Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

More ASA 5505 Help 1

Status
Not open for further replies.

scott0011

Technical User
Dec 1, 2008
22
US
I guess using a SOHO3 has seriously atrophied how i under setting up a firewall, I cannot seem to get any of the rules right. I am not able to receive email or access my secure OWA website. The two error messages i get are:

1) For email: Deny tcp src outside:93.173.83.174/4234 dst inside:209.33.xxx.xxx/25 by access-group "outside" [0x0, 0x0]

2) For OWA: No translation group found for tcp src inside:172.16.6.84/52626 dst outside:209.33.xxx.xxx/443
Here is my config

: Saved
: Written by enable_15 at 22:27:51.210 UTC Thu Dec 4 2008
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name
enable password
passwd
names
name 192.168.168.0 uk-network
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.6.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.33.xxx.xxx 255.255.255.248
!
interface Vlan3
no nameif
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
retries 10
name-server 209.253.xxx.xxx
name-server 209.253.xxx.xxx
domain-name bosanova.net
object-group service email tcp
description email
port-object eq pop3
port-object eq smtp
object-group service https tcp
port-object eq https
access-list inside_nat0_outbound extended permit ip 172.16.6.0 255.255.255.0 uk-network 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.16.6.0 255.255.255.0 uk-network 255.255.255.0
access-list outside_nat_static extended permit tcp host 209.33.xxx.xxx eq pop3 any
access-list outside_nat0_outbound extended permit ip host 209.33.xxx.xxx host 172.16.6.169
access-list outside extended permit tcp any host 209.33.xxx.xxx eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm location uk-network 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp 209.33.xxx.xxx smtp 172.16.6.169 smtp netmask 255.255.255.255 tcp 20 0
static (outside,inside) tcp 172.16.6.169 pop3 access-list outside_nat_static tcp 40 40 udp 40
static (outside,inside) tcp 172.16.6.169 https 209.33.xxx.xxx https netmask 255.255.255.255 tcp 40 40 udp 40
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 209.33.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.xxx.xxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 81.178.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 81.178.xxx.xxx type ipsec-l2l
tunnel-group 81.178.xxx.xxx ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:

Thanks for any help.
 
Ok I think I know what my problem is I just don't know how to tell the ASA 5505 how to do it. The external ip of the firewall is 209.33.xxx.addr1 and the email is coming on 209.33.xxx.addr2. Since we have 5 external static IPs assigned to us from our ISP we set one for the firewall and one for the email server so somehow I need addr2 to translated(?) to addr1.

nameif outside
security-level 0
ip address 209.33.xxx.addr1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
retries 10
name-server 209.253.xxx.xxx
name-server 209.253.xxx.xxx
domain-name bosanova.net
object-group service email tcp
description email
port-object eq pop3
port-object eq smtp
object-group service https tcp
port-object eq https
access-list inside_nat0_outbound extended permit ip 172.16.6.0 255.255.255.0 uk-network 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 209.33.xxx.addr2 host 172.16.6.169
access-list outside_1_cryptomap extended permit ip 172.16.6.0 255.255.255.0 uk-network 255.255.255.0
access-list outside_nat_static extended permit tcp host 209.33.xxx.addr2 eq pop3 any
access-list outside_nat0_outbound extended permit ip host 209.33.xxx.addr2 host 172.16.6.169
access-list outside extended permit tcp any host 209.33.xxx.addr2 eq https
access-list 100 extended permit tcp any host 209.33.xxx.addr2 eq https
access-list 100 extended permit tcp any host 209.33.xxx.addr2 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (outside,inside) tcp 172.16.6.169 pop3 access-list outside_nat_static tcp 40 40 udp 40
static (outside,inside) tcp 172.16.6.169 https 209.33.xxx.addr2 https netmask 255.255.255.255 tcp 40 40 udp 40
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 209.33.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.16.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 81.178.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

tunnel-group 81.178.xxx.xxx type ipsec-l2l
tunnel-group 81.178.xxx.xxx ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2
 
add this
static (outside,inside) tcp 172.16.6.169 smtp 209.33.xxx.addr2 smtp netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi Brent, thanks for all the help but I still cannot get the email to come through nor access my OWA from the outside world, and after 2 weeks of fighting with this device and Cisco tech support over the phone I've decided to return it and get a Sonicwall PRO1260 since I have experience with their hardware and configuring them is a breeze. Thanks again for all the assistance.

