Asked by Titan22

Some web pages don't display properly using Cisco ASA as the firewall.

We had been using a Cisco PIX 515E and upgraded to a Cisco ASA 5520, which was supposed to be better. However, when accessing MSN/Hotmail or Yahoo mail, users cannot send mail, reply, forward, or delete mail.  The only mail service that works is Gmail.  Also, Windows Update does not work.  When I connect them through the PIX everything works fine.  I'm currently allowing in ports 80, 20, 21, 443, 110, 143, and 25.  Is there another port I should be allowing?  I also set the ASA not to filter ActiveX or Java.

Here is my current config:
DEATA-ASA-01# sho config
: Saved
: Written by enable_15 at 12:25:51.432 EDT Thu Sep 14 2006
ASA Version 7.0(4)12
hostname DEATA-ASA-01
domain-name deata.com
enable password IkaImrCJG/t6iUQE encrypted
interface GigabitEthernet0/0
 description ASA connection to LEVEL 3 Router
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 description ASA connection to internal 3550 switch
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_out extended permit ip any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq smtp
access-list outside_in extended permit tcp any any eq ftp
access-list outside_in extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside
mtu outside 1500
mtu inside 1500
mtu management 1500
ip audit name IDS attack action alarm reset
ip audit interface outside IDS
ip audit interface inside IDS
no failover
failover polltime unit 15 holdtime 45
icmp permit any echo inside
asdm image disk0:/asdm-504.bin
asdm location inside
no asdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1
access-group outside_in in interface outside
access-group inside_out out interface inside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server tacacs protocol tacacs+
aaa-server tacacs host
 key y3K_S(@(@T
username admin-rea password DlSjanG3ZOaM6RGx encrypted privilege 15
filter java except
filter activex except
http server enable
http inside
http inside
http inside
http inside
http inside
http management
snmp-server host inside community readwind
no snmp-server location
no snmp-server contact
snmp-server community readwind
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet inside
telnet inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 80000
dhcpd ping_timeout 50
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 ras
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
  inspect h323 h225
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect icmp
service-policy global_policy global

Last Comment: 8/22/2022 - Mon

Figured it out.  Removing http and esmtp from the class inspections fixed the issue.
Les Moore


Thanks for your help. I took those access groups out of the config.
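
The fix reported in this thread was to remove the http and esmtp inspections from the global policy. As an added example (not code from the thread or from Cisco), the Python script below parses the policy-map section of an ASA 7.x running-config, lists the inspection engines in effect, and builds the `no inspect` commands for the chosen ones; the function names and the shortened sample config are constructed for illustration.

```python
# Added example: list the inspection engines an ASA 7.x policy-map applies
# and build the config-mode commands that remove selected ones.

# Constructed sample: the policy section of the config posted above, shortened.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect http
  inspect esmtp
  inspect icmp
service-policy global_policy global
"""

def parse_inspections(config):
    """Return {(policy_map, class_name): [inspect arguments, ...]}."""
    result, policy, cls = {}, None, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith((":", "!")):
            continue  # skip blanks and comment/banner lines
        indent = len(line) - len(line.lstrip(" "))
        words = line.split()
        if indent == 0:
            # Any top-level command ends the previous policy-map block.
            policy = words[1] if words[0] == "policy-map" and len(words) > 1 else None
            cls = None
        elif policy and words[0] == "class" and len(words) > 1:
            cls = words[1]
            result.setdefault((policy, cls), [])
        elif policy and cls and words[0] == "inspect" and len(words) > 1:
            result[(policy, cls)].append(" ".join(words[1:]))
    return result

def removal_commands(config, engines):
    """Commands that disable `engines` (e.g. {"http", "esmtp"}) where present."""
    cmds = []
    for (policy, cls), found in parse_inspections(config).items():
        hits = [e for e in found if e.split()[0] in engines]
        if hits:
            cmds += [f"policy-map {policy}", f" class {cls}"]
            cmds += [f"  no inspect {e}" for e in hits]
    return cmds

if __name__ == "__main__":
    print(parse_inspections(SAMPLE_CONFIG))
    print("\n".join(removal_commands(SAMPLE_CONFIG, {"http", "esmtp"})))
```

Running it against the saved config before and after the change confirms that only the intended engines were dropped and the remaining inspections are still applied.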