Can't change back to original rules

[JBruyet]

Hey all, my network is running behind an ASA 5510. My spam filter failed last Friday and I had to redirect all of my mail traffic directly to my Exchange Server. That went fine. Now that I have my replacement spam filter going (I love Barracuda Networks) I’m unable to point the traffic back to the spam filter. I can delete and recreate my Access Rules (Configuration > Features > Security Policy > Access Rules) without any problem but I’m unable to delete my Translation Rules (Configuration > Features > NAT > Translation Rules) so I can put new/correct ones back in. When I try to delete a Translation Rule I get the following error:

The operation you are trying to perform will result in some security rules being nullified. Please review your translation/security rules and try this operation again.

This worked last Friday and we’ve been getting our email (with a ton of spam now). Why can’t I change it back? Am I missing something really basic here? I’m not a Cisco guy so using Cisco-speak won’t do much for me. Any help here would be greatly appreciated. If I don’t get this working I’m going to have to call the local shop and have them send a Cisco tech over. At least they take Visa.

 

[unclerico]

can you post a scrubbed config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[JBruyet]

unclerico, thanks for helping. I didn't pull the config using a laptop connected to the console, I exported the running config. If this won't work let me know and I'll get the config using the laptop.

: Saved
: Written by enable_15 at 07:48:32.557 PDT Tue Aug 17 2010

ASA Version 7.0(2)
names
name xxx.xxx.xx.143 External Domain1
name xxx.xx.x.22 External Domain1
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xxx.xxx.xxx.67 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address xxx.xxx.x.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address xxx.xxx.x.1 255.255.255.0
management-only
!
enable password encrypted
passwd encrypted
hostname ASA5510
domain-name domain.com
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns retries 2
dns timeout 2
dns domain-lookup Inside
dns name-server xxx.xxx.10.82
dns name-server xxx.xxx.10.83
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny tcp any any eq 6346
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny udp any any eq 6346
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny tcp any any eq 6347
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny udp any any eq 6347
access-list Outside_access_in remark MDC traffic to our MDS server
access-list Outside_access_in extended permit udp any interface Outside eq 3001
access-list Outside_access_in remark Redirect for the security DVR
access-list Outside_access_in extended permit tcp any interface Outside eq 8234
access-list Outside_access_in remark Redirect for security DVR
access-list Outside_access_in extended permit udp any interface Outside eq 8234
access-list Outside_access_in remark Redirect for security DVR
access-list Outside_access_in extended permit tcp any interface Outside eq 8235
access-list Outside_access_in remark Internet redirect to security DVR
access-list Outside_access_in extended permit tcp any interface Outside eq 2376
access-list Outside_access_in remark Internet redirect to security DVR
access-list Outside_access_in extended permit udp any interface Outside eq 2376
access-list Outside_access_in extended permit tcp any interface Outside eq www
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq pop3
access-list Outside_access_in extended permit tcp any host my.external.ip.address eq imap4
access-list Inside_nat0_outbound extended permit ip xxx.xxx.10.0 255.255.255.0 host xxx.xxx.10.253
access-list Inside_nat0_outbound extended permit ip any xxx.xxx.10.192 255.255.255.192
access-list Inside_nat0_outbound extended permit ip any xxx.xxx.102.0 255.255.255.128
access-list Outside_cryptomap_dyn_100 extended permit ip any xxx.xxx.102.0 255.255.255.128
access-list link_splitTunnelAcl standard permit xxx.xxx.10.0 255.255.255.0
access-list Outside_cryptomap_dyn_120 extended permit ip any xxx.xxx.102.0 255.255.255.128
access-list Outside_access_out remark Blocking Break.com from inside.
access-list Outside_access_out remark Blocking Break.com from inside.
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
logging from-address ASA5510@domain.com
logging recipient-address cell-phone@txt.att.net level errors
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Pool1-ipsec xxx.xxx.102.1-xxx.xxx.102.100 mask 255.255.255.255
ip local pool Pool2local xxx.xxx.10.89-xxx.xxx.10.99 mask 255.255.255.255
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm502.bin
asdm location AudioRecorder 255.255.255.255 Inside
asdm location Barracuda 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 xxx.xxx.10.0 255.255.255.0
static (Inside,Outside) udp interface 3001 xxx.xxx.10.37 3001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2376 xxx.xxx.10.51 2376 netmask 255.255.255.255
static (Inside,Outside) udp interface 2376 xxx.xxx.10.51 2376 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8234 xxx.xxx.10.51 8234 netmask 255.255.255.255
static (Inside,Outside) udp interface 8234 xxx.xxx.10.51 8234 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8235 xxx.xxx.10.51 8235 netmask 255.255.255.255
static (Inside,Outside) tcp interface

