Can't change back to original rules

Status
Not open for further replies.

JBruyet (IS-IT--Management, member since Apr 6, 2001)
Hey all, my network is running behind an ASA 5510. My spam filter failed last Friday and I had to redirect all of my mail traffic directly to my Exchange Server. That went fine. Now that I have my replacement spam filter going (I love Barracuda Networks) I’m unable to point the traffic back to the spam filter. I can delete and recreate my Access Rules (Configuration > Features > Security Policy > Access Rules) without any problem but I’m unable to delete my Translation Rules (Configuration > Features > NAT > Translation Rules) so I can put new/correct ones back in. When I try to delete a Translation Rule I get the following error:

The operation you are trying to perform will result in some security rules being nullified. Please review your translation/security rules and try this operation again.

This worked last Friday and we’ve been getting our email (with a ton of spam now). Why can’t I change it back? Am I missing something really basic here? I’m not a Cisco guy so using Cisco-speak won’t do much for me. Any help here would be greatly appreciated. If I don’t get this working I’m going to have to call the local shop and have them send a Cisco tech over. At least they take Visa.
 
Can you post a scrubbed config?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
unclerico, thanks for helping. I didn't pull the config using a laptop connected to the console, I exported the running config. If this won't work let me know and I'll get the config using the laptop.

: Saved
: Written by enable_15 at 07:48:32.557 PDT Tue Aug 17 2010

ASA Version 7.0(2)
names
name xxx.xxx.xx.143 External Domain1
name xxx.xx.x.22 External Domain1
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xxx.xxx.xxx.67 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address xxx.xxx.x.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address xxx.xxx.x.1 255.255.255.0
management-only
!
enable password encrypted
passwd encrypted
hostname ASA5510
domain-name domain.com
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns retries 2
dns timeout 2
dns domain-lookup Inside
dns name-server xxx.xxx.10.82
dns name-server xxx.xxx.10.83
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny tcp any any eq 6346
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny udp any any eq 6346
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny tcp any any eq 6347
access-list Outside_access_in remark Deny Gnutella/Limewire
access-list Outside_access_in extended deny udp any any eq 6347
access-list Outside_access_in remark MDC traffic to our MDS server
access-list Outside_access_in extended permit udp any interface Outside eq 3001
access-list Outside_access_in remark Redirect for the security DVR
access-list Outside_access_in extended permit tcp any interface Outside eq 8234
access-list Outside_access_in remark Redirect for security DVR
access-list Outside_access_in extended permit udp any interface Outside eq 8234
access-list Outside_access_in remark Redirect for security DVR
access-list Outside_access_in extended permit tcp any interface Outside eq 8235
access-list Outside_access_in remark Internet redirect to security DVR
access-list Outside_access_in extended permit tcp any interface Outside eq 2376
access-list Outside_access_in remark Internet redirect to security DVR
access-list Outside_access_in extended permit udp any interface Outside eq 2376
access-list Outside_access_in extended permit tcp any interface Outside eq www
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq pop3
access-list Outside_access_in extended permit tcp any host my.external.ip.address eq imap4
access-list Inside_nat0_outbound extended permit ip xxx.xxx.10.0 255.255.255.0 host xxx.xxx.10.253
access-list Inside_nat0_outbound extended permit ip any xxx.xxx.10.192 255.255.255.192
access-list Inside_nat0_outbound extended permit ip any xxx.xxx.102.0 255.255.255.128
access-list Outside_cryptomap_dyn_100 extended permit ip any xxx.xxx.102.0 255.255.255.128
access-list link_splitTunnelAcl standard permit xxx.xxx.10.0 255.255.255.0
access-list Outside_cryptomap_dyn_120 extended permit ip any xxx.xxx.102.0 255.255.255.128
access-list Outside_access_out remark Blocking Break.com from inside.
access-list Outside_access_out remark Blocking Break.com from inside.
pager lines 24
logging enable
logging buffered warnings
logging asdm warnings
logging from-address ASA5510@domain.com
logging recipient-address cell-phone@txt.att.net level errors
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool Pool1-ipsec xxx.xxx.102.1-xxx.xxx.102.100 mask 255.255.255.255
ip local pool Pool2local xxx.xxx.10.89-xxx.xxx.10.99 mask 255.255.255.255
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm502.bin
asdm location AudioRecorder 255.255.255.255 Inside
asdm location Barracuda 255.255.255.255 Inside
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 xxx.xxx.10.0 255.255.255.0
static (Inside,Outside) udp interface 3001 xxx.xxx.10.37 3001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 2376 xxx.xxx.10.51 2376 netmask 255.255.255.255
static (Inside,Outside) udp interface 2376 xxx.xxx.10.51 2376 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8234 xxx.xxx.10.51 8234 netmask 255.255.255.255
static (Inside,Outside) udp interface 8234 xxx.xxx.10.51 8234 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8235 xxx.xxx.10.51 8235 netmask 255.255.255.255
static (Inside,Outside) tcp interface 255.255.255.255
static (Inside,Outside) tcp interface https xxx.xxx.10.39 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp xxx.xxx.10.39 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface pop3 xxx.xxx.10.39 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface imap4 xxx.xxx.10.39 imap4 netmask 255.255.255.255
static (Inside,Outside) External.IP.Address.Two xxx.xxx.10.31 netmask 255.255.255.255
static (Inside,Outside) External.IP.Address.Three xxx.xxx.10.32 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 206.130.131.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Policy1 internal
group-policy Policy2 attributes
dns-server value DNS.IP.Address.One DNS.IP.Address.Two
split-tunnel-policy tunnelspecified
split-tunnel-network-list value link_splitTunnelAcl
webvpn
group-policy Transit internal
group-policy Transit attributes
dns-server value DNS.IP.Address.One DNS.IP.Address.Two
split-tunnel-policy tunnelspecified
split-tunnel-network-list value link_splitTunnelAcl
webvpn
username Name1 password YOaYtNO.aT1y5rEj encrypted privilege 0
username Name2 password WVc4Sh3tF7d4UNKT encrypted privilege 0
username Name3 password PjHHdZopd1yDFY8q encrypted privilege 15
username Name4 password v2ALvHdBelGFq35u encrypted
username Name5 password px9mg5oAEzWWvM5d encrypted
username Name6 password XoVBJRA/hlZhqyqw encrypted
username Name7 password 8Pft1H2p83KYb4fU encrypted privilege 0
username Name8 password JvsCNM2csaf7baKh encrypted privilege 15
username Name9 password .UZwMNSYPkwdxykx encrypted privilege 0
username Name10 password achqqhpGat8gnhnt encrypted
username Name11 password kGtWRhKgKFOSycu3 encrypted
http server enable
http External.IP.Address.Vendor1 255.255.255.255 Outside
http ExternalDomain 255.255.255.255 Outside
http Another.External.IP.Address 255.255.255.255 Outside
http xxx.xxx.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 match address Outside_cryptomap_dyn_100
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 120 match address Outside_cryptomap_dyn_120
crypto dynamic-map Outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh Yet.Another.External.Address 255.255.255.255 Outside
ssh timeout 5
console timeout 15
dhcpd address xxx.xxx.1.2-xxx.xxx.1.254 management
dhcpd dns xxx.xxx.10.82 xxx.xxx.10.83
dhcpd lease 3600
dhcpd ping_timeout 50
tunnel-group Group1 type ipsec-ra
tunnel-group Group1 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group1 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group2 type ipsec-ra
tunnel-group Group2 general-attributes
address-pool (Inside) Pool1-ipsec
address-pool (Inside) Worklocal
address-pool Pool1-ipsec
address-pool Pool2local
default-group-policy Policy1
tunnel-group Group2 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group3 type ipsec-ra
tunnel-group Group3 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group3 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group4 type ipsec-ra
tunnel-group Group4 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group4 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group5 type ipsec-ra
tunnel-group Group5 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
strip-realm
tunnel-group Group5 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group6 type ipsec-ra
tunnel-group Group6 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group6 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group7 type ipsec-ra
tunnel-group Group7 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group7 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group8 type ipsec-ra
tunnel-group Group8 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group8 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group9 type ipsec-ra
tunnel-group Group9 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group9 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group10 type ipsec-ra
tunnel-group Group10 general-attributes
address-pool Internal_local
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group10 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group11 type ipsec-ra
tunnel-group Group11 general-attributes
address-pool Internal_local
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group11 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group12 type ipsec-ra
tunnel-group Group12 general-attributes
address-pool (Inside) iPool1-ipsec
address-pool (Inside) iPool2local
address-pool Pool1-ipsec
address-pool Internal_local
default-group-policy Policy1
tunnel-group Group12 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group13 type ipsec-ra
tunnel-group Group13 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group13 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group14 type ipsec-ra
tunnel-group Group14 general-attributes
address-pool Pool1-ipsec
default-group-policy Policy1
tunnel-group Group14 ipsec-attributes
pre-shared-key 123454321
tunnel-group RouteMatch2 type ipsec-ra
tunnel-group Group15 general-attributes
address-pool (Inside) iPool1-ipsec
address-pool (Inside) iPool2ocal
address-pool Pool1-ipsec
address-pool Internal_local
default-group-policy Policy1
tunnel-group Group15 ipsec-attributes
pre-shared-key 123454321
tunnel-group Group16 type ipsec-ra
tunnel-group Group16 general-attributes
address-pool (Inside) iPool1-ipsec
address-pool (Inside) iPool2local
address-pool Pool1-ipsec
address-pool Internal_local
default-group-policy Policy1
tunnel-group Group16 ipsec-attributes
pre-shared-key 123454321
ntp server xxx.xxx.10.82 source Inside
tftp-server Inside xxx.xxx.10.33 /ASA5510/Config20100813
smtp-server xxx.xxx.10.39
Cryptochecksum:ceb34fd0ff1925bb835f48b5b1430cbd
: end
 
Is xxx.xxx.10.39 the Barracuda?

 
10.39 is my Exchange Server.

Thanks,

Joe B
 
I don't ever use the GUI, so I can't comment on whether what you are doing is correct or not, but if you can get to the CLI, type this:
Code:
no static (Inside,Outside) tcp interface smtp xxx.xxx.10.39 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp <barracuda_ip> smtp netmask 255.255.255.255

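Why ASDM refused the delete, and what the two CLI lines above actually do, as an added example that is not part of the original thread or of Cisco's own tooling. On pre-8.3 ASA (the config posted is 7.0(2)), an inbound ACE such as `permit tcp any interface Outside eq smtp` only has meaning because a `static (Inside,Outside) tcp interface smtp ...` translation exists for that interface, protocol and port; ASDM checks that pairing and refuses to remove a static while an ACE still relies on it. The CLI accepts `no static` followed by a new `static`, and the ACL never needs to change because it references the mapped side (the Outside interface), not the inside host. The script below parses the relevant lines of a config in that syntax, reports which ACEs depend on which static, and generates the re-pointing commands. All addresses are placeholders: 192.0.2.39 stands for the scrubbed xxx.xxx.10.39 Exchange address, 192.0.2.40 is an assumed Barracuda address, 198.51.100.67 stands for the scrubbed Outside interface address, and treating `host my.external.ip.address` as that interface address is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: a subset of the ASA 7.0(2) config posted in this thread,
# with placeholder addresses (192.0.2.39 = Exchange, 198.51.100.67 = Outside interface).
SAMPLE_CONFIG = """\
access-list Outside_access_in extended deny tcp any any eq 6346
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Outside_access_in extended permit tcp any interface Outside eq smtp
access-list Outside_access_in extended permit tcp any interface Outside eq pop3
access-list Outside_access_in extended permit tcp any host 198.51.100.67 eq imap4
static (Inside,Outside) udp interface 3001 192.0.2.37 3001 netmask 255.255.255.255
static (Inside,Outside) tcp interface https 192.0.2.39 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 192.0.2.39 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface pop3 192.0.2.39 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface imap4 192.0.2.39 imap4 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
"""

# Pre-8.3 static PAT: static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask m
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask (?P<netmask>\S+)$")
# Inbound permit ACE with a single destination port (the form used in the thread).
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended permit (?P<proto>tcp|udp) (?P<src>.+?) "
    r"(?P<dst>interface \w+|host \S+|any) eq (?P<port>\S+)$")


@dataclass(frozen=True)
class StaticPat:
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str      # literal "interface" or a mapped address
    mapped_port: str
    real_ip: str
    real_port: str
    netmask: str
    line: str


@dataclass(frozen=True)
class Ace:
    acl: str
    proto: str
    dst: str            # "interface Outside", "host a.b.c.d" or "any"
    port: str
    line: str


def parse_config(text: str) -> Tuple[List[StaticPat], List[Ace]]:
    """Pull static PAT entries and single-port permit ACEs out of a running-config."""
    statics: List[StaticPat] = []
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            statics.append(StaticPat(**m.groupdict(), line=line))
            continue
        m = ACE_RE.match(line)
        if m:
            fields = m.groupdict()
            fields.pop("src")   # source is irrelevant to the NAT dependency
            aces.append(Ace(**fields, line=line))
    return statics, aces


def mapped_target(s: StaticPat) -> str:
    """The destination an inbound ACE must name to hit this translation."""
    return f"interface {s.mapped_if}" if s.mapped_ip == "interface" else f"host {s.mapped_ip}"


def normalize_dst(dst: str, interface_ips: Dict[str, str]) -> str:
    """`host <interface address>` reaches the same xlate as `interface <name>` (assumed mapping)."""
    for name, ip in interface_ips.items():
        if dst == f"host {ip}":
            return f"interface {name}"
    return dst


def dependents(statics: List[StaticPat], aces: List[Ace],
               interface_ips: Dict[str, str]) -> Dict[str, List[str]]:
    """ACEs that would match nothing if a given static were removed.

    This is the relationship behind ASDM's "security rules being nullified" refusal.
    """
    out: Dict[str, List[str]] = {}
    for s in statics:
        hits = [a.line for a in aces
                if a.proto == s.proto and a.port == s.mapped_port
                and normalize_dst(a.dst, interface_ips) == mapped_target(s)]
        if hits:
            out[s.line] = hits
    return out


def render(s: StaticPat, real_ip: str) -> str:
    return (f"static ({s.real_if},{s.mapped_if}) {s.proto} {s.mapped_ip} {s.mapped_port} "
            f"{real_ip} {s.real_port} netmask {s.netmask}")


def retarget(statics: List[StaticPat], old_real_ip: str, new_real_ip: str,
             ports: Set[str]) -> List[str]:
    """CLI to move the selected translations to a new inside host: remove, then re-add.

    The ACL is untouched because it names the mapped side, which does not change.
    `clear xlate` drops the existing translations (all of them) so traffic follows
    the new static immediately instead of waiting for the old xlates to time out.
    """
    cmds: List[str] = []
    for s in statics:
        if s.real_ip == old_real_ip and s.real_port in ports:
            cmds.append("no " + render(s, s.real_ip))
            cmds.append(render(s, new_real_ip))
    if cmds:
        cmds.append("clear xlate")
    return cmds


if __name__ == "__main__":
    statics, aces = parse_config(SAMPLE_CONFIG)
    for static_line, ace_lines in dependents(statics, aces, {"Outside": "198.51.100.67"}).items():
        print(static_line)
        for ace in ace_lines:
            print("    depends on:", ace)
    print("\n".join(retarget(statics, "192.0.2.39", "192.0.2.40", {"smtp"})))
```

Run it as-is to see the dependency report and the generated `no static` / `static` / `clear xlate` sequence for SMTP. `clear xlate` tears down every active translation on the box, so run it in a window where dropping connections is acceptable. This is pre-8.3 NAT syntax, matching the 7.0(2) config in the thread; ASA 8.3 and later use object NAT and the commands differ.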
 
unclerico, thanks for the help but I contacted the local Cisco shop and it's now working correctly.

Thanks,

Joe B
 