
ASA not allowing inbound traffic, no SMTP, WWW, POP etc...

Status
Not open for further replies.

ndinc (ISP, US) wrote:
Hello all and Happy Holidays....

I have the very same ASA running fine on another one of our networks. I pre-configured this ASA with all the statics and ACLs, and I am able to get outbound Internet as well as SSH and other management access.

No SMTP, WWW, POP, etc... nothing. I had it up for 20 minutes trying to work it out and I was forced to put the old firewall (SonicWall) back to get back to work.

I would really like some fresh eyes to see what I am missing.

Thanks in advance


: Saved
:
ASA Version 8.0(2)
!
hostname ASA
domain-name xxx.com
enable password xbuOFGS/b6r6SI6t encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.x.x.123 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 68.x.x.129 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xbuOFGS/b6r6SI6t encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.x.x.30
name-server 68.x.x.30
domain-name ocnetaccess.com
access-list outside_access_in extended permit tcp any host 68.x.x.150 eq smtp
access-list outside_access_in extended permit tcp any host 68.x.x.145 eq www
access-list outside_access_in extended permit tcp any host 68.x.x.200 eq www
access-list outside_access_in extended permit tcp any host 68.x.x.205 eq www
access-list outside_access_in extended permit tcp any host 68.x.x.220 eq www
access-list outside_access_in extended permit tcp any host 68.x.x.230 eq www
access-list outside_access_in extended permit tcp any host 68.x.x.235 eq www
access-list outside_access_in extended permit tcp any host 68.x.x.200 eq pop3
access-list outside_access_in extended permit tcp any host 68.x.x.205 eq pop3
access-list outside_access_in extended permit tcp any host 68.x.x.210 eq pop3
access-list outside_access_in extended permit tcp any host 68.x.x.220 eq pop3
access-list outside_access_in extended permit tcp any host 68.x.x.230 eq pop3
access-list outside_access_in extended permit tcp any host 68.x.x.235 eq pop3
access-list outside_access_in extended permit tcp host 70.x.x.110 host 68.x.x.150 eq ssh
access-list outside_access_in extended permit tcp host 70.x.x.110 host 68.x.x.150 eq https
access-list outside_access_in extended permit tcp any host 68.x.x.250 eq domain
access-list outside_access_in extended permit udp any host 68.x.x.250 eq domain
access-list outside_access_in extended permit tcp host 68.x.x.30 host 68.x.x.205 eq smtp
access-list outside_access_in extended permit tcp host 67.x.x.254 host 68.x.x.205 eq smtp
access-list outside_access_in extended permit tcp host 158.x.x.14 host 68.x.x.205 eq smtp
access-list outside_access_in extended permit tcp host 157.x.x.194 host 68.x.x.205 eq smtp
access-list outside_access_in extended permit tcp host 66.x.x.92 host 68.x.x.205 eq smtp
access-list outside_access_in extended permit tcp 66.x.x.240 255.255.255.248 host 68.x.x.205 eq ftp
access-list outside_access_in extended permit tcp 66.x.x.240 255.255.255.248 host 68.x.x.205 eq 81
access-list outside_access_in extended permit tcp 66.x.x.240 255.255.255.248 host 68.x.x.205 eq smtp
access-list outside_access_in extended permit tcp 207.x.x.112 255.255.255.248 host 68.x.x.210 eq smtp
access-list outside_access_in extended permit tcp 207.x.x.120 255.255.255.248 host 68.x.x.210 eq smtp
access-list outside_access_in extended permit tcp 207.x.x.64 255.255.255.240 host 68.x.x.200 eq smtp
access-list outside_access_in extended permit tcp host 64.x.x.102 host 68.x.x.200 eq smtp
access-list outside_access_in extended permit tcp host 65.x.x.175.46 host 68.x.x.210 eq smtp
access-list outside_access_in extended permit tcp any host 68.x.x.220 eq smtp
access-list outside_access_in extended permit tcp host 64.x.x162 host 68.x.x.210 eq smtp
pager lines 24
logging enable
logging asdm informational
logging from-address xxxx@xxxxx.com
logging recipient-address xxxxx@xxxx.com level errors
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 68.x.x.150 smtp 10.x.x.150 smtp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.200 smtp 10.x.x.200 smtp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.210 smtp 10.x.x.210 smtp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.205 smtp 10.x.x.205 smtp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.220 smtp 10.x.x.220 smtp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.230 smtp 10.x.x.230 smtp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.200 255.255.255.255
static (inside,outside) tcp 68.x.x.210 255.255.255.255
static (inside,outside) tcp 68.x.x.220 255.255.255.255
static (inside,outside) tcp 68.x.x.205 255.255.255.255
static (inside,outside) tcp 68.x.x.205 pop3 10.x.x.205 pop3 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.200 pop3 10.x.x.200 pop3 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.210 pop3 10.x.x.210 pop3 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.220 pop3 10.x.x.220 pop3 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.230 pop3 10.x.x.230 pop3 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.235 pop3 10.x.x.235 pop3 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.145 255.255.255.255
static (inside,outside) tcp 68.x.x.250 domain 10.x.x.250 domain netmask 255.255.255.255
static (inside,outside) udp 68.x.x.250 domain 10.x.x.250 domain netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.150 ssh 10.x.x.150 ssh netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.150 https 10.x.x.150 https netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.205 ftp 10.x.x.205 ftp netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.205 81 10.x.x.205 81 netmask 255.255.255.255
static (inside,outside) tcp 68.x.x.205 444 10.x.x.205 444 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.x.x.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 68.x.x.175 255.255.255.255 outside
http 207.x.x.16 255.255.255.255 outside
http 10.x.x.0 255.255.255.0 inside
http 10.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.x.x.0 255.255.255.0 inside
ssh 10.x.x.0 255.255.255.0 inside
ssh 207.x.x.13 255.255.255.255 outside
ssh 207.x.x.16 255.255.255.255 outside
ssh 68.x.x.175 255.255.255.255 outside
ssh timeout 30
console timeout 0

threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect snmp
!
service-policy global_policy global
ssl encryption des-sha1
smtp-server 68.x.x.150 10.x.x.150
prompt hostname context
Cryptochecksum:dfcd1da404b9d91e2dd6260e6170f4cd
: end
CoxASA#
CoxASA#


Thanks for your help
 
Yeah, it looks good to me. What do your logs say??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I guess I need to put it back in production to test it fully. I will get major calls when I swap the firewalls out.

I might have to do a late nighter to work this out with the logs. It really doesn't make sense, as it should be fine.

I was hoping someone might find something dumb that I missed.



Thanks for your help
 