Solved

Configure an ASA for Telnet on port 25

Posted on 2010-08-23
1,324 Views
Last Modified: 2013-11-16
OK.. I know I am doing this right but I could be wrong.

I have a Cisco ASA 5510

On the Network I have an Exchange Server with the Internal IP address of 192.168.151.42. This is a New Server that I am working on adding to the network. Our Spam Filtering service uses port 25 to telnet on. What I need to do is telnet to the Firewall and using NAT pass on the Data to the Exchange server. So if someone could do me a favor and give me all the commands I would have to enter to get this completed.

I need the following:
NAT for the Exchange server is IP Address 192.168.151.42 from an External IP 72.35.10.51 (Only an Example not real IP address)
Open ports 80,25,443,110
Allow Telnet on port 25.

Please help me out, cause it's driving me nuts.

Thanks

Question by:rperault

17 Comments
LVL 17

Accepted Solution

by:
Kvistofta earned 500 total points
ID: 33504585
object-group service MAIL
 service-object tcp eq www
 service-object tcp eq smtp
 service-object tcp eq https
 service-object tcp eq pop3

access-l OUTSIDE ext permit object-group MAIL any host 72.35.10.51

access-group OUTSIDE interface outside

static (inside,outside) 72.35.10.51 192.168.151.42

Of course, if you already have an inbound access-list just add the permit-line above and skip the access-group command.

/Kvistofta
0
 

Author Comment

by:rperault
ID: 33504633
OK, so that's all I would need. I have removed everything I did, including my NATs, ACLs, anything that had to do with the exchange server. I am starting with a Clean Slate when it comes to this project. If I enter in those Command Lines that should be all I need???
0
 

Author Comment

by:rperault
ID: 33504657
Here is the response I got when adding the Command Lines

Result of the command: "object-group service MAIL"

The command has been sent to the device


Result of the command: "service-object tcp eq www"

Adding obj (service-object tcp eq www ) to grp (MAIL) failed; object already exists


Result of the command: "service-object tcp eq smtp"

Adding obj (service-object tcp eq smtp ) to grp (MAIL) failed; object already exists


Result of the command: "service-object tcp eq https"

Adding obj (service-object tcp eq https ) to grp (MAIL) failed; object already exists


Result of the command: "service-object tcp eq pop3"

Adding obj (service-object tcp eq pop3 ) to grp (MAIL) failed; object already exists


Result of the command: "access-l OUTSIDE ext permit object-group MAIL any host 72.35.10.51"

The command has been sent to the device


Result of the command: "access-group OUTSIDE interface outside"

access-group OUTSIDE interface outside
                       ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "static (inside,outside) 72.35.10.51 192.168.151.42"

ERROR: duplicate of existing static
  inside:192.168.151.42 to outside:192.168.151.42 netmask 255.255.255.255
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33504790
It looks like you have done this multiple times because it complains that there already is an identical object-group.

Regarding the access-group-command, it should be:

"access-group OUTSIDE in interface outside"

But are you sure you are not destroying anything now? If you just send those commands to the unit with ASDM without knowing about existing "access-group" commands you will most probably kill working configuration. If you want to know exactly what commands to paste without requiring deeper knowledge from you, you must paste your current configuration here.

/Kvistofta.
0
 
LVL 9

Expert Comment

by:DanJ
ID: 33505044
change the ACL

access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 25
access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 80
access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 110
access-list OUTSIDE extended permit tcp any host 72.35.10.51 eq 443
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33505072
DanJ: Why???
0
 
LVL 9

Expert Comment

by:DanJ
ID: 33505162
if you open the ports on the server these ports are destination and not source.
0
 

Author Comment

by:rperault
ID: 33505187
Here is my current configuration.


:
ASA Version 8.2(1)
!
hostname saf001
domain-name default.domain.invalid
enable password 5nvFrY5HdpjUlhi. encrypted
passwd 5nvFrY5HdpjUlhi. encrypted
names
name 192.168.151.9 Fileserver
name 000.000.000.000 lsf001
name 000.000.000.000 sainf001
name 192.168.151.73 Exchange
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 000.000.000.000 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.151.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 10
 ip address 192.168.152.1 255.255.255.0
!
interface Ethernet0/3
 nameif backup
 security-level 0
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa722-19-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service RDP tcp
 port-object eq telnet
object-group service MAIL
 service-object tcp eq www
 service-object tcp eq smtp
 service-object tcp eq https
 service-object tcp eq pop3
access-list no_nat extended permit ip 192.168.151.0 255.255.255.0 172.16.151.0 255.255.255.0
access-list no_nat extended permit ip 192.168.151.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list no_nat extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_to_lsc extended permit ip 192.168.151.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpn_to_saindia extended permit ip 192.168.151.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 192.168.151.0 255.255.255.0 172.16.151.0 255.255.255.0
access-list Split standard permit 192.168.151.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.151.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 000.000.000.000 echo-reply
access-list outside_access_in extended permit icmp any host 000.000.000.000 traceroute
access-list outside_access_in extended permit icmp any host 000.000.000.000 time-exceeded
access-list outside_access_in extended permit icmp any host 000.000.000.000 source-quench
access-list outside_access_in extended permit tcp any host 000.000.000.000 eq h323
access-list outside_access_in extended permit tcp any host 000.000.000.000 range 3230 3235
access-list outside_access_in extended permit udp any host 000.000.000.000 range 3220 3253
access-list outside_access_in extended permit ip any host 000.000.000.000
access-list outside_access_in extended permit icmp any host 000.000.000.000
access-list backup_access_in extended permit icmp any host 000.000.000.000 echo-reply
access-list backup_access_in extended permit icmp any host 000.000.000.000 traceroute
access-list backup_access_in extended permit icmp any host 000.000.000.000 time-exceeded
access-list backup_access_in extended permit icmp any host 000.000.000.000 source-quench
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended deny ip any 192.168.151.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list internal-out extended permit icmp any any echo-reply
access-list internal-out extended permit icmp any any time-exceeded
access-list internal-out extended permit icmp any any unreachable
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging history informational
logging asdm informational
logging facility 17
logging host inside 192.168.151.77
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu management 1500
ip local pool vpnpool 000.000.000.000-000.000.000.000 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.152.0 255.255.255.0
static (outside,outside) tcp Fileserver 3389 Fileserver 3389 netmask 255.255.255.255
static (dmz,outside) 000.000.000.000 192.168.152.10 netmask 255.255.255.255
static (dmz,outside) 192.168.5.5 172.16.1.5 netmask 255.255.255.255
static (inside,dmz) 192.168.151.0 192.168.151.0 netmask 255.255.255.0
static (inside,outside) 192.168.151.42 192.168.151.42 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group backup_access_in in interface backup
route outside 0.0.0.0 0.0.0.0 69.38.165.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record vpnClients
 description "match to Domain logon"
 priority 500
aaa-server LDAP-to-DC protocol ldap
aaa-server LDAP-to-DC (inside) host Fileserver
 ldap-base-dn DC=hidden,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=samanager,CN=Users,DC=hidden,DC=com
 server-type microsoft
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.151.0 255.255.255.0 inside
snmp-server host inside 192.168.151.77 community n0tpub11c version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set 3des-sha
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpnmap 10 match address vpn_to_lsc
crypto map vpnmap 10 set peer lsf001
crypto map vpnmap 10 set transform-set 3des-sha
crypto map vpnmap 15 match address vpn_to_saindia
crypto map vpnmap 15 set peer sainf001
crypto map vpnmap 15 set transform-set 3des-sha
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
crypto map backupvpnmap 10 match address vpn_to_lsc
crypto map backupvpnmap 10 set peer lsf001
crypto map backupvpnmap 10 set transform-set 3des-sha
crypto map backupvpnmap 20 ipsec-isakmp dynamic dynmap
crypto map backupvpnmap interface backup
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 3600
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet 192.168.151.77 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.151.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 backup
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source outside
webvpn
group-policy clientgroup internal
group-policy clientgroup attributes
 wins-server value 192.168.151.77
 dns-server value 192.168.151.77
 vpn-simultaneous-logins 10
 vpn-idle-timeout 20
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value smartanalyst.com
 backup-servers 000.000.000.000
username admin password ouw0VSB7F/7IddfL encrypted
username Rwillemin password uMxDA6PHXg5Kl2Z4 encrypted
username ritadmin password KwLDWmz3JZopPuHd encrypted privilege 15
username managedtech password 1E9KZubrnJFUF0Gs encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LDAP-to-DC
tunnel-group 000.000.000.000 type ipsec-l2l
tunnel-group 000.000.000.000 ipsec-attributes
 pre-shared-key *
tunnel-group 000.000.000.000 type ipsec-l2l
tunnel-group 000.000.000.000 ipsec-attributes
 pre-shared-key *
tunnel-group sa-vpnclient type remote-access
tunnel-group sa-vpnclient general-attributes
 address-pool vpnpool
 authentication-server-group LDAP-to-DC
 default-group-policy clientgroup
tunnel-group sa-vpnclient ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group Remote type remote-access
tunnel-group Remote general-attributes
 address-pool vpnpool
 default-group-policy clientgroup
tunnel-group Remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e79b633607e6b76d418396cf22e3d10
: end
asdm image disk0:/asdm-621.bin
asdm history enable

0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33505210
Of course. Sorry for the typo. I still recommend using object-groups instead of individual ACEs for each port.

/Kvistofta
0
 

Author Comment

by:rperault
ID: 33505255
So what's the consensus?
0
 

Author Comment

by:rperault
ID: 33505275
Everything so far I am being told I have already done. I have built the Firewall from scratch 2 years ago and many like them, but this one is a bit different.
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33505312
You have your static in place and you have created the object-group containing the 4 ports you wanna open. You just need to add this to your config:

access-l outside_access_in ext permit any host 72.35.10.51 object-group MAIL

/Kvistofta
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33505325
Or if you are unfamiliar with CLI, use ASDM. At the end of your rule-set for inbound traffic allow traffic from anyone destined to your mail server's public IP, and select the object-group MAIL as service.

/Kvistofta
0
 

Author Comment

by:rperault
ID: 33505346
So should I use objects instead of ACEs?
0
 
LVL 17

Expert Comment

by:Kvistofta
ID: 33505404
ACE = line in an ACL
ACL = access-list
Object-group = definition of hosts or ports to be used in the ACE.

You need to add an ACE (either from cli or asdm) to allow traffic as follows:
from: any
to: your mail server's PUBLIC IP
Services: the 4 tcp ports specified above.

Either you do 4 different lines as stated above with 4 different ports, or you create an object-group containing those 4 ports and make one single ace that references the object group containing those 4 ports.

Object-groups don't add functionality. It is just a way to make the configuration easier to read and manage. I see that you have repetitive lines where you allow certain icmp-traffic in your acl. You could "bundle" them into an object-group instead to shorten the acl so that it is more human readable.

But for this case, if this confuses you, you can just copy the 4 lines that DanJ posted above. It will have the same effect.

/Kvistofta
0
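The accepted solution above pairs a service object-group and one ACE on the inbound ACL with a static translation, and the ACE/ACL/object-group explanation in this comment describes the same mechanics. The script below is an added example, not code from this thread or from Cisco: it parses those ASA 8.2-style lines (object-group service, access-list ... extended, static, access-group) and reports whether tcp/25 from the outside to a public address is both permitted by the bound ACL and translated to the intended inside host. The sample configuration is constructed from lines posted in this thread; 72.35.10.51 is the asker's placeholder public address, and the second sample rewrites the static as the accepted answer proposes.

```python
"""Audit an ASA 8.2-style config for an inbound port forward (added example)."""
from collections import defaultdict

PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "https": 443, "pop3": 110,
              "telnet": 23, "ssh": 22, "ftp": 21}

# Constructed sample, modelled on lines posted in this thread.
SAMPLE_CONFIG = """\
object-group service MAIL
 service-object tcp eq www
 service-object tcp eq smtp
 service-object tcp eq https
 service-object tcp eq pop3
access-list outside_access_in extended permit icmp any host 72.35.10.50 echo-reply
access-list outside_access_in extended permit object-group MAIL any host 72.35.10.51
static (inside,outside) 192.168.151.42 192.168.151.42 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
# Same config with the static written as the accepted answer proposes.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "static (inside,outside) 192.168.151.42 192.168.151.42",
    "static (inside,outside) 72.35.10.51 192.168.151.42")


def to_port(tok):
    """Map an ASA port keyword or number to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _endpoint(t, i):
    """Parse 'any', 'host X' or 'NET MASK' at t[i]; return (value, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2


def parse_config(text):
    groups = defaultdict(set)   # group name -> {(proto, port)}
    aces = defaultdict(list)    # acl name -> [(action, proto, dst, port)]
    statics = []                # (real_if, mapped_if, mapped_ip, real_ip)
    bindings = {}               # (iface, direction) -> acl name
    group = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line[0] == " " and group:                 # object-group member line
            if t[0] == "service-object" and t[2] == "eq":
                groups[group].add((t[1], to_port(t[3])))
            continue
        group = None
        if t[0] == "object-group" and t[1] == "service":
            group = t[2]
            groups[group]                            # register even if empty
        elif t[0] == "access-list" and t[2] == "extended":
            proto, i = (("group", t[5]), 6) if t[4] == "object-group" else (t[4], 5)
            _, i = _endpoint(t, i)                   # source (not checked here)
            dst, i = _endpoint(t, i)
            port = to_port(t[i + 1]) if t[i:i + 1] == ["eq"] else None
            aces[t[1]].append((t[3], proto, dst, port))
        elif t[0] == "static":                       # static (real,mapped) MAPPED REAL
            real_if, mapped_if = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):               # port static: MAPPED port REAL port
                statics.append((real_if, mapped_if, t[3], t[5]))
            else:
                statics.append((real_if, mapped_if, t[2], t[3]))
        elif t[0] == "access-group":                 # access-group ACL in interface IF
            bindings[(t[4], t[2])] = t[1]
    return groups, aces, statics, bindings


def ace_matches(ace, groups, proto, port, dst_ip):
    _, ace_proto, dst, ace_port = ace
    if dst not in ("any", dst_ip):
        return False
    if ace_proto == "ip":
        return True
    if isinstance(ace_proto, tuple):                 # ("group", NAME) service group
        return (proto, port) in groups[ace_proto[1]]
    return ace_proto == proto and ace_port in (None, port)


def audit(text, public_ip, port, inside_host, iface="outside", proto="tcp"):
    """Report whether proto/port to public_ip is permitted and mapped to inside_host."""
    groups, aces, statics, bindings = parse_config(text)
    acl = bindings.get((iface, "in"))
    permitted = False
    for ace in aces.get(acl, []):                    # first match wins, implicit deny
        if ace_matches(ace, groups, proto, port, public_ip):
            permitted = ace[0] == "permit"
            break
    mapped_to = [real for (_, m_if, m_ip, real) in statics
                 if m_if == iface and m_ip == public_ip]
    appears_as = [m_ip for (_, m_if, m_ip, real) in statics
                  if m_if == iface and real == inside_host]
    return {"acl": acl, "permitted": permitted,
            "public_ip_maps_to": mapped_to[0] if mapped_to else None,
            "inside_host_appears_as": appears_as,
            "forwarded": permitted and inside_host in mapped_to}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected static", FIXED_CONFIG)):
        print(label, audit(cfg, "72.35.10.51", 25, "192.168.151.42"))
```

Running it shows the distinction the thread circles around: with the identity static (inside host mapped to itself on the outside) the ACE permits tcp/25 to the public address, but nothing translates that address to 192.168.151.42, so "forwarded" stays false; with the static pointing the public address at the inside host, both halves line up. The parser deliberately covers only the line forms used in this thread.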
 

Author Comment

by:rperault
ID: 33505485
NO it doesn't confuse me. I know how to work both CLI and ASDM, and I know how to Configure and Maintain FWs, Routers and Switches... Everything that has been mentioned has already been done, and to the letter, and still nothing.. Looks as if it's time to back track and see what's happened somewhere along the line. I will update if I find anything.
0
 

Author Comment

by:rperault
ID: 33505502
The Only solution I don't see here is the ability to telnet via port 25. Am I missing something? That's what's stopping me at the moment.. When I try to telnet using my IP address I get nothing.
0