Scott
 
I hate for this to leave a bad taste in your mouth for cisco.

I just noticed that you didn't have esmtp inspection on. That should fix it.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Ok going to try one more time to see if I can figure out how to work a Cisco. We have from our ISP 6 external ip addresses. We'll say, 1.1.1.1 to 1.1.1.6, and 1.1.1.1 is the ip assigned to vlan1 (outside), that's all fine. Now ip 1.1.1.4 is for our mail server, and it is routed to out internal ip of 172.1.6.169 where we need access SMTP and HTTPS for the outside world to inside email server. Now from what I can see or not see depending is that the ASA 5505 has no idea what to do with outside address 1.1.1.2 to 1.1.1.6 and I ma not able to find anywhere to define these on the ASA 5505. The Sonicwall its easy there is a little section to define a sort of fake intranet for the other external ips and I can NAT to then no problem either through Access rules or straight one-to-one NATing. I need to be able to do something like that. Is it possible.
 
Do the following (note some of this is needed to remove the lines that are causing this to fail and some of this is just to clean up):
Code:
ASA(config)# no access-group 100 in interface outside
ASA(config)# no static (outside,inside) tcp 172.16.6.169 pop3 access-list outside_nat_static tcp 40 40 udp 40
ASA(config)# no static (outside,inside) tcp 172.16.6.169 https 209.33.xxx.addr2 https netmask 255.255.255.255 tcp 40 40 udp 40
ASA(config)# no nat (outside) 0 access-list outside_nat0_outbound
ASA(config)# no access-list outside extended permit tcp any host 209.33.xxx.addr2 eq https
ASA(config)# no access-list 100 extended permit tcp any host 209.33.xxx.addr2 eq https 
ASA(config)# no access-list 100 extended permit tcp any host 209.33.xxx.addr2 eq smtp
ASA(config)# no access-list outside_nat_static extended permit tcp host 209.33.xxx.addr2 eq pop3 any 
ASA(config)# no access-list inside_nat0_outbound line 2 extended permit ip host 209.33.xxx.addr2 host 172.16.6.169

Add these:
Code:
ASA(config)# access-list outside_access_in extended permit tcp any host 1.1.1.4 eq https
ASA(config)# access-list outside_access_in extended permit tcp any host 1.1.1.4 eq smtp
ASA(config)# static (inside,outside) tcp 1.1.1.4 smtp 172.1.6.169 smtp netmask 255.255.255.255
ASA(config)# static (inside,outside) tcp 1.1.1.4 https 172.1.6.169 https netmask 255.255.255.255
ASA(config)# access-group outside_access_in interface outside

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
OK, I think I get it now. The ASA won't respond on those addresses without a static applied.
You need a static for each external IP/port combination then you will need an ACL entry for each of those.

What is your final goal here? I can post a mock-up of the code.

Here is the basic formula for outside in access-

Build Access List to allow the traffic in (one line for each port)-
access-list outside_access_in permit [TCP/UDP] any [host ExternalIP/interface outside] eq [Port#]

Apply the ACL to the outside interface -
access-group outside_access_in in interface outside

Map incoming port to an IP and port on the inside (one line for each port)-
static (inside,outside) [TCP/UDP] [ExternalIP/interface] [Port#] [InteralIP] [Port#] netmask 255.255.255.255


Anything in brackets needs to be replaced for your specific config. Bold means you have to enter a value (either a port # or IP address)


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks for the assists guys but still no luck, now I get IP spoof messages between 1.1.1.1 and 1.1.1.4 when attempting to access https. I'm done it's going back.

