Solved

Configuring a Cisco ASA 5510

Posted on 2006-11-27
80
28,739 Views
Last Modified: 2013-11-16
I am completely frustrated with this setup.  I've configured an ASA5510 (I've attached the running config below) to take the place of a Netscreen 25 that's currently in place.  They are running consecutively now.  When I unplug the Netscreen and change the outside and inside interface of the ASA to have the IP addresses that the Netscreen has, I lose all connectivity to the internet.  I've tried flushing the DNS, powering the Cisco 1700 and Motorola off and powering everything back on.  I'm also attaching the log of events that takes place after the switch is done.  The log is from the ASA.  Just to be clear, when the ASA is plugged in, I lose all connection to the internet and no computers on the LAN / WAN can communicate with the mail server.  Help!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxxxxxxxxxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 08_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 03_LAN
name 172.18.32.0 12_LAN
name 172.18.26.0 06_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 05_LAN
name 172.18.23.0 01_LAN
name 172.18.28.0 07_LAN
name 172.18.23.222 MAIL description Exchange 2003 Server
name 172.18.33.0 13_LAN
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif Inside2
 security-level 0
 no ip address
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.xxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
 port-object range 2360 2363
object-group service 53 tcp
 port-object range 1996 1996
object-group service TerminalServices tcp
 port-object range 3388 3389
object-group network MB_WAN
 network-object 01_LAN 255.255.255.0
 network-object 02_LAN 255.255.255.0
 network-object 03_LAN 255.255.255.0
 network-object 06_LAN 255.255.255.0
 network-object 05_LAN 255.255.255.0
 network-object 07_LAN 255.255.255.0
 network-object 08_LAN 255.255.255.0
 network-object 11_LAN 255.255.255.0
 network-object 12_LAN 255.255.255.0
 network-object 04_LAN 255.255.255.0
 network-object 13_LAN 255.255.255.0
 network-object host MAIL
object-group network CHECK_LAN
 network-object CHECK_1 255.255.255.0
 network-object CHECK_2 255.255.255.240
object-group network FDLN
 description FDLN - 4 Addresses
 network-object host 12.129.xxx.103
 network-object host 206.16.xxx.211
 network-object host 63.240.xxx.101
 network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FDLN
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53 any object-group 53
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp object-group FDLN object-group MB_WAN log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.77 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.77 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq www log
access-list ACL_IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Inside2 1500
mtu management 1500
icmp deny any Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.77 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside 03_LAN 255.255.255.0 172.18.23.240 1
route Inside 06_LAN 255.255.255.0 172.18.23.240 1
route Inside 05_LAN 255.255.255.0 172.18.23.240 1
route Inside 07_LAN 255.255.255.0 172.18.23.240 1
route Inside 08_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside 12_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
route Inside 13_LAN 255.255.255.0 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 01_LAN 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:0c2ef9e0e604a02608a4433bf046eef2
: end



Here's PART of the log...it was lengthy so I'm just posting a few lines...

4|Nov 25 2006|17:36:26|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|302020|172.18.24.10|10.55.56.100|Built ICMP connection for faddr 172.18.24.10/59212 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:25|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK  on interface Inside
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK  on interface Inside
6|Nov 25 2006|17:36:24|302015|172.18.29.251|10.55.56.103|Built inbound UDP connection 12356 for Inside:172.18.29.251/4075 (172.18.29.251/4075) to Outside:10.55.56.103/53 (10.55.56.103/53)
6|Nov 25 2006|17:36:23|302021|172.18.24.4|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:23|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
4|Nov 25 2006|17:36:22|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:22|302016|172.18.23.200|193.0.14.129|Teardown UDP connection 12248 for Inside:172.18.23.200/1092 to Outside:193.0.14.129/53 duration 0:02:02 bytes 45
6|Nov 25 2006|17:36:21|302020|172.18.24.4|10.55.56.100|Built ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.24.3|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:19|302021|172.18.23.186|12.129.203.103|Teardown ICMP connection for faddr 172.18.23.186/7476 gaddr 12.129.203.103/0 laddr 12.129.203.103/0
6|Nov 25 2006|17:36:19|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK  on interface Inside
6|Nov 25 2006|17:36:18|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK  on interface Inside
6|Nov 25 2006|17:36:18|302020|172.18.24.3|10.55.56.100|Built ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:18|302020|172.18.23.200|74.231.xxx.77|Built ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:18|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512



Circuit--Cisco1700--Switch1--------------Switch2-------------------Switch3----------------Hub
                                |   |                           |                                |                           | |
                 NS Untrust   Outside ASA          Inside ASA         Exchange           NS Trust         Web Filter Machine

Question by: MKSKCS

80 Comments

Expert Comment by rsivanandan (LVL 32)
You don't seem to have the nat statements?

nat(inside) 1 0.0.0.0 0.0.0.0
global(outside) 1 interface

Add these 2 lines and see if it helps.

Cheers,
Rajesh

Author Comment by MKSKCS (LVL 1)
can you tell me what the actual commands are for the CLI?

Expert Comment by rsivanandan (LVL 32)
The above mentioned 2 lines are the exact cli commands that you could enter on the device console/telnet

Cheers,
Rajesh

Expert Comment by batry_boy (LVL 28)
Make sure you put a space between the "nat" command and the "(inside)" parameter.  Same goes for the "global" command and the "(outside)" parameter.

Author Comment by MKSKCS (LVL 1)
Ok, that didn't work.  Still takes the internet down instantaneously.

Expert Comment by batry_boy (LVL 28)
When you swap out the firewalls and perform the connectivity test, have you tried clearing the ARP cache on both the edge device and the ASA? The command "clear arp" will do it on each.

Author Comment by MKSKCS (LVL 1)
yes, I've tried that as well as powering the NS off completely and restarting the 2 routers.  I've also tried clearing the CACHE  on the DNS server.  It's obviously very frustrating.  

Expert Comment by batry_boy (LVL 28)
When you have the ASA in place, can you ping a public IP address?  Say 4.2.2.2 or whatever.  Does that work?  I'm trying to determine if the disconnect is between the PIX and outside someplace or if the disconnect is traffic through the PIX itself...

Author Comment by MKSKCS (LVL 1)
I'd have to try it again now that I made the NAT change, but yesterday, no, I couldn't ping anything outside.  I think, based on the log, the disconnect is in the ASA.  But that's just my thoughts.

Expert Comment by batry_boy (LVL 28)
I'm sorry, I meant to specify that you ping FROM the ASA to a public IP address...have you tried that?  We need to see if outside connectivity is there or not purely from the perspective of the ASA...from the command line interface of the ASA, perform a ping to a public IP address and see if you get a reply.

Author Comment by MKSKCS (LVL 1)
I seem to have it up and running, sort of.  Some things still aren't working correctly, though.  Mail doesn't seem to be working from the outside.  Please help.  Here's a copy of a few lines from the log....

6|Nov 29 2006|09:37:02|302021|172.18.23.186|12.129.203.103|Teardown ICMP connection for faddr 172.18.23.186/1949 gaddr 12.129.203.103/0 laddr 12.129.203.103/0
6|Nov 29 2006|09:37:01|302014|172.18.31.55|66.150.208.9|Teardown TCP connection 1504 for Inside:172.18.31.55/2125 to Outside:66.150.208.9/80 duration 0:00:12 bytes 6290 TCP Reset-O
4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.xxx.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.xxx.70/1691 by access-group "Outside_access_in" [0x0, 0x0]
6|Nov 29 2006|09:37:01|305012|172.18.23.103|74.231.xxx.70|Teardown dynamic ICMP translation from Inside:172.18.23.103/51469 to Outside:74.231.xxx.70/179 duration 0:00:30
6|Nov 29 2006|09:37:01|302016|172.18.23.53|10.55.56.103|Teardown UDP connection 1169 for Inside:172.18.23.53/2669 to Outside:10.55.56.103/53 duration 0:02:01 bytes 33
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4240 to 209.200.63.68/80 flags ACK  on interface Inside
6|Nov 29 2006|09:37:01|302014|172.18.27.14|209.200.63.68|Teardown TCP connection 1563 for Inside:172.18.27.14/4240 to Outside:209.200.63.68/80 duration 0:00:00 bytes 477 TCP Reset-O
4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.xxx.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.xxx.70/1690 by access-group "Outside_access_in" [0x0, 0x0]
4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.xxx.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.xxx.70/1689 by access-group "Outside_access_in" [0x0, 0x0]
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4239 to 209.200.63.68/80 flags ACK  on interface Inside
6|Nov 29 2006|09:37:01|302014|172.18.27.14|209.200.63.68|Teardown TCP connection 1560 for Inside:172.18.27.14/4239 to Outside:209.200.63.68/80 duration 0:00:00 bytes 477 TCP Reset-O
6|Nov 29 2006|09:37:01|302013|172.18.27.14|209.200.63.68|Built inbound TCP connection 1563 for Inside:172.18.27.14/4240 (74.231.xxx.70/1691) to Outside:209.200.63.68/80 (209.200.63.68/80)
6|Nov 29 2006|09:37:01|305011|172.18.27.14|74.231.xxx.70|Built dynamic TCP translation from Inside:172.18.27.14/4240 to Outside:74.231.xxx.70/1691
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4238 to 209.200.63.68/80 flags FIN ACK  on interface Inside
6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4238 to 209.200.63.68/80 flags ACK  on interface Inside


HELP!
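Added example, not code from the thread or from Cisco: a small Python parser for the ASDM log export format used in both log excerpts on this page (the one in the original question and the one in the comment above). It counts message ids, attributes each 106023 deny to the access-group and interface pair named in the message, and pairs a deny with an earlier 302013 for the same mapped ip/port and peer, so that a reply to a connection the ASA itself built shows up as "return traffic denied" rather than as a random ACL hit. The sample lines are constructed from the posted entries (tab-separated ones as copied from the ASDM table view); 74.231.0.70 is a stand-in for the masked outside address, and the meanings table summarises Cisco's syslog message reference for those ids.

```python
import re
from collections import Counter

# Constructed sample in the export format seen in the thread:
# "sev|date|time|id|src|dst|text", or tab-separated when copied from the
# table view. 74.231.0.70 stands in for the masked 74.231.xxx.70.
SAMPLE_LOG = [
    "6|Nov 29 2006|09:37:01|305011|172.18.27.14|74.231.0.70|Built dynamic TCP translation from Inside:172.18.27.14/4240 to Outside:74.231.0.70/1691",
    "6|Nov 29 2006|09:37:01|302013|172.18.27.14|209.200.63.68|Built inbound TCP connection 1563 for Inside:172.18.27.14/4240 (74.231.0.70/1691) to Outside:209.200.63.68/80 (209.200.63.68/80)",
    "6|Nov 29 2006|09:37:01|302014|172.18.27.14|209.200.63.68|Teardown TCP connection 1563 for Inside:172.18.27.14/4240 to Outside:209.200.63.68/80 duration 0:00:00 bytes 477 TCP Reset-O",
    "4|Nov 29 2006|09:37:01|106023|209.200.63.68|74.231.0.70|Deny tcp src Outside:209.200.63.68/80 dst Inside:74.231.0.70/1691 by access-group \"Outside_access_in\" [0x0, 0x0]",
    "6|Nov 29 2006|09:37:01|106015|172.18.27.14|209.200.63.68|Deny TCP (no connection) from 172.18.27.14/4240 to 209.200.63.68/80 flags ACK  on interface Inside",
    "3\tNov 29 2006\t09:46:16\t305006\t172.18.31.200\t\tportmap translation creation failed for tcp src Inside:172.18.23.134/61695 dst Inside:172.18.31.200/3053",
    "3\tDec 06 2006\t16:56:48\t313001\t205.152.144.38\t\tDenied ICMP type=11, code=0 from 205.152.144.38 on interface Outside",
    "3\tDec 12 2006\t15:45:32\t710003\t172.18.23.77\t192.168.1.1\tTCP access denied by ACL from 172.18.23.77/1210 to Inside:192.168.1.1/80",
]

# Meaning of the non-routine ids on ASA 7.x (summarised from Cisco's syslog
# message reference); 302xxx and 305011/305012 are routine build/teardown.
MEANING = {
    "106023": "packet dropped by the interface ACL named in the message",
    "106015": "TCP packet without SYN and with no entry in the connection table",
    "305006": "no translation could be built for the flow (nat-control, no matching nat/static)",
    "313001": "ICMP addressed to the ASA itself refused by the interface icmp policy",
    "710003": "to-the-box connection refused: no http/ssh/telnet statement covers that source",
}

ENDPOINT = r"(\w+):([\d.]+)(?:/(\d+))?"
DENY_RE = re.compile(r"Deny \w+ src " + ENDPOINT + r" dst " + ENDPOINT
                     + r' by access-group "([^"]+)"')
BUILT_RE = re.compile(r"Built \w+ TCP connection \d+ for " + ENDPOINT
                      + r" \(([\d.]+)/(\d+)\) to " + ENDPOINT)


def parse_line(line):
    """Split one export line into its seven columns; dst may be empty."""
    sep = "|" if "|" in line else "\t"
    cols = [c.strip() for c in line.rstrip("\n").split(sep, 6)]
    if len(cols) != 7:
        return None
    sev, date, time, msgid, src, dst, text = cols
    return {"sev": int(sev), "ts": date + " " + time, "id": msgid,
            "src": src, "dst": dst, "text": text}


def summarize(lines):
    """Parsed events, a count per id, and ACL denies keyed by
    (access-group, ingress->egress interface)."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter(e["id"] for e in events)
    acl_denies = Counter()
    for e in events:
        m = DENY_RE.search(e["text"]) if e["id"] == "106023" else None
        if m:
            acl_denies[(m.group(7), m.group(1) + "->" + m.group(4))] += 1
    return events, counts, acl_denies


def denied_return_traffic(events):
    """Pair each 106023 with an earlier 302013 whose mapped (ip/port) and
    peer (ip/port) match. A hit is the reply to a connection the ASA built
    itself being dropped by the inbound ACL: the connection was already
    gone from the state table when the reply arrived."""
    built, hits = {}, []
    for e in events:
        if e["id"] == "302013":
            m = BUILT_RE.search(e["text"])
            if m:   # key: (mapped ip, mapped port, peer ip, peer port)
                built[(m.group(4), m.group(5), m.group(7), m.group(8))] = e
        elif e["id"] == "106023":
            m = DENY_RE.search(e["text"])
            if m and m.group(3) and m.group(6):
                key = (m.group(5), m.group(6), m.group(2), m.group(3))
                if key in built:
                    hits.append((built[key], e))
    return hits


def explain(events):
    """(id, timestamp, meaning) for the ids worth acting on, in log order."""
    return [(e["id"], e["ts"], MEANING[e["id"]]) for e in events if e["id"] in MEANING]


if __name__ == "__main__":
    ev, counts, denies = summarize(SAMPLE_LOG)
    print(dict(counts))
    print(dict(denies))
    for _, d in denied_return_traffic(ev):
        print("return traffic denied:", d["text"])
    for row in explain(ev):
        print(*row)
```

Run it as-is and the one correlated hit is the 209.200.63.68/80 reply being denied by Outside_access_in a moment after its connection 1563 was torn down with duration 0:00:00; feed it a full export and the per-access-group counts show which interface pair is actually dropping the traffic.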
 
Author Comment by MKSKCS (LVL 1)
3|Nov 29 2006|09:46:16|305006|172.18.31.200||portmap translation creation failed for tcp src Inside:172.18.23.134/61695 dst Inside:172.18.31.200/3053

What does that mean?

Expert Comment by rsivanandan (LVL 32)
Can you post your configuration again, the current one ?

Cheers,
Rajesh

Expert Comment by batry_boy (LVL 28)
Yes, I would be interested to see a list of your "static" statements...

Expert Comment by prueconsulting (LVL 11)
Didn't we look at this before and have some issues regarding OSPF as well?


Please post current configuration. I actually just finished a Netscreen to ASA conversion... now building the NS to ASA VPN is another fun time (lol).

Author Comment by MKSKCS (LVL 1)
Yes, you helped me before.  You were able to get my internal users access (remember everyone was having network issues?) so I tested and thought I was ready for conversion.  Turns out I'm not.  When plugged in, the ASA doesn't allow any outside access in and mail isn't being delivered.  I'll post the running config momentarily.  

Author Comment by MKSKCS (LVL 1)
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxxxxxxxxxxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 09_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 ISL_LAN
name 172.18.32.0 CH_LAN
name 172.18.26.0 DK_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 MID_LAN
name 172.18.23.0 MAIN_LAN
name 172.18.28.0 KW_LAN
name 172.18.23.222 MAIL description Exchange 2003 Server
name 172.18.33.0 PG_LAN
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 nameif Inside2
 security-level 0
 no ip address
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.xxxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
 port-object range 2360 2363
object-group service 53 tcp
 port-object range 1996 1996
object-group service TerminalServices tcp
 port-object range 3388 3389
object-group network MB_WAN
 network-object MAIN_LAN 255.255.255.0
 network-object 02_LAN 255.255.255.0
 network-object ISL_LAN 255.255.255.0
 network-object DK_LAN 255.255.255.0
 network-object MID_LAN 255.255.255.0
 network-object KW_LAN 255.255.255.0
 network-object 09_LAN 255.255.255.0
 network-object 11_LAN 255.255.255.0
 network-object CH_LAN 255.255.255.0
 network-object 04_LAN 255.255.255.0
 network-object PG_LAN 255.255.255.0
 network-object host MAIL
object-group network CHECK_LAN
 network-object CHECK_1 255.255.255.0
 network-object CHECK_2 255.255.255.240
object-group network FDPN
 description FDVPN - 4 Addresses
 network-object host 12.129.xxx.103
 network-object host 206.16.xxx.211
 network-object host 63.240.xxx.101
 network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FEDVPN
access-list Outside_access_out remark Implicit rule
access-list Outside_access_out extended permit ip any any
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group ERAS_LAN
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53 any object-group 53
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log
access-list Outside_access_in extended permit icmp any host 74.231.xxx.70 log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.70 eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.70 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq smtp log
access-list Outside_access_in extended permit tcp object-group FDVPN object-group MB_WAN log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq https log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.66 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.66 object-group TerminalServices log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq www log
access-list ACL_IN extended permit ip any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit ip any any
access-list Inside2_access_in remark Implicit rule
access-list Inside2_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm warnings
mtu Outside 1500
mtu Inside 1500
mtu Inside2 1500
mtu management 1500
icmp deny any Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.66 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside2_access_in in interface Inside2
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside ISL_LAN 255.255.255.0 172.18.23.240 1
route Inside DK_LAN 255.255.255.0 172.18.23.240 1
route Inside MID_LAN 255.255.255.0 172.18.23.240 1
route Inside KW_LAN 255.255.255.0 172.18.23.240 1
route Inside 09_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside CH_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http MAIN_LAN 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:69c2e9d93c21ea8d688159f864f9a076
: end

Expert Comment by prueconsulting (LVL 11)

static (Outside,Inside) MAIL 74.231.xxx.66 netmask 255.255.255.255 dns <-- Assuming this is the external IP of the mail server
.66 and .70 is the ASA outside interface.


Here is another problem

access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log


These are addressed to the name MAIL, which is an internal address, as well as having source and destination as 25 (not likely to ever happen); same with the next.

your acl would have to be like this

access-list Outside_access_in permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq www log



Then your translate will take care of re-routing it to internally.


I am not sure on the ASA if you can apply acls in 2 directions.  If the above doesn't fix your issue
try removing this one
"access-group Outside_access_out out interface Outside" and see what happens.

Author Comment by MKSKCS (LVL 1)
I thought I also had what you suggested already in the policy.  I started adding a big bunch of stuff because nothing would work.  

Isn't this the same?

access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log

No?

Expert Comment by prueconsulting (LVL 11)
Yes, sorry, it is; I missed that.

However ..

Lets simplify
I think the dual acls inbound and outbound might be causing an issue.


remove both access-groups on the outside interface

create new access-list

access-list Outside_access permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log

access-group outside_access in interface outside


Then try to send email or telnet to port 25 of the external ip address associated with email server from externally

post log entries from during this time


Author Comment by MKSKCS (LVL 1)
Ok, another quick question before I do that.  I've noticed that email that we send OUT when the ASA is in place is being blocked by Spam "catchers" because there is no reverse DNS for the .70.  But why would .70 be what's showing as the mail?

Expert Comment by prueconsulting (LVL 11)
Because that is the outbound address of the ASA

However, it should not be reporting that; the static should be taking care of it.

Try this as your static statement (reversing it):

static (inside,outside) tcp 74.231.xxx.66 MAIL netmask 255.255.255.255 dns

Expert Comment by prueconsulting (LVL 11)
Oops, sorry, typo:
static (inside,outside) 74.231.xxx.66 MAIL netmask 255.255.255.255 dns

Otherwise it wants a port # if you include the tcp.

Author Comment by MKSKCS (LVL 1)
I think I did the static routing portion you mentioned correctly, however how do I do the rest?

Yes sorry it is , i missed that..

However ..

Lets simplify
I think the dual acls inbound and outbound might be causing issue


remove both access-groups on the outside interface

create new access-list

access-list Outside_access permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log

access-group outside_access in interface outside


Then try to send email or telnet to port 25 of the external ip address associated with email server from externally

post log entries from during this time

Author Comment by MKSKCS (LVL 1)
I currently have

Type - Static
Source - 74.231.xxx.66
Destination - Any
Interface - Inside
Address - MAIL

Is that backwards?

Author Comment by MKSKCS (LVL 1)
Did you mean that I should remove all policies on the outside (outgoing) and outside (incoming)? Then I'm just left with the one implicit deny rule of any/any/ip/deny.  

Expert Comment by prueconsulting (LVL 11)
You are doing this through the SDM.

Let me take a look and see here looking at SDM.

In SDM it should show as

Source Network Inside
internal ip address

Translate on Outside
Translate to
Static  74.231.xxx.66


If you remove the outgoing outside one, the ASA model kicks in (traffic from High to Low is allowed by default).

Then apply the inbound acls one at a time making sure they work


access-list Outside_access permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log

access-group outside_access in interface outside


This will apply an inbound acl on the outside which allows smtp and web to go to your mail server.
Then if this works add your other inbound acls.

Most likely your outbound acls are not required unless you are specifically only trying to allow those protocols and block anything else, but for purposes of troubleshooting only have your inbounds in place. Traffic will still flow outbound without any issue.


Author Comment by MKSKCS (LVL 1)
Sorry if I'm making this more difficult than it needs to be.  Just to be sure.  

I'm deleting the outgoing outside.

Then, on the outside access in, I'm deleting (unapplying) all the rules and just applying the two above to see how things work.  Then adding the other rules back one by one to see where it causes problems?

Expert Comment by prueconsulting (LVL 11)
exactly..

I am sure with the static in place properly and those 2 rules in place email and web to that machine should work as planned.

Author Comment by MKSKCS (LVL 1)
And everyone will still be able to access the web out too?

My DSM doesn't look like what you're describing on the static route but I think I can figure it out.  

Expert Comment by prueconsulting (LVL 11)
Are you using the SDM application or the Java interface ?
That was via the SDM application downloaded from the ASA.  We have an ASA 5510 deployed in Brazil so I had connected to it to look.

Yes the ASA security model works same as a pix

High to low traffic is allowed automatically without any rules in place.

only requirements are
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0


and you have those in place.

Author Comment by MKSKCS (LVL 1)
Cisco ASDM Launcher.  It's a program I run on the desktop.  I'm so little help...I know. Sorry.

Expert Comment by prueconsulting (LVL 11)
That's strange because I used the same thing to show that.

Its under Configuration - NAT

Author Comment by MKSKCS (LVL 1)
Yes....me too.  No big deal.  I'm going to try it in a sec anyway.  

Author Comment by MKSKCS (LVL 1)
1. When I disable all Outside access Out, I can't get to the internet at all.  

2.  I'm getting this in the log....3      Dec 06 2006      16:54:20      305006      172.18.25.24             portmap translation creation failed for tcp src Inside:MAIL/1337 dst Inside:172.18.25.24/2739

3.  And this...4      Dec 06 2006      16:55:16      106023      12.129.203.103      74.231.xxx.70       Deny icmp src Outside:12.129.203.103 dst Inside:74.231.xxx.70 (type 0, code 0) by access-group "Outside_access_in" [0x0, 0x0]

Still no mail in that I can see....

0
 
LVL 1

Author Comment

by:MKSKCS
3      Dec 06 2006      16:56:48      313001      205.152.144.38             Denied ICMP type=11, code=0 from 205.152.144.38 on interface Outside
0
 
LVL 1

Author Comment

by:MKSKCS
Got mail in from hotmail...cool.

Checking about sending mail out...

I spoke too soon.  :-( No mail in.  
0
 
LVL 11

Expert Comment

by:prueconsulting
Log message #3 is nothing bad.

I don't understand why you couldn't get out, because the default is to allow high to low.


Doh, I see the problem here... your security levels are screwed.

!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 0
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10

Set the inside security level to 99 and life will get a lot better.

0
 
LVL 1

Author Comment

by:MKSKCS
WOW.  I'm embarrassed I missed that.  I'll try that tomorrow and I'm sure things will clear up a bit.  
0
 
LVL 1

Author Comment

by:MKSKCS
Ok, I finally made the changes to the security level.  I did have to re-enable the outside/outgoing rules in order to be able to get on the internet.  I still don't get that.  

I still can't get mail from outside AND from outside, can't get to webmail.  

:-(  

I have lots of these....

3      Dec 12 2006      15:45:32      710003      172.18.23.77      192.168.1.1       TCP access denied by ACL from 172.18.23.77/1210 to Inside:192.168.1.1/80

I don't have any idea what the 192.168.1.1 is though.  
0
 
LVL 1

Author Comment

by:MKSKCS
4      Dec 12 2006      15:46:20      106023      204.90.1.63      74.231.xxx.70       Deny tcp src Outside:204.90.1.63/443 dst Inside:74.231.xxx.70/1255 by access-group "Outside_access_in" [0x0, 0x0]

4      Dec 12 2006      15:46:11      106023      143.166.83.168      74.231.xxx.70       Deny tcp src Outside:143.166.83.168/80 dst Inside:74.231.xxx.70/1290 by access-group "Outside_access_in" [0x0, 0x0]
0
 
LVL 1

Author Comment

by:MKSKCS
I feel like I should just start over at this point.  This is so frustrating.  
0
 
LVL 11

Expert Comment

by:prueconsulting
ACLs are denying your traffic.

Let me take your configuration and see what I can do.

I will modify a working ASA configuration with your IP addresses and repost here.

We'll start simple and just add to it.

0
 
LVL 11

Expert Comment

by:prueconsulting
192.168.1.1 is from your management interface.
0
 
LVL 11

Accepted Solution

by:
prueconsulting earned 500 total points
Try this.

It's a working configuration adjusted slightly to your configuration.

Back up your configuration, wipe it, and try to apply this if you can.


hostname MB01ASA01
domain-name corp.xxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 192.168.102.11 ERP
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 99
 ip address 172.18.23.241 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 10.50.45.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone BRST -3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

pager lines 24
logging enable
logging list VPN-Events level debugging class vpn
logging buffered debugging
logging asdm VPN-Events
mtu outside 1500
mtu inside 1500
mtu management 1500

icmp deny any outside
icmp permit any inside

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 74.231.xxx.66 172.18.23.222 netmask 255.255.255.255 dns

access-list outside_in permit tcp any host 74.231.xxx.66 eq smtp log
access-list outside_in permit tcp any host 74.231.xxx.66 eq https log
access-group outside_in in interface outside


route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route inside 172.18.0.0 255.255.0.0 172.18.23.240 1
route inside 10.10.1.48 255.255.255.240 172.18.23.240 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
0
 
LVL 1

Author Comment

by:MKSKCS
This is what's in the logs now...

4      Dec 13 2006      16:51:07      106023      12.129.203.103      74.231.xxx.70       Deny icmp src Outside:12.129.203.103 dst Inside:74.231.xxx.70 (type 0, code 0) by access-group "outside_in" [0x0, 0x0]

4      Dec 13 2006      16:51:59      106023      170.146.230.94      74.231.xxx.70       Deny tcp src Outside:170.146.230.94/443 dst Inside:74.231.xxx.70/1563 by access-group "outside_in" [0x0, 0x0]

4      Dec 13 2006      16:52:07      106023      12.129.203.103      74.231.xxx.70       Deny icmp src Outside:12.129.203.103 dst Inside:74.231.xxx.70 (type 0, code 0) by access-group "outside_in" [0x0, 0x0]

0
 
LVL 11

Expert Comment

by:prueconsulting
That looks normal.

ICMP is being denied by the deny icmp outside line.

.70 is the external IP of the ASA, which currently doesn't have a way inside.

Where should that 443 be landing? Because it's facing the ASA external interface.

access-list outside_in permit tcp any interface eq 443

static (inside,outside) tcp interface 443 insideip 443 netmask 255.255.255.255 dns

0
 
LVL 1

Author Comment

by:MKSKCS
But webmail folks still can't access webmail.  We use https if that matters.  

Should I make that change you just mentioned?
0
 
LVL 11

Expert Comment

by:prueconsulting
They are pointing to the Outside interface IP, not .66, which is what the first rules I made were for.

If you want to proxy them through via the ASA outside interface, do the above noted rules.

0
 
LVL 1

Author Comment

by:MKSKCS
So, I should just add this...

access-list outside_in permit tcp any interface eq 443

static (inside,outside) tcp interface 443 insideip 443 netmask 255.255.255.255 dns

And the rest is ok?
0
 
LVL 1

Author Comment

by:MKSKCS
Result of the command: "access-list outside_in permit tcp any interface eq 443"

access-list outside_in permit tcp any interface eq 443
                                               
ERROR: % Invalid Hostname
0
 
LVL 1

Author Comment

by:MKSKCS
Ok, I've tried opening TCP / ANY / ANY and ICMP / ANY / ANY on the outside (incoming) rules to rule that out as being the issue. When both are wide open, my outside users still can't get to webmail.
0
 
LVL 1

Author Comment

by:MKSKCS
3      Dec 14 2006      12:28:38      305006      172.18.28.20             portmap translation creation failed for tcp src Inside:MAIL/1337 dst Inside:172.18.28.20/3471
0
 
LVL 11

Expert Comment

by:prueconsulting
Invalid hostname... Hmm, that doesn't make sense.


access-list outside_in permit tcp any any eq 443

Try that and see what happens.

Your statics take care of the control then.
0
 
LVL 11

Expert Comment

by:prueconsulting
Is email working inbound now, though?

That error message seems kind of odd.

It's basically saying it can't create a translation from Mail to 28.20.


Can you post the current configuration now?
0
 
LVL 1

Author Comment

by:MKSKCS
It took that command, but still no mail from outside and no webmail.  
0
 
LVL 11

Expert Comment

by:prueconsulting
By chance, are your users trying to access webmail from inside the firewall to the external address?
0
 
LVL 1

Author Comment

by:MKSKCS
No.

I'm actually using my machine at home (different external address and definitely external) to access the webmail...

https://webmail.xxx.com

0
 
LVL 1

Author Comment

by:MKSKCS
Comment Utility
Internal webmail works....
https://172.18.23.222/exchange

0
 
LVL 1

Author Comment

by:MKSKCS
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 09_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 03_LAN
name 172.18.32.0 12_LAN
name 172.18.26.0 06_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 05_LAN
name 172.18.23.0 01_LAN
name 172.18.28.0 07_LAN
name 172.18.23.222 MAIL
name 172.18.33.0 13_LAN
name 192.168.102.11 ERP
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 74.231.xxx.70 255.255.255.224
 ospf cost 10
!
interface Ethernet0/1
 nameif Inside
 security-level 99
 ip address 172.18.23.241 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.2.2 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone BRST -3
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name corp.xxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
 port-object range 2360 2363
object-group service 53_Direct tcp
 port-object range 1996 1996
object-group service TerminalServices tcp
 port-object range 3388 3389
object-group network MB_WAN
 network-object 01_LAN 255.255.255.0
 network-object 02_LAN 255.255.255.0
 network-object 03_LAN 255.255.255.0
 network-object 06_LAN 255.255.255.0
 network-object 05_LAN 255.255.255.0
 network-object 07_LAN 255.255.255.0
 network-object 09_LAN 255.255.255.0
 network-object 11_LAN 255.255.255.0
 network-object 12_LAN 255.255.255.0
 network-object 04_LAN 255.255.255.0
 network-object 13_LAN 255.255.255.0
 network-object host MAIL
object-group network CHECK_LAN
 network-object CHECK_1 255.255.255.0
 network-object CHECK_2 255.255.255.240
object-group network FVPN
 description F VPN - 4 Addresses
 network-object host 12.129.xxx.103
 network-object host 206.16.xxx.211
 network-object host 63.240.xxx.101
 network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FVPN
access-list Outside_access_out remark Implicit rule
access-list Outside_access_out extended permit ip any any
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group CHECK_LAN
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53_Direct any object-group 53_Direct
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq smtp log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.66 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log inactive
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log inactive
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.70 eq www log
access-list Outside_access_in extended permit icmp any host 74.231.xxx.70 log inactive
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.70 object-group TerminalServices log inactive
access-list Outside_access_in extended permit tcp object-group FVPN object-group MB_WAN log inactive
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq https log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log inactive
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.66 object-group TerminalServices log inactive
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.70 eq www log inactive
access-list Outside_access_in extended permit tcp any host 74.231.xxx.66 eq www log inactive
access-list ACL_IN extended permit ip any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit udp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit tcp any any
access-list Inside_access_in remark Implicit rule
access-list Inside_access_in extended permit ip any any
access-list Inside2_access_in remark Implicit rule
access-list Inside2_access_in extended permit ip any any
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list Outside_access extended permit tcp any host 74.231.xxx.66 eq www log
access-list outside_in extended permit tcp any host 74.231.xxx.66 eq smtp log
access-list outside_in extended permit tcp any eq www host 74.231.xxx.66 eq www log
access-list outside_in extended permit tcp any host 74.231.xxx.66 eq https log
access-list outside_in extended permit icmp any any inactive
access-list outside_in extended permit tcp any any inactive
access-list outside_in extended permit tcp any any eq https
pager lines 24
logging enable
logging list VPN-Events level debugging class vpn
logging buffered debugging
logging asdm notifications
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp deny any Outside
icmp permit any Inside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 74.231.xxx.66 MAIL netmask 255.255.255.255
access-group outside_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside 03_LAN 255.255.255.0 172.18.23.240 1
route Inside 06_LAN 255.255.255.0 172.18.23.240 1
route Inside 05_LAN 255.255.255.0 172.18.23.240 1
route Inside 07_LAN 255.255.255.0 172.18.23.240 1
route Inside 09_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside 12_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside 172.18.0.0 255.255.0.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 01_LAN 255.255.255.0 Inside
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 20
console timeout 0
management-access Inside
!
!
prompt hostname context
Cryptochecksum:e402c25e9769205104c98f4e2e5f912a
: end
0
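A small lint script, added here and not part of the thread, that checks a pasted ASA running-config for the three mistakes the thread turns on: two interfaces at the same security level (the Inside 0 / Outside 0 bug found above), access-lists that exist but are bound to no interface (the old Outside_access_in rules left beside outside_in), and a `nat 0 access-list` that names an ACL never created (the `nonat` line in the suggested config). The sample config is constructed to mirror the posted ones, with 203.0.113.x standing in for the masked public addresses; the function names are my own.

```python
import re

# Constructed sample modelled on the configs posted in this thread (not the
# poster's actual config); 203.0.113.0/24 replaces the masked public range.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
!
interface Ethernet0/1
 nameif Inside
 security-level 0
!
interface Management0/0
 nameif management
 security-level 100
!
access-list Outside_access_in extended permit tcp any host 203.0.113.66 eq smtp log
access-list outside_in extended permit tcp any host 203.0.113.66 eq https log
access-list Inside_access_in extended permit ip any any
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface Outside
access-group Inside_access_in in interface Inside
"""


def parse_security_levels(config):
    """Map each nameif to its security-level by walking the interface blocks."""
    levels = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new block, nameif not seen yet
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def lint_asa_config(config):
    """Return a list of findings for the mistakes discussed in the thread."""
    findings = []
    levels = parse_security_levels(config)

    # 1. Equal security levels: the ASA only permits traffic implicitly from a
    #    higher level to a lower one, so Inside 0 / Outside 0 gets no implicit
    #    flow unless same-security-traffic is explicitly enabled.
    same_sec = "same-security-traffic permit inter-interface" in config
    names = sorted(levels)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if levels[a] == levels[b] and not same_sec:
                findings.append(f"{a} and {b} share security-level {levels[a]}; "
                                "no implicit traffic between them")

    # 2. access-group must name an existing ACL and an existing interface.
    defined = {m.group(1) for m in re.finditer(r"^access-list (\S+) ", config, re.M)}
    applied = set()
    for m in re.finditer(r"^access-group (\S+) (in|out) interface (\S+)", config, re.M):
        acl, _direction, ifname = m.groups()
        applied.add(acl)
        if acl not in defined:
            findings.append(f"access-group references undefined access-list {acl}")
        if ifname not in levels:
            findings.append(f"access-group {acl} bound to unknown interface {ifname}")

    # 3. ACLs that exist but are bound nowhere (leftovers such as the thread's
    #    Outside_access_in after the rules moved to outside_in).
    nat_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    for acl in sorted(defined - applied - nat_acls):
        findings.append(f"access-list {acl} is defined but never applied")

    # 4. nat 0 (identity NAT) pointing at an ACL that was never created.
    for acl in sorted(nat_acls - defined):
        findings.append(f"nat 0 references undefined access-list {acl}")

    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```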
 
LVL 11

Expert Comment

by:prueconsulting
What is 172.18.28.20?

Change
access-list outside_in extended permit tcp any any eq https
to
access-list outside_in extended permit tcp any any eq https log

Create a static natting on the interface (PAT Based)

static (inside,outside) tcp interface 443 MAIL 443 netmask 255.255.255.255  dns
0
 
LVL 1

Author Comment

by:MKSKCS
172.18.28.20 is a computer on the LAN
0
 
LVL 11

Expert Comment

by:prueconsulting
Ok, but if it's a computer on the LAN, then that error message isn't applicable... That would be more applicable if, say, the PC was attempting to access webmail via the external address.
So it was going out and then attempting to come back in... which is not allowed by the ASA.
0
 
LVL 11

Expert Comment

by:prueconsulting
Also, have you tried removing the outbound ACLs / inside ACLs after creating a new configuration?
0
 
LVL 1

Author Comment

by:MKSKCS
Is this the static natting you think should be done?


static (inside,outside) tcp interface 443 MAIL 443 netmask 255.255.255.255  dns

I'll have to email the users about the webmail thing.  I thought for sure they were using the internal IP address.  

I never did create a new configuration.  I just made the changes that you suggested.  

Which are you suggesting I remove?

When I remove the outside / outgoing, users can't get to the internet so I just enabled them again.  
0
 
LVL 11

Expert Comment

by:prueconsulting
Yes, this will NAT the outside IP address on 443 to the mail server on 443.

That error message would suggest they weren't.

I am just trying to figure out why you need the outgoing ACL, because it shouldn't be required at all.
Since you are going from a high security interface to a lower security one... it's the design of the ASA to allow that.

Try removing the inside rule, because in essence you are subjecting them to rules twice:

once on the way into the ASA (inside) and then on the way out (outside).

no access-group Inside_access_in in interface Inside

0
 
LVL 1

Author Comment

by:MKSKCS
When you say PAT based...what do you mean? Enable PAT isn't checked.  When I check it, it asks for ports (original ports / translated ports).

0
 
LVL 1

Author Comment

by:MKSKCS
4      Dec 14 2006      17:38:19      106023      207.68.179.219      74.231.xxx.70       Deny tcp src Outside:207.68.179.219/80 dst Inside:74.231.xxx.70/1343 by access-group "outside_in" [0x0, 0x0]
0
 
LVL 11

Expert Comment

by:prueconsulting
That's because it's HTTP, not HTTPS.

Create the same static with 80 if you need web as well as HTTPS.
0
 
LVL 1

Author Comment

by:MKSKCS
Duh!  

But nope, that didn't work either.  
0
 
LVL 1

Author Comment

by:MKSKCS
6      Dec 14 2006      17:58:39      302015      216.34.88.151      172.18.23.200       Built outbound UDP connection 4099 for Outside:216.34.88.151/53 (216.34.88.151/53) to Inside:172.18.23.200/1092 (74.231.xxx.70/1140)
0
 
LVL 1

Author Comment

by:MKSKCS
6      Dec 14 2006      18:01:20      302016      63.208.197.174      172.18.23.164       Teardown UDP connection 4171 for Outside:63.208.197.174/1153 to Inside:172.18.23.164/38965 duration 0:02:01 bytes 24


I'm glad it's not just me that's stumped. I'm ready to throw this thing in the river.
0
 
LVL 1

Author Comment

by:MKSKCS
Just for kicks, I added these rules to the Outside / Incoming to rule out other stuff....

ANY / ANY / ANY - UDP
ANY / ANY / ANY - IP
ANY / ANY / ANY - TCP
ANY / ANY / ANY - ICMP

0
 
LVL 1

Author Comment

by:MKSKCS
None of the above rules helped so I disabled them.
0
 
LVL 11

Expert Comment

by:prueconsulting
Email me at my username at gmail.

I have a question for you off list.
0
 
LVL 1

Expert Comment

by:anand_mj
Hi,
I observed one mistake in your basic configuration. The security levels for your outside interface and inside interface are reversed. In normal operation the security level for the inside interface is kept as 0 (Trust interface) and the outside interface is kept as 100 (Untrust interface). Try changing the security levels and check whether you get the expected results.
0
 
LVL 1

Expert Comment

by:anand_mj
Hi,
Run the command below on your internet router and firewall after you unplug the Netscreen and connect the firewall.

clear arp
0
 

Expert Comment

by:Eden-Kevin
"I observed one mistake in your basic configuration. Security level for your outside interface and inside interface are reversed. In normal operation the security level for inside interface is kept as 0 (Trust interface) and outside interface is kept as 100 (Untrust interface)."
Actually, that is incorrect.  From the Cisco Adaptive Security Device Online Help:

Security Level box: Sets the security level between 0 (lowest) and 100 (highest). The security appliance lets traffic flow freely from an inside network to an outside network (lower security level). Many other security features are affected by the relative security level of two interfaces.
The outside SHOULD be 0 as this is the interface with the lowest security (least trusted).  With an inside interface set at 100 and outside interface at 0, traffic is allowed to flow from the inside to the outside since the outside has a lower security number.  Conversely, traffic from the outside (0) to the inside (100) is NOT allowed to flow freely because the outside interface is not trusted and needs access rules set up to only allow permitted traffic.
 
0
 

Expert Comment

by:Zulan
I am experiencing the same results. Did this problem ever get resolved? If so, what was the issue?
0
 

Expert Comment

by:lxtate
I'm new to this ASA 5510 and I want to configure it for Internet through an ADSL gateway/router, with a DMZ for my mail server and application server. Ethernet 0/0 for outside, Ethernet 0/1 for inside and Ethernet 0/2 for DMZ. I also need remote & VPN access.

Can you help me with this please.
0
