bdoleman
asked on
How to Open Ports to allow certain traffic through to certain servers
I have a Cisco ASA5510. I am trying to open the needed ports to allow my users to connect to the Exchange Server 2007. I am able to send and receive inside the network but not from the outside. I need to be able to set this up so my users can connect from anywhere without having to VPN into the network. I want to be able to use POP3, SMTP, IMAP4 and OWA. I have the internal to external working but not the external to internal. I would like to be able to use the ASDM to set this up, and I have the ASDM working and accessible.
Thanks,
I never use the GUI myself. If you could post your configuration I could give you the additional commands you need to enter to do what you want.
ASKER
sh run
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
interface Ethernet0/0
nameif External
security-level 0
ip address 209.99.xxx.xxx 255.255.255.192
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif it-management
security-level 50
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.xxx.xxx
dns name-server 209.99.xxx.xxx
object-group network RA_IT_GROUP
description These users will be able to access hosts on the point to point VPN tunnels.
network-object ra-xp-admin 255.255.255.255
network-object bob-laptop 255.255.255.255
network-object angel 255.255.255.255
network-object Brad-Laptop 255.255.255.255
network-object ra-xp-bsmith 255.255.255.255
network-object server3t 255.255.255.255
network-object podo 255.255.255.255
network-object kodo 255.255.255.255
network-object ra-xp-hrassist 255.255.255.255
network-object bzindler-laptop 255.255.255.255
network-object pds-roving 255.255.255.255
object-group network Radocs-Exchange
network-object 192.168.11.1 255.255.255.255
network-object radocs-exch-001 255.255.255.255
network-object radocs-dc1 255.255.255.255
object-group service radocs-exch-001 tcp-udp
port-object range 995 995
port-object range 443 443
port-object eq www
port-object range 25 25
port-object range 110 110
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host 192.168.11.3 eq https
access-list external-entry extended permit tcp any host 192.168.11.3 eq smtp
access-list external-entry extended permit tcp any host 209.99.xxx.xxx eq pop3
access-list external-entry extended permit tcp any host 209.99.xxx.xxx eq https
access-list external-entry extended permit tcp any host 209.99.xxx.xxx eq smtp
pager lines 24
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
ip verify reverse-path interface External
ip verify reverse-path interface Internal
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Exchange "Robertson and Anschutz Exchange 2007" https://owa.radocs.com/owa
port-forward Exchange https 192.168.11.14 https OWA
group-policy ra_vpn internal
group-policy ra_vpn attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
split-dns value houston.radocs.com randa.local
webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
webvpn
http server enable
http 209.113.40.198 255.255.255.255 External
http 75.54.xxx.xxx 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
sunrpc-server External radocs-exch-001 255.255.255.255 service 1 protocol TCP port 443 timeout 0:01:00
sunrpc-server External radocs-exch-001 255.255.255.255 service 1 protocol TCP port 443 timeout 0:01:00
imap4s
server 192.168.11.3
default-group-policy DfltGrpPolicy
pop3s
port 110
server 192.168.11.3
default-group-policy DfltGrpPolicy
smtps
port 25
server 192.168.11.3
default-group-policy DfltGrpPolicy
au
Here you go :-
Replace 'EXTMAIL' with the IP address you want the mail server to have on the internet. Don't use the External interface IP address.
Replace INTMAIL with the server's internal IP address.
object-group service Inbound_Mail tcp
description Ports permitted to mail server from Internet
port-object eq www
port-object eq https
port-object eq smtp
port-object eq imap4
port-object eq pop3
access-list outside-in permit tcp any host EXTMAIL object-group Inbound_Mail
access-group outside-in in interface External
static (Internal,External) EXTMAIL INTMAIL netmask 255.255.255.255 0 0
ASKER
I have run the commands, and when I try to connect to the server via POP3, SMTP or OWA, nothing. The ASA syslog shows "deny tcp src External:75.54.XXX.XXX/312 8 dst Internal:209.99.XXX.XXX/25 by access-group "outside-in"". Just not sure what is wrong; I entered it as you posted.
Thanks for your help
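Editor's added example (not code from the thread, and not Cisco's): a small Python evaluator for the subset of ASA 7.x access-list syntax that the answer above uses. It parses the `object-group service ... tcp` block and the `access-list ... permit tcp` entries, then takes the 5-tuple out of a deny line in the same format the syslog message above has and reports whether the ACL would have permitted it. Two rule shapes are compared: the answer's `permit tcp any host EXTMAIL object-group Inbound_Mail`, and a variant with `object-group Inbound_Mail` repeated directly after the source `any`, the shape that appears in the configuration posted later in this thread. In ASA extended-ACL syntax the spec that follows the source address is a source-port restriction, which a client's ephemeral source port will never satisfy, so that variant drops every connection while looking almost identical. The addresses (203.0.113.10 standing in for EXTMAIL, client 198.51.100.7) and the deny line are constructed placeholders; hostnames such as `radocs-exch-001` would have to be resolved to addresses before feeding a config through it, and the `static` translation the answer also requires is outside what this checker models.

```python
"""Evaluator for the subset of Cisco ASA 7.x ACL syntax used in this thread (an added
example, not the thread's or Cisco's code). It parses service object-groups and TCP
access-list entries, then checks whether the 5-tuple in a 106023 "Deny tcp ..." syslog
line would be permitted. All addresses are constructed placeholders."""
import ipaddress
import re

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "imap4": 143, "pop3": 110}
DENY_RE = re.compile(r'deny tcp src [\w-]+:([\d.]+)/(\d+) dst [\w-]+:([\d.]+)/(\d+)'
                     r' by access-group "([^"]+)"', re.IGNORECASE)

def port_number(token):
    """Map 'smtp' or '25' to 25; an unknown service name raises KeyError."""
    return int(token) if token.isdigit() else PORT_NAMES[token]

def parse_service_groups(config_lines):
    """{group_name: set(ports)} from `object-group service NAME tcp` blocks."""
    groups, current = {}, None
    for line in map(str.strip, config_lines):
        if m := re.match(r"object-group service (\S+) tcp$", line):
            current = groups.setdefault(m.group(1), set())
        elif (m := re.match(r"port-object eq (\S+)$", line)) and current is not None:
            current.add(port_number(m.group(1)))
        elif line and not line.startswith("description"):
            current = None  # any other top-level line closes the block
    return groups

def _take_addr(tokens):
    """Consume `any`, `host A.B.C.D` or `A.B.C.D MASK` (hostnames must be resolved first)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    spec = tokens[1] if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
    net = ipaddress.ip_network(spec, strict=False)
    return (lambda ip: ipaddress.ip_address(ip) in net), tokens[2:]

def _take_port(tokens, groups):
    """Consume an optional `eq P` or `object-group G`; None means any port."""
    if tokens and tokens[0] == "eq":
        return {port_number(tokens[1])}, tokens[2:]
    if tokens and tokens[0] == "object-group":
        return set(groups[tokens[1]]), tokens[2:]
    return None, tokens

def parse_aces(config_lines, acl_name, groups):
    """(action, src, sport, dst, dport) for one ACL's TCP entries, in order. ASA order is
    action proto SRC [SRC-PORT] DST [DST-PORT]: a port spec right after SRC is a SOURCE port."""
    aces = []
    for t in map(str.split, config_lines):
        if len(t) < 3 or t[:2] != ["access-list", acl_name]:
            continue
        rest = t[3:] if t[2] == "extended" else t[2:]
        if len(rest) < 3 or rest[0] not in ("permit", "deny") or rest[1] != "tcp":
            continue  # remarks and non-TCP entries
        action, rest = rest[0], rest[2:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest, groups)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest, groups)
        aces.append((action, src, sport, dst, dport))
    return aces

def permitted(aces, src_ip, src_port, dst_ip, dst_port):
    """First matching entry wins; no match is the ASA's implicit deny."""
    for action, src, sport, dst, dport in aces:
        if (src(src_ip) and (sport is None or src_port in sport)
                and dst(dst_ip) and (dport is None or dst_port in dport)):
            return action == "permit"
    return False

def parse_deny(syslog_line):
    """(src_ip, src_port, dst_ip, dst_port, acl_name) from a 106023 deny line."""
    m = DENY_RE.search(syslog_line)
    if not m:
        raise ValueError("not an ASA access-group deny line")
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def evaluate(config_lines, syslog_line):
    """True if the ACL named in the deny line would in fact permit that packet."""
    src_ip, src_port, dst_ip, dst_port, acl = parse_deny(syslog_line)
    aces = parse_aces(config_lines, acl, parse_service_groups(config_lines))
    return permitted(aces, src_ip, src_port, dst_ip, dst_port)

# EXTMAIL placeholder 203.0.113.10; the rule shape given in the answer above.
EXPERT_CONFIG = """
object-group service Inbound_Mail tcp
 description Ports permitted to mail server from Internet
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
access-list outside-in permit tcp any host 203.0.113.10 object-group Inbound_Mail
""".splitlines()

# Same group repeated right after `any`, so the entry now also filters the SOURCE port.
SOURCE_PORT_CONFIG = EXPERT_CONFIG[:-1] + [
    "access-list outside-in extended permit tcp any object-group Inbound_Mail"
    " host 203.0.113.10 object-group Inbound_Mail"]

# Constructed deny line: client 198.51.100.7, ephemeral port 3128, SMTP to the public address.
SAMPLE_DENY = ('Deny tcp src External:198.51.100.7/3128 dst Internal:203.0.113.10/25'
               ' by access-group "outside-in"')
```

Calling `evaluate(EXPERT_CONFIG, SAMPLE_DENY)` returns True and `evaluate(SOURCE_PORT_CONFIG, SAMPLE_DENY)` returns False: the only difference between the two entries is the extra `object-group Inbound_Mail` after `any`, and because the evaluator applies it to the source port exactly as the ASA does, the second entry never matches and the implicit deny at the end of the list fires. Feeding the same function a deny for a port outside the group (3389, say) returns False for both configs, which is the intended behaviour of the answer's rule.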
Can you repost your configuration with those lines added.
Please, if you do obscure your IP addresses, leave at least the last octet correct (209.99.xxx.123 for example); otherwise I can't tell which configuration applies to which server, and I could miss a mistake.
It would also help if you could avoid the config being double line spaced. Not really important, but it makes it easier to read.
ASKER
Here is the updated Config:
asdm image disk0:/asdm504.bin
asdm location 10.0.57.0 255.255.255.192 External
asdm location radocs-dc1 255.255.255.255 Internal
asdm location radocs-exch-001 255.255.255.255 Internal
asdm location 209.99.XXX.CCC 255.255.255.255 External
asdm group Radocs-Exchange Internal
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
!
interface Ethernet0/0
nameif External
security-level 0
ip address 209.99.XXX.XXX 255.255.255.192
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif it-management
security-level 50
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup External
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.XXX.XXX
dns name-server 209.99.XXX.XXX
object-group network Radocs-Exchange
network-object 192.168.11.1 255.255.255.255
network-object radocs-exch-001 255.255.255.255
network-object radocs-dc1 255.255.255.255
object-group service Inbound_Mail tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq imap4
port-object eq pop3
port-object eq 995
port-object eq 993
port-object eq login
port-object eq kerberos
port-object eq ldap
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq https
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq smtp
access-list external-entry extended permit tcp any host 209.99.XXX.XXX eq pop3
access-list external-entry extended permit tcp any host 209.99.XXX.XXX eq https
access-list external-entry extended permit tcp any host 209.99.XXX.XXX eq smtp
access-list outside-in remark This is setup to allow External taffic for certain ports to be able to access the exchange server.
access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
no failover
monitor-interface External
monitor-interface Internal
monitor-interface it-management
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
access-group outside-in in interface External
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ra_vpn internal
group-policy ra_vpn attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
split-dns value houston.radocs.com randa.local
webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value XXXXXXXX.local
webvpn
http server enable
http 209.113.XXX.XXX 255.255.255.255 External
http 75.54.XXX.XXX 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set pds-home esp-3des esp-none
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 120 match address External_cryptomap_dyn_120
crypto dynamic-map External_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 140 match address External_cryptomap_dyn_140
crypto dynamic-map External_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map MyDynMap 30 set transform-set MySet
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map ramap 80 ipsec-isakmp dynamic MyDynMap
crypto map ramap interface External
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group ra_vpn type ipsec-ra
tunnel-group ra_vpn general-attributes
address-pool MyPool
default-group-policy ra_vpn
tunnel-group ra_vpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
smtps
default-group-policy DfltGrpPolicy
authentication mailhost
smtp-server 192.168.11.14
Cryptochecksum:2854739810b e6e81dc0d7 4597db0e04 4
: end
ASKER
Sorry, here is the correct one:
asdm image disk0:/asdm504.bin
asdm location 10.0.57.0 255.255.255.192 External
asdm location radocs-dc1 255.255.255.255 Internal
asdm location radocs-exch-001 255.255.255.255 Internal
asdm location 209.99.XXX.176 255.255.255.255 External
asdm group Radocs-Exchange Internal
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
!
interface Ethernet0/0
nameif External
security-level 0
ip address 209.99.XXX.162 255.255.255.192
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif it-management
security-level 50
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup External
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.86.157
dns name-server 209.99.86.158
object-group network Radocs-Exchange
network-object 192.168.11.1 255.255.255.255
network-object radocs-exch-001 255.255.255.255
network-object radocs-dc1 255.255.255.255
object-group service Inbound_Mail tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq imap4
port-object eq pop3
port-object eq 995
port-object eq 993
port-object eq login
port-object eq kerberos
port-object eq ldap
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq https
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq smtp
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq pop3
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq https
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq smtp
access-list outside-in remark This is setup to allow External taffic for certain ports to be able to access the exchange server.
access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
no failover
monitor-interface External
monitor-interface Internal
monitor-interface it-management
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
access-group outside-in in interface External
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ra_vpn internal
group-policy ra_vpn attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
split-dns value houston.radocs.com randa.local
webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
http server enable
http 209.113.40.198 255.255.255.255 External
http 75.54.185.238 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set pds-home esp-3des esp-none
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 120 match address External_cryptomap_dyn_120
crypto dynamic-map External_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 140 match address External_cryptomap_dyn_140
crypto dynamic-map External_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map MyDynMap 30 set transform-set MySet
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map ramap 80 ipsec-isakmp dynamic MyDynMap
crypto map ramap interface External
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group ra_vpn type ipsec-ra
tunnel-group ra_vpn general-attributes
address-pool MyPool
default-group-policy ra_vpn
tunnel-group ra_vpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
smtps
default-group-policy DfltGrpPolicy
authentication mailhost
smtp-server 192.168.11.14
Cryptochecksum:2854739810b e6e81dc0d7 4597db0e04 4
: end
> access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail
This is incorrect. You are only allowing traffic if the source port AND the destination port are in the Inbound_Mail object group.
It should be:
access-list outside-in extended permit tcp any host radocs-exch-001 object-group Inbound_Mail
I don't see the 'static' command I gave you earlier in the configuration either.
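To see why the posted ACE only permits a connection whose source port is also in Inbound_Mail, here is an added Python model of how an ASA extended ACE is matched (example code, not from the thread or from Cisco). It evaluates the two access-list lines exactly as written, does not model the static NAT, and the client addresses and ports are constructed test input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# TCP port keywords as the ASA resolves them (only the ones this thread uses).
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "imap4": 143, "pop3": 110,
              "login": 513, "kerberos": 750, "ldap": 389}


def port_number(tok: str) -> int:
    """Resolve a port keyword or numeric literal to a port number."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_service_group(lines: List[str]) -> FrozenSet[int]:
    """Collect the 'port-object eq X' members of one 'object-group service ... tcp'."""
    return frozenset(port_number(l.split()[2]) for l in lines
                     if l.strip().startswith("port-object eq"))


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str          # an address or the config's host name, compared literally
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str
    src: Callable[[str], bool]
    src_ports: Optional[FrozenSet[int]]   # None means no port qualifier (any port)
    dst: Callable[[str], bool]
    dst_ports: Optional[FrozenSet[int]]

    def matches(self, p: Packet) -> bool:
        return (self.src(p.src_ip) and self.dst(p.dst_ip)
                and (self.src_ports is None or p.src_port in self.src_ports)
                and (self.dst_ports is None or p.dst_port in self.dst_ports))


def _in_net(ip: str, net: ipaddress.IPv4Network) -> bool:
    try:
        return ipaddress.ip_address(ip) in net
    except ValueError:   # a config host name, not an address
        return False


def _take_addr(t, i):
    """Consume 'any' | 'host X' | 'NET MASK' at t[i]; return (matcher, next index)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        h = t[i + 1]
        return (lambda ip: ip == h), i + 2
    net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
    return (lambda ip: _in_net(ip, net)), i + 2


def _take_ports(t, i, groups):
    """Consume an optional 'eq X' or service 'object-group NAME'; None if absent."""
    if i < len(t) and t[i] == "eq":
        return frozenset([port_number(t[i + 1])]), i + 2
    if i < len(t) and t[i] == "object-group" and t[i + 1] in groups:
        return groups[t[i + 1]], i + 2
    return None, i


def parse_ace(line: str, groups: Dict[str, FrozenSet[int]]) -> Ace:
    """Parse 'access-list NAME extended permit|deny tcp SRC [SPORT] DST [DPORT]'.
    Whatever follows the source address is tried as a port spec first, which is
    exactly why 'object-group Inbound_Mail' right after 'any' became a SOURCE port."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "tcp":
        raise ValueError(f"unsupported ACE: {line}")
    src, i = _take_addr(t, 5)
    sports, i = _take_ports(t, i, groups)
    dst, i = _take_addr(t, i)
    dports, i = _take_ports(t, i, groups)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line}")
    return Ace(t[3], src, sports, dst, dports)


def evaluate(acl: List[str], groups, pkt: Packet) -> str:
    """First matching ACE decides; an ASA ACL ends in an implicit deny."""
    for line in acl:
        if parse_ace(line, groups).matches(pkt):
            return parse_ace(line, groups).action
    return "deny"


# The Inbound_Mail group as posted in the configuration.
GROUPS = {"Inbound_Mail": parse_service_group([
    "port-object eq www", "port-object eq https", "port-object eq smtp",
    "port-object eq imap4", "port-object eq pop3", "port-object eq 995",
    "port-object eq 993", "port-object eq login", "port-object eq kerberos",
    "port-object eq ldap"])}
POSTED_ACL = ["access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail"]
FIXED_ACL = ["access-list outside-in extended permit tcp any host radocs-exch-001 object-group Inbound_Mail"]

# Constructed traffic: a real OWA client picks an ephemeral source port.
OWA_CLIENT = Packet("203.0.113.10", 51234, "radocs-exch-001", 443)
OTHER_PORT = Packet("203.0.113.10", 51235, "radocs-exch-001", 3389)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("corrected", FIXED_ACL)):
        print(name, "OWA:", evaluate(acl, GROUPS, OWA_CLIENT),
              "port 3389:", evaluate(acl, GROUPS, OTHER_PORT))
```

The posted line denies the OWA client because 51234 is not in the group, while the corrected line permits it and still denies ports outside the group.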
ASKER
I have entered the static and have made the change you said was wrong. Please take a look and tell me if this is correct.
asdm image disk0:/asdm504.bin
asdm location 10.0.57.0 255.255.255.192 External
asdm location radocs-dc1 255.255.255.255 Internal
asdm location radocs-exch-001 255.255.255.255 Internal
asdm location 209.99.XXX.176 255.255.255.255 External
asdm group Radocs-Exchange Internal
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
!
interface Ethernet0/0
nameif External
security-level 0
ip address 209.99.XXX.162 255.255.255.192
!
interface Ethernet0/1
nameif Internal
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
nameif it-management
security-level 50
ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup External
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.XXX.XXX
dns name-server 209.99.XXX.XXX
object-group network Radocs-Exchange
network-object 192.168.11.1 255.255.255.255
network-object radocs-exch-001 255.255.255.255
network-object radocs-dc1 255.255.255.255
object-group service Inbound_Mail tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq imap4
port-object eq pop3
port-object eq 995
port-object eq 993
port-object eq login
port-object eq kerberos
port-object eq ldap
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq https
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq smtp
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq pop3
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq https
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq smtp
access-list outside-in remark This is setup to allow External taffic for certain ports to be able to access the exchange server.
access-list outside-in extended permit tcp any host radocs-exch-001 object-group Inbound_Mail
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
no failover
monitor-interface External
monitor-interface Internal
monitor-interface it-management
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
static (Internal,External) 209.99.XXX.176 radocs-exch-001 netmask 255.255.255.255
access-group outside-in in interface External
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ra_vpn internal
group-policy ra_vpn attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
split-dns value houston.radocs.com randa.local
webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
dns-server value 192.168.55.240 192.168.55.241
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dod-split-tunnel-acl
default-domain value randa.local
http server enable
http 209.113.XXX.XXX 255.255.255.255 External
http 75.54.XXX.XXX 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set pds-home esp-3des esp-none
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 120 match address External_cryptomap_dyn_120
crypto dynamic-map External_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 140 match address External_cryptomap_dyn_140
crypto dynamic-map External_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map MyDynMap 30 set transform-set MySet
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map ramap 80 ipsec-isakmp dynamic MyDynMap
crypto map ramap interface External
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group ra_vpn type ipsec-ra
tunnel-group ra_vpn general-attributes
address-pool MyPool
default-group-policy ra_vpn
tunnel-group ra_vpn ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
smtps
default-group-policy DfltGrpPolicy
authentication mailhost
smtp-server 192.168.11.14
Cryptochecksum:13a5d8363ae a920455146 0dfeaa8e20 d
: end
Thanks again.
ASKER
That fixed the POP and OWA, but SMTP is still not working.
You could try running the 'clear xlate' command to reset the translation table.
How is SMTP not working?
Have you tried telnetting to the IP address on port 25?
ASKER
SMTP now works; the 'clear xlate' seems like it fixed it. Thanks so much for your help.