Solved

Allow Port 587 Traffic Out on ASA5505

Posted on 2014-02-08
Last Modified: 2014-02-09
I need to send email from the inside to outside over port 587.  In other words, allow email to go out port 587 from any computer on the inside.  I am new to the ASA.  Can someone help me with the command to run on my ASA to open that port?  Below is my running config:

vpn(config)# sh running-config
: Saved
:
ASA Version 8.2(1)
!
no names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 11.111.11 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
regex blockex1 "/tumblr/"
regex blockex2 "tumblr\.com"
boot system disk0:/asa821.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name technologyblends.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 11.111.11 eq ftp
access-list outside-access-in extended permit tcp any host 11.111.11 eq https
access-list outside-access-in extended permit tcp any host 11.111.11 eq ftp-data
access-list outside-access-in extended permit tcp any host 11.111.11 range 5000 5010
access-list INSIDE extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.6 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.6 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.1.6 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 5001 192.168.1.6 5001 netmask 255.255.255.255
static (inside,outside) tcp interface 5002 192.168.1.6 5002 netmask 255.255.255.255
static (inside,outside) tcp interface 5003 192.168.1.6 5003 netmask 255.255.255.255
static (inside,outside) tcp interface 5004 192.168.1.6 5004 netmask 255.255.255.255
static (inside,outside) tcp interface 5005 192.168.1.6 5005 netmask 255.255.255.255
static (inside,outside) tcp interface 5006 192.168.1.6 5006 netmask 255.255.255.255
static (inside,outside) tcp interface 5007 192.168.1.6 5007 netmask 255.255.255.255
static (inside,outside) tcp interface 5008 192.168.1.6 5008 netmask 255.255.255.255
static (inside,outside) tcp interface 5009 192.168.1.6 5009 netmask 255.255.255.255
static (inside,outside) tcp interface 5010 192.168.1.6 5010 netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 11.111.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool

tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
!
!
policy-map type inspect http block-tmb-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 class global-class
  inspect pptp
  inspect http block-tmb-policy
  inspect ipsec-pass-thru
  inspect icmp
!

: end

Question by:obautista
2 Comments
Accepted Solution
by: ffleisma (LVL 9, earned 500 total points)
ID: 39845056
As shown in your configuration:

ACL:
access-list INSIDE extended permit ip any any

access-group INSIDE in interface inside

This is basically allowing everything (any source, any destination, any port).

NAT:
global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

Now this is basically NATing everything.

So basically, traffic towards port 587 should already be allowed in the firewall. But if you would like a more specific command, you can apply the following:

access-list INSIDE line 1 extended permit tcp any any eq 587

"line 1" puts it at the top of the current "INSIDE" ACL.
This allows source "any" to destination "any" with TCP destination port equal to 587.

Since the FW is currently allowing everything, adding the ACL should not make any difference. But later on you should consider limiting the allowed source, or limiting traffic going to the internet to ports 80 (http), 443 (https), snmp, etc. In the current network state, if someone plugs in a torrent PC, it can download from your network :-)

Hope this helps, and let me know if you have any more questions.
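
To make the first-match ACL logic in the accepted answer concrete, the following Python evaluator is added to this thread (it is not code from the original post or from Cisco). It parses only the small subset of ASA extended-ACL syntax used here, honours the "line N" insertion the answer suggests, and compares the current "INSIDE" ACL with a tightened variant that limits the source to the inside subnet and the destination ports to 587/80/443; the sample inside host 192.168.1.50 and outside host 203.0.113.25 are constructed values.

```python
# Toy first-match evaluator for ASA 'access-list NAME [line N] extended' entries. Handles only
# the syntax this thread uses: ip/tcp/udp, any | host A | NET MASK, numeric 'eq P' / 'range LO HI'.
import ipaddress

def _addr(tok, i):  # -> (network, index of the next token)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(text):
    tok = text.split()                      # tok[0]='access-list', tok[1]=ACL name
    i, line = 2, None
    if tok[i] == "line":                    # 'line N' inserts the ACE at position N
        line, i = int(tok[i + 1]), i + 2
    action, proto = tok[i + 1], tok[i + 2]  # tok[i] is the keyword 'extended'
    src, i = _addr(tok, i + 3)
    dst, i = _addr(tok, i)
    ports = None                            # None = any destination port
    if i < len(tok) and tok[i] == "eq":
        ports = (int(tok[i + 1]),) * 2
    elif i < len(tok) and tok[i] == "range":
        ports = (int(tok[i + 1]), int(tok[i + 2]))
    return {"line": line, "action": action, "proto": proto, "src": src, "dst": dst, "ports": ports}

def build_acl(lines):
    acl = []
    for ace in map(parse_ace, lines):
        acl.insert(len(acl) if ace["line"] is None else ace["line"] - 1, ace)
    return acl

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching ACE); index None = the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["ports"] and (dport is None or not ace["ports"][0] <= dport <= ace["ports"][1]):
            continue
        return ace["action"], idx
    return "deny", None

# The thread's INSIDE ACL plus the answer's suggested 'line 1' entry.
CURRENT_INSIDE = build_acl(["access-list INSIDE extended permit ip any any",
                            "access-list INSIDE line 1 extended permit tcp any any eq 587"])
# A tightened version along the lines the answer recommends (constructed here): inside subnet only, 587/80/443.
TIGHTENED_INSIDE = build_acl(
    [f"access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any eq {p}" for p in (587, 80, 443)]
    + ["access-list INSIDE extended deny ip any any"])
```

With the current ACL a TCP flow to port 6881 from any inside host still matches the "permit ip any any" entry, which is the torrent point the answer makes; with the tightened ACL it falls through to the explicit deny.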
Author Closing Comment

by:obautista
ID: 39845430
Thank you