it_gsr
asked on
Cisco ASA dns and browsing
I have the access-lists listed below on a Cisco 5510:
access-list acl_inbound extended permit icmp any any
access-list acl_inbound extended permit tcp any any eq www
access-list acl_inbound extended permit tcp any any eq https
access-list acl_inbound extended permit tcp any host A.B.0.209 eq smtp
access-list acl_inbound extended permit tcp any host f.f.f.135 eq 6999
access-list acl_inbound extended permit tcp any host A.B.0.209 eq https
access-list acl_inbound extended deny tcp any any eq smtp
Applying acl_inbound on the inside interface prevents browsing the internet from all machines, though I can ping external IPs. The problem looks like it's DNS related.
i) How can I resolve this problem?
ii) Which settings do I need to prevent/block the use of external scanning tools on my external IPs, or auto-block scanning IP addresses without having to use shun manually?
You do not allow any device to query a public DNS server. You can limit it to the Active Directory servers if you are using a Windows domain.
Thanks
ASKER
I have a Windows infrastructure and the DNS comes off my domain controller, which points to the firewall. I would like to limit SMTP to only the mail server via the FW.
@Chris I have removed the A.B.0.209 eq https.
What do I have to do to achieve my need?
ASKER CERTIFIED SOLUTION
ASKER
These are the only access-lists I have:
access-list acl_inbound extended permit tcp any host A.B.0.209 eq smtp
access-list acl_inbound extended deny tcp any any eq smtp
access-list acl_inbound extended permit ip any any
After applying the access-group, I could browse alright but I could not send or receive external mails. I could not access OWA externally as well.
When I tried telnet smtp.gmail.com 25 from the mail server, it failed to get a connection. After taking off the access-group I tried the SMTP to Google again and it was successful:
220 smtp.gmail.com ESMTP n13sm24298068wrn.40 - gsmtp
quit
221 2.0.0 closing connection n13sm24298068wrn.40 - gsmtp
Sorry I didn't catch it earlier, this access-list is backwards:
access-list acl_inbound extended permit tcp any host A.B.0.209 eq smtp
It should be
access-list acl_inbound extended permit tcp host A.B.0.209 any eq smtp
Source is first; destination is any because it would be any email server.
The way it is written, it is saying any host can get to A.B.0.209, not A.B.0.209 can get to any host via SMTP.
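To make the direction point concrete, and the DNS gap the first reply points at, here is an added Python model of first-match evaluation for an ACL applied "in" on the inside interface (source is the inside host, destination is the remote). It is not code from the thread or from Cisco; the addresses are constructed stand-ins for the masked ones, BACKWARDS is a trimmed copy of the asker's first list, and FIXED applies the corrections given above plus a DNS rule limited to the domain controller.

```python
PORTS = {"www": 80, "https": 443, "smtp": 25, "domain": 53}

def parse_ace(line):
    """'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' -> dict (any|host only)."""
    tok = line.split()
    i = tok.index("extended") + 1
    ace = {"action": tok[i], "proto": tok[i + 1], "dport": None}
    i += 2
    for key in ("src", "dst"):  # each is 'any' or 'host A.B.C.D'
        ace[key], i = (tok[i + 1], i + 2) if tok[i] == "host" else ("any", i + 1)
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        ace["dport"] = PORTS[p] if p in PORTS else int(p)
    return ace

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First match wins; a flow matching no line hits the ASA's implicit deny."""
    for line in acl_lines:
        a = parse_ace(line)
        if (a["proto"] in ("ip", proto) and a["src"] in ("any", src)
                and a["dst"] in ("any", dst) and a["dport"] in (None, dport)):
            return a["action"], line
    return "deny", None

MAIL, DC, PC = "10.0.0.209", "10.0.0.10", "10.0.0.50"  # constructed stand-ins
BACKWARDS = [  # the thread's first list: mail server sits in the destination slot
    "access-list acl_inbound extended permit tcp any any eq www",
    f"access-list acl_inbound extended permit tcp any host {MAIL} eq smtp",
    "access-list acl_inbound extended deny tcp any any eq smtp",
]
FIXED = [  # mail server as source; DNS only from the domain controller
    f"access-list acl_inbound extended permit udp host {DC} any eq domain",
    "access-list acl_inbound extended deny udp any any eq domain",
    f"access-list acl_inbound extended permit tcp host {MAIL} any eq smtp",
    "access-list acl_inbound extended deny tcp any any eq smtp",
    "access-list acl_inbound extended permit ip any any",
]
FLOWS = {  # (proto, inside source, outside destination, dest port), constructed
    "dns_from_dc": ("udp", DC, "198.51.100.53", 53),
    "dns_from_pc": ("udp", PC, "198.51.100.53", 53),
    "smtp_from_mail": ("tcp", MAIL, "203.0.113.25", 25),
    "smtp_from_pc": ("tcp", PC, "203.0.113.25", 25),
    "http_from_pc": ("tcp", PC, "203.0.113.80", 80),
}

def check_flows(acl):
    """Map each sample flow to the action the ACL gives it."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}
```

Comparing check_flows(BACKWARDS) with check_flows(FIXED) shows the backwards rule sending the mail server's outbound SMTP into the deny line and every DNS query into the implicit deny, which is why browsing failed while ping worked.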
ASKER
For some weird reason I'm unable to access my OWA even after removing the access-group. I want to create an access-list that will allow SMTP to the NATted IP of the internal mail server as well as allow browsing.
access-list acl_out extended permit tcp any host X.Y.Z.132 eq smtp
access-group acl_out in interface inside
Will this suffice?
You really don't want to filter in the outbound direction; it is not a common thing and gets very tricky.
The rule you wrote would break all traffic to the inside network from outside.
The rule would go in the access-list, usually outside_access_in, on the outside interface. It depends on the ASA version you are using what that would look like: either it would be the internal NAT or external NAT IP address and the protocol. You really do not want to try to filter inbound traffic from the outside on the inside interface. I would also suggest not using the out direction at all unless you are really sure of what you are doing.
Pre-8.3 would be
access-list outside_access_in extended permit tcp any host EXTERNALIP eq smtp
access-list outside_access_in extended permit tcp any host EXTERNALIP eq https
Post-8.3
access-list outside_access_in extended permit tcp any host INTERNALIP eq smtp
access-list outside_access_in extended permit tcp any host INTERNALIP eq https
ASKER
An email from internal to an external address just got delivered, but no external emails to internal yet.
ASKER
Is there any reason why external e-mails are not getting to my server now? There is:
object network obj-A.B.0.209
nat (inside,outside) static X.Y.Z.132
ASKER
Hi Cheever000,
The external mails are not coming through. What can be wrong and how can I fix it?
What does the outside access-list show, and what is the result of show version?
ASKER
Software Version 8.4(4)1
No external access-list.
You have to create an external access-list. By default Cisco allows traffic to go from a higher to a lower security level; inside is usually 100, outside is 0.
Traffic isn't allowed from 0 to anything unless you allow it; the list I gave you above should work with the post-8.3 one.
access-group outside_access_in in interface outside
ASKER
There are no external ones, as you advised earlier. These are the lists:
access-list acl_inbound; 3 elements; name hash: 0x16f47df8
access-list acl_inbound line 1 extended permit tcp host A.B.0.209 any eq smtp (hitcnt=93) 0x9db29453
access-list acl_inbound line 2 extended deny tcp any any eq smtp (hitcnt=1171) 0x6645d943
access-list acl_inbound line 3 extended permit ip any any (hitcnt=25575) 0x8473145d
ASKER
I just added
access-list outside_access_in extended permit tcp any host X.y.z.132 eq smtp
access-list outside_access_in extended permit tcp any host x.y.z.132 eq https
access-group outside_access_in in interface outside
but I'm getting zero hits:
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host x.y.z.132 eq smtp (hitcnt=0) 0x295342dd
access-list outside_access_in line 2 extended permit tcp any host x.y.z.132 eq https (hitcnt=0) 0x11b38e7c
ASKER
Sorry, I used the external instead of internal. All is
ASKER
The mails are flowing now. Thanks Cheever000, I will award the points to you.
The second part of my question was:
ii) Which settings do I need to prevent/block the use of external scanning tools on my external IPs, or auto-block scanning IP addresses without having to use shun manually?
There are threat detection settings that can help, but they can get a bit out of hand as well.
ASKER
Problem resolved
Of the items in the list the following is unnecessary; a rule higher up the list already allows any/any https:
access-list acl_inbound extended permit tcp any host A.B.0.209 eq https
You do nothing at all in the access-list to grant DNS access, and while you think the problem may be DNS related, you give no information at all about your DNS infrastructure.
Where, in your network infrastructure, are your DNS servers? If they're behind the same interface as this, are you using Root Hints or Forwarders? If they're not behind the same interface, why haven't you created a rule to allow DNS?
Chris