Solved

ASA 5510 Email and Terminal issues

Posted on 2011-03-06
422 Views
Last Modified: 2012-05-11
I am having two issues:

1. My email going out is working along with internal, but inbound email is not working. My Barracuda email filter is 192.168.1.107 and my Exchange 2007 is 192.168.1.222; along with this, OWA does not work.

2. Terminal Services does not work when I try from the home PC; I get "server not available" or "disconnected".

Below is my config:

ASA Version 8.3(1)
!
hostname wsigateway
domain-name wsystems.com
enable password yVSkMxWRc/S396FB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.23.59.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name wsystems.com
object network email_server_static
 host 192.168.1.222
object network wsiftp_static
 host 192.168.1.188
object network terminal1_static
 host 192.168.1.191
object network ram_static
 host 192.168.1.116
object network wsi_internal_lan
 subnet 192.168.0.0 255.255.0.0
object network Baccuda
 host 192.168.1.107
object-group service RDP tcp
 port-object eq 3389
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq smtp
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq ftp
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq 3389
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq 162
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq https
access-list 100 extended permit tcp any host 192.168.0.0 eq smtp
access-list 100 extended permit tcp any host 192.168.0.0 eq ftp
access-list 100 extended permit tcp any host 192.168.0.0 eq ftp-data
access-list 100 extended permit tcp any host 192.168.0.0 eq pop3
access-list acl_out extended permit tcp any host 192.168.1.222 eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
!
object network email_server_static
 nat (inside,outside) static 64.XXX.XXX.XXX
object network wsiftp_static
 nat (inside,outside) static 64.XXX.XXX.XXX
object network terminal1_static
 nat (inside,outside) static 64.XXX.XXX.XXX service tcp 3389 3389
object network ram_static
 nat (inside,outside) static 64.XXX.XXX.XXX
object network wsi_internal_lan
 nat (inside,outside) dynamic interface
object network Baccuda
 nat (any,any) static 64.XXX.XXX.XXX
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.XXX.XXX.XXX 1
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.23.59.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:61dd614b76a12c7d8f3ada886d7da8c6
: end
wsigateway#
Question by:pfdrinstr
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047393
Still trying to get the hang of the new NAT from 8.3 but it should go something like this for (for example) RDP:
object network terminal1_static
 host 64.x.x.x
object network PublicServer_RDP
 host 192.168.1.191
 nat (inside,outside) static terminal1_static
access-list outside_access_in line 1 extended permit tcp any host 192.168.1.191 eq 3389
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047487
As I said, getting the hang of it :-~

Try this:

object network terminal1_static
 host 64.x.x.x
object network PublicServer_RDP
 host 192.168.1.191
 nat (inside,outside) static terminal1_static
object service rdp
 service tcp destination eq 3389
access-list outside_access_in line 1 extended permit object rdp any host 192.168.1.191

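An added example, not from this thread or from Cisco, illustrating the rule Ernie's snippet relies on: from ASA 8.3 onward an access-list entry names the real (inside) address of the server, and the object's nat statement supplies the mapped public address. The script audits a constructed config in the shape of the asker's and flags entries that still point at the mapped address, or at a network address written as a host; the 203.0.113.x addresses are assumed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the asker's 8.3 config (placeholder
# public addresses; not the values posted in the thread).
SAMPLE_CONFIG = """\
object network terminal1_static
 host 192.168.1.191
 nat (inside,outside) static 203.0.113.10 service tcp 3389 3389
object network email_server_static
 host 192.168.1.222
 nat (inside,outside) static 203.0.113.11
access-list 100 extended permit tcp any host 203.0.113.10 eq 3389
access-list 100 extended permit tcp any host 192.168.1.222 eq smtp
access-list 100 extended permit tcp any host 192.168.0.0 eq smtp
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \(\S+,\S+\) static (\d+\.\d+\.\d+\.\d+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ \S+ host (\S+)(.*)$")


def mapped_to_real(config: str) -> Dict[str, str]:
    """Map each static NAT mapped (public) address to the object's real host."""
    mapping, real = {}, None
    for line in config.splitlines():
        if OBJ_RE.match(line):
            real = None                      # new object, forget previous host
        elif (m := HOST_RE.match(line)):
            real = m.group(1)
        elif (m := NAT_RE.match(line)) and real:
            mapping[m.group(1)] = real
    return mapping


def audit_acl(config: str) -> List[str]:
    """Flag ACEs that name a mapped address (pre-8.3 style) instead of the real one."""
    mapping = mapped_to_real(config)
    reals = set(mapping.values())
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        dst = m.group(2)
        if dst in mapping:
            findings.append(f"{line.strip()}: mapped address; on 8.3+ use real host {mapping[dst]}")
        elif dst not in reals:
            findings.append(f"{line.strip()}: host {dst} is not a NATed server (network address?)")
    return findings
```

Run `audit_acl(SAMPLE_CONFIG)` to see the two entries that would silently drop the inbound RDP and SMTP traffic.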

Author Comment

by:pfdrinstr
ID: 35048427
Everything works now except inbound email from Exchange. How do I set up the MX record IP address to access inside?
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35054370
An MX record is set up with the help of your DNS provider, the company through which you registered your domain. Ask them to set up an MX record and provide them the public address to which it should point.