rperault asked:
Configure an ASA for Telnet on port 25

OK... I know I am doing this right, but I could be wrong.

I have a Cisco ASA 5510

On the network I have an Exchange server with the internal IP address 192.168.151.42. This is a new server that I am working on adding to the network. Our spam filtering service uses port 25 to telnet on. What I need to do is telnet to the firewall and, using NAT, pass the data on to the Exchange server. So if someone could do me a favor and give me all the commands I would have to enter to get this completed.

I need the following:
NAT for the Exchange server (IP address 192.168.151.42) from an external IP, 72.35.10.51 (only an example, not the real IP address)
Open ports 80, 25, 443, 110
Allow telnet on port 25.

Please help me out, because it's driving me nuts.

Thanks

ASKER CERTIFIED SOLUTION
Jimmy Larsson, CISSP, CEH
This solution is only available to members.
rperault (ASKER):

OK, so that's all I would need. I have removed everything I did, including my NATs and ACLs, anything that had to do with the Exchange server. I am starting with a clean slate when it comes to this project. If I enter those command lines, that should be all I need?
Here is the response I got when adding the command lines:

Result of the command: "object-group service MAIL"

The command has been sent to the device


Result of the command: "service-object tcp eq www"

Adding obj (service-object tcp eq www ) to grp (MAIL) failed; object already exists


Result of the command: "service-object tcp eq smtp"

Adding obj (service-object tcp eq smtp ) to grp (MAIL) failed; object already exists


Result of the command: "service-object tcp eq https"

Adding obj (service-object tcp eq https ) to grp (MAIL) failed; object already exists


Result of the command: "service-object tcp eq pop3"

Adding obj (service-object tcp eq pop3 ) to grp (MAIL) failed; object already exists


Result of the command: "access-l OUTSIDE ext permit object-group MAIL any host 72.35.10.51"

The command has been sent to the device


Result of the command: "access-group OUTSIDE interface outside"

access-group OUTSIDE interface outside
                       ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "static (inside,outside) 72.35.10.51 192.168.151.42"

ERROR: duplicate of existing static
  inside:192.168.151.42 to outside:192.168.151.42 netmask 255.255.255.255

It looks like you have done this multiple times, because it complains that there already is an identical object-group.

Regarding the access-group-command, it should be:

"access-group OUTSIDE in interface outside"

But are you sure you are not destroying anything now? If you just send those commands to the unit with ASDM without knowing about the existing "access-group" commands, you will most probably kill a working configuration. If you want to know exactly which commands to paste, without requiring deeper knowledge on your part, you must paste your current configuration here.

/Kvistofta.

Change the ACL:

access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 25
access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 80
access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 110
access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 443
If you open the ports on the server, these ports are the destination, not the source.

Here is my current configuration.


:
ASA Version 8.2(1)
!
hostname saf001
domain-name default.domain.invalid
enable password 5nvFrY5HdpjUlhi. encrypted
passwd 5nvFrY5HdpjUlhi. encrypted
names
name 192.168.151.9 Fileserver
name 000.000.000.000 lsf001
name 000.000.000.000 sainf001
name 192.168.151.73 Exchange
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 000.000.000.000 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.151.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 192.168.152.1 255.255.255.0
!
interface Ethernet0/3
 nameif backup
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa722-19-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service RDP tcp
 port-object eq telnet
object-group service MAIL
 service-object tcp eq www
 service-object tcp eq smtp
 service-object tcp eq https
 service-object tcp eq pop3
access-list no_nat extended permit ip 192.168.151.0 255.255.255.0 172.16.151.0 255.255.255.0
access-list no_nat extended permit ip 192.168.151.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_to_lsc extended permit ip 192.168.151.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpn_to_saindia extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.151.0 255.255.255.0 172.16.151.0 255.255.255.0
access-list Split standard permit 192.168.151.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.151.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 000.000.000.000 echo-reply
access-list outside_access_in extended permit icmp any host 000.000.000.000 traceroute
access-list outside_access_in extended permit icmp any host 000.000.000.000 time-exceeded
access-list outside_access_in extended permit icmp any host 000.000.000.000 source-quench
access-list outside_access_in extended permit tcp any host 000.000.000.000 eq h323
access-list outside_access_in extended permit tcp any host 000.000.000.000 range 3230 3235
access-list outside_access_in extended permit udp any host 000.000.000.000 range 3220 3253
access-list outside_access_in extended permit ip any host 000.000.000.000
access-list outside_access_in extended permit icmp any host 000.000.000.000
access-list backup_access_in extended permit icmp any host 000.000.000.000 echo-reply
access-list backup_access_in extended permit icmp any host 000.000.000.000 traceroute
access-list backup_access_in extended permit icmp any host 000.000.000.000 time-exceeded
access-list backup_access_in extended permit icmp any host 000.000.000.000 source-quench
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended deny ip any 192.168.151.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list internal-out extended permit icmp any any echo-reply
access-list internal-out extended permit icmp any any time-exceeded
access-list internal-out extended permit icmp any any unreachable
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging history informational
logging asdm informational
logging facility 17
logging host inside 192.168.151.77
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu management 1500
ip local pool vpnpool 000.000.000.000-000.000.000.000 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.152.0 255.255.255.0
static (outside,outside) tcp Fileserver 3389 Fileserver 3389 netmask 255.255.255.255
static (dmz,outside) 000.000.000.000 192.168.152.10 netmask 255.255.255.255
static (dmz,outside) 192.168.5.5 172.16.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.151.0 192.168.151.0 netmask 255.255.255.0
static (inside,outside) 192.168.151.42 192.168.151.42 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 69.38.165.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record vpnClients
 description "match to Domain logon"
 priority 500
aaa-server LDAP-to-DC protocol ldap
aaa-server LDAP-to-DC (inside) host Fileserver
 ldap-base-dn DC=hidden,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=samanager,CN=Users,DC=hidden,DC=com
 server-type microsoft
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.151.0 255.255.255.0 inside
snmp-server host inside 192.168.151.77 community n0tpub11c version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set 3des-sha
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpnmap 10 match address vpn_to_lsc
crypto map vpnmap 10 set peer lsf001
crypto map vpnmap 10 set transform-set 3des-sha
crypto map vpnmap 15 match address vpn_to_saindia
crypto map vpnmap 15 set peer sainf001
crypto map vpnmap 15 set transform-set 3des-sha
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
crypto map backupvpnmap 10 match address vpn_to_lsc
crypto map backupvpnmap 10 set peer lsf001
crypto map backupvpnmap 10 set transform-set 3des-sha
crypto map backupvpnmap 20 ipsec-isakmp dynamic dynmap
crypto map backupvpnmap interface backup
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 3600
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 192.168.151.77 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.151.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 backup
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside
webvpn
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 192.168.151.77
 dns-server value 192.168.151.77
 vpn-simultaneous-logins 10
 vpn-idle-timeout 20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value smartanalyst.com
 backup-servers 000.000.000.000
username admin password ouw0VSB7F/7IddfL encrypted
username Rwillemin password uMxDA6PHXg5Kl2Z4 encrypted
username ritadmin password KwLDWmz3JZopPuHd encrypted privilege 15
username managedtech password 1E9KZubrnJFUF0Gs encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP-to-DC
tunnel-group 000.000.000.000 type ipsec-l2l
tunnel-group 000.000.000.000 ipsec-attributes
 pre-shared-key *
tunnel-group 000.000.000.000 type ipsec-l2l
tunnel-group 000.000.000.000 ipsec-attributes
 pre-shared-key *
tunnel-group sa-vpnclient type remote-access
tunnel-group sa-vpnclient general-attributes
 address-pool vpnpool
 authentication-server-group LDAP-to-DC
 default-group-policy clientgroup
tunnel-group sa-vpnclient ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group Remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e79b633607e6b76d418396cf22e3d10
: end
asdm image disk0:/asdm-621.bin
asdm history enable

Of course. Sorry for the typo. I still recommend using object-groups instead of individual ACEs for each port.

/Kvistofta

So what's the consensus?
Everything I am being told so far I have already done. I built the firewall from scratch 2 years ago, and many like it, but this one is a bit different.

You have your static in place and you have created the object-group containing the 4 ports you want to open. You just need to add this to your config:

access-list outside_access_in extended permit object-group MAIL any host 72.35.10.51

/Kvistofta
Or, if you are unfamiliar with the CLI, use ASDM. At the end of your rule-set for inbound traffic, allow traffic from anyone destined to your mail server's public IP, and select the object-group MAIL as the service.

/Kvistofta

So should I use objects instead of ACEs?

ACE = line in an ACL
ACL = access-list
Object-group = definition of hosts or ports to be used in the ACE.

You need to add an ACE (either from cli or asdm) to allow traffic as follows:
from: any
to: your mail server's PUBLIC IP
Services: the 4 tcp ports specified above.

Either you do 4 different lines as stated above with 4 different ports, or you create an object-group containing those 4 ports and make one single ace that references the object group containing those 4 ports.

Object-groups don't add functionality. They are just a way to make the configuration easier to read and manage. I see that you have repetitive lines where you allow certain ICMP traffic in your ACL. You could "bundle" them into an object-group instead to shorten the ACL so that it is more human-readable.

But for this case, if this confuses you, you can just copy the 4 lines that DonJ posted above. It will have the same effect.

/Kvistofta
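The thread's pieces put together as one command set, as an added example that is not part of any post above. It relies only on what the thread shows: the mail server's existing static is an identity translation (192.168.151.42 to itself), which is why the static to the public address was rejected as a duplicate; object-group MAIL already exists; the ACL actually bound to the outside interface is outside_access_in, not OUTSIDE; and, as the device accepted in "access-l OUTSIDE ext permit object-group MAIL any host ...", a service object-group without a protocol occupies the protocol position of the ACE. Assumptions: ASA 8.2 (pre-8.3 NAT syntax), 72.35.10.51 as the placeholder public address from the question, and 198.51.100.10 as an arbitrary documentation address used only for the packet-tracer check. Note that the `name 192.168.151.73 Exchange` entry in the pasted configuration refers to a different address, so the new server's address is written literally.

```cisco
! Added example; assumes ASA 8.2 (pre-8.3 NAT syntax) and that 72.35.10.51
! stands in for the real public address, as in the question.
!
! 1. The existing static is an identity translation (192.168.151.42 to itself),
!    which is why "static (inside,outside) 72.35.10.51 192.168.151.42" was
!    rejected as a duplicate. Replace it, then drop any stale translation.
no static (inside,outside) 192.168.151.42 192.168.151.42 netmask 255.255.255.255
static (inside,outside) 72.35.10.51 192.168.151.42 netmask 255.255.255.255
clear xlate local 192.168.151.42
!
! 2. object-group MAIL (tcp www/smtp/https/pop3) already exists. A service
!    object-group without a protocol takes the protocol position in the ACE,
!    the form the device accepted earlier in the thread. The ACL bound to the
!    outside interface is outside_access_in; "OUTSIDE" is bound to nothing.
access-list outside_access_in extended permit object-group MAIL any host 72.35.10.51
!
! 3. Checks: the translation exists, the ACE is present and counts hits, and a
!    simulated inbound SMTP connection (198.51.100.10 is an arbitrary
!    documentation address) is allowed end to end.
show xlate | include 192.168.151.42
show access-list outside_access_in | include 72.35.10.51
packet-tracer input outside tcp 198.51.100.10 40000 72.35.10.51 25
```

If packet-tracer reports a DROP, the phase it names (NAT versus ACCESS-LIST) tells you which of the two pieces is still missing, which is more useful than a silent telnet timeout. Separately from the mail flow, three lines in the pasted configuration deserve attention while you are in there: `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` expose ASDM and SSH management to every address on the Internet, and `telnet 0.0.0.0 0.0.0.0 inside` allows clear-text management logins from the whole inside network; restricting these to known management hosts costs nothing.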

No, it doesn't confuse me. I know how to work both the CLI and ASDM, and I know how to configure and maintain firewalls, routers and switches... Everything that has been mentioned has already been done, to the letter, and still nothing. Looks as if it's time to backtrack and see what's happened somewhere along the line. I will update if I find anything.
The only solution I don't see here is the ability to telnet via port 25. Am I missing something? That's what's stopping me at the moment. When I try to telnet using my IP address I get nothing.