Solved

ASA5505 - Open Exchange server to outside interface (dynamic IP)

Posted on 2013-12-07
1,140 Views
Last Modified: 2013-12-17
I am trying to put in a NAT command to open up my Exchange server, which sits on the inside VLAN, to the outside world.  I want SMTP, HTTP, and HTTPS traffic translated to the Exchange server.

These are the commands that I used.  
I created a network object called Challenger

__________________________
object network challenger
host 192.168.10.72
nat (DMZ,outside) static interface service tcp www www

access-list outside_acl extended permit tcp any object challenger eq www

____________________

I then go into the ASDM GUI and add more TCP services, like HTTPS and SMTP, to the ACL.

I only have a dynamic IP from the ISP; I need this to continue working if the IP changes.  I realize I will have to make changes at GoDaddy to point to the new IP, but it only changes every few months.

I think the traffic is being impeded by the existing dynamic NAT entries for the inside VLAN; this is what allows my computers to access the internet.

:
ASA Version 8.4(4)5
!
hostname cpl
domain-name cpl.clinton.com

names
name 10.10.10.0 DMZ
name 192.168.0.0 Management
name 192.168.10.2 CPLserver
name 192.168.10.0 Inside
name 192.168.10.13 ATLANTIS description DNS
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport trunk allowed vlan 11-13
 switchport mode trunk
!
interface Ethernet0/2
 switchport access vlan 11
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 13
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif default
 security-level 10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan11
 description Inside
 nameif inside
 security-level 90
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan12
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan13
 description Management
 nameif Management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns domain-lookup Management
dns server-group DefaultDNS
 name-server ATLANTIS
 domain-name cpl.clinton.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network in_to_out_NAT
 subnet 0.0.0.0 0.0.0.0
object network DMZ_to_out_NAT
 subnet 10.10.10.0 255.255.255.0
object network MGMT_to_out_NAT
 subnet 192.168.0.0 255.255.255.0
object network CPLDHCP
 host 192.168.10.2
 description DCHP
object network ATLANTIS
 host 192.168.10.13
 description DNS-fix other dns server
object network DMZ
 subnet 10.10.10.0 255.255.255.0
 description DMZ
object network CPLManagement
 subnet 192.168.0.0 255.255.255.0
 description Maintenance Backbone
object network Inside
 subnet 192.168.10.0 255.255.255.0
 description Inside Network
object network Lyons
 subnet 192.168.11.0 255.255.255.0
object network columbus
 host 192.168.11.2
object network challenger
 host 192.168.10.72
object-group network obj-10.0.1.0
object-group network obj-10.0.2.0
object-group network outside
 description Needed for DMZ outside access - Dont know why
 network-object object in_to_out_NAT
object-group network INSIDE_VPN
 network-object Inside 255.255.255.0
object-group network LYONS_VPN
 network-object 192.168.11.0 255.255.255.0
object-group network Management_VPN
 network-object Management 255.255.255.0
object-group network DMZ_VPN
 network-object DMZ 255.255.255.0
object-group network DM_INLINE_NETWORK_1
 group-object INSIDE_VPN
 group-object Management_VPN
 group-object DMZ_VPN
object-group network LYONSDMZ_VPN
 network-object 11.11.11.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 group-object LYONS_VPN
 group-object Management_VPN
 group-object LYONSDMZ_VPN
object-group network DM_INLINE_NETWORK_3
 group-object INSIDE_VPN
 group-object Management_VPN
 group-object DMZ_VPN
object-group network DM_INLINE_NETWORK_4
 group-object LYONS_VPN
 group-object Management_VPN
 group-object LYONSDMZ_VPN
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list INSIDE-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list DMZ-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list MANAGEMENT-NAT0 remark NO NAT between Local Networks
access-list DMZtoInside remark DMZ to DHCP
access-list DMZtoInside extended permit ip object DMZ_to_out_NAT object CPLDHCP
access-list dmz_access_in remark dmz needs access to dns , because CPLDHCP dns is broken at the moment.
access-list dmz_access_in remark DMZ to DHCP
access-list dmz_access_in extended deny ip object DMZ object CPLManagement
access-list dmz_access_in remark dmz needs access to dns , because CPLDHCP dns is broken at the moment.
access-list dmz_access_in extended permit ip object DMZ object ATLANTIS
access-list dmz_access_in_1 extended deny ip object DMZ object CPLManagement
access-list dmz_access_in_1 remark dmz needs access to atlantis's dns, because CPLDHCP dns is broken at the moment
access-list dmz_access_in_1 extended permit ip object DMZ object ATLANTIS
access-list dmz_access_in_1 remark DMZ to DHCP
access-list dmz_access_in_1 extended permit ip object DMZ object CPLDHCP
access-list dmz_access_in_1 extended deny ip object DMZ object Inside
access-list dmz_access_in_1 extended permit ip object DMZ object columbus
access-list dmz_access_in_1 extended deny ip object DMZ object Lyons
access-list dmz_access_in_1 remark allows outside access to dmz
access-list dmz_access_in_1 extended permit ip object DMZ object-group outside
access-list split-tunnel-anyconnect remark split-tunnel routes allows anyconnect users to access inside network.
access-list split-tunnel-anyconnect remark Should fix DNS issue and allow outside internet
access-list split-tunnel-anyconnect standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel-anyconnect remark Allow Management comp to ping Anyconnect users
access-list split-tunnel-anyconnect standard permit 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4
access-list global_mpc_1 extended permit ip object-group INSIDE_VPN object-group LYONS_VPN
access-list global_mpc extended permit ip object-group INSIDE_VPN object-group LYONS_VPN
access-list global_mpc_2 extended permit ip object-group INSIDE_VPN object-group LYONS_VPN
access-list global_mpc_4 extended permit ip object Inside object-group outside
access-list global_mpc_3 extended permit ip any object-group outside
access-list global_mpc_5 extended permit ip object CPLManagement object-group outside
access-list inside_mpc extended permit ip any object Lyons
access-list outside_acl extended permit tcp any object challenger object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging asdm debugging
mtu default 1500
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu Management 1500
ip local pool remoteusers 192.168.11.10-192.168.11.249 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
icmp permit any Management
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
!
object network in_to_out_NAT
 nat (inside,outside) dynamic interface
object network DMZ_to_out_NAT
 nat (dmz,outside) dynamic interface
object network MGMT_to_out_NAT
 nat (Management,outside) dynamic interface
object network challenger
 nat (dmz,outside) static interface service tcp www www
access-group dmz_access_in_1 in interface dmz
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTSERVERAUTH protocol nt
aaa-server NTSERVERAUTH (inside) host ATLANTIS
 timeout 5
 nt-auth-domain-controller cpl.clinton.com
user-identity default-domain LOCAL
http server enable
http Management 255.255.255.0 Management
http 192.168.11.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal test
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map lyons.dnsget.org 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer *********
crypto map outside_map 1 set ikev1 transform-set L2L
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=cpl
 proxy-ldc-issuer
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.200 255.255.255.255 Management
telnet 192.168.0.201 255.255.255.255 Management
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
vpnclient server cpl.dnsget.org
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect

dhcpd auto_config outside
!
dhcprelay server CPLserver inside
dhcprelay enable dmz
dhcprelay enable Management
dhcprelay timeout 60
priority-queue outside
priority-queue inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server ATLANTIS source inside prefer
webvpn
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.10.13
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value cpl.clinton.com
group-policy GroupPolicy_********* internal
group-policy GroupPolicy_********* attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1

tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group ********* type ipsec-l2l
tunnel-group ********* general-attributes
 default-group-policy GroupPolicy_
tunnel-group *********1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map DM_INLINE_Child-Class1
 description QOS outside
 match access-list global_mpc_3
class-map inside-class
 match access-list inside_mpc
class-map DM_INLINE_Child-Class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map DM_INLINE_Child-Policy
 class DM_INLINE_Child-Class
  priority
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map inside-policy
 class class-default
  shape average 64000 64000
  service-policy DM_INLINE_Child-Policy
policy-map DM_INLINE_Child-Policy1
 class DM_INLINE_Child-Class1
  priority
policy-map inside-policyQOS
 class inside-class
  police input 512000 1500
  police output 512000 1500
!
service-policy global_policy global
service-policy inside-policyQOS interface inside
smtp-server 207.28.234.63
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:5bebfa83871eac7939681ffd82f879b6
: end
Question by:clintonpubliclibrary
5 Comments
 
LVL 24

Expert Comment

by:DMTechGrooup
Is anything getting through? HTTP?

Have you looked at this KB article?

http://support.microsoft.com/kb/320027

Also, most ISPs block SMTP traffic when you have a dynamic IP; have you verified this is working?
0
 

Accepted Solution

by: clintonpubliclibrary earned 0 total points
Finally found an example that fixed my situation.


access-list OutsideAllowedIn extended permit tcp any host 192.168.10.72 eq 25
access-group OutsideAllowedIn in interface outside
object network Challenger
host 192.168.10.72
object network Challenger
nat (inside,outside) static interface service tcp 25 25
object network my-inside-net
subnet 192.168.10.0 255.255.255.0
nat (inside,outside) dynamic interface

The strange thing is, if I try to duplicate the same entries using the ASDM GUI, it gives me an error saying I can't use the outside interface in my dynamic PAT (hide), yet the CLI takes it with no complaints.
0
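The accepted fix differs from the original attempt in two places: the object NAT rule is now `nat (inside,outside)` rather than `nat (dmz,outside)`, which matters because 192.168.10.72 lives on the inside VLAN (192.168.10.0/24), not the DMZ; and the permitting ACL is now bound to the outside interface with `access-group`, whereas `outside_acl` in the question was never applied anywhere. As an added example (not code from the thread, from Cisco, or from ASDM), the Python lint below reads an ASA 8.3+ `show run` excerpt and flags exactly those two mistakes. The two samples are constructed excerpts of the config posted in the question and in this answer; the regular expressions cover only the commands the checks need and are simplified (the destination of an ACL entry is taken as the last `object`/`host` token on the line).

```python
"""Lint Cisco ASA 8.3+ object NAT for the two mistakes seen in the thread.

Check 1: the object's host must sit on the real (source) interface named in
         nat (real,mapped); 192.168.10.72 is on inside, not dmz.
Check 2: an ACL that permits inbound traffic to the host must be applied with
         access-group on the mapped interface (outside), or nothing reaches it.
Added example, not part of the thread or of any Cisco tooling.
"""
import ipaddress
import re

IFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif\s+(\S+)")
IPADDR_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")
OBJ_RE = re.compile(r"^object network\s+(\S+)")
HOST_RE = re.compile(r"^\s+host\s+(\S+)")
NAT_RE = re.compile(r"^\s+nat\s+\((\S+?),(\S+?)\)\s+static\s+interface")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\b")
DEST_RE = re.compile(r"\b(?:object|host)\s+(\S+)")  # last match on the line = destination
AG_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")

# Constructed excerpt of the config posted in the question (the failing state).
SAMPLE_BEFORE = """\
interface Vlan11
 nameif inside
 ip address 192.168.10.1 255.255.255.0
interface Vlan12
 nameif dmz
 ip address 10.10.10.1 255.255.255.0
object network challenger
 host 192.168.10.72
object network challenger
 nat (dmz,outside) static interface service tcp www www
access-list outside_acl extended permit tcp any object challenger eq www
access-group dmz_access_in_1 in interface dmz
"""

# Constructed excerpt of the accepted solution (the working state).
SAMPLE_AFTER = """\
interface Vlan11
 nameif inside
 ip address 192.168.10.1 255.255.255.0
object network Challenger
 host 192.168.10.72
object network Challenger
 nat (inside,outside) static interface service tcp 25 25
access-list OutsideAllowedIn extended permit tcp any host 192.168.10.72 eq 25
access-group OutsideAllowedIn in interface outside
"""


def parse_asa(text):
    """Pull out interfaces, object hosts, static object-NAT rules, ACLs and bindings."""
    blocks, hosts, nat_rules, acl_dests, bound = {}, {}, [], {}, {}
    cur_iface = cur_obj = None
    for line in text.splitlines():
        if not line.startswith(" "):  # any top-level command ends the current block
            cur_iface = cur_obj = None
        m = IFACE_RE.match(line)
        if m:
            cur_iface = m.group(1)
            blocks.setdefault(cur_iface, {})
            continue
        m = OBJ_RE.match(line)
        if m:
            cur_obj = m.group(1)  # ASA repeats the object header before its nat line
            continue
        m = ACL_RE.match(line)
        if m:
            dests = DEST_RE.findall(line)
            if dests:
                acl_dests.setdefault(m.group(1), set()).add(dests[-1])
            continue
        m = AG_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        if cur_iface:
            m = NAMEIF_RE.match(line)
            if m:
                blocks[cur_iface]["nameif"] = m.group(1)
            m = IPADDR_RE.match(line)
            if m:  # "ip address dhcp" on outside does not match and is skipped
                blocks[cur_iface]["net"] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cur_obj:
            m = HOST_RE.match(line)
            if m:
                hosts[cur_obj] = m.group(1)
            m = NAT_RE.match(line)
            if m:
                nat_rules.append((cur_obj, m.group(1), m.group(2)))
    ifaces = {b["nameif"]: b["net"] for b in blocks.values()
              if "nameif" in b and "net" in b}
    return {"ifaces": ifaces, "hosts": hosts, "nat_rules": nat_rules,
            "acl_dests": acl_dests, "bound": bound}


def lint(text):
    """Return one finding string per problem; an empty list means both checks pass."""
    cfg = parse_asa(text)
    findings = []
    for obj, real_if, mapped_if in cfg["nat_rules"]:
        host = cfg["hosts"].get(obj)
        if host is None:
            findings.append(f"{obj}: static NAT rule but the object has no host")
            continue
        net = cfg["ifaces"].get(real_if)
        if net is None:
            findings.append(f"{obj}: real interface '{real_if}' has no nameif or address")
        elif ipaddress.ip_address(host) not in net:
            findings.append(f"{obj}: host {host} is not on '{real_if}' ({net}); "
                            f"the NAT rule names the wrong real interface")
        refs = [acl for acl, dests in cfg["acl_dests"].items()
                if obj in dests or host in dests]
        if not refs:
            findings.append(f"{obj}: no access-list permits inbound traffic to {host}")
        for acl in refs:
            if cfg["bound"].get(acl) != mapped_if:
                findings.append(f"{obj}: access-list {acl} is not applied inbound on "
                                f"'{mapped_if}' (missing access-group)")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, lint(sample) or "OK")
```

Run against the full `show run` from the question, the same checks fire, because `outside_acl` is never bound by an `access-group` and the real interface is wrong. The lint does not cover the separate constraint that an object NAT rule carries a single `service`, so exposing www, https and smtp as the question asked for takes one network object per port, each with the same host.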
 
LVL 24

Expert Comment

by:DMTechGrooup
I'm glad you figured it out, but I guess my reply was not answering or even attempting to help you. Sorry.
0
 

Author Closing Comment

by:clintonpubliclibrary
No one else answered my question or even attempted to help troubleshoot it.  I figured it out on my own.
0
 

Author Comment

by:clintonpubliclibrary
I apologize for the poor comment.  I was frustrated that I couldn't resolve a seemingly simple port forwarding task in a timely manner.  I apologize that I came off as unprofessional and rude.  DMTechgroup did try to help.
0
