• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 442

Inside port visible with OWA and SMTP in DMZ

Hi Experts,

I've been busy the whole weekend configuring an ASA 5505 with Sec+ licence. I have put my OWA (https) and UTM (smtp) in the DMZ. It all works, I can access webmail and the mail flows in and out, but when I check for open ports on the website www.grc.com with ShieldsUP!, ports 25 and 443 are shown open on the inside. In the DMZ that should be normal, but on the inside they should be stealth in my opinion. Also the Ping reply check fails. I'm getting the message: "Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet." I thought this was default behaviour of the ASA, not replying to ping?

With my previous router (CopperJet 1622) I created a similar situation and all was in Stealth mode.
When I disconnect the DMZ cable from the ASA and run the test again, all ports show Stealth but the message about replying to Ping remains.

Could you experts have a look at my config and see what I have misconfigured? I am on ASA version 8.2(1) and ASDM 6.2(1).

Attached to this post you'll find my current config (Asa5505-EE.txt).

Thanks in advance! Your help is highly appreciated!

Attachment: Asa5505-EE.txt
Asked by Hieristie

1 Solution
Ernie BeekCommented:
You are using the interface ip address for forwarding OWA and UTM as well as for natting your LAN to the outside. So when using grc it sees that ports (because it's all on the same public ip).
Let me browse a bit more for the ping part.
max_the_kingCommented:
ASA does not reply on ping, unless you configure it to do that on particular machines (which is not your case)
HieristieAuthor Commented:
@erniebee: This is due to the fact that I have only one static IP from my ISP. Is it at all possible to change the config so that the ports are hidden on the inside, or in other words, is there a need to change the config for security reasons?
Ernie BeekCommented:
There isn't really a need for change. The ports are visible from the outside but point to the dmz. Because you have only one ip those ports will show when doing a scan initiated from the inside. But as said, that scan only shows that the ports are open, not where they are going to.
HieristieAuthor Commented:
Still, it strikes me as odd that with the CopperJet the test showed full stealth mode; why isn't this possible with the ASA? I have the same functionality as I had with the CopperJet: a DMZ for the webmail and UTM and an internal mail server on the inside. Anything on the ping?
Ernie BeekCommented:
Keep in mind that you are testing open ports on your public IP, not on your inside or DMZ IP. If the DMZ is connected, ports 25 and 443 on your public IP are forwarded to 172.100.1.6 and 172.100.1.248 and they respond on their respective ports, hence showing in GRC. If the DMZ is disconnected, the ports are still forwarded but nothing responds (duh), hence not showing in GRC.
I'm not familiar with the copperjet but perhaps that didn't allow incoming connections from everyone (so that the grc address was ignored)? Can't say.

For the ping, try adding: icmp deny any outside

As per Cisco:
The icmp command controls ICMP traffic that terminates on any adaptive security appliance interface. If no ICMP control list is configured, then the adaptive security appliance accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the adaptive security appliance does not respond to ICMP echo requests directed to a broadcast address.
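For readers who want to see the two points of this answer in one place (the single public address doing both the PAT and the port forwards, and the ICMP control list for the outside interface), here is an added ASA 8.2 configuration example. It is not the poster's Asa5505-EE.txt, which is not reproduced on this page. The interface names and security levels, the outside address 203.0.113.5, and the assumption that 25 goes to 172.100.1.6 and 443 to 172.100.1.248 (the order in which the answer lists them) are all mine.

```cisco
! Added example, not the poster's own config. Interface names, security
! levels, the outside address and the port-to-host mapping are assumptions.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.5 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.100.1.1 255.255.255.0
!
! One public address for everything: inside and dmz hosts leave via
! PAT on the outside interface IP.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Port forwards on that same interface IP. This is why a ShieldsUP! scan
! shows 25 and 443 open no matter which segment starts the test: the
! scanner only ever talks to 203.0.113.5.
static (dmz,outside) tcp interface 25 172.100.1.6 25 netmask 255.255.255.255
static (dmz,outside) tcp interface 443 172.100.1.248 443 netmask 255.255.255.255
!
! Inbound ACL on the outside: nothing but the two published services.
! Everything else to the public IP is dropped, which is the "stealth"
! result for all other ports.
access-list outside_access_in extended permit tcp any interface outside eq 25
access-list outside_access_in extended permit tcp any interface outside eq 443
access-group outside_access_in in interface outside
!
! ICMP that terminates on the outside interface itself (to-the-box
! traffic, which the access-group above does not govern). As soon as one
! icmp rule exists there is an implicit deny at the end, so order matters:
! keep type 3 (unreachable) so Path MTU Discovery for IPsec and similar
! keeps working, then deny the rest, including the echo that ShieldsUP!
! sends.
icmp permit any unreachable outside
icmp deny any outside
```

Two caveats a practitioner would check after pasting something like this. First, `show running-config icmp` should list the `permit ... unreachable` line before the `deny`; a lone `icmp deny any outside` also stops the ping reply, but it silently breaks PMTUD for tunnels terminating on the box. Second, the `dmz` interface sits at a lower security level than `inside`, so if the UTM has to relay to the internal mail server mentioned later in the thread, that needs its own explicit `access-list`/`access-group` on `dmz`; the port forwards above only open the outside-to-dmz direction.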
HieristieAuthor Commented:
icmp deny any outside gives the response I was looking for! Thanks for your time and sharing your expertise.
Ernie BeekCommented:
No problem, glad I could help :)
Thx for the points.