ASA 5505 incoming traffic issue - Firewalls


Thread: ASA 5505 incoming traffic issue

  1. ASA 5505 incoming traffic issue

    I have an issue getting email through the Cisco ASA to our email server,
    which is 10.100.50.172 255.255.0.0.
    Everything else is working. We have internet. All outgoing traffic is
    OK. Does anybody see what's wrong? Thanks,

    ASA Version 8.0(2)
    !
    hostname RedRiverASA

    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.100.86.1 255.255.0.0
    ospf cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.yyy.15.10 255.255.255.248
    ospf cost 10
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd Vcn8uAzrKx1tjbpj encrypted
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name redriverfoods.com
    object-group service VideoFlow
    service-object tcp range 3230 3253
    service-object tcp eq h323
    service-object udp range 3230 3235
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.100.0.0 255.255.0.0
    static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
    access-group out_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.100.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet 10.100.0.0 255.255.0.0 inside
    telnet timeout 30
    ssh timeout 5
    console timeout 30
    dhcpd auto_config outside
    !

    no threat-detection basic-threat
    no threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:bd3505f41995b9dba0c49b19e79760f5

  2. Re: ASA 5505 incoming traffic issue

    On Jun 19, 6:48 pm, Exclusive wrote:
    > I have an issue getting email through the Cisco ASA to our email server,
    > which is 10.100.50.172 255.255.0.0.
    > Everything else is working. We have internet. All outgoing traffic is
    > OK. Does anybody see what's wrong? Thanks,
    >
    > ASA Version 8.0(2)
    > !
    > hostname RedRiverASA
    >
    > names
    > !
    > interface Vlan1
    > nameif inside
    > security-level 100
    > ip address 10.100.86.1 255.255.0.0
    > ospf cost 10
    > !
    > interface Vlan2
    > nameif outside
    > security-level 0
    > ip address xxx.yyy.15.10 255.255.255.248
    > ospf cost 10
    > !
    > interface Ethernet0/0
    > switchport access vlan 2
    > !
    > interface Ethernet0/1
    > !
    > interface Ethernet0/2
    > !
    > interface Ethernet0/3
    > !
    > interface Ethernet0/4
    > !
    > interface Ethernet0/5
    > !
    > interface Ethernet0/6
    > !
    > interface Ethernet0/7
    > !
    > passwd Vcn8uAzrKx1tjbpj encrypted
    > boot system disk0:/asa802-k8.bin
    > ftp mode passive
    > clock timezone EST -5
    > clock summer-time EDT recurring
    > dns server-group DefaultDNS
    > domain-name redriverfoods.com
    > object-group service VideoFlow
    > service-object tcp range 3230 3253
    > service-object tcp eq h323
    > service-object udp range 3230 3235
    > access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
    > access-list out_in extended permit tcp any host xxx.yyy.15.10 eq https
    > access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
    > pager lines 24
    > logging asdm informational
    > mtu inside 1500
    > mtu outside 1500
    > no failover
    > icmp unreachable rate-limit 1 burst-size 1
    > icmp permit any inside
    > icmp permit any outside
    > asdm image disk0:/asdm-602.bin
    > no asdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 10.100.0.0 255.255.0.0
    > static (inside,outside) xxx.yyy.15.10 10.100.50.172 netmask 255.255.255.255
    > access-group out_in in interface outside
    > route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    > timeout uauth 0:05:00 absolute
    > dynamic-access-policy-record DfltAccessPolicy
    > http server enable
    > http 10.100.0.0 255.255.0.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server enable traps snmp authentication linkup linkdown coldstart
    > no crypto isakmp nat-traversal
    > telnet 10.100.0.0 255.255.0.0 inside
    > telnet timeout 30
    > ssh timeout 5
    > console timeout 30
    > dhcpd auto_config outside
    > !
    >
    > no threat-detection basic-threat
    > no threat-detection statistics access-list
    > !
    > class-map inspection_default
    > match default-inspection-traffic
    > !
    > !
    > policy-map global_policy
    > class inspection_default
    > !
    > service-policy global_policy global
    > prompt hostname context
    > Cryptochecksum:bd3505f41995b9dba0c49b19e79760f5



    static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255

  3. Re: ASA 5505 incoming traffic issue

    This works in this case, but I also need to open tcp 3230-3238 and udp
    3230-3258 for video conferencing. How can I resolve this? Thanks for
    the help!

  4. Re: ASA 5505 incoming traffic issue

    On Jun 20, 4:30 pm, Exclusive wrote:
    > This works in this case, but I also need to open tcp 3230-3238 and udp
    > 3230-3258 for video conferencing. How can I resolve this? Thanks for
    > the help!


    It should be similar:

    static (inside,outside) tcp interface 3230 10.100.50.172 3230 netmask 255.255.255.255

    I am not sure you are able to port map by port range; the best way to
    do this is to assign a global IP address and use static and access-list
    to control the traffic flow.

  5. Re: ASA 5505 incoming traffic issue

    swk wrote:
    > I am not sure you are able to port map by port range; the best way to
    > do this is to assign a global IP address and use static and access-list
    > to control the traffic flow.


    object-group service polycom udp
    port-object range 3230 3253
    object-group service filemaker tcp
    port-object range 5003 5003
    object-group service jabber tcp-udp
    port-object range 5222 5223

    access-list outside_access_in extended permit tcp any host 12.110.110.204 object-group jabber
    access-list outside_access_in extended permit udp any host 144.51.68.4 object-group jabber
    access-list outside_access_in extended permit tcp any host 198.81.129.148 object-group filemaker
    access-list outside_access_in extended permit udp host 12.110.110.204 host 198.81.129.148 object-group polycom


  6. Re: ASA 5505 incoming traffic issue

    Can anybody now figure out why the port-mapped traffic (smtp, www, RDP)
    is not going to the server Zeus? I guess something is wrong with the
    AAA access-list.
    Thanks for the help!

    hostname ASA

    names
    name 10.100.50.172 Zeus
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.100.86.1 255.255.0.0
    ospf cost 10
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address xxx.yyy.15.10 255.255.255.248
    ospf cost 10
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7

    boot system disk0:/asa802-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name foods.com
    object-group service VDC
    description Video Conferencing
    service-object tcp source range 3230 3238 range 3230 3238
    service-object tcp eq h323
    service-object udp source range 3230 3258 range 3230 3258
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
    access-list out_in extended permit tcp any host xxx.yyy.15.10 eq 3389
    access-list out_in extended permit object-group VDC any host xxx.yyy.15.10
    access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq 3389
    access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq smtp
    access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq www
    access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq pptp
    access-list AAA extended permit object-group VDC host xxx.yyy.15.10 host 10.100.86.5
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 10.100.0.0 255.255.0.0
    static (inside,outside) interface access-list AAA
    access-group out_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.100.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet 10.100.0.0 255.255.0.0 inside
    telnet timeout 30
    ssh timeout 5
    console timeout 30
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    !
    service-policy global_policy global

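The three configurations in this thread exercise the same pre-8.3 NAT mechanics: a whole-address static, the per-port `static ... tcp interface` form given in reply 2, and the policy static with an access-list in reply 6. The Python linter below is an added example, not code from the thread or from Cisco. It parses lines of that shape and flags the three mismatches a reviewer would check: a static that spells out the outside interface address while `global (outside) 1 interface` is in use, a policy-NAT ACL whose source is not the real (inside) address (pre-8.3 policy NAT matches the ACL against real addresses, so the source must be the inside host), and an inbound ACL permit for a port that no static delivers to an inside host. The sample configuration in the block is constructed in the shape of the posted ones; 203.0.113.10 is a stand-in for the masked xxx.yyy.15.10, and the `og:` prefix, the finding texts and the function names are this example's own naming.

```python
"""Added example (not the thread's or Cisco's code): lint pre-8.3 ASA NAT/ACL lines for the mismatches above."""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "pptp": 1723, "h323": 1720}

# Constructed sample in the shape of the posted configs; 203.0.113.10 stands in for the masked xxx.yyy.15.10.
SAMPLE_CFG = """
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.248
name 10.100.50.172 Zeus
nat (inside) 1 10.100.0.0 255.255.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.100.50.172 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.50.172 smtp netmask 255.255.255.255
static (inside,outside) interface access-list AAA
access-list out_in extended permit tcp any host 203.0.113.10 eq www
access-list out_in extended permit tcp any host 203.0.113.10 eq smtp
access-list out_in extended permit tcp any host 203.0.113.10 eq 3389
access-list AAA extended permit tcp host 203.0.113.10 host Zeus eq 3389
access-list AAA extended permit tcp host Zeus eq www any
access-group out_in in interface outside
"""

def port_num(tok):                     # ASA port token (name or number) -> int; None when absent/unknown
    return None if not tok else int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def _addr(t, i):                       # one ACL address spec: any | host X | NET MASK
    if t[i] == "any":
        return "any", i + 1
    return (t[i + 1], i + 2) if t[i] == "host" else (f"{t[i]}/{t[i + 1]}", i + 2)

def _port(t, i):                       # optional 'eq <port>'
    return (t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else (None, i)

def parse_asa(text):                   # collect outside address, names, nat/static statements and ACLs
    cfg = {"out_ip": None, "names": {}, "nat": [], "statics": [], "policy": [], "acls": {}, "bound": {}}
    cur_if = None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "nameif":
            cur_if = t[1]
        elif t[:2] == ["ip", "address"] and cur_if == "outside":
            cfg["out_ip"] = t[2]
        elif t[0] == "name" and len(t) >= 3:                       # name <ip> <alias>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nat" and len(t) >= 5:                        # nat (<if>) <id> <net> <mask>
            cfg["nat"].append((t[1].strip("()"), ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "static":
            r = t[2:]                                              # tokens after "(inside,outside)"
            if "access-list" in r:                                 # policy static
                cfg["policy"].append({"mapped": r[0], "acl": r[r.index("access-list") + 1]})
            elif r[0] in ("tcp", "udp"):                           # per-port static
                cfg["statics"].append({"proto": r[0], "mapped": r[1], "mport": r[2], "real": r[3]})
            else:                                                  # whole-address static
                cfg["statics"].append({"proto": None, "mapped": r[0], "mport": None, "real": r[1]})
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 1
            proto, i = t[i], i + 1
            if proto == "object-group":                            # service group; port left unresolved
                proto, i = "og:" + t[i], i + 1
            src, i = _addr(t, i)
            sport, i = _port(t, i)                                 # policy-NAT ACLs carry the port here
            dst, i = _addr(t, i)
            dport, i = _port(t, i)
            cfg["acls"].setdefault(t[1], []).append({"proto": proto, "src": src, "dst": dst, "port": dport or sport})
        elif t[0] == "access-group" and len(t) >= 5:               # access-group <acl> in interface <if>
            cfg["bound"][t[4]] = t[1]
    return cfg

def lint(cfg):                         # findings for the three checks; empty list means all passed
    out_ip, inside, findings = cfg["out_ip"], [n for i, n in cfg["nat"] if i == "inside"], []

    def is_inside(spec):                                           # resolves names; "any"/NET MASK -> False
        try:
            return any(ip_address(cfg["names"].get(spec, spec)) in n for n in inside)
        except ValueError:
            return False

    # (a) a static spelling out the outside interface address collides with 'global (outside) 1 interface'
    for s in cfg["statics"]:
        if s["proto"] is None and s["mapped"] == out_ip:
            findings.append(f"static spells out outside interface address {out_ip} for {s['real']}; use 'static (inside,outside) tcp interface <port> {s['real']} <port>' instead")
    # (b) a policy-NAT ACL is written from the real (inside) host outward; other sources never match
    for p in cfg["policy"]:
        for a in cfg["acls"].get(p["acl"], []):
            if not is_inside(a["src"]):
                findings.append(f"policy static ACL {p['acl']}: ACE source {a['src']} is not an inside (real) address")
    # (c) every inbound permit to the outside address needs a static that delivers that port inside
    acl = cfg["bound"].get("outside")
    for a in cfg["acls"].get(acl, []):
        want = port_num(a["port"])
        if a["dst"] != out_ip or a["proto"] not in ("tcp", "udp") or want is None:
            continue
        by_static = any(s["proto"] == a["proto"] and s["mapped"] in ("interface", out_ip)
                        and port_num(s["mport"]) == want for s in cfg["statics"])
        by_policy = any(p["mapped"] in ("interface", out_ip) and any(x["proto"] == a["proto"] and port_num(x["port"]) == want
                        and is_inside(x["src"]) for x in cfg["acls"].get(p["acl"], [])) for p in cfg["policy"])
        if not (by_static or by_policy):
            findings.append(f"{acl} permits {a['proto']}/{want} to {out_ip} but no static delivers that port inside")
    return findings
```

Run `lint(parse_asa(SAMPLE_CFG))`, or feed it a `show running-config` dump. On the sample it reports the literal interface address in the whole-address static, the AAA entry whose source is the outside address, and the 3389 permit that nothing translates; the entry written from Zeus outward (`host Zeus eq www any`) is the shape a working policy-NAT ACE takes, which is why www is not reported. Per-port statics with the `interface` keyword, as in replies 2 and 4, satisfy check (c) directly.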