Titan22 asked on
Some web pages don't display properly using Cisco ASA as the firewall.

We had been using a Cisco PIX 515E and upgraded to a Cisco ASA 5520, which was supposed to be better; however, when accessing MSN/Hotmail or Yahoo mail, users cannot send mail, reply, forward, or delete mail. The only mail service that works is Gmail. Also, Windows Update does not work. When I connect them through the PIX everything works fine. I'm currently allowing in ports 80, 20, 21, 443, 110, 143, and 25. Is there another port I should be allowing? I also set the ASA not to filter ActiveX or Java.

Here is my current config:
DEATA-ASA-01# sho config
: Saved
: Written by enable_15 at 12:25:51.432 EDT Thu Sep 14 2006
ASA Version 7.0(4)12
hostname DEATA-ASA-01
enable password IkaImrCJG/t6iUQE encrypted
interface GigabitEthernet0/0
 description ASA connection to LEVEL 3 Router
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 description ASA connection to internal 3550 switch
 nameif inside
 security-level 100
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_out extended permit ip any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq smtp
access-list outside_in extended permit tcp any any eq ftp
access-list outside_in extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside
mtu outside 1500
mtu inside 1500
mtu management 1500
ip audit name IDS attack action alarm reset
ip audit interface outside IDS
ip audit interface inside IDS
no failover
failover polltime unit 15 holdtime 45
icmp permit any echo inside
asdm image disk0:/asdm-504.bin
asdm location inside
no asdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1
access-group outside_in in interface outside
access-group inside_out out interface inside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server tacacs protocol tacacs+
aaa-server tacacs host
 key y3K_S(@(@T
username admin-rea password DlSjanG3ZOaM6RGx encrypted privilege 15
filter java except
filter activex except
http server enable
http inside
http inside
http inside
http inside
http inside
http management
snmp-server host inside community readwind
no snmp-server location
no snmp-server contact
snmp-server community readwind
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet inside
telnet inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 80000
dhcpd ping_timeout 50
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 ras
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
  inspect h323 h225
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect icmp
service-policy global_policy global
Titan22
Figured it out. Removing http and esmtp from the class inspections fixed the issue.
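The change Titan22 describes, written out as the ASA 7.0 CLI commands that produce it. This is an added example, not text from the original post or from Cisco; the policy-map and class names are taken from the posted config, and the two `show` commands used to confirm the result are assumed to be available on this release.

```cisco
! Remove HTTP and ESMTP application inspection from the default class of
! the global policy. Both inspections were present in the posted config;
! only these two lines change, every other inspection stays in place.
policy-map global_policy
 class inspection_default
  no inspect http
  no inspect esmtp
!
! Verify: the policy-map should list neither inspection any more, and the
! service-policy should still be applied globally with the remaining ones.
show running-config policy-map
show service-policy
```

Scope of what this removes: `default-inspection-traffic` matches HTTP on TCP/80 and ESMTP on TCP/25 only, so HTTPS (443), POP3 (110) and IMAP (143) were never inspected by these two engines. ESMTP inspection restricts the SMTP command set on port 25 and has no bearing on webmail or Windows Update, which run over HTTP; applying `no inspect http` on its own and retesting would show whether the ESMTP inspection needed to go at all, and would keep the SMTP command filtering for the mail traffic the outside_in ACL admits.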
Les Moore
This solution is only available to members.
Titan22
Thanks for your help; I took those access groups out of the config.