I am trying to put in a NAT command to open up my Exchange server, which sits on the inside VLAN, to the outside world. I want SMTP, HTTP, and HTTPS traffic translated to the Exchange server.
These are the commands that I used.
I created a network object called Challenger
__________________________
object network challenger
host 192.168.10.72
nat (DMZ,outside) static interface service tcp www www
access-list outside_acl extended permit tcp any object challenger eq www
____________________
I then go into the ASDM GUI and add more TCP services, like HTTPS and SMTP, to the ACL.
I only have a dynamic IP from the ISP, so I need this to continue working if the IP changes. I realize I will have to make changes at GoDaddy to point to the new IP, but it only changes every few months.
I think the traffic is being impeded by the existing dynamic NAT entries for the inside VLAN; this is what allows my computers to access the internet.
:
ASA Version 8.4(4)5
!
hostname cpl
domain-name cpl.clinton.com
names
name 10.10.10.0 DMZ
name 192.168.0.0 Management
name 192.168.10.2 CPLserver
name 192.168.10.0 Inside
name 192.168.10.13 ATLANTIS description DNS
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 11-13
switchport mode trunk
!
interface Ethernet0/2
switchport access vlan 11
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 13
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
nameif default
security-level 10
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan11
description Inside
nameif inside
security-level 90
ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Vlan13
description Management
nameif Management
security-level 100
ip address 192.168.0.1 255.255.255.0
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup Management
dns server-group DefaultDNS
name-server ATLANTIS
domain-name cpl.clinton.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network in_to_out_NAT
subnet 0.0.0.0 0.0.0.0
object network DMZ_to_out_NAT
subnet 10.10.10.0 255.255.255.0
object network MGMT_to_out_NAT
subnet 192.168.0.0 255.255.255.0
object network CPLDHCP
host 192.168.10.2
description DCHP
object network ATLANTIS
host 192.168.10.13
description DNS-fix other dns server
object network DMZ
subnet 10.10.10.0 255.255.255.0
description DMZ
object network CPLManagement
subnet 192.168.0.0 255.255.255.0
description Maintenance Backbone
object network Inside
subnet 192.168.10.0 255.255.255.0
description Inside Network
object network Lyons
subnet 192.168.11.0 255.255.255.0
object network columbus
host 192.168.11.2
object network challenger
host 192.168.10.72
object-group network obj-10.0.1.0
object-group network obj-10.0.2.0
object-group network outside
description Needed for DMZ outside access - Dont know why
network-object object in_to_out_NAT
object-group network INSIDE_VPN
network-object Inside 255.255.255.0
object-group network LYONS_VPN
network-object 192.168.11.0 255.255.255.0
object-group network Management_VPN
network-object Management 255.255.255.0
object-group network DMZ_VPN
network-object DMZ 255.255.255.0
object-group network DM_INLINE_NETWORK_1
group-object INSIDE_VPN
group-object Management_VPN
group-object DMZ_VPN
object-group network LYONSDMZ_VPN
network-object 11.11.11.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
group-object LYONS_VPN
group-object Management_VPN
group-object LYONSDMZ_VPN
object-group network DM_INLINE_NETWORK_3
group-object INSIDE_VPN
group-object Management_VPN
group-object DMZ_VPN
object-group network DM_INLINE_NETWORK_4
group-object LYONS_VPN
group-object Management_VPN
group-object LYONSDMZ_VPN
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq smtp
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list DMZtoInside remark DMZ to DHCP
access-list DMZtoInside extended permit ip object DMZ_to_out_NAT object CPLDHCP
access-list dmz_access_in remark dmz needs access to dns , because CPLDHCP dns is broken at the moment.
access-list dmz_access_in remark DMZ to DHCP
access-list dmz_access_in extended deny ip object DMZ object CPLManagement
access-list dmz_access_in remark dmz needs access to dns , because CPLDHCP dns is broken at the moment.
access-list dmz_access_in extended permit ip object DMZ object ATLANTIS
access-list dmz_access_in_1 extended deny ip object DMZ object CPLManagement
access-list dmz_access_in_1 remark dmz needs access to atlantis's dns, because CPLDHCP dns is broken at the moment
access-list dmz_access_in_1 extended permit ip object DMZ object ATLANTIS
access-list dmz_access_in_1 remark DMZ to DHCP
access-list dmz_access_in_1 extended permit ip object DMZ object CPLDHCP
access-list dmz_access_in_1 extended deny ip object DMZ object Inside
access-list dmz_access_in_1 extended permit ip object DMZ object columbus
access-list dmz_access_in_1 extended deny ip object DMZ object Lyons
access-list dmz_access_in_1 remark allows outside access to dmz
access-list dmz_access_in_1 extended permit ip object DMZ object-group outside
access-list split-tunnel-anyconnect remark split-tunnel routes allows anyconnect users to access inside network.
access-list split-tunnel-anyconnect remark Should fix DNS issue and allow outside internet
access-list split-tunnel-anyconnect standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel-anyconnect remark Allow Management comp to ping Anyconnect users
access-list split-tunnel-anyconnect standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list global_mpc_1 extended permit ip object-group INSIDE_VPN object-group LYONS_VPN
access-list global_mpc extended permit ip object-group INSIDE_VPN object-group LYONS_VPN
access-list global_mpc_2 extended permit ip object-group INSIDE_VPN object-group LYONS_VPN
access-list global_mpc_4 extended permit ip object Inside object-group outside
access-list global_mpc_3 extended permit ip any object-group outside
access-list global_mpc_5 extended permit ip object CPLManagement object-group outside
access-list inside_mpc extended permit ip any object Lyons
access-list outside_acl extended permit tcp any object challenger object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging asdm debugging
mtu default 1500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Management 1500
ip local pool remoteusers 192.168.11.10-192.168.11.249 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any Management
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
!
object network in_to_out_NAT
nat (inside,outside) dynamic interface
object network DMZ_to_out_NAT
nat (dmz,outside) dynamic interface
object network MGMT_to_out_NAT
nat (Management,outside) dynamic interface
object network challenger
nat (dmz,outside) static interface service tcp www www
access-group dmz_access_in_1 in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTSERVERAUTH protocol nt
aaa-server NTSERVERAUTH (inside) host ATLANTIS
timeout 5
nt-auth-domain-controller cpl.clinton.com
user-identity default-domain LOCAL
http server enable
http Management 255.255.255.0 Management
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal test
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map lyons.dnsget.org 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer *********
crypto map outside_map 1 set ikev1 transform-set L2L
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=cpl
proxy-ldc-issuer
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.0.200 255.255.255.255 Management
telnet 192.168.0.201 255.255.255.255 Management
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
vpnclient server cpl.dnsget.org
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
dhcpd auto_config outside
!
dhcprelay server CPLserver inside
dhcprelay enable dmz
dhcprelay enable Management
dhcprelay timeout 60
priority-queue outside
priority-queue inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server ATLANTIS source inside prefer
webvpn
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.10.13
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value cpl.clinton.com
group-policy GroupPolicy_********* internal
group-policy GroupPolicy_********* attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group ********* type ipsec-l2l
tunnel-group ********* general-attributes
default-group-policy GroupPolicy_
tunnel-group *********1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map DM_INLINE_Child-Class1
description QOS outside
match access-list global_mpc_3
class-map inside-class
match access-list inside_mpc
class-map DM_INLINE_Child-Class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map DM_INLINE_Child-Policy
class DM_INLINE_Child-Class
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
policy-map inside-policy
class class-default
shape average 64000 64000
service-policy DM_INLINE_Child-Policy
policy-map DM_INLINE_Child-Policy1
class DM_INLINE_Child-Class1
priority
policy-map inside-policyQOS
class inside-class
police input 512000 1500
police output 512000 1500
!
service-policy global_policy global
service-policy inside-policyQOS interface inside
smtp-server 207.28.234.63
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:5bebfa83871eac7939681ffd82f879b6
: end
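The detail a reviewer would flag in the posted config is that the object `challenger` (host 192.168.10.72) lives on the inside VLAN 11 subnet, while its object NAT names `dmz` as the real interface. The following script is an added example, not from the post or from Cisco: it parses a constructed excerpt of that running config and reports object NAT rules whose real interface does not own the host's subnet, assuming the `show running-config` layout shown above.

```python
import ipaddress
import re

# Constructed excerpt of the running config from the post (interfaces, object, NAT only).
CONFIG = """\
interface Vlan11
 nameif inside
 ip address 192.168.10.1 255.255.255.0
interface Vlan12
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
object network challenger
 host 192.168.10.72
object network challenger
 nat (dmz,outside) static interface service tcp www www
"""

def parse_asa(config):
    """Return ({nameif: network}, {object: host}, [(object, real_ifc, mapped_ifc)])."""
    ifcs, hosts, nats, nameif, obj = {}, {}, [], None, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            nameif = None                      # new interface block starts
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif and len(t) >= 4 and t[2][0].isdigit():
            ifcs[nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[:2] == ["object", "network"]:
            obj = t[2]                         # object declaration or its NAT section
        elif t[0] == "host" and obj:
            hosts[obj] = ipaddress.ip_address(t[1])
        elif t[0] == "nat" and obj and (m := re.match(r"\((\w+),(\w+)\)", t[1])):
            nats.append((obj, m.group(1), m.group(2)))
    return ifcs, hosts, nats

def nat_interface_mismatches(config):
    """Object NAT rules whose real (first) interface does not own the host's subnet."""
    ifcs, hosts, nats = parse_asa(config)
    problems = []
    for obj, real, mapped in nats:
        host = hosts.get(obj)
        owner = next((n for n, net in ifcs.items() if host and host in net), None)
        if owner and owner.lower() != real.lower():
            problems.append((obj, str(host), real, owner))
    return problems
```

Running `nat_interface_mismatches(CONFIG)` flags `challenger` as a host on `inside` whose NAT is written for `dmz`; the same check returns nothing once the rule reads `(inside,outside)`.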
Have you looked at this KB article?
http://support.microsoft.com/kb/320027
Also, most ISPs block SMTP traffic when you have a dynamic IP. Have you verified this is working?