Implementing a new Cisco ASA 5506 and I'm unable to get port forwarding for HTTPS and SMTP to work. In the Access Rules area I can see that I am getting port hits on the rules but the pass through from the outside to the inside is failing.
Following are the general config details I have at the moment. Thank you for any assistance you might be able to offer.
:
: Serial Number: ##########
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 03:46:58.616 CDT Wed Sep 7 2016
!
ASA Version 9.5(1)
!
hostname FIREWALL
domain-name domain.com
enable password ***************
names
ip local pool Mail_Datacenter_VPN_Pool 10.0.1.225-10.0.1.245 mask 255.255.255.0
!
interface GigabitEthernet1/1
description Datcenter subnet 1
nameif outside
security-level 0
ip address XX.XX.XX.76 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.1.100.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.1.100.20 inside
name-server 10.1.100.21 inside
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MSG1
host 10.1.100.30
object network MSG2
host 10.1.100.31
object network MSG3
host 10.1.100.32
object network obj_Mail_Datacenter
subnet 10.1.100.0 255.255.255.0
object network obj_Remote
subnet 10.0.0.0 255.255.255.0
object network obj_Ouside_smtp
host 10.1.100.30
object network obj_MSG1_smtp
host 10.1.100.30
object network 10.0.0.0
subnet 10.0.0.0 255.255.255.0
object network obj_Remote_Network
subnet 10.0.0.0 255.255.255.0
object service mapped_SMTP_2500
service tcp destination eq 2500
object network obj_MSG1_https
host 10.1.100.30
object network InsideOut
subnet 10.1.1.0 255.255.255.0
object network obj_XX.XX.XX.78
host XX.XX.XX.78
object network outside-network2
subnet XX.XX.XX.80 255.255.255.248
object network outside-network
subnet XX.XX.XX.72 255.255.255.248
object network obj_MailServer_outside
host XX.XX.XX.74
object network General_Datacenter
subnet 10.1.1.0 255.255.255.0
object network obj_Outside_https
host 10.1.100.30
object-group network DM_INLINE_NETWORK_1
network-object object obj_MSG1_https
network-object object obj_Outside_https
network-object object obj_Ouside_smtp
access-list inside_access_in extended permit tcp any object obj_MSG1_smtp eq smtp inactive
access-list inside_access_in extended permit ip object obj_Mail_Datacenter object 10.0.0.0
access-list inside_access_in extended permit ip object Mail_Datacenter any
access-list outside_cryptomap_1 extended permit ip object obj_Mail_Datacenter object obj_RemoteNet
access-list outside_cryptomap_2 extended permit ip object obj_Mail_Datacenter object obj_Remote_Network
access-list outside_access_in extended permit tcp any object MSG1 eq https
access-list outside_access_in extended permit tcp any object MSG1 eq smtp
access-list outside_authentication extended deny tcp any4 object-group DM_INLINE_NETWORK_1 eq https
access-list outside_authentication extended deny tcp any4 object obj_MSG1_smtp eq smtp
access-list outside_authentication extended deny tcp any4 object obj_Ouside_smtp
access-list outside_authentication extended permit tcp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outside) dynamic interface
object network obj_Ouside_smtp
nat (outside,inside) static XX.XX.XX.74 service tcp smtp smtp
object network Indiana_Datacenter
nat (inside,outside) dynamic XX.XX.XX.77
object network obj_Outside_https
nat (inside,outside) static XX.XX.XX.75 service tcp https https
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.73 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server DC protocol ldap
aaa-server DC (inside) host 10.1.100.20
timeout 5
ldap-base-dn dc=domain.com
ldap-scope subtree
server-type auto-detect
aaa-server DC (inside) host 10.1.100.21
ldap-base-dn dc=domain,dc=com
ldap-scope subtree
server-type microsoft
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host Blah.duosecurity.com
server-port 636
ldap-base-dn dc=BLAH,dc=duosecurity,dc=com
ldap-naming-attribute cn
ldap-login-password ####
ldap-login-dn dc=####,dc=duosecurity,dc=com
ldap-over-ssl enable
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication match outside_authentication outside DC
http server enable 444
http 10.1.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn FIREWALL
subject-name CN=FIREWALL
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
quit
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
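As an added example (not part of the post above, and not Cisco's own tooling), here is a small Python linter for two configuration mistakes that make an ASA port forward fail without any error message: an access-list, object-group or NAT statement that refers to a network object that is never given a host or subnet (such a rule matches nothing), and an object NAT whose interface pair is listed in the wrong order (in `nat (real_if,mapped_if)` the object's real address must sit behind the first interface named, so a host on the inside network needs `(inside,outside)`). The sample configuration embedded in the script is constructed and modelled on the post; the public addresses are documentation placeholders, not the poster's values, and the script assumes the config is pasted as plain running-config text.

```python
"""Offline sanity checks for a Cisco ASA object-NAT / ACL configuration.

Flags two things that silently break a static port forward:
  1. a reference to a network object with no host/subnet (rule matches nothing),
  2. an object NAT whose first interface is not the one the real address lives on.
"""
import ipaddress
import re

# Constructed sample modelled on the post's config; 203.0.113.0/24 addresses are
# documentation placeholders, not the poster's real public addresses.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.76 255.255.255.248
interface GigabitEthernet1/2
 nameif inside
 ip address 10.1.100.1 255.255.255.0
object network obj_Mail_Datacenter
 subnet 10.1.100.0 255.255.255.0
object network MSG1
 host 10.1.100.30
object network obj_Ouside_smtp
 host 10.1.100.30
object network obj_Outside_https
 host 10.1.100.30
object-group network DM_INLINE_NETWORK_1
 network-object object obj_Outside_https
access-list inside_access_in extended permit ip object Mail_Datacenter any
access-list outside_cryptomap_1 extended permit ip object obj_Mail_Datacenter object obj_RemoteNet
access-list outside_access_in extended permit tcp any object MSG1 eq https
object network obj_Ouside_smtp
 nat (outside,inside) static 203.0.113.74 service tcp smtp smtp
object network Indiana_Datacenter
 nat (inside,outside) dynamic 203.0.113.77
object network obj_Outside_https
 nat (inside,outside) static 203.0.113.75 service tcp https https
"""


def parse_config(text):
    """Collect interfaces, network objects, group members, ACL object references
    and object-NAT statements. Sub-commands may be indented or not (pasted
    configs often lose the indentation), so block context is tracked by keyword."""
    interfaces = {}   # nameif -> directly connected ip_network
    objects = {}      # object name -> real ip_network, or None if declared without an address
    groups = set()    # object-group names
    refs = []         # (line no, referenced name, is_group) from ACLs and group members
    nats = []         # (line no, object name, real_if, mapped_if)
    ctx = None        # ['interface', nameif] / ['object', name] / ['group', name]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '!:':
            continue
        if line.startswith('interface '):
            ctx = ['interface', None]
        elif line.startswith('object network '):
            name = line.split()[2]
            objects.setdefault(name, None)   # a second block (holding the NAT) keeps the address
            ctx = ['object', name]
        elif line.startswith('object-group network '):
            name = line.split()[2]
            groups.add(name)
            ctx = ['group', name]
        elif line.startswith('access-list '):
            for m in re.finditer(r'\bobject(-group)? (\S+)', line):
                refs.append((no, m.group(2), m.group(1) is not None))
        elif ctx and ctx[0] == 'interface':
            if line.startswith('nameif '):
                ctx[1] = line.split()[1]
            elif line.startswith('ip address ') and ctx[1]:
                addr, mask = line.split()[2:4]
                interfaces[ctx[1]] = ipaddress.ip_network(f'{addr}/{mask}', strict=False)
        elif ctx and ctx[0] == 'object':
            name = ctx[1]
            if line.startswith('host '):
                objects[name] = ipaddress.ip_network(line.split()[1] + '/32')
            elif line.startswith('subnet '):
                addr, mask = line.split()[1:3]
                objects[name] = ipaddress.ip_network(f'{addr}/{mask}', strict=False)
            elif line.startswith('nat ('):
                m = re.match(r'nat \((\S+?),(\S+?)\)', line)
                nats.append((no, name, m.group(1), m.group(2)))
        elif ctx and ctx[0] == 'group':
            m = re.match(r'network-object object (\S+)', line)
            if m:
                refs.append((no, m.group(1), False))
    return interfaces, objects, groups, refs, nats


def find_problems(text):
    """Return [(line no, message)] for dangling references and NAT direction errors."""
    interfaces, objects, groups, refs, nats = parse_config(text)
    problems = []
    for no, name, is_group in refs:
        if is_group and name not in groups:
            problems.append((no, f'undefined object-group {name}'))
        elif not is_group and objects.get(name) is None:
            problems.append((no, f'object {name} has no host/subnet, so this rule matches nothing'))
    for no, name, real_if, mapped_if in nats:
        real = objects.get(name)
        if real is None:
            problems.append((no, f'NAT on object {name}, which has no host/subnet'))
            continue
        if real_if == 'any':
            continue
        # Interfaces whose connected subnet contains the real address; a remote
        # subnet reached via a route is not connected, so it is skipped.
        home = [ifname for ifname, net in interfaces.items() if real.subnet_of(net)]
        if home and real_if not in home:
            fix = (home[0], real_if if mapped_if == home[0] else mapped_if)
            problems.append((no, f'real address {real} is on {home[0]} but NAT names {real_if} '
                                 f'as the real interface; expected nat ({fix[0]},{fix[1]})'))
    return problems


if __name__ == '__main__':
    for no, msg in find_problems(SAMPLE_CONFIG):
        print(f'line {no}: {msg}')
```

Run against a pasted `show running-config`, the script lists the line numbers of rules that cannot match and of NAT statements whose interface order contradicts where the object's address actually lives; it deliberately stays silent about objects whose address is on no directly connected interface, since their real interface cannot be inferred from the config alone.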