Solved

Cisco ASA port forwarding not working

Posted on 2010-11-10
1,183 Views
Last Modified: 2012-05-10
I have a Cisco ASA 5510 with an SSM-10 module installed.

The ASA has two interfaces which I'm using. One has a single public outside IP address, the other a private address for the LAN. I am able to NAT (PAT) connections from the LAN just fine, and the SSM-10 module is able to block web sites.

However, I also want to forward in SMTP connections only destined for the outside interface to a server on the LAN. I believe this should work, but I'm not getting any replies when connecting. I've searched around and think I'm doing it right in the config, but obviously there is something wrong because it doesn't work. Below is my config from the ASA without the full IPs.

I appreciate any help anyone can give!

: Saved
:
ASA Version 8.2(1)
!
hostname asa
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 81.A.A.A 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.18.12.3 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list smtp_into_LAN extended permit tcp any interface outside eq smtp log
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap debugging
logging asdm debugging
logging facility 16
logging device-id hostname
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 10.18.12.0 255.255.255.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.18.12.11 smtp netmask 255.255.255.255
access-group smtp_into_LAN in interface outside
route outside 0.0.0.0 0.0.0.0 81.A.A.B 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.18.12.0 255.255.255.0 inside
http 81.A.A.C 255.255.255.248 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 81.A.A.C 255.255.255.248 outside
ssh 10.18.12.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inside-class
 match access-list
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
policy-map inside-policy
 class inside-class
  csc fail-close
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXX
: end
0
Question by:snagsy1980
8 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 34100682
Looks OK to me though; if you're using Exchange, turn this off:

policy-map global_policy
 class inspection_default
  no inspect esmtp

Your port forwarding looks fine: http://www.petenetlive.com/KB/Article/0000077.htm


Pete
0
 
LVL 7

Assisted Solution

by:snagsy1980
snagsy1980 earned 0 total points
ID: 34100718
Thanks Pete

I've just switched this off as you suggest and it still doesn't work. That section now reads:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map inside-policy
 class inside-class
  csc fail-close

Do you think the SSM-10 could be to blame here?

Thanks!
0
 
LVL 13

Expert Comment

by:SIM50
ID: 34102389
It's not going to work. For your email server, you will need one-to-one static NAT.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34102800
I'll ditto Pete since it looks OK to me also.

Would you verify that ports are down by getting on the 10.18.12.11 host, hitting http://www.canyouseeme.org and having it test port 25. That site should report it as open. If it fails, then check the ASA's ASDM log or the console logging ("show logging") and see if any packets are dropped.

If the ASA reports that nothing is dropped, then the problem is probably downstream.
0
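As an added example (not from this thread, and not a Cisco tool), here is a small Python script that applies the advice above: it reads the text of `show logging` and classifies what the ASA did with inbound connections to the static PAT in the question. It distinguishes three cases a practitioner would want to tell apart: the ACL dropped the packet, the ASA built the translation but the inside host never completed the handshake (a `SYN Timeout` teardown, the signature of a routing or host problem behind the firewall), or the session completed with data. The message layouts follow the documented ASA syslog formats for 302013, 302014 and 106023; the log lines themselves are constructed samples, with the inside host 10.18.12.11 and the `81.A.A.A` placeholder taken from the question and the client addresses from documentation ranges.

```python
"""Triage ASA 'show logging' output for a static PAT (port forward).

Added example, not from the thread. Log samples are constructed.
"""
import re
from dataclasses import dataclass

# %ASA-6-302013: Built inbound TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection (\d+) for [\w-]+:([^/\s]+)/(\d+) \(\S+\) "
    r"to ([\w-]+):([^/\s]+)/(\d+)"
)
# %ASA-6-302014: Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration h:mm:ss bytes <n> [reason]
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (\d+) for [\w-]+:([^/\s]+)/(\d+) "
    r"to ([\w-]+):([^/\s]+)/(\d+) duration (\S+) bytes (\d+)\s*(.*)$"
)
# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [...]
DENY = re.compile(
    r'%ASA-4-106023: Deny (\w+) src ([\w-]+):([^/\s]+)/(\d+) dst ([\w-]+):([^/\s]+)/(\d+) '
    r'by access-group "([^"]+)"'
)

# Constructed sample: the ASA builds the inbound connection (so the static PAT
# and the ACL are fine) but the inside host never answers the SYN. The deny line
# is an unrelated probe on another port, included to show it is filtered out.
LOG_BROKEN = """\
Nov 10 2010 14:02:11: %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.18.12.11/25 (81.A.A.A/25)
Nov 10 2010 14:02:41: %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/51234 to inside:10.18.12.11/25 duration 0:00:30 bytes 0 SYN Timeout
Nov 10 2010 14:03:02: %ASA-4-106023: Deny tcp src outside:198.51.100.9/40001 dst outside:81.A.A.A/3389 by access-group "smtp_into_LAN" [0x0, 0x0]
"""

# Constructed sample: a complete SMTP session through the forward.
LOG_WORKING = """\
Nov 10 2010 15:10:05: %ASA-6-302013: Built inbound TCP connection 4712 for outside:203.0.113.7/51300 (203.0.113.7/51300) to inside:10.18.12.11/25 (81.A.A.A/25)
Nov 10 2010 15:12:10: %ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.7/51300 to inside:10.18.12.11/25 duration 0:02:05 bytes 2310 TCP FINs
"""


@dataclass
class Triage:
    built: int = 0        # inbound connections the ASA translated and built
    completed: int = 0    # teardowns that carried data (session worked)
    syn_timeout: int = 0  # teardowns with reason "SYN Timeout" (inside host silent)
    denied: int = 0       # packets to the forwarded port dropped by an ACL

    def verdict(self) -> str:
        if self.built == 0 and self.denied == 0:
            return "no SMTP traffic reached the ASA: look upstream (ISP filtering, DNS/MX, client)"
        if self.built == 0:
            return "ASA is dropping SMTP on the outside ACL: check access-list and access-group"
        if self.syn_timeout and self.completed == 0:
            return "ASA forwards SMTP but the inside host never answers: check its route back to the ASA and the listening service"
        return "port forward is working: sessions complete with data"


def triage(log_text: str, inside_host: str, port: int) -> Triage:
    """Count build/teardown/deny events that concern inside_host:port."""
    t = Triage()
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m and m.group(5) == inside_host and int(m.group(6)) == port:
            t.built += 1
            continue
        m = TEARDOWN.search(line)
        if m and m.group(5) == inside_host and int(m.group(6)) == port:
            reason = m.group(9).strip()
            if reason == "SYN Timeout":
                t.syn_timeout += 1
            elif int(m.group(8)) > 0:
                t.completed += 1
            continue
        m = DENY.search(line)
        if m and int(m.group(7)) == port:
            t.denied += 1
    return t


if __name__ == "__main__":
    for name, log in (("broken", LOG_BROKEN), ("working", LOG_WORKING)):
        result = triage(log, "10.18.12.11", 25)
        print(f"{name}: {result} -> {result.verdict()}")
```

On a live box, paste the output of `show logging` (with `logging buffered informational` as in the config above, so the 302013/302014 messages are kept) into `triage()`. A `SYN Timeout` teardown with `bytes 0` is the pattern that matches the outcome of this thread: the firewall did its part and the fault was on the inside.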
LVL 7

Accepted Solution

by:snagsy1980
snagsy1980 earned 0 total points
ID: 34103635
Thanks for your help here, I've just managed to solve this now. It was a routing problem in my test environment and not the ASA or my config after all! It has been really useful to confirm that my config should work though.

Thanks all!
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 34109681
>>For your email server, you will need one-to-one static NAT.

This information is incorrect, you can port forward SMTP - I've deployed hundreds of PIX/ASA firewalls in this configuration.

If the config is right (which yours is) and mail never flows, chances are the Exchange/mail server is misconfigured, or something (like an annoying ISP) is blocking SMTP upstream.

Glad you are fixed though :) Have a good weekend :)


 - Hi Mike :)
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34112119
Pete is correct. I've also port forwarded SMTP with success.
0
 
LVL 7

Author Closing Comment

by:snagsy1980
ID: 34134616
sorted!
0
