Cisco ASA 5505 Access list question

I am trying to get SMTP, HTTP, and HTTPS to pass through my Cisco ASA 5505. I have searched through the forums for the answer and thought I had it correct, but it still isn't passing traffic.

Any help would be appreciated, and thanks in advance.

Here is my config:

 
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.02.10 22:47:33 =~=~=~=~=~=~=~=~=~=~=~=
sho config
: Saved
: Written by enable_15 at 22:20:34.690 UTC Sun Feb 10 2008
!
ASA Version 7.2(2) 
!
hostname ciscoasa
domain-name ciscoasa.com
enable password bMssAdqEOQG43gUP encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.101.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 68.14.211.50 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd bMssAdqEOQG43gUP encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ciscoasa.com
access-list access_outside_in extended permit tcp any host 10.101.1.21 eq smtp 
access-list access_outside_in extended permit tcp any host 10.101.1.21 eq www 
access-list access_outside_in extended permit tcp any host 10.101.1.21 eq https 
access-list access_outside_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 68.14.211.50 10.101.1.21 netmask 255.255.255.255 
access-group access_outside_in in interface outside per-user-override
route outside 0.0.0.0 0.0.0.0 68.14.211.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.101.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.101.1.0 255.255.255.255 inside
telnet 10.101.1.0 255.255.255.0 inside
telnet timeout 5
ssh 10.101.1.0 255.255.255.0 inside
ssh 10.101.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:0ed319bc1e0c9875832127b1702c309b


peterbliss Asked:

TG Tran (IT guy) Commented:
Change the IP address from 10.101.1.21 to 68.14.211.50 in all of your Access-list statements
batry_boy Commented:
You should not use the public IP address assigned to the outside interface in a one-to-one NAT statement.  You should use the PAT syntax for your static, or you should use a different public IP that you have available in your public block of addresses.  Judging from your 255.255.255.240 netmask on the outside interface, you should have some available public IPs to use.

However, if you want to use the same public IP for NAT to an inside host as you have assigned to the interface, you should also change the public IP address referenced in your static statement to the keyword "interface" and then specify "interface outside" as the destination in your ACL.  Perform these commands:

no static (inside,outside) 68.14.211.50 10.101.1.21 netmask 255.255.255.255
static (inside,outside) tcp interface www 10.101.1.21 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.101.1.21 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.101.1.21 smtp netmask 255.255.255.255
access-list access_outside_in extended permit tcp any interface outside eq smtp
access-list access_outside_in extended permit tcp any interface outside eq www
access-list access_outside_in extended permit tcp any interface outside eq https
no access-list access_outside_in extended permit tcp any host 10.101.1.21 eq smtp
no access-list access_outside_in extended permit tcp any host 10.101.1.21 eq www
no access-list access_outside_in extended permit tcp any host 10.101.1.21 eq https
clear xlate

Those commands should be entered in that order.  In this fashion, the ACL will stay applied to the interface and you won't have to reapply it since it was never deleted.

Good luck!
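The point both replies turn on is the pre-8.3 order of operations: on ASA 7.2 the access-group on the outside interface is matched against the packet as it arrives, so the destination it sees is the public (mapped) address, and the static is consulted afterwards to find the inside host. An ACE written with 10.101.1.21 can therefore never match an inbound packet. The Python model below is an added example, not code from the thread or from Cisco; it parses only the static and access-list forms used in this thread, applies that matching order to a constructed inbound SYN, and runs the poster's original lines, the ACL rewritten to the mapped address, and batry_boy's static PAT form side by side. The model deliberately does not reproduce the ASA's objection to a one-to-one static that uses the interface address, which is the other problem batry_boy points out.

```python
"""Model of how an ASA 7.2 (pre-8.3) firewall handles a new inbound TCP
connection on the outside interface. Constructed for illustration; it is not
Cisco code and only models the two commands the thread argues about."""
from collections import namedtuple

# Port keywords the ASA prints in the posted config.
PORTS = {"smtp": 25, "www": 80, "http": 80, "https": 443}

Static = namedtuple("Static", "proto mapped mapped_port real real_port")
Ace = namedtuple("Ace", "dst dst_port")


def port(tok):
    """Translate an ASA port keyword or number into an integer."""
    return PORTS[tok] if tok in PORTS else int(tok)


def parse(cfg, outside_ip):
    """Pull static and access-list lines out of a config snippet.
    Handles the two static forms used in the thread:
      static (inside,outside) MAPPED REAL netmask 255.255.255.255
      static (inside,outside) tcp interface PORT REAL PORT netmask ...
    and the two ACE forms:
      access-list NAME extended permit tcp any host DST eq PORT
      access-list NAME extended permit tcp any interface outside eq PORT
    The keyword 'interface' stands for the outside interface address."""
    statics, aces = [], []
    for line in cfg.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static":
            if t[2] in ("tcp", "udp"):                     # static PAT
                mapped = outside_ip if t[3] == "interface" else t[3]
                statics.append(Static(t[2], mapped, port(t[4]), t[5], port(t[6])))
            else:                                          # one-to-one static NAT
                statics.append(Static("ip", t[2], None, t[3], None))
        elif t[0] == "access-list" and t[3:6] == ["permit", "tcp", "any"]:
            dst = outside_ip if t[6] == "interface" else t[7]
            aces.append(Ace(dst, port(t[9]) if t[8] == "eq" else None))
    return statics, aces


def inbound(cfg, outside_ip, dst_ip, dst_port):
    """Decide the fate of an outside->inside SYN addressed to dst_ip:dst_port.
    The ACL is evaluated against the mapped destination first; only a packet
    that passes the ACL is then untranslated via a matching static."""
    statics, aces = parse(cfg, outside_ip)
    if not any(a.dst == dst_ip and a.dst_port in (None, dst_port) for a in aces):
        return "deny (no ACE matches the mapped address)", None
    for s in statics:
        if s.mapped == dst_ip and s.mapped_port in (None, dst_port):
            return "permit", (s.real, s.real_port or dst_port)
    return "deny (no translation group found)", None


OUTSIDE = "68.14.211.50"

# Constructed from the poster's original lines: ACL written with the inside address.
ORIGINAL = """
static (inside,outside) 68.14.211.50 10.101.1.21 netmask 255.255.255.255
access-list access_outside_in extended permit tcp any host 10.101.1.21 eq smtp
access-list access_outside_in extended permit tcp any host 10.101.1.21 eq www
access-list access_outside_in extended permit tcp any host 10.101.1.21 eq https
"""

# Same ACL rewritten to the public address, as TG Tran suggests.
MAPPED_ACL = ORIGINAL.replace("host 10.101.1.21", "host 68.14.211.50")

# batry_boy's static PAT form, keyed to the interface address.
STATIC_PAT = """
static (inside,outside) tcp interface www 10.101.1.21 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.101.1.21 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.101.1.21 smtp netmask 255.255.255.255
access-list access_outside_in extended permit tcp any interface outside eq smtp
access-list access_outside_in extended permit tcp any interface outside eq www
access-list access_outside_in extended permit tcp any interface outside eq https
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("mapped ACL", MAPPED_ACL), ("static PAT", STATIC_PAT)):
        for p in (25, 443, 22):
            print(f"{name:10} {OUTSIDE}:{p:<4} -> {inbound(cfg, OUTSIDE, OUTSIDE, p)}")
```

Running it shows the original config denying every inbound connection with no matching ACE, while both corrected forms permit 25, 80 and 443 and untranslate them to 10.101.1.21; port 22 is denied in all three because no ACE permits it. On a real 7.2 box the same outcome is visible as an access-group deny in the syslog when the ACL references the inside address.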
peterbliss (Author) Commented:
I wanted to say thank you again for your help; that helped out a lot.
I knew I had it almost correct; it was just missing that little piece of info. By the way, I only have one IP available in my block.
Just as a knowledge standpoint: if I had, say, 5 IPs available, how would I change the config to use the other IPs?

I know I would need a global command like this:

global (outside) 1 x.x.x.x-x.x.x.x netmask x.x.x.x

But as for the access list, would I then need a static access list, something like this?

static (inside,outside) 68.14.211.51 10.101.1.21 netmask 255.255.255.255


Thanks again for your help.
batry_boy Commented:
Well, if you wanted a one-to-one static NAT for 5 public IPs that pointed to 5 different inside IPs, here would be the syntax if you wanted to allow www traffic to each of them (just as an example):

static (inside,outside) 68.14.211.51 10.101.1.21 netmask 255.255.255.255
static (inside,outside) 68.14.211.52 10.101.1.22 netmask 255.255.255.255
static (inside,outside) 68.14.211.53 10.101.1.23 netmask 255.255.255.255
static (inside,outside) 68.14.211.54 10.101.1.24 netmask 255.255.255.255
static (inside,outside) 68.14.211.55 10.101.1.25 netmask 255.255.255.255
access-list access_outside_in extended permit tcp any host 68.14.211.51 eq www
access-list access_outside_in extended permit tcp any host 68.14.211.52 eq www
access-list access_outside_in extended permit tcp any host 68.14.211.53 eq www
access-list access_outside_in extended permit tcp any host 68.14.211.54 eq www
access-list access_outside_in extended permit tcp any host 68.14.211.55 eq www

The "global" command you mention in your post is for outbound NAT only and is paired with a corresponding "nat" statement that has the same sequence number in it.  For example, the following two commands would take any source traffic from 192.168.1.0/24 and NAT it to 1.1.1.1 when going to the outside:

global (outside) 1 1.1.1.1
nat (inside) 1 192.168.1.0 255.255.255.0

If you wanted another set of source IPs to be translated to a different public IP address, then you could put in the following two commands:

global (outside) 2 100.100.100.100
nat (inside) 2 172.16.1.0 255.255.255.0

Those two commands would translate any IP address from source network 172.16.1.0/24 into the public IP address 100.100.100.100 when sending traffic to the outside interface.
peterbliss (Author) Commented:
I just want to clarify about the global.
Using the same IP scheme 68.14.211.50-68.14.211.55, if I use this command:

static (inside,outside) 68.14.211.51 10.101.1.45 netmask 255.255.255.255
access-list access_outside_in extended permit tcp any host 68.14.211.51 eq www
global (outside) 2 68.14.211.51
nat (inside) 2 10.101.1.45 255.255.255.0

Would that be correct?
This would then point all my traffic for IP 68.14.211.51 to that port.
batry_boy Commented:
No, not exactly.

For inbound access, you would use the static command along with the access-list command to allow the traffic inbound.  The global/nat commands are used when translating addresses for traffic going outbound.

The following command only sets up the mapping but doesn't allow the traffic:

static (inside,outside) 68.14.211.51 10.101.1.45 netmask 255.255.255.255

The next command actually allows the traffic:

access-list access_outside_in extended permit tcp any host 68.14.211.51 eq www
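The distinction batry_boy draws in the last two replies, that a static sets up a mapping usable in both directions while nat/global pairs only translate connections leaving through the outside interface, is easier to see in a small model of the two lookups. The Python below is an added example, not the thread's or Cisco's code. It parses one-to-one static lines and nat/global pairs, resolves an outbound source the way the 7.2 NAT order of operations does (a static for the real address wins, otherwise the best-matching nat statement and the global with the same ID), and resolves an inbound destination by consulting statics only, so an address that exists solely as a global has no inbound mapping. The sample configuration is constructed from batry_boy's 172.16.1.0/24 example, the poster's existing PAT behind the interface, and the poster's proposed static for 10.101.1.45; ties between equally specific nat statements are broken by the higher ID, which is this model's simplification.

```python
"""Model of the ASA 7.2 (pre-8.3) translation lookups that the last two
replies contrast: static entries serve both directions, nat/global pairs
serve outbound connections only. Constructed illustration, not Cisco code."""
import ipaddress


def parse_nat(cfg, outside_ip):
    """Collect one-to-one statics (real -> mapped) and nat/global pairs by ID.
    'global (outside) N interface' means PAT behind the outside interface address.
    Static PAT lines (static ... tcp ...) are out of scope for this model."""
    statics, nats, globals_ = {}, [], {}
    for line in cfg.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static" and t[2] not in ("tcp", "udp"):
            statics[t[3]] = t[2]
        elif t[0] == "nat":
            nats.append((int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":
            globals_[int(t[2])] = outside_ip if t[3] == "interface" else t[3]
    return statics, nats, globals_


def outbound(cfg, outside_ip, src_ip):
    """Return (mechanism, mapped_source) for a connection from src_ip to the
    outside. A static for the real address takes precedence; otherwise the
    nat statement that best matches (longest prefix) is used together with
    the global of the same ID. Ties are broken by the higher ID (simplification)."""
    statics, nats, globals_ = parse_nat(cfg, outside_ip)
    if src_ip in statics:
        return "static", statics[src_ip]
    addr = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, nid) for nid, net in nats if addr in net]
    if not matches:
        # nat-control is off by default on 7.x, so the packet leaves untranslated.
        return "none", src_ip
    _, nid = max(matches)
    return f"nat/global {nid}", globals_[nid]


def inbound_real(cfg, outside_ip, dst_ip):
    """Untranslate an inbound destination. Only static entries are consulted:
    an address that exists solely as a 'global' has no inbound mapping, so a
    connection to it reaches no inside host no matter what the ACL permits."""
    statics, _, _ = parse_nat(cfg, outside_ip)
    for real, mapped in statics.items():
        if mapped == dst_ip:
            return real
    return None


OUTSIDE = "68.14.211.50"

# Constructed sample: the poster's interface PAT, batry_boy's second nat/global
# pair, and the poster's proposed static for 10.101.1.45.
CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 2 100.100.100.100
nat (inside) 2 172.16.1.0 255.255.255.0
static (inside,outside) 68.14.211.51 10.101.1.45 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for src in ("10.101.1.45", "10.101.1.9", "172.16.1.7"):
        print(f"outbound from {src:12} -> {outbound(CONFIG, OUTSIDE, src)}")
    for dst in ("68.14.211.51", "100.100.100.100"):
        print(f"inbound to {dst:16} -> real host {inbound_real(CONFIG, OUTSIDE, dst)}")
```

The outbound side shows 10.101.1.45 leaving as 68.14.211.51 because its static overrides the catch-all nat 1, 172.16.1.7 leaving as 100.100.100.100 via the more specific nat 2, and everything else PATted behind the interface. The inbound side shows why the poster's extra global/nat lines would not help: 68.14.211.51 untranslates to 10.101.1.45 because of the static, while 100.100.100.100 has no inbound mapping at all, and the access-list is what then permits or denies the translated connection.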