Question

Locked

Cisco ASA5505 NAT internal access to local mail server?

By tokyogwb ·
I have setup an ASA 5505 firewall with DMZ which hosts a mail server.
From outside there is full access to the mail server and it is recieving emails.
However, I am not able to access this server from inside although I have full access to internet and other outside resources.

Here is the config.
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name domain-name.com
enable password dqNVmGv0M1aiohVM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.250 255.255.255.248
ospf cost 10
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.123.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 5
!
interface Ethernet0/7
switchport access vlan 5
!
ftp mode passive
clock timezone JST 9
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq pop3
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq smtp
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq 32000
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq 587
access-list RemoteDT extended permit tcp any 192.168.123.0 255.255.255.0 object-group RemoteDT
access-list RemoteDT extended permit tcp any xxx.xxx.xxx.248 255.255.255.248 object-group RemoteDT
access-list Radmin extended permit tcp any 192.168.123.0 255.255.255.0 object-group Radmin
access-list Radmin extended permit tcp any 192.168.1.0 255.255.255.0 object-group Radmin
access-list dmz_access_in extended permit ip xxx.xxx.xxx.248 255.255.255.248 any

access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any xxx.xxx.xxx.248 255.255.255.248
access-list inside_access_in extended permit ip any 192.168.123.0 255.255.255.0

access-list outside_access_in extended permit ip any host xxx.xxx.xxx.251
access-list outside_access_in extended permit ip any host xxx.xxx.xxx.252
access-list outside_access_in extended permit ip any host xxx.xxx.xxx.253
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) xxx.xxx.xxx.252 192.168.123.3 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.253 192.168.123.4 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.251 192.168.1.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd dns 192.168.1.2 211.129.14.139 interface inside
dhcpd lease 40000 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e0c4edf41a0d239705fd7a8d30e3e3b7
: end
ciscoasa#

Can anyone help me with this?

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Are you running the base license ?

by NetMan1958 In reply to Cisco ASA5505 NAT interna ...

The 5505 has a limitation on the 3rd VLAN interface under the base license. See the section labeled "Maximum Active VLAN Interfaces for Your License" in this article:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1125063

Collapse -

Reponse To Answer

by tokyogwb In reply to Are you running the base ...

No, I have the Security Plus licence

Collapse -

More

by NetMan1958 In reply to Cisco ASA5505 NAT interna ...

How are you trying to access the server in the DMZ? By it's private IP or the public IP? Try running this debug and see what it says:
"debug icmp trace"
Unless you are connected via the console cable you will need to enter "term mon" also in order to see the output. After you have that configured try to ping the web server by it's private IP from something on the LAN.

Collapse -

Reponse To Answer

by tokyogwb In reply to More

By the pubic IP.
I am not able to ping the server from the LAN and the server can not ping anthing on the LAN either

Collapse -

Try using the private IP

by NetMan1958 In reply to Cisco ASA5505 NAT interna ...

Try the ping using the private IP (192.168.123.x) and if it isn't successful, run the debug I posted above.

See this article; It refers to the PIX but is applicable to the ASA also:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800941c8.shtml

Back to Networks Forum
6 total posts (Page 1 of 1)  

Hardware Forums