Enable SMTP, and WWW access to ASA 5505

I have a standard ASA 5505 Firewall which needs SMTP and WWW acces thru it to our network.

Ive tried to follow ACL rules but i dont know what im missing.

Any and all help is appreciated greatly.

below is the current Running Config
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
 interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 206.221.999.001 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 206.221.999.11 eq smtp 
access-list outside_access_in extended permit tcp any host 206.221.999.11 eq www 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq www 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq https 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq 5800 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq 5900 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq 3392 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq 8080 
access-list outside_access_in extended permit tcp any host 206.221.999.11 eq domain 
access-list outside_access_in extended permit tcp any host 206.221.999.22 eq domain 
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq domain 
access-list outside_access_in extended permit 25 any host 206.221.999.11 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 172.16.10.1-172.16.10.8
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
alias (inside) 192.168.1.152 206.221.999.33 255.255.255.255
static (inside,outside) tcp 206.221.999.11 smtp 192.168.1.150 smtp netmask 255.255.255.255 
static (inside,outside) tcp 206.221.999.11 domain 192.168.1.150 domain netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 206.221.999.00 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context

Open in new window

LVL 3
MutogiIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

InteraXCommented:
Loking at your config, SMTP should work. Try adding the following to get http working.

static (inside,outside) tcp 206.221.999.11 80 192.168.1.150 80 netmask 255.255.255.255

What is the following for? It looks like you are trying to allow IP protocol 25 in. This is not the same as TCP:25 (SMTP)

access-list outside_access_in extended permit 25 any host 206.221.999.11

See http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers for a list of the IP protocol numbers.

The following appears to be allowing inbound DNS queries. Not really a good idea unless you have a properly secured DNS server.

access-list outside_access_in extended permit tcp any host 206.221.999.11 eq domain
access-list outside_access_in extended permit tcp any host 206.221.999.22 eq domain
access-list outside_access_in extended permit tcp any host 206.221.999.33 eq domain

A lot of the outside_access_in ACL seems to be redundant as you don't have the NAT's in place, including the above.
InteraXCommented:
Just checked the outside if config. This has a /28 subnet mask. Looking at the IP, all your ACE's with destination IP's above 15 are redundant.
Exploring SQL Server 2016: Fundamentals

Learn the fundamentals of Microsoft SQL Server, a relational database management system that stores and retrieves data when requested by other software applications.

Ragu RamachandranCommented:
try this: (you don't need protocol details while natting)
no static (inside,outside) tcp 206.221.999.11 smtp 192.168.1.150 smtp netmask 255.255.255.255
no static (inside,outside) tcp 206.221.999.11 domain 192.168.1.150 domain netmask 255.255.255.255
static (inside,outside) 206.221.999.11 192.168.1.150 netmask 255.255.255.255
static (inside,outside) 206.221.999.11 192.168.1.150 netmask 255.255.255.255

I don't know why you have this following access list: I would remove it
no access-list outside_access_in extended permit 25 any host 206.221.999.11
Ragu RamachandranCommented:
If you are using SSL, then i would permit that too:
access-list outside_access_in extended permit tcp any host 206.221.999.11 eq https
MutogiIT ManagerAuthor Commented:
i still only have internet to the inside network, but still no emails.

i started from scarth and redid it all to everyones likin.

ive tried the ASDM packet tracer with no luck.

Help please anyone??


User Access Verification


!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name whouldntyouliketoknow.com
access-list outside_access_in_1 extended permit tcp any host 206.221.111.222 eq smtp log
access-list outside_access_in_1 extended permit tcp any host 206.221.111.222 eq www
access-list outside_access_in_1 extended permit tcp any host 206.221.111.333 eq www
access-list outside_access_in_1 extended permit tcp any host 206.221.111.333 eq https
access-list outside_access_in_1 extended permit tcp any host 206.221.111.333 eq 5800
access-list outside_access_in_1 extended permit tcp any host 206.221.111.333 eq 5900
access-list outside_access_in_1 extended permit tcp any host 206.221.111.333 eq 3392
access-list outside_access_in_1 extended permit tcp any host 206.221.111.333 eq 8080
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 206.221.111.222 smtp 192.168.1.150 smtp netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.222 www 192.168.1.150 www netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 https 192.168.1.150 https netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 www 192.168.1.152 www netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 https 192.168.1.152 https netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 3392 192.168.1.152 3392 netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 ftp 192.168.1.152 ftp netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 5800 192.168.1.152 5800 netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 5900 192.168.1.152 5900 netmask 255.255.255.255
static (inside,outside) tcp 206.221.111.333 8080 192.168.1.150 8080 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 206.221.111.000 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 206.221.111.111 255.255.255.255 outside
ssh timeout 5
console timeout 60
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MutogiIT ManagerAuthor Commented:
called cisco, paid for their service.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.