ASA 5510 Access Rules and NAT\PAT ing

[jrdebug]

guys I have 3 ports configured as follows:

INTERNAL = local
EXTERNAL = with public IP
MANAGEMENT

i have a single IP from my ISP.

what i want to happen?

i want to host our webmail in-house.

what have i done so far?

- All IP requests to pass from INTERNAL to EXTERNAL interface.
- PAT local IP's to single public IP.
- Asked my ISP to enter our public IP as the MX record in the DNS server

Question:

how do i allow SMTP requests to pass from EXTERNAL interface directly to my local exchange server?

btw, i would appreciate if you could reply to me the procedure using ASDM. i don't know CLI.

thanks in advance

Jeffrey Rebong

 

[Supergrrover]

I know you asked for ASDM but this is a complete guide to doing it through the CLI (couldn't find ASDM example.)

http://www.cisco.com/en/US/products...s_configuration_example09186a008067cf3b.shtml

- you can apply the same steps but through the ASDM pages. You will have to hunt around for a bit though.

Here is a specific guide for the commands to enter in the CLI.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080862017.shtml#open

This is the ASDM user guide

http://www.cisco.com/en/US/docs/security/asdm/6_1/user/guide/usergd.html

As a side note - learn the CLI. It will be your best friend for Cisco. It is worth every bit of effort you put into it and being able to post the config is easier to do for corrections/troubleshooting on the boards. Hope this helps.


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[jrdebug]

thanks supergrrover. i tried to do CLI and found samples but i encountered a problem in opening the port 25 (SMTP) using the STATIC command. i found

cisco# static (internal,external) external_ip internal_ip

it says ERROR invalid command

my run config is as follows:

_____________________________________
hostname SOLB-ASA5510
domain-name domain_name
enable password /XyfdNoOJG2liQmo encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif EXTERNAL
security-level 50
ip address if_ip 255.255.255.252
!
interface Ethernet0/1
nameif INTERNAL
security-level 100
ip address if_ip 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list INTERNAL_access_in extended permit ip any any
access-list EXTERNAL_access_out extended permit ip interface EXTERNAL any
pager lines 24
logging asdm informational
mtu EXTERNAL 1500
mtu INTERNAL 1500
mtu management 1500
icmp permit any INTERNAL
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (EXTERNAL) 10 interface
nat (INTERNAL) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
access-group EXTERNAL_access_in in interface EXTERNAL
access-group EXTERNAL_access_out out interface EXTERNAL
access-group INTERNAL_access_in in interface INTERNAL
access-group INTERNAL_access_out out interface INTERNAL
route EXTERNAL 0.0.0.0 0.0.0.0 gateway_ip 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username username password 87fcgQ80XZp7LcFH encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http private_ip 255.255.255.255 INTERNAL
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.3 255.255.255.255 management
telnet timeout 5
ssh 192.168.1.3 255.255.255.255 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.100 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a914fbfbdacec022c209094dc4546885
: end

_______________________

thanks in advanced!

Jeffrey Rebong

 

[rbradely]

cisco#config t
cisco(config)#static (inside,outside) tcp public.ip smtp private.ip smtp netmask 255.255.255.255

 

[jrdebug]

thanks rbradely.

does this mean i have to type the first line to be able to use the static command?



Jeffrey Rebong

 

[rbradely]

Yes.

the CLI works like this:

User Exec Mode -> 'enable' cmd -> Privileged Exec Mode -> 'config t' cmd -> Configuration Mode.

in Configuration Mode you can make the changes needed.

'copy r s' will save your changes.

From Configuration Mode you can enter Interface Configuration Mode with 'interface <int.name>' this were you can make changes to the interface.

Exit will take you back a level.