?
Solved

Internal access to https & SMTP server after static Nat rules applied

Posted on 2008-11-19
2
Medium Priority
?
900 Views
Last Modified: 2012-05-05
I have applied two static NAT rules to my ASA 5510 to allow SMTP and HTTPS traffic to different  internal ip addresses. I can now access thes services externaly. However internal traffic is generating the following messages:
       portmap translation creation failed for tcp src inside:192.168.16.113/56267 dst inside:OWA/80
                 portmap translation creation failed for tcp src inside:192.168.16.9/2222 dst inside:SMTP/6805

this is generated when internal access is required to the mail server from outlook or web based access using Microsofts OWA client.

This is a reduced copy of my config

: Saved
:
ASA Version 8.0(3)
!
hostname ASA5510
domain-name misltd.local
enable password xRejrreNS5FwEE2d encrypted
names
name 192.168.16.4 FTP-HTTP description FTP-HTTP
name 192.168.16.11 OWA description Outlook Web Access
name 192.168.16.8 SMTP description Exchange Server
name 87.83.14.243 External-2 description Second External IP
name 87.83.14.244 External-3 description Third External IP
name 87.83.14.242 External-1 description First External IP
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address External-1 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.16.12 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name misltd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq www
object-group network Webroot
 description Webroot inbound mail servers
 network-object 194.116.198.0 255.255.254.0
 network-object 203.100.58.0 255.255.255.0
 network-object 208.87.136.0 255.255.254.0
access-list outside_access_in extended permit tcp any host External-2 object-group DM_INLINE_TCP_1 inactive
access-list outside_access_in extended permit tcp any host External-3 eq https
access-list outside_access_in extended permit tcp object-group Webroot host External-2 eq smtp
access-list VPN-Users_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.117.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.117.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.112.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.16.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.16.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.113.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.114.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.111.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.112.0 255.255.255.0
access-list VPN-Users_splitTunnelAcl_1 standard permit any
access-list outside_3_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.113.0 255.255.255.0
access-list outside_4_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_5_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.114.0 255.255.255.0
access-list outside_6_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.111.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN-Pool 192.168.16.205-192.168.16.210 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (outside,inside) tcp OWA https External-3 https netmask 255.255.255.255
static (outside,inside) tcp SMTP smtp External-2 smtp netmask 255.255.255.255
static (inside,outside) tcp External-2 smtp SMTP smtp netmask 255.255.255.255
static (inside,outside) tcp External-3 https OWA https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 87.83.14.241 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
ldap attribute-map CISCOMAP
dynamic-access-policy-record DfltAccessPolicy
aaa-server misltd protocol ldap
aaa-server misltd host 192.168.16.6
 ldap-base-dn dc=misltd,dc=local
 ldap-scope subtree
 ldap-naming-attribute samAccountName
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,dc=misltd,dc=local
 server-type microsoft
aaa authentication telnet console LOCAL
http server enable
http 192.168.16.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 78.86.109.149
crypto map outside_map0 1 set transform-set ESP-3DES-MD5
crypto map outside_map0 1 set nat-t-disable
crypto map outside_map0 1 set phase1-mode aggressive
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 83.104.191.233
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 3 match address outside_3_cryptomap
crypto map outside_map0 3 set pfs
crypto map outside_map0 3 set peer 78.86.108.125
crypto map outside_map0 3 set transform-set ESP-3DES-SHA
crypto map outside_map0 3 set nat-t-disable
crypto map outside_map0 4 match address outside_4_cryptomap
crypto map outside_map0 4 set peer 78.86.111.232
crypto map outside_map0 4 set transform-set ESP-3DES-SHA
crypto map outside_map0 4 set nat-t-disable
crypto map outside_map0 4 set phase1-mode aggressive
crypto map outside_map0 5 match address outside_5_cryptomap
crypto map outside_map0 5 set peer 62.49.141.61
crypto map outside_map0 5 set transform-set ESP-3DES-SHA
crypto map outside_map0 5 set nat-t-disable
crypto map outside_map0 5 set phase1-mode aggressive
crypto map outside_map0 6 match address outside_6_cryptomap
crypto map outside_map0 6 set pfs
crypto map outside_map0 6 set peer 62.49.129.117
crypto map outside_map0 6 set transform-set ESP-3DES-SHA
crypto map outside_map0 6 set nat-t-disable
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.16.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.16.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.100-192.168.2.200 management
dhcpd dns 192.168.16.12 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
ntp authenticate
ntp server 192.168.16.6 source inside prefer
ntp server 192.168.16.7 source inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 192.168.16.6 192.168.16.7
 dns-server value 192.168.16.6 192.168.16.7
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value misltd.local
group-policy VPN-Users internal
group-policy VPN-Users attributes
 wins-server value 192.168.16.6 192.168.16.7
 dns-server value 192.168.16.6 192.168.16.7
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Users_splitTunnelAcl
 default-domain value misltd.local
username misadmin password FE9WV/Qmp1SHPUvH encrypted privilege 15
username g.kirby password BwsT2MWdgjYb/uMV encrypted privilege 0
username g.kirby attributes
 vpn-group-policy VPN-Users
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 78.86.109.149 type ipsec-l2l
tunnel-group 78.86.109.149 ipsec-attributes
 pre-shared-key *
tunnel-group 83.104.191.233 type ipsec-l2l
tunnel-group 83.104.191.233 ipsec-attributes
 pre-shared-key *
tunnel-group VPN-Users type remote-access
tunnel-group VPN-Users general-attributes
 address-pool VPN-Pool
 authentication-server-group misltd
 default-group-policy VPN-Users
tunnel-group VPN-Users ipsec-attributes
 pre-shared-key *
tunnel-group 78.86.108.125 type ipsec-l2l
tunnel-group 78.86.108.125 ipsec-attributes
 pre-shared-key *
tunnel-group 78.86.111.232 type ipsec-l2l
tunnel-group 78.86.111.232 ipsec-attributes
 pre-shared-key *
tunnel-group 62.49.141.61 type ipsec-l2l
tunnel-group 62.49.141.61 ipsec-attributes
 pre-shared-key *
tunnel-group 62.49.129.117 type ipsec-l2l
tunnel-group 62.49.129.117 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7db74770f11fd56cc08e5078478063b0
: end
asdm image disk0:/asdm-603.bin
asdm location FTP-HTTP 255.255.255.255 inside
asdm location SMTP 255.255.255.255 inside
asdm location OWA 255.255.255.255 inside
asdm location External-2 255.255.255.255 inside
asdm location External-3 255.255.255.255 inside
asdm history enable

0
Comment
Question by:MISLtd
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22993861
Remove these. Since you are going to the OWA/SMTP addresses directly, you don't need them.

static (outside,inside) tcp OWA https External-3 https netmask 255.255.255.255
static (outside,inside) tcp SMTP smtp External-2 smtp netmask 255.255.255.255


0
 
LVL 1

Author Comment

by:MISLtd
ID: 22993930
That worked well, it's a shame that Cisco tec support did not meet the same standard.

Thanks for your help
0

Featured Post

The IT Degree for Career Advancement

Earn your B.S. in Network Operations and Security and become a network and IT security expert. This WGU degree program curriculum was designed with tech-savvy, self-motivated students in mind – allowing you to use your technical expertise, to address real-world business problems.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month15 days, 10 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question