ASA 5505 7.2(3)
15 years 11 months ago #28200
by gh
ASA 5505 7.2(3) was created by gh
I am having a hard time with my ASA. I am attempting to set up our Exchange server. Unfortunately, I cannot seem to get the access-list and static route to work properly. When I use the packet tracer tool, it always gives me either an access-list error or a NAT error. I am on a BGP connection that could be causing some of the trouble, as a third party configured it and I don't have the password or the running config. However, the packet tracer failing should be independent of that, which causes me concern.
In the meantime, I have disabled the DMZ and I am only using the internal and external interfaces.
Being 5 AM, I have given up on trying stuff. If anyone can help me out, it would be much appreciated. Also, if you see any other stupid things that aren't pertinent or have any tips, they of course are welcomed.
thanks
gh
running-config:
ASA Version 7.2(3)
!
hostname XXXXX
domain-name XXXXXX
enable password XXXXXXXXXXXX encrypted
names
name 70.xxx.xxx.1 NAME description Gateway Router
name 70.xxx.xxx.230 ExternalMailServer description Webmail SMTP
name 10.xxx.xxx.230 MailServer1 description Exchange Server 1
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 10.xxx.xxx.253 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 70.xxx.xxx.4 255.255.255.240
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 70.xxx.xxx.129 255.255.255.128
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd XXXXXXXXXXXX encrypted
banner motd "********************************************************
banner motd * [ W A R N I N G ] *
banner motd * THIS IS A PRIVATE COMPUTER SYSTEM *
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name DOMAINNAME
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MailServers
network-object host MailServer1
object-group service Exchange-External-Webmail tcp
description Webmail
port-object eq www
port-object eq https
object-group service Exchange-External-SMTP tcp
description SMTP services
port-object eq smtp
access-list outside_access_in remark Exchange-External-Webmail
access-list outside_access_in extended permit tcp any host ExternalMailServer object-group Exchange-External-Webmail
access-list nonat extended permit ip interface inside interface dmz
access-list outside_access_in remark Exchange-External-SMTP
access-list outside_access_in extended permit tcp any host ExternalMailServer object-group Exchange-External-SMTP
pager lines 24
logging enable
logging console debugging
logging trap debugging
logging asdm debugging
logging mail emergencies
logging from-address ciscoasa@xxxxxx.com
logging recipient-address xxxxx@xxxxx.com level emergencies
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.xxx.xxx.0 255.255.255.0
static (inside,outside) tcp ExternalMailServer https MailServer1 https netmask 255.255.255.255 tcp 0 3
static (inside,outside) tcp ExternalMailServer www MailServer1 www netmask 255.255.255.255
static (inside,outside) tcp ExternalMailServer smtp MailServer1 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 50.xxx.xxx.169 255.255.255.255 50.xxx.xxx.168 1
route outside 0.0.0.0 0.0.0.0 NAME 1
!
router ospf 1
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD1 protocol radius
aaa-server AD1 host 10.xxx.xxx.231
timeout 5
key xxxxxxxxxxxx
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.xxx.xxx.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption des
hash sha
group 2
lifetime 86400
telnet 10.xxx.xxx.0 255.255.255.0 inside
telnet timeout 20
ssh 10.xxx.xxx.0 255.255.255.0 inside
ssh timeout 20
console timeout 10
management-access inside
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 129.xxx.xxx.xxx
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
wins-server value 10.xxx.xxx.231 10.xxx.xxx.232
dns-server value 10.xxx.xxx.231 10.xxx.xxx.230
vpn-tunnel-protocol l2tp-ipsec
default-domain value DOMAIN
tunnel-group VPNGroup1 type ipsec-ra
tunnel-group VPNGroup1 general-attributes
address-pool Pool1
authentication-server-group AD1
default-group-policy VPNGroup1
smtp-server 10.xxx.xxx.230
prompt hostname context
Cryptochecksum:xxxxxxxxx
: end
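The two packet-tracer outcomes gh describes (an access-list error versus a NAT error) follow from the order in which ASA 7.x, with pre-8.3 NAT semantics, evaluates an inbound connection: the outside ACL is matched against the mapped (public) destination first, and only then does a `static (inside,outside) tcp` entry untranslate it to the inside host. The following Python model is an added example, not code from the thread; it walks the posted ACL and static entries in that order. The names and ports are taken from the posted running-config, while the masked `xxx` octets and the client address 203.0.113.9 are constructed stand-ins.

```python
"""Toy model of ASA 7.x (pre-8.3 NAT) inbound evaluation for the post's
Exchange publication. Added example; addresses are constructed because the
post masks them with 'xxx'."""
from collections import namedtuple

NAMES = {"ExternalMailServer": "70.0.0.230", "MailServer1": "10.0.0.230"}  # constructed
PORTS = {"www": 80, "https": 443, "smtp": 25}

# object-group service ... tcp, from the posted running-config.
SERVICE_GROUPS = {
    "Exchange-External-Webmail": {"www", "https"},
    "Exchange-External-SMTP": {"smtp"},
}
# access-list outside_access_in extended permit tcp any host <dst> object-group <grp>
ACL = [
    ("tcp", "any", "ExternalMailServer", "Exchange-External-Webmail"),
    ("tcp", "any", "ExternalMailServer", "Exchange-External-SMTP"),
]
# static (inside,outside) tcp <mapped> <mport> <real> <rport> netmask 255.255.255.255
STATICS = [("tcp", "ExternalMailServer", p, "MailServer1", p) for p in ("https", "www", "smtp")]

Packet = namedtuple("Packet", "proto src dst dport")


def acl_permits(rule, pkt):
    """One outside_access_in entry; dst is compared to the MAPPED address."""
    proto, src, dst, group = rule
    ports = {PORTS[p] for p in SERVICE_GROUPS[group]}
    return (proto == pkt.proto and src == "any"
            and NAMES[dst] == pkt.dst and pkt.dport in ports)


def inbound(pkt, acl=ACL, statics=STATICS):
    """Return ('ALLOW', 'real_ip:port') or ('DROP', phase) for a packet on outside."""
    # Phase 1: interface ACL, evaluated on the public (mapped) destination.
    if not any(acl_permits(r, pkt) for r in acl):
        return ("DROP", "ACL")
    # Phase 2: untranslate through a matching static PAT; no match, no xlate.
    for proto, mapped, mport, real, rport in statics:
        if (proto, NAMES[mapped], PORTS[mport]) == (pkt.proto, pkt.dst, pkt.dport):
            return ("ALLOW", f"{NAMES[real]}:{PORTS[rport]}")
    return ("DROP", "NAT")


if __name__ == "__main__":
    for port in (443, 25, 993):
        print(port, inbound(Packet("tcp", "203.0.113.9", NAMES["ExternalMailServer"], port)))
```

Passing `acl=` or `statics=` overrides lets you reproduce each failure phase separately, for instance an ACL written against the inside address MailServer1 instead of the public name, which fails at the ACL phase on pre-8.3 code.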
15 years 11 months ago #28214
by Patiot
Replied by Patiot on topic Re: ASA 5505 7.2(3)
Could you please elaborate on the issue, citing the specific server and from where you want to access it.
Thanks
Patiot
15 years 11 months ago #28240
by gh
Replied by gh on topic Re: ASA 5505 7.2(3)
Patiot-
Thanks for your response, but I think we are going to go with an open source firewall instead. To add the options we want (simple things like DMZ to internal network communication and extra VLANs) it was going to cost an unreasonable amount. On a side note, if anyone wants a Cisco ASA 5505 with a base license, fire away!
gh