Some web pages don't display properly using Cisco ASA as the firewall.

We had been using a Cisco PIX 515E and upgraded to a Cisco ASA 5520, which was supposed to be better; however, when accessing MSN/Hotmail or Yahoo mail, users cannot send mail, reply, forward, or delete mail.  The only mail service that works is Gmail.  Also, Windows Update does not work.  When I connect them through the PIX everything works fine.  I'm currently allowing in ports 80, 20, 21, 443, 110, 143, and 25.  Is there another port I should be allowing?  I also set the ASA not to filter ActiveX or Java.

Here is my current config:
DEATA-ASA-01# sho config
: Saved
: Written by enable_15 at 12:25:51.432 EDT Thu Sep 14 2006
!
ASA Version 7.0(4)12
!
hostname DEATA-ASA-01
domain-name deata.com
enable password IkaImrCJG/t6iUQE encrypted
names
!
interface GigabitEthernet0/0
 description ASA connection to LEVEL 3 Router
 nameif outside
 security-level 0
 ip address 4.21.122.14 255.255.255.248
!
interface GigabitEthernet0/1
 description ASA connection to internal 3550 switch
 nameif inside
 security-level 100
 ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_out extended permit ip any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq smtp
access-list outside_in extended permit tcp any any eq ftp
access-list outside_in extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside 172.16.10.1
mtu outside 1500
mtu inside 1500
mtu management 1500
ip audit name IDS attack action alarm reset
ip audit interface outside IDS
ip audit interface inside IDS
no failover
failover polltime unit 15 holdtime 45
icmp permit any echo inside
asdm image disk0:/asdm-504.bin
asdm location 172.16.0.0 255.255.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 4.21.122.13 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
access-group inside_out out interface inside
route outside 0.0.0.0 0.0.0.0 4.21.122.9 1
route inside 172.16.0.0 255.255.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server tacacs protocol tacacs+
aaa-server tacacs host 172.16.10.2
 key y3K_S(@(@T
username admin-rea password DlSjanG3ZOaM6RGx encrypted privilege 15
filter java except 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex except 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 172.16.2.2 255.255.255.255 inside
http 172.16.10.1 255.255.255.255 inside
http 172.16.10.2 255.255.255.255 inside
http 172.16.41.9 255.255.255.255 inside
http 192.168.1.1 255.255.255.255 inside
http 10.1.1.0 255.255.255.0 management
snmp-server host inside 172.16.10.1 community readwind
no snmp-server location
no snmp-server contact
snmp-server community readwind
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 172.16.10.1 255.255.255.255 inside
telnet 172.16.10.2 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.40 management
dhcpd lease 80000
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 ras
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
  inspect h323 h225
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:765334e15d42fa85b6bb95bde0c2d07c
DEATA-ASA-01#
Titan22

ASKER
Figured it out.  Removing http and esmtp from the class inspections fixed the issue.
ASKER CERTIFIED SOLUTION
Les Moore

Titan22

ASKER
Thanks for your help, I took those access groups out of the config.
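The thread resolves on two config changes: dropping `inspect http` and `inspect esmtp` from the default inspection class, and removing the access-group bindings. The script below is an added example written for this page, not the asker's tooling or a Cisco product. It parses the ASA 7.x config syntax visible in the thread (policy-map / class / inspect hierarchy, extended access-lists, access-group bindings, telnet and SNMP management lines), reports the items the thread turned on, and emits the `no inspect` lines that apply the asker's fix. The sample config embedded at the bottom is a constructed subset modelled on the posted one with credentials omitted; the `any`-to-`any` and outbound-binding findings, and the choice to treat `http`/`esmtp` inspection as review items, are this editor's assumptions rather than Cisco guidance.

```python
"""Static review of a Cisco ASA 7.x text config (added example, not from the thread).

Parses only the syntax seen in the thread and returns findings for:
  * 'inspect http' / 'inspect esmtp' on a policy-map class (the asker's fix
    was to remove them after webmail and Windows Update broke);
  * access-list entries that permit from 'any' to 'any';
  * access-group bindings applied with direction 'out';
  * telnet management access and SNMP community strings.
"""
from collections import defaultdict

# Inspections this thread found interfering; flagging them is an editorial assumption.
INSPECTS_TO_REVIEW = {"http", "esmtp"}


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host X', or 'A MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_asa_config(text):
    cfg = {"inspect": defaultdict(list), "acl": defaultdict(list),
           "access_group": [], "telnet": [], "snmp_community": []}
    policy = klass = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        indent = len(raw) - len(raw.lstrip())
        t = raw.split()
        if indent == 0:
            policy = klass = None  # back at global config level
        if t[0] == "policy-map":
            policy = t[1]
        elif t[0] == "class" and policy is not None:
            klass = t[1]
        elif t[0] == "inspect" and policy is not None and klass is not None:
            cfg["inspect"][(policy, klass)].append(t[1])
        elif t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
            cfg["acl"][t[1]].append({"action": t[3], "proto": t[4],
                                     "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":
            cfg["access_group"].append({"acl": t[1], "dir": t[2], "iface": t[4]})
        elif t[0] == "telnet" and len(t) == 4:  # 'telnet timeout N' has 3 tokens
            cfg["telnet"].append((t[1], t[2], t[3]))
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp_community"].append(t[2])
    return cfg


def review(text):
    """Return human-readable findings, in config order."""
    cfg = parse_asa_config(text)
    findings = []
    for (policy, klass), names in cfg["inspect"].items():
        for name in sorted(INSPECTS_TO_REVIEW & set(names)):
            findings.append(f"inspect {name} enabled in policy-map {policy} class {klass}")
    for acl, entries in cfg["acl"].items():
        for e in entries:
            if e["action"] == "permit" and e["src"] == "any" and e["dst"] == "any":
                what = e["proto"] + (f"/{e['port']}" if e["port"] else "")
                findings.append(f"ACL {acl} permits {what} from any to any")
    for ag in cfg["access_group"]:
        if ag["dir"] == "out":
            findings.append(f"ACL {ag['acl']} bound outbound on interface {ag['iface']}")
    if cfg["telnet"]:
        findings.append(f"telnet management enabled for {len(cfg['telnet'])} source(s)")
    for _ in cfg["snmp_community"]:  # value deliberately not echoed
        findings.append("SNMP community string set (cleartext SNMPv1/v2c)")
    return findings


def remediation(text):
    """Config lines applying the thread's fix: 'no inspect' for the flagged inspections."""
    lines = []
    for (policy, klass), names in parse_asa_config(text)["inspect"].items():
        hits = sorted(INSPECTS_TO_REVIEW & set(names))
        if hits:
            lines += [f"policy-map {policy}", f" class {klass}"]
            lines += [f"  no inspect {n}" for n in hits]
    return lines


# Constructed sample modelled on the thread's config; credentials omitted.
SAMPLE_CONFIG = """\
: constructed sample, not a real device
hostname SAMPLE-ASA
access-list inside_out extended permit ip any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq smtp
access-group outside_in in interface outside
access-group inside_out out interface inside
snmp-server community PLACEHOLDER-COMMUNITY
telnet 172.16.10.1 255.255.255.255 inside
telnet timeout 15
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect esmtp
!
service-policy global_policy global
"""

if __name__ == "__main__":
    for f in review(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Running it on a real `show running-config` capture lists the two inspections alongside the ACL and management-plane items, and the `remediation()` output is the exact `policy-map` / `class` / `no inspect` sequence the asker applied; whether to drop the inspections or tune them is still a per-site decision, since HTTP and ESMTP inspection are what give the ASA visibility into those protocols.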