  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 622

How to Open Ports to allow certain traffic through to certain servers

I have a Cisco ASA5510. I am trying to open the needed ports to allow my users to connect to the Exchange Server 2007. I am able to send and receive inside the network but not from the outside. I need to be able to set this up so my users can connect from anywhere without having to VPN into the network. I want to be able to use POP3, SMTP, IMAP4 and OWA. I have the internal to external working but not the external to internal. I would like to be able to use the ASDM to set this up, and I have the ASDM working and accessible.
Thanks,
Asked: bdoleman
1 Solution
 
grbladesCommented:
I never use the GUI myself. If you could post your configuration I could give you the additional commands you need to enter to do what you want.
 
bdolemanAuthor Commented:
sh run

: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address 209.99.xxx.xxx 255.255.255.192
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif it-management
 security-level 50
 ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.xxx.xxx
dns name-server 209.99.xxx.xxx
object-group network RA_IT_GROUP
 description These users will be able to access hosts on the point to point VPN tunnels.
 network-object ra-xp-admin 255.255.255.255
 network-object bob-laptop 255.255.255.255
 network-object angel 255.255.255.255
 network-object Brad-Laptop 255.255.255.255
 network-object ra-xp-bsmith 255.255.255.255
 network-object server3t 255.255.255.255
 network-object podo 255.255.255.255
 network-object kodo 255.255.255.255
 network-object ra-xp-hrassist 255.255.255.255
 network-object bzindler-laptop 255.255.255.255
 network-object pds-roving 255.255.255.255
object-group network Radocs-Exchange
 network-object 192.168.11.1 255.255.255.255
 network-object radocs-exch-001 255.255.255.255
 network-object radocs-dc1 255.255.255.255
object-group service radocs-exch-001 tcp-udp
 port-object range 995 995
 port-object range 443 443
 port-object eq www
 port-object range 25 25
 port-object range 110 110
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host 192.168.11.3 eq https
access-list external-entry extended permit tcp any host 192.168.11.3 eq smtp
access-list external-entry extended permit tcp any host 209.99.xxx.xxx eq pop3
access-list external-entry extended permit tcp any host 209.99.xxx.xxx eq https
access-list external-entry extended permit tcp any host 209.99.xxx.xxx eq smtp
pager lines 24
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
ip verify reverse-path interface External
ip verify reverse-path interface Internal
no failover
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
url-list Exchange "Robertson and Anschutz Exchange 2007" https://owa.radocs.com/owa
port-forward Exchange https 192.168.11.14 https OWA
group-policy ra_vpn internal
group-policy ra_vpn attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
 split-dns value houston.radocs.com randa.local
 webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
 webvpn
http server enable
http 209.113.40.198 255.255.255.255 External
http 75.54.xxx.xxx 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
sunrpc-server External radocs-exch-001 255.255.255.255 service 1 protocol TCP port 443 timeout 0:01:00
sunrpc-server External radocs-exch-001 255.255.255.255 service 1 protocol TCP port 443 timeout 0:01:00
imap4s
 server 192.168.11.3
 default-group-policy DfltGrpPolicy
pop3s
 port 110
 server 192.168.11.3
 default-group-policy DfltGrpPolicy
smtps
 port 25
 server 192.168.11.3
 default-group-policy DfltGrpPolicy
 au
 
grbladesCommented:
Here you go :-
Replace 'EXTMAIL' with the IP address that you want the mail server to have on the Internet. Don't use the External interface IP address.
Replace INTMAIL with the server's internal IP address.

object-group service Inbound_Mail tcp
  description Ports permitted to mail server from Internet
  port-object eq www
  port-object eq https
  port-object eq smtp
  port-object eq imap4
  port-object eq pop3
access-list outside-in permit tcp any host EXTMAIL object-group Inbound_Mail
access-group outside-in in interface External
static (Internal,External) EXTMAIL INTMAIL netmask 255.255.255.255 0 0
 
bdolemanAuthor Commented:
I have run the commands, and when I try to connect to the server via POP3 or SMTP or OWA, nothing. The ASA syslog shows "deny tcp src External:75.54.XXX.XXX/3128 dst Internal:209.99.XXX.XXX/25 by access-group "outside-in"". Just not sure what is wrong; I entered it as you posted.
Thanks for your help.
 
grbladesCommented:
Can you repost your configuration with those lines added?
Please, if you do obscure your IP addresses, leave at least the last octet correct (209.99.xxx.123 for example); otherwise I can't tell which configuration applies to which server and I could miss a mistake.
It would also help if you could avoid the config being double line spaced. Not really important, but it just makes it easier to read.
 
bdolemanAuthor Commented:
Here is the updated Config:

asdm image disk0:/asdm504.bin
asdm location 10.0.57.0 255.255.255.192 External
asdm location radocs-dc1 255.255.255.255 Internal
asdm location radocs-exch-001 255.255.255.255 Internal
asdm location 209.99.XXX.CCC 255.255.255.255 External
asdm group Radocs-Exchange Internal
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address 209.99.XXX.XXX 255.255.255.192
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif it-management
 security-level 50
 ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!

passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup External
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.XXX.XXX
dns name-server 209.99.XXX.XXX
object-group network Radocs-Exchange
 network-object 192.168.11.1 255.255.255.255
 network-object radocs-exch-001 255.255.255.255
 network-object radocs-dc1 255.255.255.255
object-group service Inbound_Mail tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
 port-object eq 995
 port-object eq 993
 port-object eq login
 port-object eq kerberos
 port-object eq ldap
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq https
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq smtp
access-list external-entry extended permit tcp any host 209.99.XXX.XXX eq pop3
access-list external-entry extended permit tcp any host 209.99.XXX.XXX eq https
access-list external-entry extended permit tcp any host 209.99.XXX.XXX eq smtp
access-list outside-in remark This is setup to allow External taffic for certain ports to be able to access the exchange server.
access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
no failover
monitor-interface External
monitor-interface Internal
monitor-interface it-management
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
access-group outside-in in interface External
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ra_vpn internal
group-policy ra_vpn attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
 split-dns value houston.radocs.com randa.local
 webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value XXXXXXXX.local
 webvpn
http server enable
http 209.113.XXX.XXX 255.255.255.255 External
http 75.54.XXX.XXX 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set pds-home esp-3des esp-none
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 120 match address External_cryptomap_dyn_120
crypto dynamic-map External_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 140 match address External_cryptomap_dyn_140
crypto dynamic-map External_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map MyDynMap 30 set transform-set MySet
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map ramap 80 ipsec-isakmp dynamic MyDynMap
crypto map ramap interface External
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group ra_vpn type ipsec-ra
tunnel-group ra_vpn general-attributes
 address-pool MyPool
 default-group-policy ra_vpn
tunnel-group ra_vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
smtps
 default-group-policy DfltGrpPolicy
 authentication mailhost
smtp-server 192.168.11.14
Cryptochecksum:2854739810be6e81dc0d74597db0e044
: end

 
bdolemanAuthor Commented:
Sorry, here is the correct one:

asdm image disk0:/asdm504.bin
asdm location 10.0.57.0 255.255.255.192 External
asdm location radocs-dc1 255.255.255.255 Internal
asdm location radocs-exch-001 255.255.255.255 Internal
asdm location 209.99.XXX.176 255.255.255.255 External
asdm group Radocs-Exchange Internal
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted

!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address 209.99.XXX.162 255.255.255.192
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif it-management
 security-level 50
 ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup External
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.86.157
dns name-server 209.99.86.158
object-group network Radocs-Exchange
 network-object 192.168.11.1 255.255.255.255
 network-object radocs-exch-001 255.255.255.255
 network-object radocs-dc1 255.255.255.255
object-group service Inbound_Mail tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
 port-object eq 995
 port-object eq 993
 port-object eq login
 port-object eq kerberos
 port-object eq ldap
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq https
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq smtp
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq pop3
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq https
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq smtp
access-list outside-in remark This is setup to allow External taffic for certain ports to be able to access the exchange server.
access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
no failover
monitor-interface External
monitor-interface Internal
monitor-interface it-management
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
access-group outside-in in interface External
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ra_vpn internal
group-policy ra_vpn attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
 split-dns value houston.radocs.com randa.local
 webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
http server enable
http 209.113.40.198 255.255.255.255 External
http 75.54.185.238 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set pds-home esp-3des esp-none
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 120 match address External_cryptomap_dyn_120
crypto dynamic-map External_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 140 match address External_cryptomap_dyn_140
crypto dynamic-map External_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map MyDynMap 30 set transform-set MySet
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map ramap 80 ipsec-isakmp dynamic MyDynMap
crypto map ramap interface External
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group ra_vpn type ipsec-ra
tunnel-group ra_vpn general-attributes
 address-pool MyPool
 default-group-policy ra_vpn
tunnel-group ra_vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
smtps
 default-group-policy DfltGrpPolicy
 authentication mailhost
smtp-server 192.168.11.14
Cryptochecksum:2854739810be6e81dc0d74597db0e044
: end

 
grbladesCommented:
> access-list outside-in extended permit tcp any object-group Inbound_Mail host radocs-exch-001 object-group Inbound_Mail
This is incorrect. You are only allowing traffic if the source port AND the destination port are in the Inbound_Mail object group.
It should be :-

access-list outside-in extended permit tcp any host radocs-exch-001 object-group Inbound_Mail

I don't see the 'static' command I gave you earlier in the configuration either.
 
bdolemanAuthor Commented:
I have entered the static and have made the change you said was wrong. Please take a look and tell me if this is correct.
asdm image disk0:/asdm504.bin
asdm location 10.0.57.0 255.255.255.192 External
asdm location radocs-dc1 255.255.255.255 Internal
asdm location radocs-exch-001 255.255.255.255 Internal
asdm location 209.99.XXX.176 255.255.255.255 External
asdm group Radocs-Exchange Internal
no asdm history enable
: Saved
:
ASA Version 7.0(4)
!
hostname Exchange-ASA
domain-name radocs.com
enable password ip7OF2lLLwdI4m7E encrypted
!
interface Ethernet0/0
 nameif External
 security-level 0
 ip address 209.99.XXX.162 255.255.255.192
!
interface Ethernet0/1
 nameif Internal
 security-level 100
 ip address 192.168.11.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 nameif it-management
 security-level 50
 ip address 192.168.56.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd Fed.wB6dQ31F61CA encrypted
banner exec Welcome to the Radocs.com Exchange Network.
banner login Welcome to the Radocs.com Exchange Network.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup External
dns domain-lookup Internal
dns name-server radocs-dc1
dns name-server 209.99.XXX.XXX
dns name-server 209.99.XXX.XXX
object-group network Radocs-Exchange
 network-object 192.168.11.1 255.255.255.255
 network-object radocs-exch-001 255.255.255.255
 network-object radocs-dc1 255.255.255.255
object-group service Inbound_Mail tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq imap4
 port-object eq pop3
 port-object eq 995
 port-object eq 993
 port-object eq login
 port-object eq kerberos
 port-object eq ldap
access-list Internal_nat0_outbound extended permit ip any 10.0.57.0 255.255.255.192
access-list ra_vpn_splitTunnelAcl standard permit any
access-list External_cryptomap_dyn_120 extended permit ip any 10.0.57.0 255.255.255.192
access-list 111 extended permit ip 192.168.55.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list External_cryptomap_dyn_140 extended permit ip any 10.0.57.0 255.255.255.192
access-list dod-split-tunnel-acl extended permit ip 192.168.55.0 255.255.255.0 any
access-list 113 extended permit ip 192.168.55.0 255.255.255.0 10.0.55.0 255.255.255.0
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq https
access-list external-entry extended permit tcp any host radocs-exch-001-2 eq smtp
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq pop3
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq https
access-list external-entry extended permit tcp any host 209.99.XXX.162 eq smtp
access-list outside-in remark This is setup to allow External taffic for certain ports to be able to access the exchange server.
access-list outside-in extended permit tcp any host radocs-exch-001 object-group Inbound_Mail
pager lines 24
logging enable
logging trap warnings
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu it-management 1500
mtu management 1500
ip local pool RA_LAWYERS 10.0.57.1-10.0.57.50 mask 255.255.255.0
ip local pool MyPool 10.0.55.1-10.0.55.100
no failover
monitor-interface External
monitor-interface Internal
monitor-interface it-management
monitor-interface management
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (External) 10 interface
nat (Internal) 0 access-list 113
nat (Internal) 10 192.168.11.0 255.255.255.0
static (Internal,External) 209.99.XXX.176 radocs-exch-001 netmask 255.255.255.255
access-group outside-in in interface External
route External 0.0.0.0 0.0.0.0 209.99.86.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ra_vpn internal
group-policy ra_vpn attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
 split-dns value houston.radocs.com randa.local
 webvpn
group-policy ra_vpn_1 internal
group-policy ra_vpn_1 attributes
 dns-server value 192.168.55.240 192.168.55.241
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value dod-split-tunnel-acl
 default-domain value randa.local
http server enable
http 209.113.XXX.XXX 255.255.255.255 External
http 75.54.XXX.XXX 255.255.255.255 External
http 192.168.55.0 255.255.255.0 Internal
http 192.168.11.0 255.255.255.0 Internal
http 192.168.11.1 255.255.255.255 Internal
http 192.168.56.0 255.255.255.0 it-management
http 192.168.1.0 255.255.255.0 management
http 192.168.55.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept Welcome to the Radocs.com Exchange Network.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set pds-home esp-3des esp-none
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
crypto dynamic-map External_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 120 match address External_cryptomap_dyn_120
crypto dynamic-map External_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map External_dyn_map 140 match address External_cryptomap_dyn_140
crypto dynamic-map External_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map MyDynMap 30 set transform-set MySet
crypto map External_map 65535 ipsec-isakmp dynamic External_dyn_map
crypto map ramap 80 ipsec-isakmp dynamic MyDynMap
crypto map ramap interface External
isakmp identity address
isakmp enable External
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group ra_vpn type ipsec-ra
tunnel-group ra_vpn general-attributes
 address-pool MyPool
 default-group-policy ra_vpn
tunnel-group ra_vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 Internal
ssh timeout 60
ssh version 2
console timeout 0
management-access Internal
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
smtps
 default-group-policy DfltGrpPolicy
 authentication mailhost
smtp-server 192.168.11.14
Cryptochecksum:13a5d8363aea9204551460dfeaa8e20d
: end

Thanks again.
 
grbladesCommented:
No, I don't think it's correct yet. There are normally 'name' commands in the configuration which I am guessing you have left out. Is radocs-exch-001 the external or internal IP address of the server?

> static (Internal,External) 209.99.XXX.176 radocs-exch-001 netmask 255.255.255.255
I take it from this that 209.99.XXX.176 is the external IP address of the server and radocs-exch-001 is the IP address of the server on the internal lan?

In this case the access-list is incorrect as it should be permitting the traffic into the external IP address so :-
access-list outside-in extended permit tcp any host 209.99.XXX.176 object-group Inbound_Mail
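To make the two ACL corrections in this thread concrete (the object group after 'any' constrains the source port as well, and on a 7.x ASA the outside ACL must name the mapped External address because it is checked before the static NAT), here is a small model of that evaluation. It is an added example, not grblades' code or anything from the ASA; the addresses, the client source port and the port-group membership are constructed stand-ins for the obscured values in the posts.

```python
"""Model of how an ASA 7.x (pre-8.3) checks the 'outside-in' ACL lines from the
thread.  All addresses and the group membership are constructed for the demo."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed stand-ins for the obscured or unposted addresses in the thread.
EXTMAIL = "203.0.113.176"  # mapped (External) address of the mail server
INTMAIL = "192.168.11.3"   # real (Internal) address behind 'radocs-exch-001'

# 'static (Internal,External) EXTMAIL INTMAIL netmask 255.255.255.255'
STATIC_NAT = {EXTMAIL: INTMAIL}

# 'object-group service Inbound_Mail tcp' as posted, resolved to port numbers:
# www https smtp imap4 pop3 995 993 login kerberos ldap
INBOUND_MAIL: FrozenSet[int] = frozenset(
    {80, 443, 25, 143, 110, 995, 993, 513, 88, 389})


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One 'permit tcp any [<src-op>] host H [<dst-op>]' line.

    A port set of None means the operator was omitted, i.e. any port.
    An operator placed right after the source address ('any') constrains
    the *source* port; one after 'host H' constrains the destination port."""
    src_ports: Optional[FrozenSet[int]]
    dst_host: str
    dst_ports: Optional[FrozenSet[int]]

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst_ip != self.dst_host:
            return False
        if self.src_ports is not None and pkt.src_port not in self.src_ports:
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; every ASA ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return "permit"
    return "deny"


def inbound(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Order of operations for a packet arriving on External in ASA 7.x:
    the interface ACL is evaluated BEFORE the static NAT un-translates the
    destination, so the ACL has to name the mapped (External) address.
    Returns (decision, real destination after NAT)."""
    if evaluate(acl, pkt) == "deny":
        return "deny", None          # logged as 'deny tcp ... by access-group'
    real = STATIC_NAT.get(pkt.dst_ip)
    if real is None:
        return "no-xlate", None      # permitted, but nothing to translate to
    return "permit", real


# The three forms the thread goes through, in order:
# 1. object-group after BOTH 'any' and 'host' -> the source port must match
#    too (destination already set to EXTMAIL here to isolate the port problem)
ACL_BOTH_PORTS = [Ace(INBOUND_MAIL, EXTMAIL, INBOUND_MAIL)]
# 2. destination ports only, but naming the internal address
ACL_INTERNAL_HOST = [Ace(None, INTMAIL, INBOUND_MAIL)]
# 3. destination ports only, naming the mapped External address
ACL_EXTERNAL_HOST = [Ace(None, EXTMAIL, INBOUND_MAIL)]

# Constructed connection shaped like the posted syslog line: the client's
# ephemeral source port 3128 to SMTP (25) on the mail server's public address.
SMTP_FROM_INTERNET = Packet("198.51.100.7", 3128, EXTMAIL, 25)

if __name__ == "__main__":
    for name, acl in [("both-ports", ACL_BOTH_PORTS),
                      ("internal-host", ACL_INTERNAL_HOST),
                      ("external-host", ACL_EXTERNAL_HOST)]:
        print(f"{name:14s} -> {inbound(acl, SMTP_FROM_INTERNET)}")
```

The posted Inbound_Mail group also admits login (513), kerberos and ldap from any Internet source; only the mail ports the question asked for need to be in it.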
 
bdolemanAuthor Commented:
That fixed the POP and OWA, but SMTP is still not working.
 
grbladesCommented:
You could try running the 'clear xlate' command to reset the translation table.

How is SMTP not working?
Have you tried telnetting to the IP address on port 25?
 
bdolemanAuthor Commented:
SMTP now works; the 'clear xlate' seems like it fixed it. Thanks so much for your help.