http://www xxx.xxx.10.39

http://www netmask

255.255.255.255
static (Inside,Outside) tcp interface https xxx.xxx.10.39 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp xxx.xxx.10.39 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface pop3 xxx.xxx.10.39 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface imap4 xxx.xxx.10.39 imap4 netmask 255.255.255.255
static (Inside,Outside) External.IP.Address.Two xxx.xxx.10.31 netmask 255.255.255.255
static (Inside,Outside) External.IP.Address.Three xxx.xxx.10.32 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 206.130.131.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Policy1 internal
group-policy Policy2 attributes
dns-server value DNS.IP.Address.One DNS.IP.Address.Two
split-tunnel-policy tunnelspecified
split-tunnel-network-list value link_splitTunnelAcl
webvpn
group-policy Transit internal
group-policy Transit attributes
dns-server value DNS.IP.Address.One DNS.IP.Address.Two
split-tunnel-policy tunnelspecified
split-tunnel-network-list value link_splitTunnelAcl
webvpn
username Name1 password YOaYtNO.aT1y5rEj encrypted privilege 0
username Name2 password WVc4Sh3tF7d4UNKT encrypted privilege 0
username Name3 password PjHHdZopd1yDFY8q encrypted privilege 15
username Name4 password v2ALvHdBelGFq35u encrypted
username Name5 password px9mg5oAEzWWvM5d encrypted
username Name6 password XoVBJRA/hlZhqyqw encrypted
username Name7 password 8Pft1H2p83KYb4fU encrypted privilege 0
username Name8 password JvsCNM2csaf7baKh encrypted privilege 15
username Name9 password .UZwMNSYPkwdxykx encrypted privilege 0
username Name10 password achqqhpGat8gnhnt encrypted
username Name11 password kGtWRhKgKFOSycu3 encrypted
http server enable
http External.IP.Address.Vendor1 255.255.255.255 Outside
http ExternalDomain 255.255.255.255 Outside
http Another.External.IP.Address 255.255.255.255 Outside
http xxx.xxx.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 match address Outside_cryptomap_dyn_100
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 120 match address Outside_cryptomap_dyn_120
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh Yet.Another.External.Address 255.255.255.255 Outside
ssh timeout 5
console timeout 15
dhcpd address xxx.xxx.1.2-xxx.xxx.1.254 management
dhcpd dns xxx.xxx.10.82 xxx.xxx.10.83
dhcpd lease 3600
dhcpd ping_timeout 50
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group1 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
address-pool (Inside) Pool1-ipsec
address-pool (Inside) Worklocal
address-pool Pool1-ipsec
address-pool Pool2local
default-group-policy Policy1
tunnel-group Group2 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group3 type ipsec-ra
tunnel-group Group3 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group3 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group4 type ipsec-ra
tunnel-group Group4 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group4 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group5 type ipsec-ra
tunnel-group Group5 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
strip-realm
tunnel-group Group5 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group6 type ipsec-ra
tunnel-group Group6 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group6 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group7 type ipsec-ra
tunnel-group Group7 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group7 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group8 type ipsec-ra
tunnel-group Group8 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group8 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group9 type ipsec-ra
tunnel-group Group9 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group9 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group10 type ipsec-ra
tunnel-group Group10 general-attributes
address-pool Internal_local
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group10 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group11 type ipsec-ra
tunnel-group Group11 general-attributes
address-pool Internal_local
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group11 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group12 type ipsec-ra
tunnel-group Group12 general-attributes
address-pool (Inside) iPool1-ipsec
address-pool (Inside) iPool2local
address-pool Pool1-ipsec
address-pool Internal_local
default-group-policy Policy1
tunnel-group Group12 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group13 type ipsec-ra
tunnel-group Group13 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group13 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group14 type ipsec-ra
tunnel-group Group14 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group14 ipsec-attributes
pre-shared-key 123454321
tunnel-group RouteMatch2 type ipsec-ra
tunnel-group Group15 general-attributes
address-pool (Inside) iPool1-ipsec
address-pool (Inside) iPool2ocal
address-pool Pool1-ipsec
address-pool Internal_local
default-group-policy Policy1
tunnel-group Group15 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group16 type ipsec-ra
tunnel-group Group16 general-attributes
address-pool (Inside) iPool1-ipsec
address-pool (Inside) iPool2local
address-pool Pool1-ipsec
address-pool Internal_local
default-group-policy Policy1
tunnel-group Group16 ipsec-attributes
pre-shared-key 123454321
ntp server xxx.xxx.10.82 source Inside
tftp-server Inside xxx.xxx.10.33 /ASA5510/Config20100813
smtp-server xxx.xxx.10.39
Cryptochecksum:ceb34fd0ff1925bb835f48b5b1430cbd
: end

 

[unclerico]

is xxx.xxx.10.39 the baracuda??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[JBruyet]

10.39 is my Exchange Server.

Thanks,

Joe B

 

[unclerico]

i don't ever use the gui so i can't comment on whether what you are doing is correct or not, but if you can get to the CLI type this:

no static (Inside,Outside) tcp interface smtp xxx.xxx.10.39 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp <baracuda_ip> smtp netmask 255.255.255.255

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[JBruyet]

unclerico, thanks for the help but I contacted the local Cisco shop and it's now working correctly.

Thanks,

Joe B