We help IT Professionals succeed at work.
Get Started

Cisco ASA 5506 - Port forwarding for SMTP and HTTPS not working

Mark2016
Mark2016 asked
on
202 Views
Last Modified: 2018-09-26
Implementing a new Cisco ASA 5506 and I'm unable to get port forwarding for HTTPS and SMTP to work. In the Access Rules area I can see that I am getting port hits on the rules but the pass through from the outside to the inside is failing.

Following is the general config details I have at the moment. Thank you for any assistance you might be able to offer.

 
:
: Serial Number: ##########
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 03:46:58.616 CDT Wed Sep 7 2016
!
ASA Version 9.5(1)
!
hostname FIREWALL
domain-name domain.com
enable password ***************
names
ip local pool Mail_Datacenter_VPN_Pool 10.0.1.225-10.0.1.245 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description Datcenter subnet 1
 nameif outside
 security-level 0
 ip address XX.XX.XX.76 255.255.255.248
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.100.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.100.20 inside
 name-server 10.1.100.21 inside
 domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MSG1
 host 10.1.100.30
object network MSG2
 host 10.1.100.31
object network MSG3
 host 10.1.100.32
object network obj_Mail_Datacenter
 subnet 10.1.100.0 255.255.255.0
object network obj_Remote subnet 10.0.0.0 255.255.255.0
object network obj_Ouside_smtp
 host 10.1.100.30
object network obj_MSG1_smtp
 host 10.1.100.30
object network 10.0.0.0
 subnet 10.0.0.0 255.255.255.0
object network obj_Remote_Network
 subnet 10.0.0.0 255.255.255.0
object service mapped_SMTP_2500
 service tcp destination eq 2500
object network obj_MSG1_https
 host 10.1.100.30
object network InsideOut
 subnet 10.1.1.0 255.255.255.0
object network obj_XX.XX.XX.78
 host XX.XX.XX.78
object network outside-network2
 subnet XX.XX.XX.80 255.255.255.248
object network outside-network
 subnet XX.XX.XX.72 255.255.255.248
object network obj_MailServer_outside
 host XX.XX.XX.74
object network General_Datacenter
 subnet 10.1.1.0 255.255.255.0
object network obj_Outside_https
 host 10.1.100.30
object-group network DM_INLINE_NETWORK_1
 network-object object obj_MSG1_https
 network-object object obj_Outside_https
 network-object object obj_Ouside_smtp
access-list inside_access_in extended permit tcp any object obj_MSG1_smtp eq smtp inactive
access-list inside_access_in extended permit ip object obj_Mail_Datacenter object 10.0.0.0
access-list inside_access_in extended permit ip object Mail_Datacenter any
access-list outside_cryptomap_1 extended permit ip object obj_Mail_Datacenter object obj_RemoteNet
access-list outside_cryptomap_2 extended permit ip object obj_Mail_Datacenter object obj_Remote_Network
access-list outside_access_in extended permit tcp any object MSG1 eq https
access-list outside_access_in extended permit tcp any object MSG1 eq smtp
access-list outside_authentication extended deny tcp any4 object-group DM_INLINE_NETWORK_1 eq https
access-list outside_authentication extended deny tcp any4 object obj_MSG1_smtp eq smtp
access-list outside_authentication extended deny tcp any4 object obj_Ouside_smtp
access-list outside_authentication extended permit tcp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
object network obj_Ouside_smtp
 nat (outside,inside) static XX.XX.XX.74 service tcp smtp smtp
object network Indiana_Datacenter
 nat (inside,outside) dynamic XX.XX.XX.77
object network obj_Outside_https
 nat (inside,outside) static XX.XX.XX.75 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server DC protocol ldap
aaa-server DC (inside) host 10.1.100.20
 timeout 5
 ldap-base-dn dc=domain.com
 ldap-scope subtree
 server-type auto-detect
aaa-server DC (inside) host 10.1.100.21
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 server-type microsoft
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host Blah.duosecurity.com
 server-port 636
 ldap-base-dn dc=BLAH,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-password ####
 ldap-login-dn dc=####,dc=duosecurity,dc=com
 ldap-over-ssl enable
 server-type auto-detect
user-identity default-domain LOCAL
aaa authentication match outside_authentication outside DC
http server enable 444
http 10.1.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn FIREWALL
 subject-name CN=FIREWALL
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0

  quit

crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10

 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
Comment
Watch Question
CERTIFIED EXPERT
Most Valuable Expert 2015
Commented:
This problem has been solved!
Unlock 1 Answer and 2 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE