Solved

Port forwarding ASA 5505 PIX 501

Posted on 2007-10-17
15
Medium Priority
341 Views
Last Modified: 2010-04-09
Hi! I have a problem that needs to be solved, and it seems to me that this is the place to get help.

Anyhow, I have a CISCO PIX 501 ASA 5505 firewall and on the inside there is a local network with a few servers. One server is a mail server/FTP server, so I need to forward the FTP port to that mail server (192.168.1.4) from the outside (internet) and also the SMTP port, but I'm just focusing on the FTP port for now because it's the easiest way to see if the forwarding works.
But I can't get it to work; I have no idea what's wrong. I have been using the Cisco ASDM 5.2 software because I'm not that good at using Cisco commands. Hmm, I'm typing in my Cisco config so that maybe you gurus can tell me what's wrong.


!
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.x.x 255.255.255.252
 ospf cost 10
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan22
 nameif partner-dmz
 security-level 25
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Computers
 network-object host 192.168.1.4
object-group network Mailserver
 description SMTP
 network-object host 192.168.1.4
access-list outside_access_in extended permit tcp interface outside eq ftp host 192.168.1.4 eq ftp
access-list outside_authorization extended permit tcp any host 192.168.1.4 eq smtp
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu partner-dmz 1500
ip local pool luna 192.168.1.150-192.168.1.180 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface partner-dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp 192.168.1.4 ftp 222.66.236.200 ftp netmask 255.255.255.252
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.66.236.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TAC_SERVER protocol tacacs+
aaa-server TAC_SERVER host 192.168.1.4
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol l2tp-ipsec
group-policy test internal
group-policy test attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol IPSec
 default-domain value test
group-policy luna internal
group-policy luna attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol IPSec
username test password /FzQ9W6s1KjC0YQ7 encrypted privilege 15
username test attributes
 vpn-group-policy test
username user1 nopassword
username user2 password phwyxvpYThxBgNaW encrypted privilege 15
username lunatest password qLvfYK/6yljkW/T1 encrypted
username lunatest attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
aaa authorization match outside_authorization outside TAC_SERVER
http server enable
http 218.82.170.96 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 81.230.170.66 255.255.255.255 outside
http 84.19.134.9 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map inside_dyn_map 60 set pfs
crypto dynamic-map inside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map inside_dyn_map 80 set pfs
crypto dynamic-map inside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup_2
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group luna type ipsec-ra
tunnel-group luna general-attributes
 address-pool luna
 default-group-policy luna
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool luna
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none
telnet 192.168.1.4 255.255.255.255 inside
telnet 193.181.237.1 255.255.255.255 outside
telnet 194.237.179.38 255.255.255.255 outside
telnet timeout 5
ssh 194.237.179.38 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.181-192.168.1.254 inside
dhcpd dns 202.96.209.5 202.96.209.133 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
  inspect http
!
service-policy global_policy global
tftp-server inside 192.168.1.201 E:\downloads\tools\cisco_tftp_server
prompt hostname context
Cryptochecksum:33ea0d58ed38c4ccb165d35318cf293c
ciscoasa#
0
Comment
Question by:Neksot
15 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 20092920
Firstly, your static command is the wrong way around. I would also not do NAT on an individual port basis, as with FTP and email the server is likely to be sending out traffic to the internet, so you want it to send the traffic from the same IP address. So:-

no static (outside,inside) tcp 192.168.1.4 ftp 222.66.236.200 ftp netmask 255.255.255.252
static (inside,outside) 222.66.236.200  192.168.1.4 netmask 255.255.255.252
0
 
LVL 36

Expert Comment

by:grblades
ID: 20092951
Your access-lists need fixing as well:-

no access-list outside_access_in
access-list outside_access_in extended permit tcp any host  222.66.236.200 eq ftp
no access-list outside_authorization
access-group outside_access_in in interface outside
0
 

Author Comment

by:Neksot
ID: 20108300
Hi, thanks for the help.

Okay, let's skip the FTP forwarding because the SMTP is the mail problem that needs to be solved.

I did make the changes that you told me to do, but instead of FTP I chose SMTP. Is that right??
And what did you mean by grblades: "I would also not do NAT on an individual port basis, as with FTP and email the server is likely to be sending out traffic to the internet, so you want it to send the traffic from the same IP address. So:-"? The mail server has to receive and send mail, so what do I have to do?

Can you see any errors in the config?

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.236.202 255.255.255.252
 ospf cost 10
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan22
 nameif partner-dmz
 security-level 25
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Computers
 network-object host 192.168.1.4
object-group network Mailserver
 description SMTP
 network-object host 192.168.1.4
access-list outside_access_in extended permit tcp any host 222.66.236.200 eq smtp
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu partner-dmz 1500
ip local pool luna 192.168.1.150-192.168.1.180 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 222.66.236.200 192.168.1.4 netmask 255.255.255.252
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 222.66.236.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TAC_SERVER protocol tacacs+
aaa-server TAC_SERVER host 192.168.1.4
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol l2tp-ipsec
group-policy test internal
group-policy test attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol IPSec
 default-domain value test
group-policy luna internal
group-policy luna attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol IPSec
username test password /FzQ9W6s1KjC0YQ7 encrypted privilege 15
username test attributes
 vpn-group-policy test
username user1 nopassword
username user2 password phwyxvpYThxBgNaW encrypted privilege 15
username lunatest password qLvfYK/6yljkW/T1 encrypted
username lunatest attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
http server enable
http 218.82.170.96 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 81.230.170.66 255.255.255.255 outside
http 84.19.134.9 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map inside_dyn_map 60 set pfs
crypto dynamic-map inside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map inside_dyn_map 80 set pfs
crypto dynamic-map inside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup_2
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group luna type ipsec-ra
tunnel-group luna general-attributes
 address-pool luna
 default-group-policy luna
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool luna
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none
telnet 192.168.1.4 255.255.255.255 inside
telnet 193.181.237.1 255.255.255.255 outside
telnet 194.237.179.38 255.255.255.255 outside
telnet 81.230.170.66 255.255.255.255 outside
telnet timeout 5
ssh 194.237.179.38 255.255.255.255 outside
ssh 81.230.170.66 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.181-192.168.1.254 inside
dhcpd dns 202.96.209.5 202.96.209.133 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
  inspect http
!
service-policy global_policy global
tftp-server inside 192.168.1.201 E:\downloads\tools\cisco_tftp_server
prompt hostname context
Cryptochecksum:f6b3b441f354ad15cce42aeea66624b8
ciscoasa#
0
 

Author Comment

by:Neksot
ID: 20108343
So my question is: is this the right config to make the SMTP traffic work? The SMTP port should be open in and out from the mail server 192.168.1.4. When I run Cisco's packet tracer from the public address to the mail server on port 25 I get an access-list error, implicit rule error. What to do?
I'm grateful for all your help.
0
 
LVL 36

Expert Comment

by:grblades
ID: 20108942
The only error I can see is that the access-list hasn't been applied to the outside interface.
Add the following config line and it should work:-

access-group outside_access_in in interface outside
0
 

Author Comment

by:Neksot
ID: 20175329
Hi again.
I did type in that command, and now the server can't access the internet. Any ideas?




ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.236.202 255.255.255.252
 ospf cost 10
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan22
 nameif partner-dmz
 security-level 25
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST 8
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Computers
 network-object host 192.168.1.4
object-group network Mailserver
 description SMTP
 network-object host 192.168.1.4
access-list outside_access_in extended permit tcp any host 222.66.236.200 eq smtp
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu partner-dmz 1500
ip local pool luna 192.168.1.150-192.168.1.180 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface partner-dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 222.66.236.200 192.168.1.4 netmask 255.255.255.252
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.66.236.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TAC_SERVER protocol tacacs+
aaa-server TAC_SERVER host 192.168.1.4
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol l2tp-ipsec
group-policy test internal
group-policy test attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol IPSec
 default-domain value test
group-policy luna internal
group-policy luna attributes
 dns-server value 202.96.209.5
 vpn-tunnel-protocol IPSec
username test password /FzQ9W6s1KjC0YQ7 encrypted privilege 15
username test attributes
 vpn-group-policy test
username user1 nopassword
username user2 password phwyxvpYThxBgNaW encrypted privilege 15
username lunatest password qLvfYK/6yljkW/T1 encrypted
username lunatest attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
http server enable
http 84.19.134.9 255.255.255.255 outside
http 81.230.170.66 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
http 218.82.170.96 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map inside_dyn_map 40 set pfs
crypto dynamic-map inside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map inside_dyn_map 60 set pfs
crypto dynamic-map inside_dyn_map 60 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map inside_dyn_map 80 set pfs
crypto dynamic-map inside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup_2
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group luna type ipsec-ra
tunnel-group luna general-attributes
 address-pool luna
 default-group-policy luna
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool luna
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp ikev1-user-authentication none
telnet 192.168.1.4 255.255.255.255 inside
telnet 193.181.237.1 255.255.255.255 outside
telnet 194.237.179.38 255.255.255.255 outside
telnet 81.230.170.66 255.255.255.255 outside
telnet timeout 5
ssh 194.237.179.38 255.255.255.255 outside
ssh 81.230.170.66 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.181-192.168.1.254 inside
dhcpd dns 202.96.209.5 202.96.209.133 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
  inspect http
!
0
 
LVL 36

Expert Comment

by:grblades
ID: 20175548
The static command is wrong:-

no static (inside,outside) 222.66.236.200 192.168.1.4 netmask 255.255.255.252
static (inside,outside) 222.66.236.200 192.168.1.4 netmask 255.255.255.255
clear xlate

0
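The three corrections grblades makes in this thread (the static written as (outside,inside) in the first post, the access-list that was defined but never applied to the outside interface, and the host static given a /30 netmask in the post above) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses only the pre-8.3 interface, static, access-list and access-group lines the thread uses and reports those three conditions, plus two consequences a practitioner would want flagged: whether a non-/32 static's range swallows the firewall's own interface address, and whether the outside access-list names the translated address rather than the real 192.168.1.4 (ASA 7.x matches the outside ACL against the translated address). The finding codes, the function names and the "the mapped side should be the lower-security one" heuristic are this example's own; the sample excerpts are taken from the first and final configurations posted in the thread, with 222.66.236.202 from the later posts substituted for the masked 222.66.x.x of the first.

```python
"""Lint the ASA 7.x (pre-8.3) interface / static / access-list / access-group lines of a config
for the mistakes grblades corrects in this thread.  Added example; understands only the forms used here."""
import ipaddress
import re
from collections import namedtuple
from types import SimpleNamespace

Static = namedtuple("Static", "line real_ifc mapped_ifc proto mapped_addr mapped_port real_addr real_port mask")


def _spec(t, i):  # ACL address spec (any | host A | interface IFC | A MASK) plus optional 'eq PORT'
    if t[i] == "any":
        a, i = "any", i + 1
    elif t[i] in ("host", "interface"):
        a, i = (t[i + 1] if t[i] == "host" else f"interface {t[i + 1]}"), i + 2
    else:
        a, i = f"{t[i]}/{t[i + 1]}", i + 2
    return (a, t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else (a, None, i)


def parse_static(line):  # static (real,mapped) [tcp|udp] MAPPED [MPORT] REAL [RPORT] [netmask M]
    t = line.split()
    real_ifc, mapped_ifc = re.match(r"\(([^,]+),([^)]+)\)", t[1]).groups()
    rest, proto = t[2:], None
    if rest[0] in ("tcp", "udp"):
        proto, (mapped, mport, real, rport), rest = rest[0], rest[1:5], rest[5:]
    else:
        (mapped, real), mport, rport, rest = rest[:2], None, None, rest[2:]
    mask = rest[1] if rest[:1] == ["netmask"] else "255.255.255.255"
    return Static(line, real_ifc, mapped_ifc, proto, mapped, mport, real, rport, mask)


def parse(text):
    cfg, cur = SimpleNamespace(ifaces={}, statics=[], acls={}, groups={}), None
    for line in (ln.strip() for ln in text.splitlines()):
        t = line.split()
        if line.startswith("nameif "):             # first sub-command of an interface block
            cur = t[1]
            cfg.ifaces[cur] = [0, None]            # [security-level, interface address]
        elif line.startswith("security-level "):
            cfg.ifaces[cur][0] = int(t[1])
        elif line.startswith("ip address "):
            cfg.ifaces[cur][1] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").ip
        elif line.startswith("static ("):
            cfg.statics.append(parse_static(line))
        elif line.startswith("access-list "):
            i = 3 if t[2] == "extended" else 2     # t[i] is the action, t[i+1] the protocol
            src, sport, j = _spec(t, i + 2)
            dst, dport, _ = _spec(t, j)
            cfg.acls.setdefault(t[1], []).append((t[i], t[i + 1], src, sport, dst, dport))
        elif line.startswith("access-group "):     # access-group NAME in interface IFC
            cfg.groups[t[4]] = t[1]
    return cfg


def lint(cfg):
    """Return (code, message) findings for each static in the config."""
    out, if_ip = [], {n: ip for n, (_, ip) in cfg.ifaces.items() if ip}
    for s in cfg.statics:
        mapped = str(if_ip[s.mapped_ifc]) if s.mapped_addr == "interface" else s.mapped_addr
        if s.mapped_addr != "interface":
            nets = {side: ipaddress.ip_network(f"{a}/{s.mask}", strict=False)
                    for side, a in (("mapped", s.mapped_addr), ("real", s.real_addr))}
            if nets["mapped"].num_addresses > 1:
                out.append(("STATIC_NETMASK", f"{s.line}: netmask {s.mask} covers {nets['mapped']}, not one host"))
            out += [("STATIC_OVERLAP", f"{s.line}: {side} range {net} includes the firewall's own {ifc} address {ip}")
                    for side, net in nets.items() for ifc, ip in if_ip.items() if ip in net]
        # Heuristic: publishing a server maps the higher-security (real) side to a lower one.
        if cfg.ifaces[s.real_ifc][0] < cfg.ifaces[s.mapped_ifc][0]:
            out.append(("STATIC_DIRECTION", f"{s.line}: write static ({s.mapped_ifc},{s.real_ifc}) PUBLIC PRIVATE"))
            continue
        acl = cfg.groups.get(s.mapped_ifc)
        if acl is None:
            out.append(("ACL_NOT_APPLIED", f"no access-group on {s.mapped_ifc}; new connections to {mapped} hit the implicit deny"))
            continue
        # Pre-8.3 ACLs see the translated address, so the permit must name `mapped`, not the real IP.
        if not any(act == "permit" and (s.proto is None or proto in ("ip", s.proto))
                   and dst in ("any", mapped, f"interface {s.mapped_ifc}")
                   and (dport is None or s.mapped_port is None or dport == s.mapped_port)
                   for act, proto, _, _, dst, dport in cfg.acls.get(acl, [])):
            out.append(("ACL_NO_PERMIT", f"access-list {acl} has no permit to translated address {mapped} (not {s.real_addr})"))
    return out


# Excerpts of the thread's first and final configs (222.66.236.202 substituted for the masked 222.66.x.x).
IFACES = """interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.236.202 255.255.255.252
"""
FIRST_POST = IFACES + """access-list outside_access_in extended permit tcp interface outside eq ftp host 192.168.1.4 eq ftp
static (outside,inside) tcp 192.168.1.4 ftp 222.66.236.200 ftp netmask 255.255.255.252
access-group outside_access_in in interface outside
"""
FINAL_POST = IFACES + """access-list outside_access_in extended permit tcp any host 222.66.236.202 eq smtp
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq pop3
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
```

`lint(parse(FIRST_POST))` reports the reversed direction, the /30 netmask and that the real-side range 222.66.236.200/30 contains the firewall's own outside address 222.66.236.202, which is also what the 255.255.255.252 static in the second configuration did to the interface that outbound PAT uses; `lint(parse(FINAL_POST))` is clean. The second configuration's state (outside_access_in defined but only inside_access_in applied) produces ACL_NOT_APPLIED.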
 

Author Comment

by:Neksot
ID: 20470632
Hi again!

This is my new configuration. I have had a Chinese "Cisco guy" make the right settings for the firewall, but somehow I don't feel that this is right. Could you take a look and see if the SMTP forwarding is right now from outside ("internet") to inside ("mailserver", address 192.168.1.4)?

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.236.202 255.255.255.252
 ospf cost 10
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan22
 nameif partner-dmz
 security-level 25
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Computers
 network-object host 192.168.1.4
object-group network Mailserver
 description SMTP
 network-object host 192.168.1.4
access-list 120 extended permit tcp any host 222.66.236.202 eq smtp
access-list 120 extended permit tcp any host 222.66.236.202 eq pop3
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq smtp
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq pop3
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu partner-dmz 1500
ip local pool remote 192.168.10.1-192.168.10.254
ip local pool test 10.0.0.1-10.0.0.50
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.66.236.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 dns-server value 202.102.224.68 202.102.227.68
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
group-policy username internal
group-policy username attributes
 dns-server value 202.96.209.5 202.96.209.133
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
group-policy vpn1 internal
group-policy vpn1 attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username jerry password 6sFd7ZeYevKgd0jZ encrypted
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-DES-MD5
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
crypto map Outside_map_1 20 ipsec-isakmp dynamic outside_dyn_map_1
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool remote
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group username type ipsec-ra
tunnel-group username general-attributes
 address-pool remote
 default-group-policy username
tunnel-group username ipsec-attributes
 pre-shared-key *
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
 default-group-policy vpn1
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.4 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.255 inside
telnet 193.181.237.1 255.255.255.255 outside
telnet 194.237.179.38 255.255.255.255 outside
telnet 81.230.170.66 255.255.255.255 outside
telnet timeout 5
ssh 194.237.179.38 255.255.255.255 outside
ssh 81.230.170.66 255.255.255.255 outside
ssh 125.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.181-192.168.1.254 inside
dhcpd dns 202.96.209.5 202.96.209.133 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:84efa785cdbe9c893cec8955fc7014d8
0
 
LVL 36

Expert Comment

by:grblades
ID: 20470654
It looks fine to me. If you are having problems you could run the 'clear xlate' command.

You also have ESMTP packet inspection turned on. This can cause the odd problem with some mail servers. I would turn it off by adding the following configuration:-

policy-map global_policy
 class inspection_default
  no inspect esmtp
0
 

Author Comment

by:Neksot
ID: 20471011
What is the "clear xlate" command? What does it do?
0
 
LVL 36

Expert Comment

by:grblades
ID: 20471049
It resets the internal translation table in memory. Sometimes when you change a translation using a static command it still has the old values in memory, which can cause problems. This command clears them, and it is recommended after modifying any static entries. It does have the downside that it will drop any active connections when the command is run, which is why the PIX does not do it automatically.
Expert Comment

by:pierreandreasson
ID: 20616681
Hi grblades, it's me Neksot. I've just got a new account. I have one question. Now when I've changed the MX record and tried to send an email the firewall gives me this error:

4      Jan 09 2008      09:17:58      106023      202.108.37.33      222.66.236.202       Deny tcp src outside:202.108.37.33/25 dst inside:222.66.236.202/55834 by access-group "outside_access_in" [0x0, 0x0]


And I'm using the configuration that I've pasted last time, but I haven't done the "clear xlate" command. Can that maybe solve the problem?
Expert Comment

by:pierreandreasson
ID: 20616699
Here is the configuration again:


ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.236.202 255.255.255.252
 ospf cost 10
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan22
 nameif partner-dmz
 security-level 25
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Computers
 network-object host 192.168.1.4
object-group network Mailserver
 description SMTP
 network-object host 192.168.1.4
access-list 120 extended permit tcp any host 222.66.236.202 eq smtp
access-list 120 extended permit tcp any host 222.66.236.202 eq pop3
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq smtp
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq pop3
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu partner-dmz 1500
ip local pool remote 192.168.10.1-192.168.10.254
ip local pool test 10.0.0.1-10.0.0.50
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
monitor-interface partner-dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.66.236.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 dns-server value 202.102.224.68 202.102.227.68
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
group-policy username internal
group-policy username attributes
 dns-server value 202.96.209.5 202.96.209.133
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
group-policy vpn1 internal
group-policy vpn1 attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username jimmyshanghai password H6/tm6Taa6D7Co12 encrypted
username tomaszshanghai password LLjW.9OE.utvl/nz encrypted
username jerry password 6sFd7ZeYevKgd0jZ encrypted
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-DES-MD5
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
crypto map Outside_map_1 20 ipsec-isakmp dynamic outside_dyn_map_1
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool remote
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group username type ipsec-ra
tunnel-group username general-attributes
 address-pool remote
 default-group-policy username
tunnel-group username ipsec-attributes
 pre-shared-key *
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
 default-group-policy vpn1
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.4 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.255 inside
telnet 193.181.237.1 255.255.255.255 outside
telnet 194.237.179.38 255.255.255.255 outside
telnet 81.230.170.66 255.255.255.255 outside
telnet timeout 5
ssh 194.237.179.38 255.255.255.255 outside
ssh 81.230.170.66 255.255.255.255 outside
ssh 125.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.181-192.168.1.254 inside
dhcpd dns 202.96.209.5 202.96.209.133 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:84efa785cdbe9c893cec8955fc7014d8
: end
Expert Comment

by:pierreandreasson
ID: 20617764
Here again. I did put in those commands that you told me:

policy-map global_policy
 class inspection_default
  no inspect esmtp

and I did the "clear xlate" command.

After the "clear xlate" command this error is cleared:

4      Jan 09 2008      09:17:58      106023      202.108.37.33      222.66.236.202       Deny tcp src outside:202.108.37.33/25 dst inside:222.66.236.202/55834 by access-group "outside_access_in" [0x0, 0x0]

But now it says:

6      Jan 09 2008      12:54:43      302014      65.54.246.157      192.168.1.4       Teardown TCP connection 642222 for outside:65.54.246.157/54439 to inside:192.168.1.4/25 duration 0:00:00 bytes 0 TCP Reset-I

and

6      Jan 09 2008      12:54:43      302013      65.54.246.162      192.168.1.4       Built inbound TCP connection 642223 for outside:65.54.246.162/9969 (65.54.246.162/9969) to inside:192.168.1.4/25 (222.66.236.202/25)


This is the configuration now:

Result of the command: "show configuration"

: Saved
: Written by enable_15 at 12:41:00.017 UTC Wed Jan 9 2008
!
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 222.66.236.202 255.255.255.252
 ospf cost 10
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan22
 nameif partner-dmz
 security-level 25
 ip address 10.1.1.1 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 22
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Computers
 network-object host 192.168.1.4
object-group network Mailserver
 description SMTP
 network-object host 192.168.1.4
access-list 120 extended permit tcp any host 222.66.236.202 eq smtp
access-list 120 extended permit tcp any host 222.66.236.202 eq pop3
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.10.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq smtp
access-list outside_access_in extended permit tcp any host 222.66.236.202 eq pop3
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu partner-dmz 1500
ip local pool remote 192.168.10.1-192.168.10.254
ip local pool test 10.0.0.1-10.0.0.50
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.4 pop3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 222.66.236.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 dns-server value 202.102.224.68 202.102.227.68
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
group-policy username internal
group-policy username attributes
 dns-server value 202.96.209.5 202.96.209.133
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTunnelAcl
group-policy vpn1 internal
group-policy vpn1 attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
username jimmyshanghai password H6/tm6Taa6D7Co12 encrypted
username tomaszshanghai password LLjW.9OE.utvl/nz encrypted
username jerry password 6sFd7ZeYevKgd0jZ encrypted
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map_1 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-DES-MD5
crypto map outside_map_1 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map_1 interface outside
crypto map Outside_map_1 20 ipsec-isakmp dynamic outside_dyn_map_1
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool remote
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key *
tunnel-group username type ipsec-ra
tunnel-group username general-attributes
 address-pool remote
 default-group-policy username
tunnel-group username ipsec-attributes
 pre-shared-key *
tunnel-group vpn1 type ipsec-ra
tunnel-group vpn1 general-attributes
 default-group-policy vpn1
telnet 0.0.0.0 0.0.0.0 inside
telnet 192.168.1.4 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.255 inside
telnet 193.181.237.1 255.255.255.255 outside
telnet 194.237.179.38 255.255.255.255 outside
telnet 81.230.170.66 255.255.255.255 outside
telnet timeout 5
ssh 194.237.179.38 255.255.255.255 outside
ssh 81.230.170.66 255.255.255.255 outside
ssh 125.0.0.0 255.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.181-192.168.1.254 inside
dhcpd dns 202.96.209.5 202.96.209.133 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc7b2873f6f639e407f03a97df1d301a
Accepted Solution

by:
grblades earned 1500 total points
ID: 20626348
6      Jan 09 2008      12:54:43      302014      65.54.246.157      192.168.1.4       Teardown TCP connection 642222 for outside:65.54.246.157/54439 to inside:192.168.1.4/25 duration 0:00:00 bytes 0 TCP Reset-I

Not sure about this one. Was it just after the 'clear xlate' command was issued? That would cause any existing connections to be dropped.


6      Jan 09 2008      12:54:43      302013      65.54.246.162      192.168.1.4       Built inbound TCP connection 642223 for outside:65.54.246.162/9969 (65.54.246.162/9969) to inside:192.168.1.4/25 (222.66.236.202/25)

That looks perfectly normal and is what I would expect.
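Added example, not part of the thread and not a Cisco tool: a small Python triage script that parses the three kinds of ASDM log rows quoted above (106023 deny, 302013 built, 302014 teardown) and labels each one relative to the static PAT for SMTP that the question is about. The sample rows are the ones pasted in the thread, retyped with the ASDM column padding collapsed; the label names, and the reading of the 106023 row as the reply half of an outbound connection that the ASA no longer held a connection entry for, are this example's own heuristics rather than something the thread states. What the script makes explicit that the replies do not: the 302014 row ends in "TCP Reset-I", which on the ASA means the reset came from the inside host, so with a duration of 0:00:00 and 0 bytes the firewall had already passed the session and it was the mail server at 192.168.1.4 that closed it.

```python
import re
from typing import Optional

# Constructed sample input: the three ASDM log rows quoted in this thread, retyped with the
# column padding collapsed to single spaces (the regexes below accept any run of whitespace).
SAMPLE_LOG = """\
4 Jan 09 2008 09:17:58 106023 202.108.37.33 222.66.236.202 Deny tcp src outside:202.108.37.33/25 dst inside:222.66.236.202/55834 by access-group "outside_access_in" [0x0, 0x0]
6 Jan 09 2008 12:54:43 302014 65.54.246.157 192.168.1.4 Teardown TCP connection 642222 for outside:65.54.246.157/54439 to inside:192.168.1.4/25 duration 0:00:00 bytes 0 TCP Reset-I
6 Jan 09 2008 12:54:43 302013 65.54.246.162 192.168.1.4 Built inbound TCP connection 642223 for outside:65.54.246.162/9969 (65.54.246.162/9969) to inside:192.168.1.4/25 (222.66.236.202/25)
"""

# ASDM log viewer columns: severity, date, time, syslog ID, source IP, destination IP, message text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>\w{3}\s+\d{1,2}\s+\d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<text>.*)$"
)
# 106023: packet denied by an interface ACL. The ACL is only consulted for packets that do not
# match an existing connection, so a denied reply packet means no connection entry existed for it.
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)
# 302013: connection built; the parenthesised address/port is the translated (mapped) one.
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \((?P<src_map>[\d.]+)/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \((?P<dst_map>[\d.]+)/(?P<dst_map_port>\d+)\)"
)
# 302014: connection torn down; the trailing text is the teardown reason.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"
)
DETAIL_RE = {"106023": DENY_RE, "302013": BUILT_RE, "302014": TEARDOWN_RE}


def parse_line(line: str) -> Optional[dict]:
    """Split one ASDM log row into its columns plus the fields of the message text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    detail_re = DETAIL_RE.get(ev["msgid"])
    if detail_re:
        d = detail_re.search(ev["text"])
        if d:
            ev.update(d.groupdict())
    return ev


def classify(ev: dict, outside_ip: str, server_ip: str, service_port: str) -> str:
    """Label an event relative to a static PAT outside_ip:service_port -> server_ip:service_port.

    The label names are this example's own (hypothetical) vocabulary, chosen for triage."""
    if ev["msgid"] == "106023":
        # A packet *from* the service port aimed at the firewall's own outside address on a high
        # port is the reply half of an outbound connection. It only reaches the ACL, and gets
        # denied, when the ASA holds no connection/translation for that session any more.
        if (ev.get("dst_ip") == outside_ip and ev.get("src_port") == service_port
                and int(ev.get("dst_port", 0)) > 1023):
            return "reply-to-outbound-without-xlate"
        if ev.get("dst_ip") == outside_ip and ev.get("dst_port") == service_port:
            return "inbound-to-service-denied-by-acl"
        return "other-deny"
    if ev["msgid"] == "302013":
        # An inbound connection whose mapped destination is outside_ip:service_port and whose
        # real destination is the server is the static PAT doing exactly what it was configured for.
        if (ev.get("dir") == "inbound" and ev.get("dst_ip") == server_ip
                and ev.get("dst_map") == outside_ip and ev.get("dst_map_port") == service_port):
            return "static-pat-hit"
        return "other-built"
    if ev["msgid"] == "302014":
        # "Reset-I" = the RST came from the inside interface, i.e. the server itself closed the
        # session; with 0 bytes and 0 duration the firewall passed the SYN and the server refused.
        reason = ev.get("reason") or ""
        if ev.get("dst_ip") == server_ip and ev.get("bytes") == "0" and "Reset-I" in reason:
            return "server-reset-before-data"
        return "other-teardown"
    return "unhandled"


def summarize(log_text: str, outside_ip: str, server_ip: str, service_port: str = "25") -> dict:
    """Count each label over a log export; the dict is what a quick triage pass would look at."""
    counts: dict = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        label = classify(ev, outside_ip, server_ip, service_port)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG, "222.66.236.202", "192.168.1.4").items()):
        print(f"{n:3d}  {label}")
```

Run as-is it prints one hit for each label; to use it on a real case, replace SAMPLE_LOG with rows exported from the ASDM log viewer and pass the firewall's outside address and the server's inside address. A "server-reset-before-data" count rising while "static-pat-hit" also rises points at the mail server, not the firewall. Unrelated to the PAT problem but visible in the posted configuration: `http 0.0.0.0 0.0.0.0 outside`, `ssh 125.0.0.0 255.0.0.0 outside` and `telnet 0.0.0.0 0.0.0.0 inside` open ASDM/SSH management to any outside address and Telnet to the whole inside network; those should be narrowed to the actual management hosts.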