Solved

ASA 5510 Email and Terminal issues

Posted on 2011-03-06
4
410 Views
Last Modified: 2012-05-11
I am having two issues:



1. my email going out is working along with internal, but inbound email is not working. My barracuda email filter is 192.168.1.107 and my exchange 2007 is 192.168.1.222 along with this OWA does not work.



2. Terminal Services does not work when I try from the home pc in I get server not available or disconnected





Below is my congig





ASA Version 8.3(1)
!
hostname wsigateway
domain-name wsystems.com
enable password yVSkMxWRc/S396FB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 64.XXX.XXX.XXX 255.XXX.XXX.XXX
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.23.59.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name wsystems.com
object network email_server_static
 host 192.168.1.222
object network wsiftp_static
 host 192.168.1.188
object network terminal1_static
 host 192.168.1.191
object network ram_static
 host 192.168.1.116
object network wsi_internal_lan
 subnet 192.168.0.0 255.255.0.0
object network Baccuda
 host 192.168.1.107
object-group service RDP tcp
 port-object eq 3389
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq smtp
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq ftp
access-list 100 extended permit tcp any host 64..XXX.XXX.XXX eq 3389
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq 162
access-list 100 extended permit tcp any host 64.XXX.XXX.XXX eq https
access-list 100 extended permit tcp any host 192.168.0.0 eq smtp
access-list 100 extended permit tcp any host 192.168.0.0 eq ftp
access-list 100 extended permit tcp any host 192.168.0.0 eq ftp-data
access-list 100 extended permit tcp any host 192.168.0.0 eq pop3
access-list acl_out extended permit tcp any host 192.168.1.222 eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (management,outside) source dynamic any interface
!
object network email_server_static
 nat (inside,outside) static 64.XXX.XXX.XXX
object network wsiftp_static
 nat (inside,outside) static 64.XXX.XXX.XXX
object network terminal1_static
 nat (inside,outside) static 64.XXX.XXX.XXX service tcp 3389 3389
object network ram_static
 nat (inside,outside) static 64.XXX.XXX.XXX
object network wsi_internal_lan
 nat (inside,outside) dynamic interface
object network Baccuda
 nat (any,any) static 64.XXX.XXX.XXX
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 64.XXX.XXX.XXX1
route inside 192.168.0.0 255.255.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.23.59.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:61dd614b76a12c7d8f3ada886d7da8c6
: end
wsigateway#
0
Comment
Question by:pfdrinstr
  • 3
4 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047393
Still trying to get the hang of the new NAT from 8.3 but it should go something like this for (for example) RDP:
 object network  terminal1_static
        host 64.x.x.x
      object network PublicServer_RDP
        host 192.168.1.191
        nat (inside,outside) static terminal1_static
      access-list outside_access_in line 1 extended permit tcp any host 192.168.1.191 eq 3389
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35047487
As I said, getting the hang of it :-~

Try this:

object network  terminal1_static
        host 64.x.x.x
      object network PublicServer_RDP
        host 192.168.1.191
        nat (inside,outside) static terminal1_static
      object service rdp
        service tcp destination eq 3389
      access-list outside_access_in line 1 extended permit object rdp any host 192.168.1.191

0
 

Author Comment

by:pfdrinstr
ID: 35048427
Everything works now except inbound email from exchange. how do I setup MX record ip address tpo access inside.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35054370
An MX record is setup up with the help of your DNS provider, the company through which you registered your domain. Ask them to set up an MX record and provide them the public address to which it should point.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now