ASA 5505 Base port forwarding - access to internal servers blocked.

[noreastintegra]

Greetings,

I'm not sure what the issue is. I used a combination or ASDM and configs from other setups that I have working ok.

Inside my network I have some things like https, http, smtp, etc. These also need to be provided publicly on the outside.

I'm not sure what I've done and would appreciate any leads, suggestion or solutions to my issue.



myclient-ASA5505-01# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname myclient-ASA5505-01
domain-name infusion.com
enable password sdfasdfasdfsadfasdf encrypted
passwd sadfasdsadadf encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name infusion.com
access-list goinfgroup_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list outside extended permit tcp any host 1.2.3.4 eq smtp
access-list outside extended permit tcp any host 1.2.3.4 eq 26
access-list outside extended permit tcp any host 1.2.3.4 eq imap4
access-list outside extended permit tcp any host 1.2.3.4 eq 465
access-list outside extended permit tcp any host 1.2.3.4 eq 587
access-list outside extended permit tcp any host 1.2.3.4 eq 993
access-list outside extended permit tcp any host 1.2.3.4 eq www
access-list outside extended permit tcp any host 1.2.3.4 eq https
access-list outside extended permit tcp any host 1.2.3.4 eq 4282
access-list outside extended permit tcp any host 1.2.3.4 eq ssh
access-list outside extended permit tcp any host 1.2.3.4 eq 8000
access-list outside extended permit tcp any host 1.2.3.4 eq 8080
access-list outside extended permit tcp any host 1.2.3.4 eq 8001
access-list outside extended permit tcp any host 1.2.3.4 eq ftp
access-list outside extended permit tcp any any eq 548
access-list outside extended permit tcp any any eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool goinfippool 192.168.200.50-192.168.200.81 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.100.200 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 26 192.168.100.200 26 netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.100.200 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 465 192.168.100.200 465 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.100.200 587 netmask 255.255.255.255
static (inside,outside) tcp interface 993 192.168.100.200 993 netmask 255.255.255.255
static (inside,outside) tcp interface

http://www 192.168.100.200

http://www netmask

255.255.255.255
static (inside,outside) tcp interface https 192.168.100.200 https netmask 255.255.255.255
static (inside,outside) tcp interface 4282 192.168.100.200 4282 netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.100.200 ssh netmask 255.255.255.255
static (inside,outside) tcp interface 8000 192.168.100.200 8000 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.100.200 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 8081 192.168.100.200 8081 netmask 255.255.255.255
static (inside,outside) tcp interface 8001 192.168.100.204 8001 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.2.3.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 192.168.100.50-192.168.100.81 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy goinfgroup internal
group-policy goinfgroup attributes
dns-server value 192.168.100.200 4.4.4.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value goinfgroup_splitTunnelAcl
default-domain value infusion
username eadmin password blahblah encrypted privilege 15
username jr password blahfoobar encrypted privilege 0
username jr attributes
vpn-group-policy goinfgroup
tunnel-group goinfgroup type remote-access
tunnel-group goinfgroup general-attributes
address-pool goinfippool
default-group-policy goinfgroup
tunnel-group goinfgroup ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:sdfasdsdsfd
: end
myclient-ASA5505-01#


Many thanks!

 

[unclerico]

your access-list is not applied to your outside interface

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[noreastintegra]

Would you happen to have a command that i could enter to achieve the solution?

Thanks!

 

[intelwizrd]

This should be it:

access-group outside_access_in in interface outside