 

by: MKSKCS | Posted on 2006-12-14 at 10:44:48 | ID: 18140956

Is this the static natting you think should be done?


static (inside,outside) tcp interface 443 MAIL 443 netmask 255.255.255.255  dns

I'll have to email the users about the webmail thing.  I thought for sure they were using the internal IP address.  

I never did create a new configuration.  I just made the changes that you suggested.  

Which are you suggesting I remove?

When I remove the outside / outgoing, users can't get to the internet so I just enabled them again.  

 

by: prueconsulting | Posted on 2006-12-14 at 10:54:17 | ID: 18141019

Yes this will nat the outside ip address on 443 to the mail server on 443

That error message would suggest they weren't

I am just trying to figure out why you need the outgoing ACL, because it shouldn't be required at all.
Since you are going from a high security interface to a lower security one, it's the design of the ASA to allow that.

try removing the inside rule
because in essence you are subjecting them to rules twice

Once on the way into the ASA (inside) and then on the way out outside

no access-group Inside_access_in in interface Inside

 

by: MKSKCS | Posted on 2006-12-14 at 12:38:48 | ID: 18141848

When you say PAT based...what do you mean? Enable PAT isn't checked.  When I check it, it asks for ports (original ports / translated ports).

 

by: MKSKCS | Posted on 2006-12-14 at 12:43:13 | ID: 18141891

4      Dec 14 2006      17:38:19      106023      207.68.179.219      74.231.xxx.70       Deny tcp src Outside:207.68.179.219/80 dst Inside:74.231.xxx.70/1343 by access-group "outside_in" [0x0, 0x0]

 

by: prueconsulting | Posted on 2006-12-14 at 12:45:11 | ID: 18141916

That's because it's HTTP, not HTTPS

Create the same static with 80 if you need web as well as https
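The processing order the replies above depend on, modelled in a few lines of Python: on ASA 7.x the inbound ACL on the outside interface is evaluated against the mapped (global) destination, and only then is a `static` or interface static PAT consulted to find the inside host. This is an added example, not ASA code or anything posted in the thread; the rule sets are constructed from the commands quoted above, addresses stay masked as on the page, and the drop reasons carry the syslog IDs 106023 (the ACL deny seen in the posted logs) and 305005, which the ASA logs when no translation exists for an inbound connection.

```python
"""Toy model of ASA 7.x inbound handling: interface ACL first, checked against
the mapped (global) address, then the xlate lookup.  Added example, not ASA
code; addresses are masked as on the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    proto: str                    # tcp / udp / icmp / ip
    dst: str                      # "any" or the address written in the ACL
    dport: Optional[int] = None   # None = any port

@dataclass(frozen=True)
class Static:
    mapped: str                   # global address, or "interface" for the outside IP
    real: str                     # inside host
    proto: Optional[str] = None   # set for static PAT only
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None

OUTSIDE_IP = "74.231.xxx.70"      # ASA outside interface (masked on the page)
MAIL_GLOBAL = "74.231.xxx.66"     # second public address, 1:1 static for the mail server
MAIL = "172.18.23.222"            # the name MAIL in the posted config

def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dst not in ("any", pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return True
    return False

def find_xlate(statics: List[Static], pkt: Packet, outside_ip: str) -> Optional[Tuple[str, Optional[int]]]:
    """Return (real_dst, real_port) for the first static that covers the packet."""
    for s in statics:
        mapped = outside_ip if s.mapped == "interface" else s.mapped
        if mapped != pkt.dst:
            continue
        if s.proto is None:                      # 1:1 static covers every port
            return s.real, pkt.dport
        if s.proto == pkt.proto and s.mapped_port == pkt.dport:
            return s.real, s.real_port           # static PAT on a single port
    return None

def inbound(pkt: Packet, acl: List[Ace], statics: List[Static], outside_ip: str = OUTSIDE_IP) -> tuple:
    """('forward', real_dst, real_port) or ('drop', reason)."""
    if not acl_permits(acl, pkt):
        return ("drop", "106023 deny by inbound ACL (checked against the mapped address)")
    xlate = find_xlate(statics, pkt, outside_ip)
    if xlate is None:
        return ("drop", "305005 no translation group found")
    return ("forward", xlate[0], xlate[1])

# Constructed rule sets mirroring the commands quoted in the thread.
ACL_GLOBAL = [Ace("tcp", MAIL_GLOBAL, 25), Ace("tcp", MAIL_GLOBAL, 443), Ace("tcp", "any", 443)]
ACL_INSIDE_ADDR = [Ace("tcp", MAIL, 25)]         # entry written against the inside name
STATIC_MAIL = Static(MAIL_GLOBAL, MAIL)          # static (inside,outside) .66 MAIL
STATIC_PAT_443 = Static("interface", MAIL, "tcp", 443, 443)

def run_scenarios() -> dict:
    return {
        "smtp_to_66": inbound(Packet("tcp", MAIL_GLOBAL, 25), ACL_GLOBAL, [STATIC_MAIL]),
        "acl_names_inside_addr": inbound(Packet("tcp", MAIL_GLOBAL, 25), ACL_INSIDE_ADDR, [STATIC_MAIL]),
        "https_to_70_no_pat": inbound(Packet("tcp", OUTSIDE_IP, 443), ACL_GLOBAL, [STATIC_MAIL]),
        "https_to_70_with_pat": inbound(Packet("tcp", OUTSIDE_IP, 443), ACL_GLOBAL, [STATIC_MAIL, STATIC_PAT_443]),
        "http_to_70": inbound(Packet("tcp", OUTSIDE_IP, 80), ACL_GLOBAL, [STATIC_MAIL, STATIC_PAT_443]),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:24} -> {result}")
```

The two drop paths are the two symptoms in the thread: an ACL entry written against the inside name MAIL never matches because the inbound ACL sees the .66 address, and HTTPS or HTTP to .70 is dropped until an interface static PAT exists for that port (and is denied by the ACL, as in the 106023 line just above, when the port is not permitted). This model is 7.x/8.2 only: from 8.3 onward the ASA un-NATs first and ACLs name the real address.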

 

by: MKSKCS | Posted on 2006-12-14 at 12:54:51 | ID: 18141997

Duh!  

But nope, that didn't work either.  

 

by: MKSKCS | Posted on 2006-12-14 at 13:03:41 | ID: 18142063

6      Dec 14 2006      17:58:39      302015      216.34.88.151      172.18.23.200       Built outbound UDP connection 4099 for Outside:216.34.88.151/53 (216.34.88.151/53) to Inside:172.18.23.200/1092 (74.231.xxx.70/1140)

 

by: MKSKCS | Posted on 2006-12-14 at 13:06:23 | ID: 18142091

6      Dec 14 2006      18:01:20      302016      63.208.197.174      172.18.23.164       Teardown UDP connection 4171 for Outside:63.208.197.174/1153 to Inside:172.18.23.164/38965 duration 0:02:01 bytes 24


I'm glad it's not just me that's stumped. I'm ready to throw this thing in the river.

 

by: MKSKCS | Posted on 2006-12-14 at 13:08:16 | ID: 18142108

Just for kicks, I added these rules to the Outside / Incoming to rule out other stuff....

ANY / ANY / ANY - UDP
ANY / ANY / ANY - IP
ANY / ANY / ANY - TCP
ANY / ANY / ANY - ICMP

 

by: MKSKCS | Posted on 2006-12-14 at 13:15:43 | ID: 18142173

None of the above rules helped so I disabled them.

 

by: prueconsulting | Posted on 2006-12-14 at 14:02:47 | ID: 18142559

email me at my username at gmail

I have a question for you off list.

 

by: anand_mj | Posted on 2008-03-11 at 06:15:02 | ID: 21095359

Hi,
I observed one mistake in your basic configuration. Security level for your outside interface and inside interface are reversed. In normal operation the security level for inside interface is kept as 0 (Trust interface) and outside interface is kept as 100 (Untrust interface). Try changing the security levels and check whether you get the expected results.

 

by: anand_mj | Posted on 2008-06-08 at 22:15:26 | ID: 21741104

Hi,
Run below command on your internet router and firewall, after you unplugged netscreen and connect firewall.

clear arp
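One way to act on that advice from the other side: when a new firewall takes over the IP addresses of the box it replaces, the upstream router and LAN hosts keep the old MAC address cached for those IPs until the entry times out or is cleared, and a gratuitous ARP from the new device rewrites those entries at once. The following builder and decoder are an added example, not code from the thread; 192.0.2.70 is a documentation address standing in for the masked outside address on the page, and the MAC is made up.

```python
"""Build and decode a gratuitous ARP frame.  Added example, not from the thread.
Constructed values: 192.0.2.70 stands in for the masked outside address on the
page and the MAC address is made up.
"""
import struct

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_garp(ip: str, mac: str) -> bytes:
    """Gratuitous ARP reply: sender and target IP are both `ip`, so any host
    that already caches an entry for `ip` rewrites it to `mac`."""
    eth = mac_bytes(BROADCAST) + mac_bytes(mac) + struct.pack("!H", ETH_P_ARP)
    # htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, opcode 2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(mac) + ip_bytes(ip) + mac_bytes(BROADCAST) + ip_bytes(ip)
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; raises on non-ARP input."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    def fmt_mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)
    def fmt_ip(b: bytes) -> str:
        return ".".join(str(x) for x in b)
    return {
        "opcode": op,
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
        "gratuitous": spa == tpa,      # sender == target IP is what makes it gratuitous
    }

def send_frame(frame: bytes, ifname: str) -> int:
    """Transmit on Linux with a raw AF_PACKET socket (needs CAP_NET_RAW).
    Not called by the demo below; shown so the frame can actually be sent."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        return s.send(frame)

if __name__ == "__main__":
    frame = build_garp("192.0.2.70", "00:1b:d5:00:00:70")
    print(len(frame), "bytes:", parse_arp(frame))
```

The frame is exactly the primitive behind ARP spoofing, so send it only on a segment you administer, and prefer clearing the cache on the router (as the post says) where you have access to it. The decoder is there so a capture taken on the LAN during the cutover can be checked for what the neighbours actually received.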

 

by: Eden-Kevin | Posted on 2008-07-31 at 06:38:31 | ID: 22129540

"I observed one mistake in your basic configuration. Security level for your outside interface and inside interface are reversed. In normal operation the security level for inside interface is kept as 0 (Trust interface) and outside interface is kept as 100 (Untrust interface)."

Actually, that is incorrect.  From the Cisco Adaptive Security Device Online Help:


Security Level box: Sets the security level between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.

The outside SHOULD be 0 as this is the interface with the lowest security (least trusted).  With an inside interface set at 100 and outside interface at 0, traffic is allowed to flow from the inside to the outside since the outside has a lower security number.  Conversely, traffic from the outside (0) to the inside (100) is NOT allowed to flow freely because the outside interface is not trusted and needs access rules set up to only allow permitted traffic.

 

by: Zulan | Posted on 2009-06-05 at 03:00:49 | ID: 24554818

I am experiencing the same results. Did this problem ever get resolved, and if so, what was the issue?

 

by: lxtate | Posted on 2010-09-14 at 11:26:14 | ID: 33675297

I'm new to this ASA 5510 and I want to configure it for Internet through an ADSL gateway/router, with a DMZ for my mail server and application server: Ethernet 0/0 for outside, Ethernet 0/1 for inside and Ethernet 0/2 for DMZ. I also need Remote & VPN access.

Can you help me with this please.
