The goal is to set up the ASA to function as the network firewall and gateway for the internal network as well as the primary VPN device. Tried to set up NAT so that the only inbound SMTP traffic to be allowed would be from the Postini SMTP servers (a range of addresses). That traffic was supposed to be set to go to 10.10.4.5 via NAT. When the NAT setting was applied, none of the computers on the LAN could resolve any web pages! We'd remove the rule, it'd work, we'd reinvoke it, and the connection would disappear. At that point we called Cisco and they said they couldn't help us unless we did it with them online in a real-time test.
Next we configured the ASA NAT so that the mail server (10.10.4.5) global address was x.x.x.x (which was the outside IP of the Firewall).
At this point DNS stopped working on 10.10.4.5, so internal PCs lost connectivity outbound to the Internet.
I was wondering if I was missing something in my config? Maybe it is the DNS server? Any help with the config would be great.
Cheers,
Shaka
Code:
!
ASA Version 7.2(2)
!
hostname 22222222222
domain-name 222222222222.com
enable password 22222222222222 encrypted
names
name 10.10.4.3 www.2222222222.com description 22222222222 Web site
name 10.10.4.5 22222222 description 2222222222 Exchange server
name 10.10.4.2 22222222 description 222222222222 Sharepoint Server
dns-guard
!
interface Ethernet0/0
nameif public
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif private
security-level 100
ip address 10.10.4.51 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2222222222222 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup public
dns domain-lookup private
dns server-group DefaultDNS
name-server 22222222
domain-name 2222222222222.com
same-security-traffic permit inter-interface
object-group network asdmgroup
network-object 10.10.4.0 255.255.252.0
access-list private extended permit ip any any
access-list public extended permit tcp any host x.x.x.x eq www
access-list public extended permit tcp any host x.x.x.x eq smtp
access-list Nadastra-VPN-clients standard permit 10.10.4.0 255.255.252.0
access-list private_nat0_outbound extended permit ip 10.10.4.0 255.255.252.0 10.10.4.160 255.255.255.224
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu public 1500
mtu private 1500
mtu management 1500
ip local pool Global-VPN-pool 10.10.4.160-10.10.4.191 mask 255.255.252.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any private
asdm image disk0:/asdm-522.bin
asdm location 22222222222222 255.255.255.255 private
asdm location 2222222222222 255.255.255.255 private
asdm location 222222222222 255.255.255.255 private
asdm group asdmgroup private
no asdm history enable
arp timeout 14400
nat-control
global (public) 1 interface
nat (private) 0 access-list private_nat0_outbound
nat (private) 1 10.10.4.0 255.255.252.0
static (private,public) tcp x.x.x.x www www.2222222222222.com www netmask 255.255.255.255
static (private,public) x.x.x.x 2222222 netmask 255.255.255.255
access-group public in interface public
access-group private in interface private
route public 0.0.0.0 0.0.0.0 x.x.x.x 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server 2222222222 protocol nt
aaa-server 2222222222 (private) host 22222222222
nt-auth-domain-controller 2222222222
group-policy DfltGrpPolicy attributes
banner value Welcome to the 22222222222 VPN
wins-server value 10.10.4.5
dns-server value 10.10.4.5
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-session-timeout 86400
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth enable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 2222222222222-VPN-clients
default-domain value 222222222222.com
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value Global-VPN-pool
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-browsing port-forward auto-download
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc required
svc keep-installer installed
svc keepalive 60
svc rekey time none
svc rekey method none
svc dpd-interval client 300
svc dpd-interval gateway 300
svc compression deflate
username admin password 222222222222 encrypted
aaa authentication ssh console LOCAL
http server enable
http 10.10.4.0 255.255.252.0 private
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set ESP-3DES-MD5
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface public
crypto isakmp enable public
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group DefaultRAGroup general-attributes
address-pool Global-VPN-pool
authentication-server-group 2222222222
authentication-server-group (public) 2222222222222
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key 2222222222222
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool Global-VPN-pool
authentication-server-group 222222222222
authentication-server-group (public) 22222222222
tunnel-group DefaultWEBVPNGroup webvpn-attributes
2222222222222 22222222222 master timeout 2 retry 2
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 10.10.4.0 255.255.252.0 private
ssh timeout 15
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
dhcprelay timeout 60
!
!
webvpn
enable public
svc image disk0:/sslclient-win-1.1.3.173.pkg 1
svc enable
prompt hostname context
Cryptochecksum:22222222222222222222222222222222222222
: end
Only the dead fish follow the stream
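The symptom in the post (every LAN host loses outbound connectivity the moment the mail-server static is applied) is what happens when a one-to-one `static` claims the public interface's own address, which `global (public) 1 interface` is already using as the PAT address for the whole 10.10.4.0/22 network. The following is an added example, not the poster's configuration: it shows the conflicting static beside the ASA 7.2 form that forwards only TCP/25 on the interface address, and restricts the inbound SMTP rule to the Postini ranges. 10.10.4.5, the `public`/`private` interface names and `x.x.x.x` (the public interface IP) come from the post; the object-group name `postini-smtp` and the two network ranges are assumptions, using RFC 5737 documentation addresses as placeholders for Postini's published inbound ranges.

```cisco
! Added example, not the original post's running config.
! 10.10.4.5 = Exchange server (from the post); x.x.x.x = public interface address.
! 192.0.2.0/24 and 198.51.100.0/24 are PLACEHOLDERS for the Postini SMTP ranges.
!
! --- Conflicting form (the static described in the post) ---
! This maps the interface's own address one-to-one to the mail server, so it
! overlaps the outbound PAT from "global (public) 1 interface" and every
! inside host's translation (including DNS lookups from 10.10.4.5) breaks:
!
!   static (private,public) x.x.x.x 10.10.4.5 netmask 255.255.255.255
!
! --- Corrected form: port-level static PAT on the interface address ---
! Only TCP/25 is forwarded to 10.10.4.5; all other traffic keeps using the
! interface address for outbound PAT exactly as before.
static (private,public) tcp interface smtp 10.10.4.5 smtp netmask 255.255.255.255
!
! Source restriction: the Postini delivery ranges (placeholders, replace them).
object-group network postini-smtp
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
!
! Inbound ACL on the public interface. The SMTP line replaces the
! "permit tcp any host x.x.x.x eq smtp" rule from the post, so hosts outside
! the Postini ranges cannot reach port 25 at all; the web rule is unchanged.
access-list public extended permit tcp object-group postini-smtp host x.x.x.x eq smtp
access-list public extended permit tcp any host x.x.x.x eq www
access-group public in interface public
```

After applying it, `show xlate` should show the single port translation for 10.10.4.5 alongside the dynamic PAT entries for the rest of the LAN, and `packet-tracer input public tcp 192.0.2.10 1025 x.x.x.x 25` (with a real Postini address in place of the placeholder) walks the ACL and NAT phases and confirms the flow is allowed, while the same command from a non-Postini source shows the drop at the ACL phase.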