I'm implementing a new Cisco ASA 5506 and I'm unable to get port forwarding for HTTPS and SMTP to work. In the Access Rules area I can see that I am getting port hits on the rules, but the pass-through from the outside to the inside is failing.
Following are the general config details I have at the moment. Thank you for any assistance you might be able to offer.
:
: Serial Number: ##########
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 03:46:58.616 CDT Wed Sep 7 2016
!
ASA Version 9.5(1)
!
hostname FIREWALL
domain-name domain.com
enable password ***************
names
ip local pool Mail_Datacenter_VPN_Pool 10.0.1.225-10.0.1.245 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Datacenter subnet 1
nameif outside
security-level 0
ip address XX.XX.XX.76 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.1.100.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.100.20 inside
name-server 10.1.100.21 inside
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MSG1
host 10.1.100.30
object network MSG2
host 10.1.100.31
object network MSG3
host 10.1.100.32
object network obj_Mail_Datacenter
subnet 10.1.100.0 255.255.255.0
object network obj_Remote
subnet 10.0.0.0 255.255.255.0
object network obj_Ouside_smtp
host 10.1.100.30
object network obj_MSG1_smtp
host 10.1.100.30
object network 10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj_Remote_Network
subnet 10.0.0.0 255.255.255.0
object service mapped_SMTP_2500
service tcp destination eq 2500
object network obj_MSG1_https
host 10.1.100.30
object network InsideOut
subnet 10.1.1.0 255.255.255.0
object network obj_XX.XX.XX.78
host XX.XX.XX.78
object network outside-network2
subnet XX.XX.XX.80 255.255.255.248
object network outside-network
subnet XX.XX.XX.72 255.255.255.248
object network obj_MailServer_outside
host XX.XX.XX.74
object network General_Datacenter
subnet 10.1.1.0 255.255.255.0
object network obj_Outside_https
host 10.1.100.30
object-group network DM_INLINE_NETWORK_1
network-object object obj_MSG1_https
network-object object obj_Outside_https
network-object object obj_Ouside_smtp
access-list inside_access_in extended permit tcp any object obj_MSG1_smtp eq smtp inactive
access-list inside_access_in extended permit ip object obj_Mail_Datacenter object 10.0.0.0
access-list inside_access_in extended permit ip object Mail_Datacenter any
access-list outside_cryptomap_1 extended permit ip object obj_Mail_Datacenter object obj_RemoteNet
access-list outside_cryptomap_2 extended permit ip object obj_Mail_Datacenter object obj_Remote_Network
access-list outside_access_in extended permit tcp any object MSG1 eq https
access-list outside_access_in extended permit tcp any object MSG1 eq smtp
access-list outside_authentication extended deny tcp any4 object-group DM_INLINE_NETWORK_1 eq https
access-list outside_authentication extended deny tcp any4 object obj_MSG1_smtp eq smtp
access-list outside_authentication extended deny tcp any4 object obj_Ouside_smtp
access-list outside_authentication extended permit tcp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network obj_Ouside_smtp
nat (outside,inside) static XX.XX.XX.74 service tcp smtp smtp
object network Indiana_Datacenter
nat (inside,outside) dynamic XX.XX.XX.77
object network obj_Outside_https
nat (inside,outside) static XX.XX.XX.75 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server DC protocol ldap
aaa-server DC (inside) host 10.1.100.20
timeout 5
ldap-base-dn dc=domain.com
ldap-scope subtree
server-type auto-detect
aaa-server DC (inside) host 10.1.100.21
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
server-type microsoft
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host Blah.duosecurity.com
server-port 636
ldap-base-dn dc=BLAH,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password ####
ldap-login-dn dc=####,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication match outside_authentication outside DC
http server enable 444
http 10.1.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn FIREWALL
subject-name CN=FIREWALL
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
quit
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
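Editor's note on the posted NAT section. The stanza `object network obj_Ouside_smtp` / `nat (outside,inside) static XX.XX.XX.74 service tcp smtp smtp` names `outside` as the real interface and `inside` as the mapped one, yet the object's real address (10.1.100.30) sits on the inside subnet and XX.XX.XX.74 sits on the outside /29. In ASA object NAT the pair is `nat (real_ifc,mapped_ifc)`, so as written this rule translates nothing for inbound SMTP; the HTTPS stanza a few lines below uses the `(inside,outside)` direction that inbound forwarding needs. The following script is an added example, not part of the original post or any Cisco tooling: a small lint that parses the interface, object and object-NAT sections of a `show running-config` and flags a static object NAT whose interface pair is reversed relative to where its addresses actually live. The sample config is constructed to mirror the posted stanzas, with RFC 5737 documentation addresses (203.0.113.x) standing in for the redacted XX.XX.XX.x values; it only understands object NAT (`nat` under `object network`), not twice NAT.

```python
"""Lint Cisco ASA object-NAT direction against the interfaces' connected subnets.

Added example (not from the original post). Addresses in SAMPLE_CONFIG are
constructed: 203.0.113.x stands in for the post's redacted XX.XX.XX.x outside /29.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.76 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.100.1 255.255.255.0
!
object network obj_Ouside_smtp
 host 10.1.100.30
object network obj_Outside_https
 host 10.1.100.30
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
object network obj_any
 nat (any,outside) dynamic interface
object network obj_Ouside_smtp
 nat (outside,inside) static 203.0.113.74 service tcp smtp smtp
object network obj_Outside_https
 nat (inside,outside) static 203.0.113.75 service tcp https https
"""


@dataclass
class NatRule:
    obj: str         # name of the object network the nat line hangs off
    real_ifc: str    # first name in nat (real,mapped)
    mapped_ifc: str  # second name in nat (real,mapped)
    mode: str        # "static" or "dynamic"
    mapped: str      # mapped address, or the keyword "interface"
    tail: str        # remainder of the line, e.g. " service tcp smtp smtp"


@dataclass
class Finding:
    obj: str
    message: str
    fix: str         # suggested replacement nat line ("" if none)


_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)(?:\s.*)?$")
_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (static|dynamic) (\S+)(.*)$")


def parse(config):
    """Return (interfaces: nameif -> subnet, objects: name -> network, nat rules).

    In a running-config the same `object network NAME` header appears twice:
    once with its host/subnet, once in the NAT section with its nat line, so
    objects are keyed by name and the second header simply re-selects them.
    """
    interfaces, objects, nats = {}, {}, []
    nameif = obj = None
    for raw in config.splitlines():
        s = raw.strip()
        if s.startswith("interface "):
            nameif = obj = None          # address is filed once we see the nameif
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif (m := _ADDR_RE.match(s)) and nameif:
            interfaces[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif s.startswith("object network "):
            obj, nameif = s.split()[2], None
        elif obj and s.startswith("host "):
            objects[obj] = ipaddress.ip_network(s.split()[1] + "/32")
        elif obj and s.startswith("subnet "):
            _, net, mask = s.split()
            objects[obj] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif (m := _NAT_RE.match(s)) and obj:
            nats.append(NatRule(obj, m[1], m[2], m[3], m[4], m[5]))
    return interfaces, objects, nats


def home_of(net, interfaces):
    """Nameif whose connected subnet contains net, or None (e.g. for 0.0.0.0/0)."""
    for name, ifc_net in interfaces.items():
        if net.subnet_of(ifc_net):
            return name
    return None


def check_static_nat(config):
    """Flag static object-NAT rules whose (real,mapped) pair contradicts the addresses."""
    interfaces, objects, nats = parse(config)
    findings = []
    for r in nats:
        if r.mode != "static":
            continue                      # dynamic PAT has no fixed inbound mapping to check
        real_net = objects.get(r.obj)
        if real_net is None:
            findings.append(Finding(r.obj, "nat refers to an object with no host/subnet", ""))
            continue
        real_home = home_of(real_net, interfaces)
        mapped_home = None
        if r.mapped != "interface":
            mapped_home = home_of(ipaddress.ip_network(r.mapped + "/32"), interfaces)
        if real_home == r.mapped_ifc and mapped_home == r.real_ifc:
            # Both addresses are on the opposite side from what the rule claims:
            # the interface pair is simply reversed, so swapping it is the fix.
            fix = f"nat ({r.mapped_ifc},{r.real_ifc}) static {r.mapped}{r.tail}"
            findings.append(Finding(r.obj, f"reversed direction: real address "
                                    f"{real_net.network_address} is on '{real_home}' but is "
                                    f"declared real on '{r.real_ifc}'", fix))
        elif real_home is not None and real_home != r.real_ifc:
            findings.append(Finding(r.obj, f"real address is on '{real_home}', "
                                    f"not '{r.real_ifc}'", ""))
    return findings


if __name__ == "__main__":
    for f in check_static_nat(SAMPLE_CONFIG):
        print(f"{f.obj}: {f.message}\n  suggested: {f.fix}")
```

Against the sample this reports only `obj_Ouside_smtp`, with the suggested replacement `nat (inside,outside) static 203.0.113.74 service tcp smtp smtp`; the HTTPS rule passes. On the appliance itself the same question is answered by the built-in `packet-tracer input outside tcp <src_ip> 12345 XX.XX.XX.74 25 detailed`, whose UN-NAT phase shows whether an inbound SMTP packet is translated to 10.1.100.30 at all, and by `show nat detail`, which lists the translate/untranslate hit counters per rule.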