dannyrushton
How can I allow email to pass through our ASA 5510

Hello All,
I am trying to set up our ASA5510 to allow external email from our ISP to pass through and reach our Exchange Server (EXMS1). I have set up NAT for the Inside, Outside translation (78.xx.xx.101 -> 192.168.3.251) and set a rule on our "OUTSIDE_ACCESS_IN" access list to allow SMTP packets through. At present, the config doesn't seem to be working and the ASA is my first port of call as this is the most likely place there is a config error. Could anybody cast an expert eye over the config below and spot any potential issues?
Any input would be greatly appreciated.
Danny
ASA Version 7.0(8)
!
hostname ASA
domain-name xxx.org.uk
enable password xxx encrypted
passwd xxx encrypted
names
name 192.168.99.36 TRUSTHQDATA
name 192.168.99.35 OPTI
name 192.168.99.9 SFTP
name 192.168.99.10 WEBMAIL
name 192.168.0.66 CYH
name 192.168.3.251 EXMS1
name 192.168.3.254 DCHQ1
name 192.168.0.71 TRUSTPROXY
dns-guard
!
interface Ethernet0/0
 description Link to 10Mb Entanet Router
 nameif Outside
 security-level 0
 ip address 78.xx.xx.xx 255.255.255.224
!
interface Ethernet0/1
 nameif DMZ
 security-level 50
 ip address 192.168.99.33 255.255.255.224
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.0.43 255.255.252.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
banner motd &
banner motd #############################################################################
banner motd Corporate Firewall
banner motd THE PROGRAMS, DATA, AND COMPUTER SYSTEMS HELD ON THIS NETWORK ARE THE
banner motd PROPERTY OF us AND ARE LAWFULLY AVAILABLE TO
banner motd AUTHORISED USERS FOR AUTHORISED COMPANY PURPOSES ONLY.  ACCESS TO ANY
banner motd DATA OR PROGRAM MUST BE AUTHORISED BY THE COMPANY.  IT IS A CRIMINAL
banner motd OFFENCE TO ATTEMPT OR OBTAIN UNAUTHORISED ACCESS TO ANY COMPUTER SYSTEM,
banner motd PROGRAM, OR DATA IN, OR MAKE ANY UNAUTHORISED MODIFICATION TO THE
banner motd CONTENTS OF THIS NETWORK INFRASTRUCTURE.  OFFENDERS ARE LIABLE TO
banner motd CRIMINAL PROSECUTION UNDER THE COMPUTER MISUSE ACT.
banner motd PASSING THIS POINT IMPLIES THAT YOU HAVE READ AND UNDERSTOOD THIS NOTICE.
banner motd IF YOU ARE NOT AN AUTHORISED USER, DISCONNECT IMMEDIATELY!
banner motd #############################################################################
ftp mode passive
object-group network OUTLOOK_WEB_ACCESS
 network-object EXMS1 255.255.255.255
 network-object 192.168.3.252 255.255.255.255
 network-object DCHQ1 255.255.255.255
access-list DMZ_ACCESS_IN extended permit tcp any any eq www
access-list DMZ_ACCESS_IN extended permit tcp any eq 3389 any
access-list DMZ_ACCESS_IN extended permit tcp any eq 2179 any
access-list DMZ_ACCESS_IN extended permit icmp any any
access-list DMZ_ACCESS_IN extended permit icmp any any echo-reply
access-list DMZ_ACCESS_IN extended permit tcp any any eq https
access-list DMZ_ACCESS_IN extended permit udp host OPTI gt 1024 any
access-list DMZ_ACCESS_IN extended permit tcp host OPTI gt 1024 any
access-list DMZ_ACCESS_IN extended permit udp host OPTI eq netbios-dgm any
access-list DMZ_ACCESS_IN extended permit udp host OPTI eq netbios-ns any
access-list Inside_nat0_inbound extended permit ip any 192.168.0.52 255.255.255.252
access-list Inside_nat0_inbound_V1 extended permit ip any 192.168.0.48 255.255.255.248
access-list INSIDE_ACCESS_OUT extended permit tcp any eq www any
access-list INSIDE_ACCESS_OUT extended permit ip 192.168.99.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list INSIDE_ACCESS_OUT extended permit tcp any eq https any
access-list INSIDE_ACCESS_OUT extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any echo-reply
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.33.42.99 eq www
access-list OUTSIDE_ACCESS_IN extended permit tcp host 217.33.254.149 host 78.33.42.99 eq 3389
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list OUTSIDE_ACCESS_IN extended permit icmp any any echo-reply
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.xx.xx.100 eq www
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.xx.xx.100 eq https
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.xx.xx.99 eq https
access-list OUTSIDE_ACCESS_IN extended permit icmp any any traceroute
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.xx.xx.101 eq smtp
access-list INSIDE_ACCESS_IN extended permit ip any any
access-list INSIDE_OUTBOUND_NAT0_ACL extended permit ip 192.168.0.0 255.255.0.0 192.168.0.96 255.255.255.252
access-list OUTBOUND_NAT extended permit ip 192.168.0.0 255.255.0.0 192.168.0.52 255.255.255.252
!
pager lines 50
logging asdm debugging
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN_Pool 192.168.0.51-192.168.0.54
no failover
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 101 interface
nat (DMZ) 2 0.0.0.0 0.0.0.0
nat (Inside) 0 access-list Inside_nat0_inbound_V1 outside
nat (Inside) 101 0.0.0.0 0.0.0.0
static (DMZ,Outside) 78.xx.xx.99 OPTI netmask 255.255.255.255
static (Inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.252.0
static (Inside,Outside) 78.xx.xx.100 CYH netmask 255.255.255.255
static (Inside,Outside) 78.xx.xx.101 EXMS1 netmask 255.255.255.255
static (Inside,Outside) 78.xx.xx.102 DCHQ1 netmask 255.255.255.255
static (Inside,Outside) 78.xx.xx.103 WEBMAIL netmask 255.255.255.255
static (Inside,Outside) 78.xx.xx.104 TRUSTPROXY netmask 255.255.255.255
static (Inside,Outside) 78.xx.xx.105 SFTP netmask 255.255.255.255
access-group OUTSIDE_ACCESS_IN in interface Outside
access-group DMZ_ACCESS_IN in interface DMZ
access-group INSIDE_ACCESS_IN in interface Inside
route Outside 0.0.0.0 0.0.0.0 78.xx.xx.97 1
route Inside 192.168.0.0 255.255.0.0 192.198.0.1 1
!
router ospf 1
 network 192.168.99.32 255.255.255.224 area 0
 network 192.168.0.0 255.255.0.0 area 0
 network 0.0.0.0 0.0.0.0 area 0
 area 0
 log-adj-changes
 default-information originate
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (Inside) host 192.168.3.230
 timeout 5
 key 1nfl4mm4bl3
group-policy WrekinVPN_1 internal
group-policy WrekinVPN_1 attributes
 wins-server value 192.138.3.254 192.138.3.244
 dns-server value 192.138.3.254 192.138.3.244
 default-domain value wrekinhousingtrust.org.uk
 webvpn
group-policy WrekinVPN internal
http server enable
http 192.168.0.0 255.255.252.0 Inside
http 192.168.99.64 255.255.255.224 management
snmp-server host Inside 192.168.0.100 community public
snmp-server host Inside 192.168.3.219 community public
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map management_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map management_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map management_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group VPN type ipsec-ra
tunnel-group VPN general-attributes
 address-pool VPN_Pool
 authentication-server-group RADIUS2
 default-group-policy VPN_1
tunnel-group VPN ipsec-attributes
 pre-shared-key *
telnet 192.168.0.0 255.255.252.0 Inside
telnet timeout 10
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
webvpn
 enable Outside
Cryptochecksum:b44e3218bcd599cd666934ddc00cbc95
: end
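A cross-check of the NAT, ACL and route entries from the config above, written as an added example (it is not part of the original post, nor an answer from the thread): CONFIG is a constructed excerpt of the posted config, and the masked 78.xx.xx.* addresses are kept as posted and compared as literal strings.

```python
# Cross-check an ASA 7.x config excerpt: do the static NATs, the inbound ACL and routes agree?
# Added example, not from the post; CONFIG is a constructed subset of the posted config.
import ipaddress

CONFIG = """\
interface Ethernet0/2
 nameif Inside
 ip address 192.168.0.43 255.255.252.0
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.33.42.99 eq www
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 78.xx.xx.101 eq smtp
static (Inside,Outside) 78.xx.xx.101 EXMS1 netmask 255.255.255.255
static (Inside,Outside) 78.xx.xx.102 DCHQ1 netmask 255.255.255.255
route Inside 192.168.0.0 255.255.0.0 192.198.0.1 1
"""

def parse(config):
    """Collect interface subnets, statics (mapped -> real), inbound permits and routes."""
    ifaces, statics, permits, routes, nameif = {}, {}, [], [], None
    for f in (ln.split() for ln in config.splitlines() if ln.strip()):
        if f[0] == "nameif":
            nameif = f[1]
        elif f[:2] == ["ip", "address"] and nameif:   # masked Outside address would not parse
            ifaces[nameif] = ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False)
        elif f[0] == "static":                        # static (real,mapped) <mapped> <real> ...
            statics[f[2]] = f[3]
        elif f[:2] == ["access-list", "OUTSIDE_ACCESS_IN"] and "host" in f:
            dst = f[len(f) - f[::-1].index("host")]   # token after the last 'host' = destination
            permits.append((dst, f[-1]))
        elif f[0] == "route":                         # route <if> <net> <mask> <next hop> <metric>
            routes.append((f[1], f[4]))
    return ifaces, statics, permits, routes

def audit(config):
    ifaces, statics, permits, routes = parse(config)
    out = []
    for dst, port in permits:                         # permit without a translation: dead rule
        if dst not in statics:
            out.append(f"ACL permits {port} to {dst} but no static maps that address")
    for mapped, real in statics.items():              # translation without a permit: unreachable
        if mapped not in {d for d, _ in permits}:
            out.append(f"static {mapped}->{real} has no OUTSIDE_ACCESS_IN permit (info)")
    for ifname, nh in routes:                         # next hop must sit on the exit interface
        net = ifaces.get(ifname)
        if net and ipaddress.ip_address(nh) not in net:
            out.append(f"route next hop {nh} is not on {ifname} ({net})")
    return out

if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```

On this excerpt the SMTP static and its permit agree; the findings are the unmasked 78.33.42.99 entry with no matching static, the DCHQ1 static with no inbound permit, and the Inside route whose next hop lies outside the Inside subnet. Separately, `inspect esmtp` in global_policy constrains the SMTP dialogue, so it is worth reviewing once the packet path itself checks out.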
Last comment: Pete Long, 8/22/2022 (Mon)