Problems Configuring Cisco ASA 5510.

14 years 5 months ago #34304 by yoddy
Hi all,

My company recently got an asa5510 and we need to integrate it into our network.

We have just 1 IP address from our ISP, and our needs are:

1. Allow external access to our webserver located on the inside
2. Allow external access to our mailserver, outlook web access (OWA), via https
3. A need to get our internal mail server to send messages

All but 3 above have been successful. Also, users on the inside can browse the web but cannot access the OWA and the webserver. My running config is pasted below; can anybody help?

Please note my mail server is 10.0.x.1 and my webserver is 10.0.x.2
ASA> en
Password: *****
ASA# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description OUR WAN SIDE
nameif OUTSIDE
security-level 0
ip address x.x.72.189 255.255.255.248
!
interface Ethernet0/1
description OUR LAN SIDE
nameif INSIDE
security-level 100
ip address 10.0.x.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CET 1
same-security-traffic permit inter-interface
object-group service OFFICE1 tcp-udp
description Allowed Ports
port-object eq www
port-object range 137 139
port-object eq 123
port-object eq 5721
port-object eq 989
port-object eq 443
port-object eq 164
port-object eq 163
port-object eq 162
port-object eq 161
port-object eq 1723
port-object eq 143
port-object eq 1024
port-object eq 110
port-object eq 995
port-object eq 993
port-object eq 25
port-object eq 514
port-object eq 990
port-object eq 23
port-object eq domain
port-object eq 21
port-object eq 20
port-object eq 1434
port-object eq 1433
object-group network HTTP_SERVER
network-object host 10.0.x.2
access-list OUTSIDE_access_in extended permit tcp any any object-group OFFICE1
access-list INSIDE_access_in extended permit tcp host 10.0.x.1 eq smtp any eq smtp
access-list outside-entry extended permit tcp any host x.x.72.189 eq smtp
access-list outside-entry extended permit tcp any host x.x.72.189 eq www
access-list outside-entry extended permit tcp any host x.x.72.189 eq ftp
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.0.x.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp interface www 10.0.x.2 www netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface smtp 10.0.x.1 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp interface https 10.0.x.1 https netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 x.x.72.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:2e4a40ef975543428f023873c1ec5518
: end
ASA#
14 years 5 months ago #34307 by S0lo
I'm assuming here that the ASA is the edge device, so it's directly placed between you and your ISP. So the outside interface with IP x.x.72.189 is the IP you got from the ISP. So external users should use this IP for reaching your internal servers.

Assuming the above is true, I can't see a clear-cut problem in the config. Try temporarily NOT using object-group in your access lists; specify ports directly, like this:

access-list OUTSIDE_access_in extended permit tcp any any eq 80

or even like this:

access-list OUTSIDE_access_in extended permit ip any any

This will eliminate any possibility of an access-list problem. So if it doesn't work, you are sure it's not an access list.

Tell us what happens.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 5 months ago #34308 by yoddy
Not at work till Monday. I can access my OWA from outside and I can access the webserver from outside too. The problem is with my internal users. They can't access these servers. Also, my mail server is not sending emails.
14 years 5 months ago #34312 by S0lo
Apparently, your inside users are trying to access the server using its DNS name or the external IP. The problem is that usual NAT (or static NAT) does not work from inside to inside (i.e. from an interface to the same interface). There are several workarounds to this. First, you could use something called DNS doctoring, described by Cisco here:

www.cisco.com/en/US/products/ps6120/prod...186a00807968d1.shtml

This basically lets the ASA modify DNS replies from the DNS server to let the resolved addresses point to your internal server IP (10.0.x.2).

Another way is to use static NAT hairpinning (described in the document above too). Something like this:

same-security-traffic permit intra-interface
static (INSIDE,INSIDE) tcp x.x.72.189 www 10.0.x.2 www netmask 255.255.255.255

As you can see, this would create a static map from inside to inside. Cisco says you also need a global (inside) 1 interface for this to work. But I personally think it should work even without that.

The third way to try is to create an internal DNS server that simply maps the webserver's domain name to the internal IP. Configure it to use your original DNS server as a forwarder (for other domains). Then let the inside users use that new DNS server.

Hope something here works.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
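Following S0lo's hairpinning suggestion, here is an added example (not from the thread and not Cisco's own document text) that extends his single www line to the OWA https port, in the same 7.0(8) syntax as the running config above. It assumes the addresses from the original post (x.x.72.189 as the public/OUTSIDE address, 10.0.x.1 as the mail/OWA server, 10.0.x.2 as the webserver) and the existing `nat (INSIDE) 1 10.0.x.0 255.255.255.0` line. It includes the `global (INSIDE) 1 interface` line that S0lo says Cisco calls for: without a translation for the client side, the server's replies go straight back to the client on the LAN instead of through the ASA, so the client receives a SYN-ACK from 10.0.x.1 rather than from x.x.72.189 and resets the connection.

```text
! Added example for the thread above, not a line from the original config.
! Allow traffic to enter and leave the same interface (INSIDE -> INSIDE).
same-security-traffic permit intra-interface
!
! PAT inside clients to the INSIDE interface address (10.0.x.254) when their
! traffic is turned around on INSIDE, so the servers answer via the ASA.
! The existing "nat (INSIDE) 1 10.0.x.0 255.255.255.0" already selects them.
global (INSIDE) 1 interface
!
! Hairpin static PAT: inside clients reaching the public address on
! www/https are sent to the internal webserver and the OWA server.
static (INSIDE,INSIDE) tcp x.x.72.189 www   10.0.x.2 www   netmask 255.255.255.255
static (INSIDE,INSIDE) tcp x.x.72.189 https 10.0.x.1 https netmask 255.255.255.255
```

To confirm it is taking effect, have an inside client open https://x.x.72.189/ and run `show xlate` on the ASA: a translation for that client should appear alongside the static entries, and `show nat` should list the new (INSIDE,INSIDE) statics. The existing (INSIDE,OUTSIDE) statics stay in place for external users; `write memory` saves the change.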