Scott
 
Post what you want to have working and a rough topology - mask the 2 middle octets of the public ip addresses. We'll get you working.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Ok just an update, I was able to get it to see the outside, and according to Cisco tech support my NATed stuff is setup correctly but the internal servers that I'm trying to reach from the outside world are rejecting the packets from the ASA 5505, keep getting a SYN timeout on stuff coming on the SMTP port. So now more research is needed, of course Cisco's response to that little problem was that I need to call Microsoft (yeah that ain't happenin').
 
Have you added the esmtp inspection?

policy-map global_policy
class inspection_default
inspect esmtp


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
No, and the Cisco tech just sent me an email asking me to disable it.
 
You don't have it in your config above. Try it and see if it fixes anything. The ASA's now do esmtp inspection and not smtp like the old PIX. The smtp alone would mess up exchange server as it used esmtp.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
It appears to make no difference the inspect esmtp on or off still get a SYN timeout when trying to receive email. Another odd thing after restarting the ASA I can no longer get to the outside world again, and tons of messages in the logging about suddenly blocking all sorts of tcp traffic even though no rule changes were made.

Current config:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name
enable password
passwd
no names
name 192.168.168.0 bosanova-uk
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.6.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.33.xxx.addr1 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 209.253.xxx.dns1
name-server 209.253.xxx.dns2
domain-name
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any host 209.33.xxx.addr4 eq htt
ps
access-list outside_access_in extended permit tcp any host 209.33.xxx.addr4 eq smt
p
access-list outside_access_in extended permit ip any host 209.33.xxx.addr4
access-list outside_1_cryptomap extended permit ip 172.16.6.0 255.255.255.0 192.
168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.6.0 255.255.255.0 192
.168.168.0 255.255.255.0
access-list inside_access_in extended permit ip host 209.33.xxx.addr4 host 172.1.6
.169
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 209.33.xxx.addr4 smtp 172.1.6.169 smtp netmask 255.255
.255.255
static (inside,outside) tcp 209.33.xxx.addr4 https 172.1.6.169 https netmask 255.2
55.255.255
static (outside,inside) tcp 172.1.6.169 smtp 209.33.xxx.addr4 smtp netmask 255.255
.255.255
static (outside,inside) tcp 172.1.6.169 https 209.33.xxx.addr4 https netmask 255.2
55.255.255
static (inside,inside) 172.16.6.0 172.16.6.0 netmask 255.255.255.0 norandomseq n
ailed
static (inside,outside) 209.33.xxx.addr4 172.1.6.169 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.33.xxx.router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 209.33.xxx.netid 255.255.255.248 outside
http 172.16.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 87.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 172.16.6.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 172.16.6.170 172.16.6.170
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing mapi port-forward fil
ter http-proxy auto-download citrix
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not
been met or due to some specific group policy, you do not have permission to us
e any of the VPN features. Contact your IT administrator for more information
svc enable
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username cisco password ****** encrypted privilege 15
tunnel-group 0006B1xxxxxx type ipsec-l2l
tunnel-group 0006B1xxxxxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
 
Ok, Take out all of these -

static (outside,inside) tcp 172.1.6.169 smtp 209.33.xxx.addr4 smtp netmask 255.255
.255.255
static (outside,inside) tcp 172.1.6.169 https 209.33.xxx.addr4 https netmask 255.2
55.255.255
static (inside,inside) 172.16.6.0 172.16.6.0 netmask 255.255.255.0 norandomseq n
ailed
static (inside,outside) 209.33.xxx.addr4 172.1.6.169 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-list inside_access_in extended permit ip host 209.33.xxx.addr4 host 172.1.6
.169

access-list outside_access_in extended permit ip any host 209.33.xxx.addr4

save the config and do a reboot and check



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top