bradibutler asked:
Remote Desktop, Mail, OWA, Remote Web Workplace through Cisco ASA 5505

I'm trying to set up a new ASA 5505. Not having much luck getting particular services to pass through the ASA to our Windows Server 2003 Small Business Server.

The items I'm trying to allow through the ASA to our server are:
- Outlook Web Access
- Remote Web Workplace
- Mail to Exchange
- Remote Desktop to Server

I know I don't have the entries for anything other than Remote Desktop for the server, but I assume the proper command line will apply to all, as long as it's specified to the respective ports of each service. I tried to forward 3389 to the server but unfortunately, no luck.

Here is my running config. Hopefully someone can shed some light on what I'm doing wrong. Any input regarding the other items I want to forward would be greatly appreciated too!! Thanks in advance!!

Setup:
INTERNET -> DSL MODEM -> CISCOASA -> Small Biz Server 2003 (IP: 192.168.1.10)

: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name companydomain
enable password O/4va7NOU8F5vh4C encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address isp.provided.staticIP.address 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name metalworld
access-list MWIRemote_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.192 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPool 192.168.1.200-192.168.1.225 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp isp.provided.staticIP https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp isp.provided.staticIP pop3 192.168.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp isp.provided.staticIP smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp isp.provided.staticIP 4125 192.168.1.10 4125 netmask 255.255.255.255
static (outside,inside) tcp 192.168.1.10 3389 isp.provided.staticIP 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 isp.provided.gateway.address 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server SBS protocol nt
aaa-server SBS host 192.168.1.10
 timeout 5
 nt-auth-domain-controller administration
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd dns 192.168.1.10 isp.provided.dns.address interface inside
dhcpd wins 192.168.1.10 interface inside
dhcpd lease 604800 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain companydomain interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy MWIRemote internal
group-policy MWIRemote attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10 isp.provided.dns.address
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MWIRemote_splitTunnelAcl
 default-domain value companydomain
tunnel-group MWIRemote type remote-access
tunnel-group MWIRemote general-attributes
 address-pool VPNPool
 authentication-server-group SBS
 default-group-policy MWIRemote
prompt hostname context
Cryptochecksum:d3232c6aab01870efd0ec88a8f499827
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
Cyclops3590:
Try this:

no static (inside,outside) tcp isp.provided.staticIP https 192.168.1.10 https netmask 255.255.255.255
no static (inside,outside) tcp isp.provided.staticIP pop3 192.168.1.10 pop3 netmask 255.255.255.255
no static (inside,outside) tcp isp.provided.staticIP smtp 192.168.1.10 smtp netmask 255.255.255.255
no static (inside,outside) tcp isp.provided.staticIP 4125 192.168.1.10 4125 netmask 255.255.255.255
no static (outside,inside) tcp 192.168.1.10 3389 isp.provided.staticIP 3389 netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.1.10 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-list outside-in permit tcp any interface outside eq https
access-list outside-in permit tcp any interface outside eq pop3
access-list outside-in permit tcp any interface outside eq smtp
access-list outside-in permit tcp any interface outside eq 4125
access-list outside-in permit tcp any interface outside eq 3389
Oops, this:
>>no static (outside,inside) tcp 192.168.1.10 3389 isp.provided.staticIP 3389 netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255

should be two lines:
no static (outside,inside) tcp 192.168.1.10 3389 isp.provided.staticIP 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
bradibutler (asker):
Cyclops3590:

Unfortunately that didn't work out for me (unless I did something stupid with the commands you provided which is highly possible!). For example, when trying to connect through Remote Desktop the ASDM Syslog says:
Inbound TCP connection denied from my.ip/62932 to isp.provided.static.ip/3389 flags SYN  on interface outside

: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name companydomain
enable password O/4va7NOU8F5vh4C encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address isp.provided.static.ip 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name companydomain
access-list outside-in extended permit tcp any interface outside eq https
access-list outside-in extended permit tcp any interface outside eq pop3
access-list outside-in extended permit tcp any interface outside eq smtp
access-list outside-in extended permit tcp any interface outside eq 4125
access-list outside-in extended permit tcp any interface outside eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.10 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 4125 192.168.1.10 4125 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 isp.provided.gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 192.168.1.10 142.163.127.60 interface inside
dhcpd wins 192.168.1.10 interface inside
dhcpd lease 604800 interface inside
dhcpd ping_timeout 500 interface inside
dhcpd domain companydomain interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b72e56e9447794dc08d78f30e418ca0
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

ASKER CERTIFIED SOLUTION by Cyclops3590 (the accepted answer's text is behind an account wall and is not included on this page)

bradibutler (asker):
Thanks Cyclops3590!!! Working like a charm!! Quick question though, does this set up seem secure to you? Or is it ok? Any suggestions?
Cyclops3590:

From what I can tell, yes. You are only allowing what you require. The only thing I'd change is the following:

access-list inside-in permit tcp host 192.168.1.10 any eq smtp
access-list inside-in deny tcp any any eq smtp
access-list inside-in permit ip any any
access-group inside-in in interface inside

By default you were allowing all traffic from the inside out anyway. All this does is ensure that only the mail server is allowed to send out email. The reason for this is that if a client somehow gets a mass-mailing worm on their computer, then it won't be able to send out the email and get your IP blacklisted, affecting everyone's ability to send out legitimate email.
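Added example (not from the thread, not Cisco tooling, and not the accepted answer's text): a small Python checker for the two things this thread turns on. First, the asker's second config defines the `outside-in` ACL but never binds it with `access-group`, so the outside interface's implicit deny still applies and the syslog shows the inbound SYN to 3389 denied; the standard ASA line `access-group outside-in in interface outside` is what fixes that, and I assume it is what the hidden accepted answer supplied. Second, the egress `inside-in` ACL in the last answer is first-match, so its order (permit the server, deny everyone else on 25, permit the rest) is what makes it work. The config string below is constructed from lines posted above; the client address 192.168.1.150 and the external mail host 198.51.100.25 are assumptions for the sample flows.

```python
"""ASA 8.0-style config consistency check (added example, not from the
thread).  Reports ACLs defined but never bound with access-group, static
PAT ports that no bound outside ACL permits, and evaluates an ACL first-match."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed excerpt of the asker's second config plus the final answer's
# egress ACL; only line types this checker understands are included.
# 'outside-in' is deliberately NOT bound, mirroring the posted config.
CONFIG = """\
access-list outside-in extended permit tcp any interface outside eq https
access-list outside-in extended permit tcp any interface outside eq 3389
access-list inside-in extended permit tcp host 192.168.1.10 any eq smtp
access-list inside-in extended deny tcp any any eq smtp
access-list inside-in extended permit ip any any
static (inside,outside) tcp interface https 192.168.1.10 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group inside-in in interface inside
"""
# Standard ASA syntax; assumed to be what the accepted (hidden) answer added.
FIX = "access-group outside-in in interface outside\n"

PORT_NAMES = {"https": 443, "smtp": 25, "pop3": 110, "http": 80}

def port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

@dataclass
class Ace:
    action: str
    proto: str
    src: object        # "any", an ip_network, or ("interface", name)
    dst: object
    dport: Optional[int]

def parse_addr(toks, i):
    t = toks[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    if t == "interface":
        return ("interface", toks[i + 1]), i + 2
    return ip_network(f"{t}/{toks[i + 1]}", strict=False), i + 2   # addr mask

def parse_ace(line):
    # access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]
    toks = line.split()
    i = 3 if toks[2] == "extended" else 2
    action, proto = toks[i], toks[i + 1]
    src, i = parse_addr(toks, i + 2)
    dst, i = parse_addr(toks, i)
    dport = port(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return toks[1], Ace(action, proto, src, dst, dport)

def parse_config(text):
    acls, groups, statics = {}, {}, []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[0] == "access-list":
            name, ace = parse_ace(line)
            acls.setdefault(name, []).append(ace)
        elif toks[0] == "access-group":      # access-group NAME in interface IFACE
            groups[toks[1]] = (toks[2], toks[4])
        elif toks[0] == "static" and toks[2] in ("tcp", "udp"):
            # static (real,mapped) PROTO MAPPED_ADDR MAPPED_PORT REAL_ADDR REAL_PORT ...
            statics.append((toks[2], port(toks[4]), toks[5], port(toks[6])))
    return acls, groups, statics

def unbound_acls(acls, groups):
    """Defined but never applied: the interface's implicit deny still wins."""
    return sorted(set(acls) - set(groups))

def unpermitted_statics(acls, groups, statics, outside="outside"):
    """Static PAT ports with no permit ACE on an ACL bound inbound on outside."""
    bound = [n for n, (d, i) in groups.items() if d == "in" and i == outside]
    permitted = {(a.proto, a.dport) for n in bound for a in acls[n]
                 if a.action == "permit"}
    return [(p, mp) for p, mp, _, _ in statics if (p, mp) not in permitted]

def match_addr(spec, ip, iface_ips):
    if spec == "any":
        return True
    if isinstance(spec, tuple):             # ("interface", name): the firewall's own address
        return iface_ips.get(spec[1]) == ip
    return ip_address(ip) in spec

def evaluate(aces, proto, src, dst, dport, iface_ips=None):
    """First matching ACE decides; no match at all means the implicit deny."""
    iface_ips = iface_ips or {}
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if match_addr(ace.src, src, iface_ips) and match_addr(ace.dst, dst, iface_ips):
            return ace.action
    return "deny"

def report(text=CONFIG):
    acls, groups, statics = parse_config(text)
    mx = "198.51.100.25"    # assumed external mail host for the sample flows
    return {
        "unbound_acls": unbound_acls(acls, groups),
        "statics_without_permit": unpermitted_statics(acls, groups, statics),
        "client_smtp_out": evaluate(acls["inside-in"], "tcp", "192.168.1.150", mx, 25),
        "server_smtp_out": evaluate(acls["inside-in"], "tcp", "192.168.1.10", mx, 25),
        "client_https_out": evaluate(acls["inside-in"], "tcp", "192.168.1.150", mx, 443),
    }

if __name__ == "__main__":
    print("as posted:", report())
    print("with fix: ", report(CONFIG + FIX))
```

The checker only tests consistency, not exposure: it will happily report the fixed config as clean even though it publishes RDP (3389) and cleartext POP3 (110) to `any`, which is a separate risk decision the thread does not revisit.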