
Help needed

16 years 6 months ago #25886 by scorpion72
Help needed was created by scorpion72
Hi All,


We just purchased an ASA 5505 and the vendor did the configuration. There is no problem with the internet connection.
But we have another connection to a remote site over an MPLS link, to access a mail server residing at the remote site.
The problem is that we cannot access the mail server via the MPLS link. And we could not test access to the mail server with a live connection at the time the vendor installed the ASA.
Both the ASA and the MPLS router are connected to a switch. We added a static route to the remote site, but still cannot access the mail server.
The internal network uses 172.16.8.x /24; the ASA IP is 172.16.8.2 and the MPLS router IP is 172.16.8.1 /16.
This is my first time using an ASA.
We want to access the mail server. What do we need to configure in the ASA?
I don't know whether the vendor's configuration is correct or not.

Can someone give me a solution for this problem?

[code:1]
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.8.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.98 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any xxx.xxx.xxx.96 255.255.255.240
access-list outside_access_in extended permit ip 192.168.113.0 255.255.255.0 172.16.8.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.8.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 172.16.8.0 255.255.255.0 any
access-list test extended permit ip 192.168.1.0 255.255.255.0 192.168.113.0 255.255.255.0 inactive
access-list split_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.113.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 192.168.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_usrs 192.168.113.1-192.168.113.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.8.0 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 172.16.0.0 255.255.0.0 172.16.8.1 1 (172.16.8.1 is mpls router ip)
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.97 1 (ADSL router port)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 444
http 172.16.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 172.16.8.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 172.20.20.4 172.20.20.5 interface inside (This line is configured by vendor, we don't use these addresses)
dhcpd wins 172.20.20.4 172.20.20.5 interface inside (This line is configured by vendor, we don't use these addresses)
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
webvpn
enable outside
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value vpn_usrs
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc required
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username xxxx password xxxxxxxxxxxxxxx encrypted privilege 15
username yyyyyy password xxxxxxxxxxxxx encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpn_usrs
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[/code:1]
16 years 6 months ago #25887 by Smurf
Replied by Smurf on topic Re: Help needed
Hi there,

What do you mean? You want to open the mail server up from the Internet? (i.e. you cannot see it from the Internet.)

So, the first thing I have noticed is that your ASA is on the same network as your MPLS network? Unless you are using some sort of LAN extension I am not sure how this is working?

Also, if you are trying to open up traffic from the Internet, you will need to use a static command in order to map incoming traffic to the mail server.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
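To make the routing point raised above concrete, here is an added example (it is not from either poster and not the vendor's configuration) of how inside-to-inside forwarding through an ASA running the 7.2 software shown in the post can be checked and enabled. It assumes the inside hosts use the ASA (172.16.8.2) as their default gateway, so a packet for the remote site enters the inside interface and has to leave through that same interface towards the MPLS router at 172.16.8.1. The client address 172.16.8.50 and the remote mail server address 172.16.20.10 are made up for illustration; the remote subnet is not given in the thread. Two things in the posted configuration matter here: the ASA refuses by default to send a packet back out of the interface it arrived on, and because a dynamic NAT rule (`nat (inside) 1`) exists on inside while `nat-control` is on, traffic from inside to a same-security interface must still match a NAT rule or an exemption.

```cisco
! Added example (not the poster's or the vendor's configuration). Assumptions:
!   - inside hosts default-route to the ASA at 172.16.8.2
!   - 172.16.8.50 is a hypothetical inside client
!   - 172.16.20.10 is a hypothetical mail server at the remote MPLS site
!
! 1. Trace a TCP/25 packet from an inside host to the remote mail server
!    before changing anything. packet-tracer walks each phase (ROUTE-LOOKUP,
!    ACCESS-LIST, NAT, ...) and ends with an Action: line and, on a drop,
!    a Drop-reason: line. Note which phase drops it.
ciscoasa# packet-tracer input inside tcp 172.16.8.50 1025 172.16.20.10 25

! 2. Confirm the ASA resolves the remote network to the MPLS router through
!    the inside interface (this is the static route from the post).
ciscoasa# show route | include 172.16.0.0

! 3. Allow a packet that arrived on inside to be forwarded back out of
!    inside (hairpin towards 172.16.8.1). This is off by default.
ciscoasa# configure terminal
ciscoasa(config)# same-security-traffic permit intra-interface

! 4. Exempt inside-to-remote-site traffic from NAT. With nat-control and a
!    dynamic NAT rule on inside, inside->inside traffic must still match a
!    NAT rule; rule 1 has a global only on outside, so add the LAN to the
!    exemption ACL that "nat (inside) 0 access-list" already references.
ciscoasa(config)# access-list inside_nat0_outbound extended permit ip 172.16.8.0 255.255.255.0 172.16.0.0 255.255.0.0
ciscoasa(config)# end

! 5. Re-run the trace: the NAT phase should now report the exemption and the
!    final Action: should be allow. Then test from a real client, watch the
!    connection appear, and save.
ciscoasa# packet-tracer input inside tcp 172.16.8.50 1025 172.16.20.10 25
ciscoasa# show conn | include 172.16.20.10
ciscoasa# write memory
```

Two checks are worth doing before blaming the ASA at all. The MPLS router carries 172.16.8.1 with a /16 mask while the ASA and the hosts use /24, so confirm on the router that the mail server's subnet is actually reached over the MPLS link rather than treated as directly connected by that /16. And if the hosts (or an L3 switch) can simply be given a route for 172.16.0.0/16 via 172.16.8.1, the ASA is no longer in the path for that traffic and neither change above is needed; the trade-off is that the inside ACL on the ASA then no longer sees site-to-site traffic.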
16 years 6 months ago #25891 by Elohim
Replied by Elohim on topic Re: Help needed
You need to readdress your ASA.

(quotes scorpion72's original post and configuration in full; see above)
