Solved

CISCO ASA 5510 inside interface mail access

Posted on 2007-10-06
Last Modified: 2013-12-18
We have this Cisco ASA 5510 set up on our network. We use 4 interfaces on the firewall: outside, inside, DMZ and MLS.

The outside interface is, as usual, for connecting to the outside world, the internet.
The inside interface is used for the inside users to connect to the internet.
The DMZ interface is where our Lotus Domino Passthru Server, which does mail routing, is located.
The MLS interface is connected to a Cisco 3560 switch where our internal Lotus Domino Mail Server is located in a VLAN separate from the internal user VLAN.

I would like to enable the inside users who have access to the internet to use the Lotus Notes application to access their mail from the internal mail server.

At the moment, outside users are able to access their mail from the internal mail server using the Lotus Notes application.

What kind of configuration should I configure in the Cisco ASA 5510 firewall?

Here is the running-config:

: Saved
:
ASA Version 8.0(2)
!
hostname firewall
domain-name xyx.com
enable password rgrguhjokkmmfdccd889 encrypted
names
name 192.168.20.140 Tap-Bloomberg
name 192.168.20.72 tap-webdevelopment
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.44.104 255.255.255.128
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 80
 ip address 192.168.20.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 description Connection to MLS Switch
 nameif MLS
 security-level 100
 ip address 192.168.19.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 description DMZ network segment
 nameif DMZ
 security-level 50
 ip address 192.168.110.253 255.255.255.0
 ospf cost 10
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KMUT encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone BNT 8
dns server-group DefaultDNS
 domain-name tap.gov.bn
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service tap-webservices tcp-udp
 port-object eq 110
 port-object eq 25
 port-object eq 443
 port-object eq domain
 port-object eq 21
 port-object eq www
 port-object eq 23
 port-object eq 1352
object-group service tap-bloomberg tcp-udp
 port-object range 48129 48137
 port-object range 8194 8198
 port-object range 8209 8220
 port-object range 8290 8294
object-group service Domino tcp
 description Ports for Domino Server
 port-object eq lotusnotes
 port-object eq smtp
 port-object eq 1533
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq domain
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq lotusnotes
 port-object eq smtp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_4 tcp
 port-object eq lotusnotes
 port-object eq smtp
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 host 192.168.110.20
access-list inside_access_in extended permit icmp 192.168.20.0 255.255.255.0 host 192.168.110.20
access-list inside_access_in extended permit tcp 192.168.20.0 255.255.255.0 any object-group tap-webservices
access-list inside_access_in extended permit udp 192.168.20.0 255.255.255.0 any object-group tap-webservices
access-list inside_access_in extended permit tcp host Tap-Bloomberg any object-group tap-bloomberg
access-list inside_access_in extended permit udp host Tap-Bloomberg any object-group tap-bloomberg
access-list csc-acl extended deny ip host 192.168.20.186 any
access-list csc-acl extended deny ip host 192.168.20.168 any
access-list csc-acl extended deny ip host 192.168.20.66 any
access-list csc-acl extended deny ip host 192.168.20.110 any
access-list csc-acl extended deny ip host 192.168.20.99 any
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq ftp
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq smtp
access-list dmz extended permit tcp host 192.168.110.20 any eq lotusnotes
access-list dmz extended permit tcp host 192.168.110.20 any eq smtp
access-list dmz extended permit icmp 192.168.110.0 255.255.255.0 any
access-list dmz extended permit object-group DM_INLINE_PROTOCOL_1 host 192.168.110.20 any object-group tap-webservices
access-list mls extended permit ip 192.168.100.0 255.255.255.0 host 192.168.110.20
access-list mls extended permit icmp 192.168.100.0 255.255.255.0 host 192.168.110.20
access-list outside_access_in extended permit tcp any object-group DM_INLINE_TCP_4 interface outside log disable inactive
access-list outside_access_in extended deny icmp any interface outside
access-list outside_access_in remark smtp for passthru
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in remark Domino NPRC
access-list outside_access_in extended permit tcp any interface outside eq lotusnotes
access-list pcap extended permit ip host 192.168.20.78 host 192.168.20.1
access-list pcap extended permit ip host 192.168.20.1 host 192.168.20.78
!
tcp-map CLEAR_TSTAMP
  tcp-options timestamp clear
!
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging class auth asdm emergencies
logging class ip asdm emergencies
logging class session asdm emergencies
mtu outside 1500
mtu inside 1500
mtu MLS 1500
mtu DMZ 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface MLS
ip verify reverse-path interface DMZ
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 33 interface
nat (inside) 33 192.168.20.0 255.255.255.0
nat (DMZ) 33 192.168.110.0 255.255.255.0
static (DMZ,outside) tcp interface smtp 192.168.110.20 smtp netmask 255.255.255.255
static (DMZ,outside) tcp interface lotusnotes 192.168.110.20 lotusnotes netmask 255.255.255.255
static (DMZ,inside) tcp interface smtp 192.168.110.20 smtp netmask 255.255.255.255
static (DMZ,inside) tcp interface lotusnotes 192.168.110.20 lotusnotes netmask 255.255.255.255
static (MLS,DMZ) 192.168.100.10 192.168.100.10 netmask 255.255.255.255
static (inside,DMZ) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group mls in interface MLS
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 xxx.xxx.44.1 1
route MLS 192.168.100.0 255.255.255.0 192.168.19.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.20.168 255.255.255.255 inside
http 192.168.20.110 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 10
ssh timeout 30
ssh version 2
console timeout 5
management-access inside
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
class-map csc-traffic
 match access-list csc-acl
class-map class-www
!
!
policy-map tap1-inside-policy
 class csc-traffic
  csc fail-close
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
policy-map type inspect im tap-msn
 parameters
 match service chat conference file-transfer games voice-chat webcam
  drop-connection log
policy-map tap-inside-policy
 class csc-traffic
  csc fail-close
!
service-policy global_policy global
service-policy tap1-inside-policy interface inside
tftp-server inside 192.168.20.110 c:\tftp-root
username user234 password xxxyyyxyyxyxyxyx encrypted privilege 15
username user123 password xxxxxxxxyyyyyxyyxyx encrypted
prompt hostname context
Cryptochecksum:389c03d69a6bc66exxrr55667730aa74843
: end
Question by:wadooh
2 Comments
Accepted Solution

by: SysExpert (earned 2000 total points)
ID: 20028975
I would think that all that is needed is the Standard Notes port access for Email clients.

I am surprised that this was not the original setup, since most places give local access first, and then later set up external access.

It looks like you are using port-object eq 1352, 1353, and a few others for Domino.

Can you make the change in the VLAN config ?


I hope this helps !

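An added example of what the port access the accepted answer refers to looks like on this particular config (it is not from the question or the answer). It assumes the internal Domino mail server on the MLS segment is 192.168.100.10, the only MLS host the posted config references, and that Notes clients use TCP 1352 (lotusnotes).

```cisco
! Added example, not part of the original question or answer.
! Assumption: the internal Domino mail server is 192.168.100.10 (the only
! MLS-side host referenced in the posted config) and Notes uses TCP 1352.
!
! 1. nat-control is enabled, so an inside -> MLS flow needs a translation.
!    The config has an identity static for inside -> DMZ but none for
!    inside -> MLS, so the ASA rejects the flow with "no translation group
!    found" before the ACL matters. Mirror the existing DMZ line:
static (inside,MLS) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
!
! 2. The existing "permit tcp 192.168.20.0 255.255.255.0 any object-group
!    tap-webservices" line already allows 1352 to any destination, so the
!    inside ACL needs no change to make Notes work. Optionally, scope the
!    mail-server access to that one host instead of relying on "any":
object-group network Domino-Mail
 network-object host 192.168.100.10
access-list inside_access_in extended permit tcp 192.168.20.0 255.255.255.0 object-group Domino-Mail object-group Domino
!
! 3. MLS is security-level 100 and "route MLS 192.168.100.0 ..." already
!    exists; return traffic follows the stateful connection, so access-list
!    mls needs no change.
!
! Verification: confirm the identity xlate, the ACL hit, and the path.
show xlate | include 192.168.20
show access-list inside_access_in | include 1352
packet-tracer input inside tcp 192.168.20.78 1025 192.168.100.10 1352
```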
Expert Comment

by:Computer101
ID: 20370046
Forced accept.

Computer101
EE Admin