Solved

Allow Port 587 Traffic Out on ASA5505

Posted on 2014-02-08
Last Modified: 2014-02-09
I need to send email from the inside to outside over port 587.  In other words, allow email to go out port 587 from any computer on the inside.  I am new to the ASA.  Can someone help me with the command to run on my ASA to open that port?  Below is my running config:

vpn(config)# sh running-config
: Saved
:
ASA Version 8.2(1)
!
no names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 11.111.11 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
regex blockex1 "/tumblr/"
regex blockex2 "tumblr\.com"
boot system disk0:/asa821.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name technologyblends.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 11.111.11 eq ftp
access-list outside-access-in extended permit tcp any host 11.111.11 eq https

access-list outside-access-in extended permit tcp any host 11.111.11 eq ftp-data
access-list outside-access-in extended permit tcp any host 11.111.11 range 5000 5010
access-list INSIDE extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.6 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.6 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.6 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.1.6 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 5001 192.168.1.6 5001 netmask 255.255.255.255
static (inside,outside) tcp interface 5002 192.168.1.6 5002 netmask 255.255.255.255
static (inside,outside) tcp interface 5003 192.168.1.6 5003 netmask 255.255.255.255
static (inside,outside) tcp interface 5004 192.168.1.6 5004 netmask 255.255.255.255
static (inside,outside) tcp interface 5005 192.168.1.6 5005 netmask 255.255.255.255
static (inside,outside) tcp interface 5006 192.168.1.6 5006 netmask 255.255.255.255
static (inside,outside) tcp interface 5007 192.168.1.6 5007 netmask 255.255.255.255
static (inside,outside) tcp interface 5008 192.168.1.6 5008 netmask 255.255.255.255
static (inside,outside) tcp interface 5009 192.168.1.6 5009 netmask 255.255.255.255
static (inside,outside) tcp interface 5010 192.168.1.6 5010 netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 11.111.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.02040-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool

tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map type inspect http match-any block-url-class
 match request uri regex blockex1
 match request header host regex blockex2
!
!
policy-map type inspect http block-tmb-policy
 parameters
 class block-url-class
  drop-connection log
policy-map global_policy
 class global-class
  inspect pptp
  inspect http block-tmb-policy
  inspect ipsec-pass-thru
  inspect icmp
!

: end

Question by:obautista
2 Comments
 
Accepted Solution

by:
ffleisma earned 500 total points
ID: 39845056
As shown from your configuration:

ACL:
access-list INSIDE extended permit ip any any

access-group INSIDE in interface inside


This is basically allowing everything (any source, any destination, any ports).

NAT:
global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0


Now this is basically NATing everything.

So basically, traffic towards port 587 should already be allowed in the firewall. But if you would like a more specific command, you can apply the following:

access-list INSIDE line 1 extended permit tcp any any eq 587


"line 1" puts it on top of the current "INSIDE" ACL.
This allows source "any" to destination "any" with a TCP destination port equal to 587.

Since the FW is currently allowing everything, adding the ACL should not make any difference. But later on you should consider limiting the allowed source, or limiting traffic going to the internet to ports 80 (HTTP), 443 (HTTPS), SNMP, etc. In the current network state, if someone plugs in a torrent PC, it can download from your network :-)

Hope this helps, and let me know if you have any more questions.
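The tightened egress policy the answer recommends for later, written out as an added example in the ASA 8.2 syntax of the posted config; this is not part of ffleisma's reply. It assumes 192.168.1.0/24 is the only inside subnet, that the 10.10.10.0/24 VPN pool from the config must stay reachable, that DNS and NTP are the only UDP services needed, and the object-group name EGRESS-TCP is made up for the example.

```cisco
! Added example (not from the original answer): replace the blanket
! "permit ip any any" on the INSIDE ACL with an explicit egress policy.
! Assumes ASA 8.2 syntax, inside subnet 192.168.1.0/24 and the VPN
! pool 10.10.10.0/24 already present in the posted config.
!
! Allowed outbound TCP ports live in one service object-group, so adding
! a port later is one line instead of a new ACL entry.
object-group service EGRESS-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq 587
!
! Append the specific permits first: the old "permit ip any any" is still
! line 1, so nothing is cut off while the new lines are being entered.
access-list INSIDE remark inside clients to the internet
access-list INSIDE extended permit tcp 192.168.1.0 255.255.255.0 any object-group EGRESS-TCP
access-list INSIDE extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE extended permit udp 192.168.1.0 255.255.255.0 any eq ntp
! Inside hosts still need to reach the remote-access VPN clients.
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
! Explicit deny with logging: every blocked flow shows up in syslog,
! which is how an unexpected torrent box or mass-mailing host gets noticed.
access-list INSIDE extended deny ip any any log
!
! Only now remove the blanket permit; the logged deny becomes the final
! match instead of the silent implicit deny.
no access-list INSIDE extended permit ip any any
!
! Verify the order and watch the hit counts, especially on the deny line.
show access-list INSIDE
```

To allow port 587 from a single mail host instead of the whole subnet, replace the source `192.168.1.0 255.255.255.0` on the EGRESS-TCP line with `host <mail-host-ip>` and move 587 out of the object-group into that line.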

Author Closing Comment

by:obautista
ID: 39845430
Thank you
