
Some web pages don't display properly using Cisco ASA as the firewall.

Asked by Titan22 (Software Firewalls)
We had been using a Cisco PIX 515E and upgraded to a Cisco ASA 5520, which was supposed to be better; however, when accessing MSN/Hotmail or Yahoo Mail, users cannot send mail, reply, forward, or delete mail. The only mail service that works is Gmail. Also, Windows Update does not work. When I connect them through the PIX, everything works fine. I'm currently allowing in ports 80, 20, 21, 443, 110, 143, and 25. Is there another port I should be allowing? I also set the ASA not to filter ActiveX or Java.

Here is my current config:
DEATA-ASA-01# sho config
: Saved
: Written by enable_15 at 12:25:51.432 EDT Thu Sep 14 2006
!
ASA Version 7.0(4)12
!
hostname DEATA-ASA-01
domain-name deata.com
enable password IkaImrCJG/t6iUQE encrypted
names
!
interface GigabitEthernet0/0
 description ASA connection to LEVEL 3 Router
 nameif outside
 security-level 0
 ip address 4.21.122.14 255.255.255.248
!
interface GigabitEthernet0/1
 description ASA connection to internal 3550 switch
 nameif inside
 security-level 100
 ip address 192.168.1.4 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_out extended permit ip any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq smtp
access-list outside_in extended permit tcp any any eq ftp
access-list outside_in extended permit tcp any any eq ftp-data
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging host inside 172.16.10.1
mtu outside 1500
mtu inside 1500
mtu management 1500
ip audit name IDS attack action alarm reset
ip audit interface outside IDS
ip audit interface inside IDS
no failover
failover polltime unit 15 holdtime 45
icmp permit any echo inside
asdm image disk0:/asdm-504.bin
asdm location 172.16.0.0 255.255.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 4.21.122.13 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
access-group inside_out out interface inside
route outside 0.0.0.0 0.0.0.0 4.21.122.9 1
route inside 172.16.0.0 255.255.0.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server tacacs protocol tacacs+
aaa-server tacacs host 172.16.10.2
 key y3K_S(@(@T
username admin-rea password DlSjanG3ZOaM6RGx encrypted privilege 15
filter java except 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex except 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
http server enable
http 172.16.2.2 255.255.255.255 inside
http 172.16.10.1 255.255.255.255 inside
http 172.16.10.2 255.255.255.255 inside
http 172.16.41.9 255.255.255.255 inside
http 192.168.1.1 255.255.255.255 inside
http 10.1.1.0 255.255.255.0 management
snmp-server host inside 172.16.10.1 community readwind
no snmp-server location
no snmp-server contact
snmp-server community readwind
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet 172.16.10.1 255.255.255.255 inside
telnet 172.16.10.2 255.255.255.255 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.40 management
dhcpd lease 80000
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 ras
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ftp
  inspect h323 h225
  inspect http
  inspect ils
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:765334e15d42fa85b6bb95bde0c2d07c
DEATA-ASA-01#
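Added here as a worked example, not the asker's configuration or the accepted answer: a small Python script that parses the configuration lines posted above and lists what a practitioner would rule out first when a PIX-to-ASA migration leaves some web applications broken (the application inspections the global policy applies, the IDS reset action, the direction the inside ACL is applied in), together with the management-plane exposure visible in the same dump (telnet, an SNMP community and an AAA key in cleartext, inbound permits to any with no static translation to reach). The excerpt is copied from the posted config; the finding texts and severity labels are my own, and the script reports checks to run, not a diagnosis.

```python
"""Audit the ASA 7.0 configuration posted in the question above.

Added example (not the asker's tooling or Cisco's): it parses the posted
lines and lists what to rule out first for the "some sites break" symptom,
plus the management-plane exposure visible in the same dump.
"""
import re

# Excerpt copied from the configuration dump posted above.
CONFIG_EXCERPT = """\
access-list inside_out extended permit ip any any
access-list outside_in extended permit tcp any any eq www
access-list outside_in extended permit tcp any any eq smtp
access-list outside_in extended permit tcp any any eq ftp
access-list outside_in extended permit tcp any any eq ftp-data
ip audit name IDS attack action alarm reset
ip audit interface outside IDS
ip audit interface inside IDS
global (outside) 1 4.21.122.13 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
access-group inside_out out interface inside
aaa-server tacacs host 172.16.10.2
 key y3K_S(@(@T
snmp-server host inside 172.16.10.1 community readwind
snmp-server community readwind
telnet 172.16.10.1 255.255.255.255 inside
telnet 172.16.10.2 255.255.255.255 inside
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect http
  inspect esmtp
service-policy global_policy global
"""


def parse_asa_config(text):
    """Pull the fields the audit needs out of a running-config dump."""
    cfg = {"acl": {}, "access_group": [], "inspect": {}, "audit_actions": [],
           "statics": 0, "telnet": [], "snmp_communities": set(), "plaintext_keys": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (permit|deny) (.*)", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            cfg["access_group"].append((m[1], m[2], m[3]))
        elif m := re.match(r"inspect (\S+)(?: (.*))?", line):
            cfg["inspect"][m[1]] = m[2] or ""          # protocol -> its options
        elif m := re.match(r"ip audit name \S+ \S+ action (.*)", line):
            cfg["audit_actions"] += m[1].split()       # e.g. ["alarm", "reset"]
        elif line.startswith("static "):
            cfg["statics"] += 1
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            cfg["telnet"].append(line.split()[1])
        elif m := re.search(r"snmp-server .*community (\S+)", line):
            cfg["snmp_communities"].add(m[1])
        elif line.startswith("key "):                  # AAA key stored unencrypted
            cfg["plaintext_keys"] += 1
    return cfg


def audit(cfg):
    """Return (severity, message) findings; severities are this script's own labels."""
    findings = []
    # Things the ASA does to the traffic that may not have happened on the PIX.
    if "http" in cfg["inspect"]:
        findings.append(("check", "inspect http is in the global policy; ASA HTTP "
                         "protocol-conformance inspection can drop legitimate but "
                         "non-compliant web traffic. Test with 'no inspect http'."))
    if m := re.search(r"maximum-length (\d+)", cfg["inspect"].get("dns", "")):
        findings.append(("check", f"inspect dns drops DNS messages over {m[1]} bytes."))
    if "reset" in cfg["audit_actions"]:
        findings.append(("check", "ip audit 'attack' signatures reset matching "
                         "connections; look for %ASA-4-4000xx messages in the syslog."))
    for name, direction, iface in cfg["access_group"]:
        if direction == "out":
            findings.append(("note", f"{name} is applied 'out' on {iface}: it filters "
                             f"traffic leaving the ASA toward {iface} hosts, not their "
                             "outbound traffic."))
    # Exposure visible in the same dump.
    for name, _, _ in [g for g in cfg["access_group"] if g[1:] == ("in", "outside")]:
        permits = [e for e in cfg["acl"].get(name, []) if e[0] == "permit"]
        if permits and cfg["statics"] == 0:
            findings.append(("review", f"{name} permits {len(permits)} inbound services "
                             "to 'any' but no static translation exists, so nothing is "
                             "reachable yet; drop the rules or scope them to statics."))
    if cfg["telnet"]:
        findings.append(("harden", "telnet management is enabled from "
                         + ", ".join(cfg["telnet"]) + "; prefer ssh."))
    if cfg["snmp_communities"]:
        findings.append(("harden", "SNMP community string(s) stored in cleartext; "
                         "restrict to read-only hosts and rotate if the config was shared."))
    if cfg["plaintext_keys"]:
        findings.append(("harden", f"{cfg['plaintext_keys']} AAA server key(s) appear in "
                         "cleartext in the dump; rotate if the config was shared."))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_asa_config(CONFIG_EXCERPT)):
        print(f"[{severity}] {message}")
```

Run it against a full `show running-config` rather than the excerpt to get the same report for a live box; the parser ignores lines it does not recognise. The "check" items are the ones to toggle one at a time while reproducing the Hotmail/Windows Update failure, watching the syslog host at 172.16.10.1 for the drop reason, since the posted config already logs at debugging level.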
Accepted solution by Les Moore, Systems Architect