Solved

Cisco ASA port forwarding not working

Posted on 2010-11-10
Last Modified: 2012-05-10
I have a Cisco ASA 5510 with an SSM-10 module installed.

The ASA has two interfaces which I'm using. One has a single public outside IP address, the other a private address for the LAN. I am able to NAT (PAT) connections from the LAN just fine, and the SSM-10 module is able to block web sites.

However, I also want to forward in SMTP connections only destined for the outside interface to a server on the LAN. I believe this should work, but I'm not getting any replies when connecting. I've searched around and think I'm doing it right in the config, but obviously something is wrong because it doesn't work. Below is my config from the ASA with the full IPs removed.

I appreciate any help anyone can give!

: Saved
:
ASA Version 8.2(1)
!
hostname asa
enable password XXXXXXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 81.A.A.A 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.18.12.3 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list smtp_into_LAN extended permit tcp any interface outside eq smtp log
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging trap debugging
logging asdm debugging
logging facility 16
logging device-id hostname
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 10.18.12.0 255.255.255.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.18.12.11 smtp netmask 255.255.255.255
access-group smtp_into_LAN in interface outside
route outside 0.0.0.0 0.0.0.0 81.A.A.B 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.18.12.0 255.255.255.0 inside
http 81.A.A.C 255.255.255.248 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 81.A.A.C 255.255.255.248 outside
ssh 10.18.12.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inside-class
 match access-list
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect esmtp
policy-map inside-policy
 class inside-class
  csc fail-close
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXX
: end
Question by:snagsy1980
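The three pieces of the posted config that have to agree for an 8.2 port forward are the static PAT line, an ACL entry that names the mapped destination (on 8.2 the inbound ACL is evaluated before untranslation, so it must say `interface outside`, not the 10.18.12.11 host), and an access-group binding that ACL inbound on outside. The following is an added example written for this page, not code from the thread: it parses a constructed excerpt of the config above, checks that triad for every static PAT, warns about `inspect esmtp` in line with Pete's comment, and emits the equivalent 8.3+ object NAT form (where the ACL switches to the real address and port). The port-keyword table, the regexes (which only handle the line shapes seen here) and the `obj-<ip>` object name are this example's own assumptions.

```python
import re

# Constructed sample: the NAT, ACL and policy lines from the 8.2 config posted in
# the question, trimmed to what the checks below need. Not a complete ASA config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list smtp_into_LAN extended permit tcp any interface outside eq smtp log
global (outside) 101 interface
nat (inside) 101 10.18.12.0 255.255.255.0
static (inside,outside) tcp interface smtp 10.18.12.11 smtp netmask 255.255.255.255
access-group smtp_into_LAN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
"""

# Assumption: a small subset of the ASA port keywords is enough for this example.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ssh": 22, "ftp": 21, "domain": 53}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mapped_port>\S+) (?P<real>\S+) (?P<real_port>\S+) netmask"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|interface \w+|host \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?(?: log.*)?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) (?P<dir>in|out) interface (?P<iface>\w+)")


def port_number(token):
    """Resolve an ASA port keyword such as "smtp" or a numeric string to an int."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text):
    """Collect static PATs, extended ACL entries, access-groups and the inspections
    enabled under policy-map global_policy from an ASA 8.2 running-config."""
    cfg = {"statics": [], "acls": {}, "access_groups": {}, "inspects": set()}
    in_global_policy = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # any top-level command ends the policy-map block
            in_global_policy = line == "policy-map global_policy"
        if in_global_policy and line.strip().startswith("inspect "):
            cfg["inspects"].add(line.split()[1])
        elif m := STATIC_RE.match(line):
            cfg["statics"].append(m.groupdict())
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m["name"], []).append(m.groupdict())
        elif m := GROUP_RE.match(line):
            cfg["access_groups"][m["iface"]] = (m["name"], m["dir"])
    return cfg


def check_static_pat(cfg, st):
    """Return (level, message) findings for one static PAT. On 8.2 the inbound ACL
    sees the mapped destination, so it must name "interface outside" (or the mapped
    host), not the real inside address."""
    findings = []
    mapped_if = st["mapped_if"]
    want_dst = f"interface {mapped_if}" if st["mapped"] == "interface" else f"host {st['mapped']}"
    want_port = port_number(st["mapped_port"])
    group = cfg["access_groups"].get(mapped_if)
    if group is None or group[1] != "in":
        findings.append(("errors", f"no inbound access-group on {mapped_if}; "
                         "traffic from a lower security level is dropped by default"))
        return findings
    acl_name = group[0]
    permitted = any(
        e["action"] == "permit"
        and e["proto"] in (st["proto"], "ip")
        and e["dst"] in (want_dst, "any")
        and (e["port"] is None or port_number(e["port"]) == want_port)
        for e in cfg["acls"].get(acl_name, [])
    )
    if not permitted:
        findings.append(("errors", f"ACL {acl_name} has no permit for "
                         f"{st['proto']}/{want_port} to {want_dst}"))
    if want_port == 25 and "esmtp" in cfg["inspects"]:
        findings.append(("warnings", "inspect esmtp is on in global_policy; "
                         "the thread recommends turning it off when the server is Exchange"))
    return findings


def to_post_83(st, acl_name):
    """Rewrite one 8.2 static PAT as 8.3+ object NAT. From 8.3 the interface ACL
    matches the real (untranslated) address and port, so the ACL line changes too.
    The object name obj-<ip> is this example's own convention."""
    obj = f"obj-{st['real']}"
    return "\n".join([
        f"object network {obj}",
        f" host {st['real']}",
        f" nat ({st['real_if']},{st['mapped_if']}) static {st['mapped']} "
        f"service {st['proto']} {st['real_port']} {st['mapped_port']}",
        f"access-list {acl_name} extended permit {st['proto']} any object {obj} eq {st['real_port']}",
        f"access-group {acl_name} in interface {st['mapped_if']}",
    ])


def audit(text):
    """Audit every static PAT in the config; ok is False only when errors were found."""
    cfg = parse_config(text)
    report = {"errors": [], "warnings": [], "migration": []}
    if not cfg["statics"]:
        report["errors"].append("no static PAT entries found")
    for st in cfg["statics"]:
        for level, msg in check_static_pat(cfg, st):
            report[level].append(msg)
        group = cfg["access_groups"].get(st["mapped_if"])
        acl_name = group[0] if group else f"{st['mapped_if']}_in"
        report["migration"].append(to_post_83(st, acl_name))
    report["ok"] = not report["errors"]
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
    print("8.3+ equivalent:\n" + "\n".join(result["migration"]))
```

Run against the sample it reports no errors (the posted triad is consistent, which is what the experts below also conclude) and one warning about `inspect esmtp`. Swapping the ACL's `interface outside` for `host 10.18.12.11`, the most common 8.2 mistake, turns the warning into an error.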
8 Comments
 

Expert Comment

by:Pete Long
ID: 34100682
Looks OK to me, though if you're using Exchange turn this off:

policy-map global_policy
 class inspection_default
 no inspect esmtp

Your port forwarding looks fine: http://www.petenetlive.com/KB/Article/0000077.htm


Pete

Assisted Solution

by:snagsy1980
snagsy1980 earned 0 total points
ID: 34100718
Thanks Pete

I've just switched this off as you suggest and it still doesn't work. That section now reads:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map inside-policy
 class inside-class
  csc fail-close

Do you think the SSM-10 could be to blame here?

Thanks!

Expert Comment

by:SIM50
ID: 34102389
It's not going to work. For your email server, you will need one-to-one static NAT.

Expert Comment

by:MikeKane
ID: 34102800
I'll ditto Pete since it looks ok to me also.  

Would you verify that ports are down by getting on the 10.18.12.11 host, hitting http://www.canyouseeme.org and having it test port 25. That site should report it as open. If it fails, then check the ASA's ASDM log or the console logging ("show logging") and see if any packets are dropped.

If the ASA reports that nothing is dropped, then the problem is probably downstream.
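The "show logging" check above comes down to reading three ASA message IDs for the forwarded port: 106023 (denied by an access-group), 302013 (inbound connection built, so the static and ACL both worked) and 302014 (teardown, whose reason and byte count say whether the inside host ever answered). The following is an added example written for this page, not anything posted in the thread: it triages constructed syslog lines and names the layer to look at next. The log lines, the addresses (203.0.113.10 stands in for the masked 81.A.A.A, 198.51.100.7 for a remote sender) and the verdict wording are this example's own; it keys on the destination port rather than the address so it does not depend on whether a given release logs the mapped or the real address.

```python
import re

# Constructed ASA syslog samples (not from the thread), one per failure mode.
LOG_DENIED = """\
%ASA-6-305011: Built static TCP translation from inside:10.18.12.11/25 to outside:203.0.113.10/25
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51324 dst inside:10.18.12.11/25 by access-group "smtp_into_LAN" [0x0, 0x0]
"""
LOG_FORWARDED_NO_REPLY = """\
%ASA-6-305011: Built static TCP translation from inside:10.18.12.11/25 to outside:203.0.113.10/25
%ASA-6-302013: Built inbound TCP connection 1187 for outside:198.51.100.7/51325 (198.51.100.7/51325) to inside:10.18.12.11/25 (203.0.113.10/25)
%ASA-6-302014: Teardown TCP connection 1187 for outside:198.51.100.7/51325 to inside:10.18.12.11/25 duration 0:00:30 bytes 0 SYN Timeout
"""

XLATE_RE = re.compile(
    r"%ASA-\d-305011: Built static TCP translation from (?P<real>\w+:[\d.]+/\d+) to (?P<mapped>\w+:[\d.]+/\d+)"
)
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built inbound TCP connection (?P<conn>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \([^)]*\) to (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for .* to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def triage(log, port=25, mapped_if="outside"):
    """Count what the ASA did with inbound connections to `port` arriving on
    `mapped_if` and return the counts plus a verdict naming the next thing to check."""
    c = {"xlate": 0, "denied": 0, "built": 0, "syn_timeout": 0, "passed": 0}
    acls = set()
    for line in log.splitlines():
        if (m := XLATE_RE.search(line)) and m["mapped"].endswith(f"/{port}"):
            c["xlate"] += 1
        elif (m := DENY_RE.search(line)) and m["sif"] == mapped_if and int(m["dport"]) == port:
            c["denied"] += 1
            acls.add(m["acl"])
        elif (m := BUILT_RE.search(line)) and m["sif"] == mapped_if and int(m["dport"]) == port:
            c["built"] += 1
        elif (m := TEARDOWN_RE.search(line)) and int(m["dport"]) == port:
            if m["reason"] == "SYN Timeout":  # SYN forwarded inside, no SYN/ACK came back
                c["syn_timeout"] += 1
            elif int(m["bytes"]) > 0:
                c["passed"] += 1
    if c["denied"]:
        verdict = (f"ACL {', '.join(sorted(acls))} denies inbound {port}: "
                   "fix the access-list entry or the access-group binding")
    elif c["built"] and c["syn_timeout"] and not c["passed"]:
        verdict = ("ASA builds the connection but the inside host never answers: "
                   "check routing, the server's default gateway and its host firewall")
    elif c["built"]:
        verdict = "connections are built and carrying data: the ASA is not the problem"
    elif c["xlate"]:
        verdict = (f"translation exists but no inbound SYN to {port} reached the ASA: "
                   "check upstream (ISP block, MX/DNS) and that logging captures level 4 and 6")
    else:
        verdict = "no matching events: confirm logging is enabled at informational or higher"
    c["verdict"] = verdict
    return c


if __name__ == "__main__":
    for name, sample in (("denied", LOG_DENIED), ("forwarded, no reply", LOG_FORWARDED_NO_REPLY)):
        print(f"{name}: {triage(sample)['verdict']}")
```

The second sample is the pattern behind the outcome reported later in this thread: the firewall builds the inbound connection, the inside host never replies, and the fix is downstream of the ASA.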

Accepted Solution

by:snagsy1980
snagsy1980 earned 0 total points
ID: 34103635
Thanks for your help here, I've just managed to solve this now. It was a routing problem in my test environment and not the ASA or my config after all! It has been really useful to confirm that my config should work though.

Thanks all!

Expert Comment

by:Pete Long
ID: 34109681
>>For you email server, you will need one to one static NAT.

This information is incorrect, you can port forward SMTP - I've deployed hundreds of pix/asa firewalls in this configuration.

If the config is right (which yours is) and mail never flows, chances are, the exchange/mail server is misconfigured, or something (like an annoying ISP) is blocking SMTP upstream.

Glad you are fixed though :) Have a good weekend :)


 - Hi Mike :)

Expert Comment

by:MikeKane
ID: 34112119
Pete is correct.   I've also port forwarded SMTP with success.

Author Closing Comment

by:snagsy1980
ID: 34134616
sorted!