albmed7589

asked on

Cisco ASA blocking Exchange

Hey guys, I have a Cisco ASA 5505 and, to be quite honest, I have no idea what I'm doing with it.

Sure, I know how to forward ports and so forth on a regular router, but here where I work we use an ASA that manages NAT rules and our firewall.

Long story short, it's blocking my Exchange server from receiving external emails. I can email internally happily, but I can't get emails from Yahoo, Gmail, AOL and such. Also, Outlook Web Access is being blocked externally from the intranet: I can view and use it inside the intranet but not outside. I can also send emails to external addresses but not receive them.

I've just started using the Cisco ASA and so far the only way I know to interface with it is by using Cisco ASDM.

Worst part is, everything was working fine yesterday, but I deleted some of the rules that seemed out of date in the NAT settings on the ASA.

The Exchange server lives on 10.10.10.20 and this is my config:

: Saved
:
ASA Version 8.4(2) 
!
hostname ORMILA-ASA
enable password oolzv7Sjg9JinOyO encrypted
passwd oolzv7Sjg9JinOyO encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.0.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.199.225.90 255.255.255.248 
!
boot system disk0:/asa842-k8.bin
ftp mode passive
object network MAIL-10.10.10.21
 host 10.10.10.21
object network OBJ-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network MAILHTTPSSL-10.10.10.20
 host 10.10.10.20
object network NETWORK_OBJ_192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network 10.10.10.104
 host 10.10.10.104
object network RDProute
 host 10.10.10.104
 description RDProute
object service RDProute2
 service tcp source eq 3389 destination eq 3389 
 description RDProute2
object network 10.10.10.212
 host 10.10.10.212
 description Cone Cam
object network mail
 host 10.10.10.20
object network 10.10.10.20mx
 host 10.10.10.20
object-group network obj_any
object-group network MXLogic
 network-object 208.65.144.0 255.255.248.0
 network-object 208.81.64.0 255.255.248.0
object-group service RDP tcp
 port-object eq 3389
object-group service Cams tcp
 description Security Cams
 port-object eq 8000
access-list OUTSIDE extended permit tcp any host 10.10.10.21 eq www 
access-list OUTSIDE extended permit tcp any host 10.10.10.21 eq https 
access-list OUTSIDE extended permit tcp any host 10.10.10.21 eq smtp 
access-list OUTSIDE extended permit tcp any host 10.10.10.20 eq www 
access-list OUTSIDE extended permit tcp any host 10.10.10.20 eq https 
access-list OUTSIDE extended permit tcp object-group MXLogic host 10.10.10.20 eq smtp 
access-list split_tunnel extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0 
access-list NETFLOW-EXPORT-ACL extended permit ip any any 
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination outside 204.15.97.243 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu outside 1500
ip local pool DHCP-for-VPN 192.168.1.25-192.168.1.35 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0 NETWORK_OBJ_192.168.1.0
!
object network OBJ-10.0.0.0
 nat (inside,outside) dynamic interface
object network mail
 nat (inside,outside) static 0.0.0.0
object network 10.10.10.20mx
 nat (inside,outside) static MXLogic
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 24.199.225.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http server idle-timeout 30
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host outside 204.15.97.243 community *****
snmp-server location Oakridge, NC
snmp-server contact NITOR NOC 888-357-8880
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set XFORMSET-AES-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set XFORMSET-AES-SHA esp-aes-256 esp-sha-hmac 
crypto dynamic-map CRYPTO-DYN-MAP 30 set ikev1 transform-set XFORMSET-AES-SHA XFORMSET-AES-MD5
crypto dynamic-map CRYPTO-DYN-MAP 30 set security-association lifetime seconds 28800
crypto dynamic-map CRYPTO-DYN-MAP 30 set security-association lifetime kilobytes 4608000
crypto map CRYPTO_MAP 65535 ipsec-isakmp dynamic CRYPTO-DYN-MAP
crypto map CRYPTO_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 des-sha1
webvpn
group-policy OAKRIDGE-TUNNELGROUP internal
group-policy OAKRIDGE-TUNNELGROUP attributes
 dns-server value 10.10.10.4 10.10.10.20
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value ormila.com
username twilliams password MDfDWXozYe2pRqRx encrypted privilege 15
username nitor password d5UTYysRFncPT9j0 encrypted privilege 15
username enable password FeYAF7dLGj2Y64qx encrypted
tunnel-group OAKRIDGE-TUNNELGROUP type remote-access
tunnel-group OAKRIDGE-TUNNELGROUP general-attributes
 address-pool DHCP-for-VPN
 default-group-policy OAKRIDGE-TUNNELGROUP
tunnel-group OAKRIDGE-TUNNELGROUP ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map default-policy
 match default-inspection-traffic
class-map NETFLOW-EXPORT-CLASS
 match access-list NETFLOW-EXPORT-ACL
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect icmp error 
  inspect ip-options 
 class NETFLOW-EXPORT-CLASS
  flow-export event-type all destination 204.15.97.243
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4df68de65004e1c16c6346df061531e0
: end

csg-unit

You are missing the NAT for your mail server to the outside. In ASDM with 8.4 code, you need to go to the object for 10.2.2.21 and add the NAT for the outside IP you are using for mail. Same for 10.2.2.20.
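As an added example, not part of csg-unit's answer or anything else in the thread, this is the CLI equivalent of what that answer describes, written for the host the asker actually named (10.10.10.20) using ASA 8.4 object NAT. Two assumptions not stated in the thread: the public name used for mail and OWA resolves to the outside interface address 24.199.225.90 (if mail has its own public IP from the /29, use that address instead of the `interface` keyword), and 208.65.144.10 is simply an address inside the MXLogic range already in the posted config, used for the packet-tracer check. The object names MAIL-SMTP and MAIL-HTTPS are also mine.

```cisco
! Added example: publish SMTP and HTTPS for Exchange at 10.10.10.20
! on an ASA running 8.4 code. Assumes the outside interface address
! (24.199.225.90) is what the public MX / OWA name points at.
!
! 1. Clear the two static NAT entries the posted config already has for
!    this host. "static 0.0.0.0" maps the server to an address no Internet
!    sender can reach, and two static rules for one real address leave
!    the rule table ambiguous about which translation applies.
object network mail
 no nat (inside,outside) static 0.0.0.0
object network 10.10.10.20mx
 no nat (inside,outside) static MXLogic
!
! 2. Static PAT (port forward) from the outside interface to the host.
!    Object NAT allows one nat line per object, so each published service
!    gets its own object pointing at the same real host.
object network MAIL-SMTP
 host 10.10.10.20
 nat (inside,outside) static interface service tcp smtp smtp
object network MAIL-HTTPS
 host 10.10.10.20
 nat (inside,outside) static interface service tcp https https
!
! 3. Since 8.3 the interface ACL matches the REAL (untranslated) address,
!    so entries written against 10.10.10.20 are the correct form. Keep SMTP
!    limited to the filtering service's ranges if the domain's MX records
!    point at MXLogic; widen to "any" only if mail is delivered directly.
access-list OUTSIDE extended permit tcp object-group MXLogic host 10.10.10.20 eq smtp
access-list OUTSIDE extended permit tcp any host 10.10.10.20 eq https
access-group OUTSIDE in interface outside
!
! 4. Verify from exec mode (not config mode): simulate an inbound SMTP
!    connection from an address in the MXLogic range and confirm the
!    result is "Action: allow" with an UN-NAT phase to 10.10.10.20.
!    Then list the translation and any active xlates.
! packet-tracer input outside tcp 208.65.144.10 40000 24.199.225.90 25
! show nat detail
! show xlate
```

Adding an ACL entry alone, as the asker later tries, changes nothing if the NAT rule is missing: the ASA has to un-translate the destination before it evaluates the interface ACL, and with no matching rule the packet is dropped in the NAT phase. packet-tracer shows exactly which phase drops it, which is the quickest way to tell an ACL problem from a NAT problem. Separately from the mail issue, the posted `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` lines expose ASDM and SSH to the whole Internet; restrict them to the management addresses that need them.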
albmed7589 (ASKER)


It's strange, the Exchange server is on 10.10.10.20. Where did you get those IPs?
SOLUTION
fgasimzade

This solution is only available to members of Experts Exchange.

SOLUTION

This solution is only available to members of Experts Exchange.

I'm guessing 10.10.10.21 is an out-of-date configuration by IT guys of the past, so I've made an access list so any source can use the SMTP port with 10.10.10.20, but I've not noticed any changes.
ASKER CERTIFIED SOLUTION

This solution is only available to members of Experts Exchange.