Cisco ASA 5505 Config Help

Hi, I need some help setting up my ASA. I had it working for the longest time and haven't touched it, and now I cannot remember for the life of me how to get this working again.  Here is my setup.
Motorola Cable Modem - Dynamic IP address kept up to date with DDNS Service
Cisco ASA 5505 - plugged into Cable modem and receiving IP address
AD, DNS Server plugged into ASA device, receiving IP and able to access internet
My workstation plugged into ASA, receiving IP and able to access internet.

Problem: I am not able to get my Exchange routing properly through the ASA again.  OWA is not working, and SMTP via port 587 is not working either.  Please take a look at the config below and let me know what needs to be changed. I appreciate any and all help.

Goal is to be able to access servers from internal and external via RDP, hit OWA internal and external, and have SMTP working.

Thanks,
Brandon
Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(3)6 
!
hostname ciscoasa
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:dcf45bf5486274161463b2eb70c00bc8
: end

balinton Asked:
kparrent Commented:
Do you have port 443 opened?
0
balinton (Author) Commented:
In the ASA?  I set the route and assigned the ACL, so that should be fine. Am I missing something elsewhere?  I know Exchange and OWA work fine when the ASA is not in place, so it's with my current config.
0
lrmoore Commented:
What you have posted looks like it should be working.
Your access-list is correct
The access-list is applied to the interface correctly
The static port mappings are correct

>i had it working for the longest time and havent touched it
Obvious question is what changed? If you haven't touched the ASA, what about the server? Have you power cycled it?

>ASA Version 8.0(3)6
Highly recommend upgrading to a more recent version if you have CCO access or an active SmartNet contract.

>dhcpd address 192.168.1.2-192.168.1.33 inside
> dhcpd enable inside
If you have AD and local DNS, you need to provide the domain-name and the AD server IP for DNS in the dhcp scope unless you are statically assigning everything.

0
balinton (Author) Commented:
lrmoore, you actually got this working for me the first time around.
I had reracked all of my equipment and changed out the ASA for another device, which was horrible, so I put the ASA back in place and forgot what my password was, so I reset it back to factory, and this is the config that I have loaded back on it from what I could remember before.  I should have backed up the config.

I would love to upgrade but I do not have an active contract or CCO access.  If there is another way to get the upgrade package, let me know.

DHCP: how do I go about setting that up?

Thanks a lot for your help!
0
balinton (Author) Commented:
OK, I think I just screwed myself... :(  I found an upgrade and loaded it into my device for the ASA portion and forgot that you have to load the ASDM part as well.  Now I cannot access my device because I am getting the message below.  I know I need to load the ASDM upgrade to the device but I can't.  I don't have a COM port, so I can't connect to the console.  Any other options?

your asa image has a version number which is not supported by asdm
0
Pete Long, Technical Consultant, Commented:
If you didn't delete the ASDM image, switch back to it

connect and issue a "show flash" command

you should see the old ASDM image and the new one

e.g. (yours will be different!)

asdm512-k8.bin
asdm521-k8.bin

Here's one of my spares with 2 versions on....

ciscoasa(config)# show flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
6 6764544 Jan 01 2003 00:05:22 asa712-k8.bin
7 1868412 Jan 01 2003 00:05:48 securedesktop-asa-3.1.1.29-k9.pkg
8 398305 Jan 01 2003 00:06:04 sslclient-win-1.1.0.154.pkg
9 7495680 Apr 25 2007 14:41:54 asdm512-k8.bin
12 8312832 May 21 2007 13:29:08 asa722-k8.bin
13 5623108 May 21 2007 13:31:26 asdm-522.bin

then note the OLD version and issue an "asdm image" command that points to the OLD one


ciscoasa(config)# asdm image disk0:/asdm512-k8.bin
ciscoasa(config)# write mem
Building configuration...
Cryptochecksum: 6a88d6fc fef680b3 b86e1ae8 d768560f
1515 bytes copied in 3.700 secs (505 bytes/sec)
[OK]
ciscoasa(config)#

then you should be back on the old one again



0
balinton (Author) Commented:
I cannot log back in since the version I am running is not compatible with the version on the asa?
0
balinton (Author) Commented:
lrmoore, can you email me offline? I have a question to ask you.
Brandon_Linton@hotmail.com
0
Pete Long, Technical Consultant, Commented:
>>I cannot log back in since the version I am running is not compatible with the version on the asa?

Log in with the console cable? http://www.petenetlive.com/KB/Article/0000075.htm to CLI
0
balinton (Author) Commented:
Would love to but can't find the stinking cable... :(. Any other options?
0
balinton (Author) Commented:
OK, I just bought a new cable online; it should be here in a day or two so I can get back in and finish the rest.  I have upgraded the ASA to version 8.2.2 and will need to upgrade the ASDM to whatever version it comes with.  Is there any reason to go to version 8.3, or just stay at 8.2? I am reading online to just stay at 8.2 since it's so stable.
0
balinton (Author) Commented:
Do I have to have the ASDM image loaded on the device to connect, or could someone send me the compatible MSI version for 8.2 that I could install on my laptop, and would that then let me connect so I can upload the ASDM package?
0
lrmoore Commented:
OK, looked back at the old question...
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_24019834.html

>static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255
This should be as follows to get email working:
   static (inside,outside) tcp interface smtp 192.168.1.5 587 netmask 255.255.255.255
                                                           ^^

Even if you get the .msi installer for ASDM, I'm pretty sure the .bin file also has to be on the ASA. Unfortunately, I don't have an ASA in my lab to verify. Console access is probably your last best hope.

>Is there any reason to go to version 8.3 or just stay at 8.2
Stay at 8.2. For a minor release number, 8.3 is actually a total rewrite and everything changes.
0
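
An added example, not part of the thread or anyone's posted code: a small Python audit that pairs each `static (inside,outside) tcp interface` port forward in a config like the one posted with the `permit` entries of the ACL bound to the outside interface, listing what is reachable from the internet and any forward or permit that has no counterpart. The sample lines are copied from the posted config; the function name, report keys and port-name table are assumptions of this example.

```python
import re

# Lines copied from the config posted in the question (sample input).
SAMPLE = """\
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 587
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Assumption: only the port keywords used on this page are mapped.
PORT_NAMES = {"smtp": 25, "https": 443}
# Only the single-token source form (e.g. "any") seen in the post is parsed.
ACL = re.compile(r"access-list (\S+) extended permit tcp (\S+) interface (\S+) eq (\S+)")
STATIC = re.compile(r"static \((\S+),(\S+)\) tcp interface (\S+) (\S+) (\S+) netmask")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)")

def port(token):
    return PORT_NAMES.get(token) or int(token)

def audit(config, outside="outside"):
    """Pair outside-interface port forwards with the ACL bound to that interface."""
    acls, statics, bound = {}, [], None
    for line in map(str.strip, config.splitlines()):
        if (m := ACL.match(line)) and m[3] == outside:
            acls.setdefault(m[1], {})[port(m[4])] = m[2]      # port -> source
        elif (m := STATIC.match(line)) and m[2] == outside:
            statics.append((port(m[3]), m[4], port(m[5])))    # (outside port, host, host port)
        elif (m := GROUP.match(line)) and m[2] == outside:
            bound = m[1]                                      # ACL applied inbound
    permitted = acls.get(bound, {})
    mapped = [s[0] for s in statics]
    return {
        "exposed": sorted(s + (permitted[s[0]],) for s in statics if s[0] in permitted),
        "static_without_acl": sorted(p for p in mapped if p not in permitted),
        "acl_without_static": sorted(p for p in permitted if p not in mapped),
        "duplicate_outside_ports": sorted({p for p in mapped if mapped.count(p) > 1}),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Running it against a saved `show running-config` after every rebuild gives a quick list of which inside services the outside interface forwards and from which sources.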

balinton (Author) Commented:
Errr.... I just started snooping around a little deeper since everything seemed to be working well and noticed that my DDNS client was not working and my IP had changed, so no mail flow... :(  All is working fine except the fact that I cannot access my ASA because of the upgrade.  Thanks all for your help. I have a few more questions but I will start up some new questions for those, and hopefully the console cable will be delivered this week.
0