Solved

Cisco ASA 5505 initial config

Posted on 2010-01-12
Last Modified: 2012-08-13
Having trouble with the initial config of an ASA 5505.  Can't browse the Internet from clients pointing to my internal DNS server (which has ISP forwarders setup).  Seems to be a DNS issue, but who knows?  Also doesn't look like mail is coming in.  Any help would be appreciated.
Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.194 255.255.255.192 
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list mailserver extended permit tcp any host *.*.*.196 eq smtp 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 *.*.*.195-*.*.*.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.196 192.168.1.7 netmask 255.255.255.255 
access-group mailserver in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
!
prompt hostname context 
Cryptochecksum:22d971d7b43e72381b3268558f81126f
: end

Question by:bwander
28 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26300118
I saw that you have
access-group mailserver
used, but I don't see it defined anywhere?

Author Comment

by:bwander
ID: 26300137
I have access-list mailserver extended permit tcp any host *.*.*.196 eq smtp

Is that not what I need?
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26300223
Sorry, I missed that.

In that case, I do not see an obvious problem with your config. We need to do some troubleshooting. Please post the output of:

sh xla
sh route

Author Comment

by:bwander
ID: 26300241
Result of the command: "sh xla"

12 in use, 12 most used
Global *.*.*.196 Local 192.168.1.7
Global *.*.*.195 Local 192.168.1.6
Global *.*.*.197 Local 192.168.1.8
Global *.*.*.200 Local 192.168.1.10
Global *.*.*.201 Local 192.168.1.11
Global *.*.*.205 Local 192.168.1.12
Global *.*.*.200 Local 192.168.1.141
Global *.*.*.195 Local 192.168.1.12
Global *.*.*.198 Local 192.168.1.9
Global *.*.*.199 Local 192.168.1.11
Global *.*.*.196 Local 192.168.1.6
Global *.*.*.197 Local 192.168.1.8

Author Comment

by:bwander
ID: 26300244
Result of the command: "sh route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is *.*.*.193 to network 0.0.0.0

C    *.*.*.192 255.255.255.192 is directly connected, outside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via *.*.*.193, outside
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26300397
Everything looks right to me.

Try to ping these from any PC on the inside network:

ping 192.168.1.1
ping *.*.*.193
ping 4.2.2.2
ping google.com
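An added example, not part of the thread, that automates the ping ladder suggested in the comment above. Each rung that fails points at a different layer: the ASA inside interface (LAN), the ISP gateway (outside interface and default route), a public IP (NAT) and finally a DNS name (resolution). 203.0.113.193 is an assumed stand-in for the masked *.*.*.193 and the rung explanations are this example's own; the `probe` function is injectable so the decision logic can be exercised without a network.

```python
import subprocess

# The four rungs in the order the thread suggests. 203.0.113.193 stands in for the
# masked ISP gateway *.*.*.193 (an assumption made for this example).
LADDER = [
    ("lan", "192.168.1.1",
     "the ASA inside interface does not answer: cabling, VLAN or client IP settings"),
    ("gateway", "203.0.113.193",
     "inside OK but the ISP gateway does not answer: outside interface or default route"),
    ("internet", "4.2.2.2",
     "gateway OK but a public IP does not answer: global/NAT pool or upstream routing"),
    ("dns", "www.google.com",
     "IP connectivity OK but a name fails: resolver or forwarder configuration"),
]


def icmp_probe(target, timeout=3):
    """One ICMP echo via the system ping (Unix-style flags assumed); False on any failure."""
    try:
        r = subprocess.run(["ping", "-c", "1", target], stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=timeout)
        return r.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def diagnose(probe=icmp_probe, ladder=LADDER):
    """Climb the ladder in order; return (stage, explanation) for the first rung that fails."""
    for stage, target, meaning in ladder:
        if not probe(target):
            return stage, f"{target}: {meaning}"
    return "ok", "all rungs answered; look above the network layer (mail server, MX, ACL)"


if __name__ == "__main__":
    print(diagnose())
```

A rung that does not answer can also mean the target filters ICMP, so read a failure as where to look next rather than as proof; the accepted answer that follows works on the third rung (the global/NAT pool).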
 
LVL 32

Accepted Solution

by:rsivanandan (earned 2000 total points)
ID: 26301517
>>global (outside) 1 *.*.*.195-*.*.*.254 netmask 255.255.255.0


Remove the above statement and put in this:

global (outside) 1 interface

Then try the following, in that order.

ping 4.2.2.2

ping www.google.com

Once it works, then we can look at the mail server stuff.

Cheers,
rsivanandan
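Why the original `global` line deserved to go, as an added example that is not part of the thread: it declares the pool with netmask 255.255.255.0 while the outside interface is a /26, and the range .195-.254 includes .196, the address the `static` reserves for the mail server; the `sh xla` output above indeed shows *.*.*.196 translated for both 192.168.1.7 and 192.168.1.6. `global (outside) 1 interface` avoids both issues by PATing everything behind the outside interface address, which cannot overlap a static. The checker below tests those conditions against a constructed fragment in which the masked block is replaced by 203.0.113.192/26 (an assumption), and flags `sh xlate` globals shared by more than one inside host. One unrelated caveat for anyone copying the posted config: the `passwd` and `enable password` hashes shown are the stock ASA defaults (Telnet password "cisco" and an empty enable password) and should be changed.

```python
import ipaddress
import re

# Constructed config fragment for this example (not the poster's real config): the
# masked public block *.*.*.192/26 is stood in for by 203.0.113.192/26, an assumption.
ORIGINAL_NAT = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.194 255.255.255.192
global (outside) 1 203.0.113.195-203.0.113.254 netmask 255.255.255.0
static (inside,outside) 203.0.113.196 192.168.1.7 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.193 1
"""
# The accepted answer's change: PAT on the outside interface address instead of a pool.
FIXED_NAT = ORIGINAL_NAT.replace(
    "global (outside) 1 203.0.113.195-203.0.113.254 netmask 255.255.255.0",
    "global (outside) 1 interface")


def parse_nat(cfg):
    """Pull out the pieces of a pre-8.3 ASA NAT config that have to agree with each other."""
    m = re.search(r"nameif outside\n(?: .*\n)*? ip address (\S+) (\S+)", cfg)
    outside = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    pools = []
    pat = r"^global \(outside\) \d+ (interface|[\d.]+(?:-[\d.]+)?)(?: netmask (\S+))?"
    for g in re.finditer(pat, cfg, re.M):
        if g.group(1) == "interface":
            pools.append(("interface", outside.ip, outside.ip, None))
            continue
        lo, _, hi = g.group(1).partition("-")
        plen = ipaddress.ip_network(f"0.0.0.0/{g.group(2)}").prefixlen if g.group(2) else None
        pools.append(("pool", ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo), plen))
    statics = [ipaddress.ip_address(s) for s in
               re.findall(r"^static \(inside,outside\) (?:tcp |udp )?([\d.]+) ", cfg, re.M)]
    gw = re.search(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 ([\d.]+)", cfg, re.M)
    return {"outside": outside, "pools": pools, "statics": statics,
            "gateway": ipaddress.ip_address(gw.group(1)) if gw else None}


def check_nat(cfg):
    """Return the NAT problems a reviewer would flag; an empty list means clean."""
    n = parse_nat(cfg)
    net = n["outside"].network
    problems = []
    for kind, lo, hi, plen in n["pools"]:
        if kind == "interface":
            continue  # PAT on the interface address cannot collide with a static or the gateway
        if plen is not None and plen != net.prefixlen:
            problems.append(f"pool netmask /{plen} disagrees with the outside interface /{net.prefixlen}")
        if lo not in net or hi not in net:
            problems.append(f"pool {lo}-{hi} is not within the outside subnet {net}")
        for s in n["statics"]:
            if lo <= s <= hi:
                problems.append(f"pool {lo}-{hi} contains static address {s}; "
                                "dynamic NAT will hand it to other inside hosts as well")
        for label, a in (("outside interface", n["outside"].ip), ("default gateway", n["gateway"])):
            if a is not None and lo <= a <= hi:
                problems.append(f"pool {lo}-{hi} contains the {label} address {a}")
    return problems


# Constructed 'sh xlate' lines mirroring the shape of the ones posted in the thread.
SAMPLE_XLATE = """\
Global 203.0.113.196 Local 192.168.1.7
Global 203.0.113.195 Local 192.168.1.6
Global 203.0.113.196 Local 192.168.1.6
Global 203.0.113.200 Local 192.168.1.10
Global 203.0.113.200 Local 192.168.1.141
"""


def xlate_conflicts(text):
    """Map each global address to the inside hosts using it; return those shared by more than one."""
    seen = {}
    for g, l in re.findall(r"^Global ([\d.]+) Local ([\d.]+)", text, re.M):
        seen.setdefault(g, set()).add(l)
    return {g: sorted(ls) for g, ls in seen.items() if len(ls) > 1}


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_NAT), ("fixed", FIXED_NAT)):
        print(name, check_nat(cfg) or "clean")
    print(xlate_conflicts(SAMPLE_XLATE))
```

The check is deliberately syntactic: it does not decide whether a given ISP routes the whole /26 to the ASA, only whether the `global`, `static`, interface and default-route lines can all be true at once, which is the first thing to establish before touching the mail server rules.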

Author Comment

by:bwander
ID: 26307276
Thanks for the suggestions.  I'll try after hours today and let you know.

Author Comment

by:bwander
ID: 26309738
removed previous global command and entered new command: global (outside) 1 interface

DNS is working now and browsing the Internet from clients works, but...

Browsing the Internet from 192.168.1.6, .7 and .8 does not work; these are servers.

Mail is still not working

Author Comment

by:bwander
ID: 26310185
OK, I removed the other static NAT junk and Internet browsing works fine everywhere.
So, working on email: right now outbound works great, inbound does NOT work.
I also tried to allow www and https to the internal Exchange server and that is NOT working either.
The MX record for my server points to the *.*.*.196 address, btw. The outside interface on the ASA is *.*.*.194. Not sure what I have to do to accommodate that.
Posted the current running config:

Thanks again for the help
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name domain.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.194 255.255.255.192 
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 207.207.0.3
 domain-name domain.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group service Blackberry tcp
 port-object eq 3101
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq https 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.7 https netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
!
prompt hostname context 
Cryptochecksum:6c82a03dcfe4fd6bfeb603c1d48695b6
: end

 
LVL 32

Expert Comment

by:rsivanandan
ID: 26310401
Okay, so far so good. Now let's look at the email server:

static (inside,outside) tcp interface smtp 192.168.1.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.7 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.7 www netmask 255.255.255.255

access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https

Remove all the above because it is not correct, and add the following; that should get your email working as well:

static (inside,outside) tcp *.*.*.196 smtp 192.168.1.7 smtp netmask 255.255.255.255
static (inside,outside) tcp *.*.*.196 https 192.168.1.7 https netmask 255.255.255.255
static (inside,outside) tcp *.*.*.196 www 192.168.1.7 www netmask 255.255.255.255

access-list outside_access_in extended permit tcp any *.*.*.196 eq smtp
access-list outside_access_in extended permit tcp any *.*.*.196 eq www
access-list outside_access_in extended permit tcp any *.*.*.196 eq https

access-group outside_access_in in interface outside

Cheers,
rsivanandan

Author Comment

by:bwander
ID: 26320382
I will make those changes and get back with you.  Thanks.

Author Comment

by:bwander
ID: 26353970
When entering the access-list commands I get an error, "ERROR: % Invalid Hostname", with the ^ symbol under the "eq" in the command.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26356062
Not clear; it is the same access-list that you have, but limiting access only to *.*.*.196. Can you post the error here?

Cheers,
rsivanandan

Author Comment

by:bwander
ID: 26360943
I can tell you replacing the *.196 with any is accepted.  I'll post the error, but it's exactly as I described.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26366218
Do you mean '*.196'?

No, no. Put in the full IP address; I meant to replace * with the respective octet. Since you haven't posted it I do not know.

Cheers,
rsivanandan

Author Comment

by:bwander
ID: 26369720
The command includes the full IP address, no stars. When I replace the full IP address with any, the command is accepted.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26371457
This is strange.

After you put the below;

access-list outside_access_in extended permit tcp any ?

when you put a question mark as above, what are all the options?

Cheers,
rsivanandan

Author Comment

by:bwander
ID: 26372248
Result of the command: "access-list outside_access_in extended permit tcp any *.*.*.196 eq smtp"

access-list outside_access_in extended permit tcp any *.*.*.196 eq smtp
                                                                ^
ERROR: % Invalid Hostname

Author Comment

by:bwander
ID: 26372263
Result of the command: "access-list outside_access_in extended permit tcp any ?"

configure mode commands/options:
  Hostname or A.B.C.D  Destination IP address
  any                  Abbreviation for destination address and mask of 0.0.0.0
                       0.0.0.0
  eq                   Port equal to operator
  gt                   Port greater than operator
  host                 Use this keyword to configure destination host
  interface            Use interface address as destination address
  lt                   Port less than operator
  neq                  Port not equal to operator
  object-group         Optional service object-group name for source port or
                       network object-group for destination address
  range                Port range operator

Author Comment

by:bwander
ID: 26372481
access-list outside_access_in extended permit tcp any *.*.*.196 255.255.255.255 eq smtp

This command was accepted. Does it need a netmask and if so, is this correct?

Author Comment

by:bwander
ID: 26374882
I happened to do a show run after entering the command above and found this:

access-list outside_access_in extended permit tcp any host *.*.*.196 eq smtp

It has included "host" before the destination IP, although I didn't type that in the command, I used the IP and the netmask.

Is this what was missing, or does adding host or a netmask make it incorrect?
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26377008
Oh yeah, that is what I missed. The 'host' or the mask is okay and is correct now (I haven't been working on Cisco for more than 3 years now :-)).

After that, does the email work?

Cheers,
rsivanandan
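The grammar point behind the error, as an added example that is not part of the thread: in an extended ACE a bare A.B.C.D must be followed by a mask, so after `*.*.*.196` the ASA parser expects a mask and rejects `eq`; `host A.B.C.D` and `A.B.C.D 255.255.255.255` are equivalent, and the ASA writes both back as `host`, which is what the poster saw in `show run`. The checker below encodes those rules and normalises ACEs the same way; 203.0.113.196 is an assumed stand-in for the masked address and the error wording is this example's own. One version caveat worth keeping in mind: on 7.2, and on anything before 8.3, an ACL applied to the outside interface matches the translated (global) address, which is why `any -> *.*.*.196` is the right destination here; from 8.3 onward the same ACL matches the real inside address instead.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}


class AceSyntaxError(ValueError):
    """Raised where the ASA CLI would print an '% Invalid ...' error and refuse the line."""


def _take_address(tokens, i, role):
    """Consume one source/destination spec at tokens[i]; return (canonical text, next index)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "interface", "object-group"):
        if i + 1 >= len(tokens):
            raise AceSyntaxError(f"{role}: '{t}' needs an argument")
        return f"{t} {tokens[i + 1]}", i + 2
    if IPV4.match(t):
        # A bare address is 'A.B.C.D mask': the next token is parsed as the mask, so
        # '... 203.0.113.196 eq smtp' fails on 'eq' exactly as the thread shows.
        if i + 1 >= len(tokens) or not IPV4.match(tokens[i + 1]):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "<end of line>"
            raise AceSyntaxError(f"{role}: bare address {t} needs 'host {t}' or '{t} <mask>', "
                                 f"got '{nxt}' where the mask should be")
        mask = tokens[i + 1]
        # The ASA stores a /32 mask as 'host', which is what the poster saw in 'show run'.
        return (f"host {t}" if mask == "255.255.255.255" else f"{t} {mask}"), i + 2
    raise AceSyntaxError(f"{role}: unrecognised address token '{t}'")


def _take_port(tokens, i):
    """Consume an optional port operator at tokens[i]; return (text or '', next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 2 if tokens[i] == "range" else 1
        if i + n >= len(tokens):
            raise AceSyntaxError(f"'{tokens[i]}' needs {n} argument(s)")
        return " ".join(tokens[i:i + n + 1]), i + n + 1
    return "", i


def normalize_ace(line):
    """Validate one extended ACE and return it the way the ASA would write it back."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise AceSyntaxError("expected: access-list NAME extended permit|deny PROTO SRC DST [op PORT]")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    if action not in ("permit", "deny"):
        raise AceSyntaxError(f"action must be permit or deny, got '{action}'")
    src, i = _take_address(tokens, 5, "source")
    sport, i = _take_port(tokens, i)          # optional source-port operator
    if i >= len(tokens):
        raise AceSyntaxError("destination missing")
    dst, i = _take_address(tokens, i, "destination")
    dport, i = _take_port(tokens, i)          # optional destination-port operator
    if i != len(tokens):
        raise AceSyntaxError(f"unexpected trailing token '{tokens[i]}'")
    parts = ["access-list", name, "extended", action, proto, src, sport, dst, dport]
    return " ".join(p for p in parts if p)


def check_acl(lines):
    """Return [(original line, canonical form or error message)] for a batch of ACEs."""
    out = []
    for line in lines:
        try:
            out.append((line, normalize_ace(line)))
        except AceSyntaxError as e:
            out.append((line, f"ERROR: {e}"))
    return out


if __name__ == "__main__":
    # The three spellings that came up in the thread, with the masked address assumed.
    for line, result in check_acl([
        "access-list outside_access_in extended permit tcp any 203.0.113.196 eq smtp",
        "access-list outside_access_in extended permit tcp any 203.0.113.196 255.255.255.255 eq smtp",
        "access-list outside_access_in extended permit tcp any host 203.0.113.196 eq smtp",
    ]):
        print(f"{line}\n  -> {result}")
```

Running the three lines from the thread through `check_acl` reproduces the outcome the poster observed: the bare-address form is rejected, and the mask form and the `host` form both normalise to the same `host` line.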

Author Comment

by:bwander
ID: 26377083
I will try and let you know.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 26377553
That should be it. Anyway, I will wait to hear from you.

Cheers,
rsivanandan

Author Comment

by:bwander
ID: 26469761
Inbound email still isn't working.  Outbound works fine.

Author Comment

by:bwander
ID: 26469771
Outside interface is configured with *.*.*.194/26 and permit statement for mail server uses *.*.*.196

Is this ok?

Author Comment

by:bwander
ID: 26479185
Email is working now.

Thanks for the help