Cisco ASA5505 could not be accessed from external connection

saynedu
I have configured a Cisco ASA5505 for local, DMZ and external connections. My aim is to be able to access the mail server connected through the DMZ from the external connection. The configuration seems OK, but ports 25 and 3389 cannot be accessed from outside. Any suggestions would be highly appreciated. Find my device configuration below.


GNL# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname GNL
domain-name ngrguardiannews.com
enable password HuvRIZhHtjl.AW0T encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 81.199.199.19 webserver
name 81.199.199.20 ISP
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.15 255.255.255.0
!
interface Vlan2
nameif outside-primary
security-level 0
ip address ISP 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.252
!
interface Vlan4
no forward interface Vlan1
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
interface Vlan14
nameif outside-DSL
security-level 0
ip address 80.248.5.12 255.255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 5
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 4
!
ftp mode passive
dns server-group DefaultDNS
domain-name ngrguardiannews.com
access-list outside_access_in extended permit tcp any host webserver eq www
access-list 108 extended permit tcp any host 10.10.10.0 eq smtp
access-list 108 extended permit tcp any host 10.10.10.0 eq pop3
access-list 108 extended permit icmp any host webserver echo-reply
access-list 108 extended permit icmp any host webserver unreachable
access-list 108 extended permit icmp any host webserver time-exceeded
access-list 110 extended permit tcp any host webserver eq smtp
access-list 110 extended permit tcp any host webserver eq www
access-list 121 extended permit tcp any host 10.10.10.1 eq www
access-list 121 extended permit tcp any host 10.10.10.1 eq smtp
access-list 121 extended permit tcp any host 10.10.10.2 eq smtp
access-list 121 extended permit tcp any host 10.10.10.2 eq www
access-list 103 extended permit icmp any any echo
access-list 103 extended permit icmp any any echo-reply
access-list 104 extended permit tcp any any eq smtp
access-list 104 extended permit tcp any any eq 3845
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside-primary 1500
mtu dmz 1500
mtu management 1500
mtu outside-DSL 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside-primary) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
static (dmz,outside-primary) tcp interface smtp 10.10.10.2 smtp netmask 255.255.255.255
static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (dmz,inside) 10.10.10.2 ISP netmask 255.255.255.255
access-group outside_access_in in interface outside-primary
route outside-primary 0.0.0.0 0.0.0.0 81.199.199.18 1
route outside-DSL 0.0.0.0 0.0.0.0 80.248.5.1 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.15 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside-primary
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 81.199.199.19
prompt hostname context
Cryptochecksum:1c3844c9db2ad64140784b5d83f718fb
: end
    NetMan1958

    the ip address of your email server on the DMZ?

    saynedu

    Yes, 10.10.10.2 is the local IP address of the mail server.

    81.199.199.20 is the public IP address provided by the ISP.

    192.168.10.15 is for the inside interface.

    I can browse from both the inside and DMZ interfaces, but ports 25 and 3389 could not be accessed from the internet.

    NetMan1958

    Remove this line:
    "static (dmz,inside) 10.10.10.2 ISP netmask 255.255.255.255"
    Add these lines:
    "access-list outside_access_in extended permit tcp any host 81.199.199.20 eq 25"
    "access-list outside_access_in extended permit tcp any host 81.199.199.20 eq 3389"

    Then your email server should be reachable from the internet via 81.199.199.20.

    saynedu

    Here is my new ASA5505 router config; I have defaulted and reconfigured it.

    Guard# show running-config
    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname Guard
    domain-name ngrguardiannews.com
    enable password HuvRIZhHtjl.AW0T encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.10.15 255.255.255.0
    !
    interface Vlan2
    nameif dmz
    security-level 50
    ip address 10.10.10.1 255.255.255.252
    !
    interface Vlan4
    no forward interface Vlan1
    nameif management
    security-level 0
    ip address 192.168.0.1 255.255.255.0
    management-only
    !
    interface Vlan14
    nameif outside-vsat
    security-level 0
    ip address 81.199.199.20 255.255.255.248
    !
    interface Vlan24
    nameif outside-dsl
    security-level 0
    ip address 80.248.5.13 255.255.255.224
    !
    interface Ethernet0/0
    switchport access vlan 14
    !
    interface Ethernet0/1
    switchport access vlan 24
    !
    interface Ethernet0/2
    switchport access vlan 2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    switchport access vlan 4
    switchport protected
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ngrguardiannews.com
    access-list 108 extended permit tcp any host 10.10.10.0 eq smtp
    access-list 108 extended permit tcp any host 10.10.10.0 eq pop3
    access-list outside-vsat_access_in extended permit tcp any host 81.199.199.20 eq www
    access-list outside-vsat_access_in extended permit tcp any host 81.199.199.20 eq smtp
    access-list outside-vsat_access_in extended permit tcp any host 81.199.199.20 eq 3389
    access-list 121 extended permit tcp any host 10.10.10.0 eq www
    access-list 121 extended permit tcp any host 10.10.10.0 eq smtp
    access-list 121 extended permit tcp any host 10.10.10.2 eq smtp
    access-list 121 extended permit tcp any host 10.10.10.2 eq www
    access-list 103 extended permit icmp any any echo
    access-list 103 extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    mtu outside-vsat 1500
    mtu outside-dsl 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    asdm history enable
    arp timeout 14400
    global (outside-vsat) 101 interface
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (dmz) 101 10.10.10.0 255.255.255.252
    static (dmz,outside-vsat) tcp interface www 10.10.10.2 www netmask 255.255.255.255
    static (inside,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
    access-group outside-vsat_access_in in interface outside-vsat
    route outside-vsat 0.0.0.0 0.0.0.0 81.199.199.18 1
    route outside-dsl 0.0.0.0 0.0.0.0 80.248.5.1 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 192.168.0.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd ping_timeout 750
    dhcpd auto_config outside-vsat
    !
    dhcpd address 192.168.0.2-192.168.0.254 management
    dhcpd enable management
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:00b50599631afe4dcb92378ad06f8b75
    : end


    Thanks for your assistance

    NetMan1958

    You need to add 2 more lines to enable smtp and 3389 to 10.10.10.2:
    "static (dmz,outside-vsat) tcp interface 25 10.10.10.2 25 netmask 255.255.255.255"
    "static (dmz,outside-vsat) tcp interface 3389 10.10.10.2 3389 netmask 255.255.255.255"

    You do have the www forwarding configured, but I can't open a web page on 81.199.199.20. Do you have a web server running on 10.10.10.2?

    Run "show route" from the cli and post the output back here. (it might be "show ip route" if the above doesn't work).

    Also post the output from these 2 commands:
    "show interface outside-vsat" and
    "show interface outside-dsl"

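As an added illustration (not code from the thread or from Cisco), the following Python check parses an ASA 7.2-style config and reports TCP ports that the inbound outside access-list permits without a matching static port-forward, which is exactly the gap on 25 and 3389 in this thread, as well as the reverse case of a static with no permit. The embedded config is a constructed excerpt of the second posted config as it stood before the two extra statics; the port-name table and the restriction to `permit tcp any host X eq PORT` and `static ... tcp interface` line shapes are assumptions.

```python
import re

# Constructed excerpt of the second config posted in this thread, as it stood
# before the two extra static rules were added (outside interface: outside-vsat).
ASA_CONFIG = """\
access-list outside-vsat_access_in extended permit tcp any host 81.199.199.20 eq www
access-list outside-vsat_access_in extended permit tcp any host 81.199.199.20 eq smtp
access-list outside-vsat_access_in extended permit tcp any host 81.199.199.20 eq 3389
static (dmz,outside-vsat) tcp interface www 10.10.10.2 www netmask 255.255.255.255
access-group outside-vsat_access_in in interface outside-vsat
"""

# Assumed subset of the ASA port keywords; anything else must be numeric.
PORT_NAMES = {"www": 80, "http": 80, "smtp": 25, "pop3": 110, "https": 443}

# Only the three line shapes used in the thread are parsed (an assumption):
# inbound "permit tcp any host X eq PORT", "static ... tcp interface" port
# forwards, and the access-group line binding an ACL to an interface.
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host \S+ eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp interface (\S+) (\S+) (\S+) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def port_number(token):
    """Translate an ASA port keyword or number to an int (KeyError if unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def audit_port_forwards(config):
    """Return (permitted_without_static, static_without_permit), each a sorted
    list of TCP ports, for every interface that has an inbound ACL bound."""
    acl_ports = {}  # ACL name -> ports permitted inbound
    statics = {}    # outside interface -> ports forwarded to a DMZ host
    bound = {}      # outside interface -> ACL name applied inbound
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_ports.setdefault(m.group(1), set()).add(port_number(m.group(2)))
        elif m := STATIC_RE.match(line):
            statics.setdefault(m.group(2), set()).add(port_number(m.group(3)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    missing_static, missing_permit = set(), set()
    for iface, acl in bound.items():
        permitted = acl_ports.get(acl, set())
        forwarded = statics.get(iface, set())
        # Permitted but not translated: the ACL lets the packet in, but with no
        # xlate to the DMZ host the connection has nowhere to go.
        missing_static |= permitted - forwarded
        # Translated but not permitted: the outside ACL's implicit deny drops it.
        missing_permit |= forwarded - permitted
    return sorted(missing_static), sorted(missing_permit)


if __name__ == "__main__":
    print(audit_port_forwards(ASA_CONFIG))  # ([25, 3389], [])
```

Running it against the fuller posted config gives the same answer, since only the outside-vsat ACL is bound inbound; the two statics NetMan1958 supplies bring the first list to empty.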
    saynedu

    Oh, thanks so much, the two additional NAT rules solved the problem. I am very grateful.

    saynedu

    One more issue: I have an Exchange server on a different LAN switch with IP address 192.168.20.5, and the Edge server is on the ASA5505 DMZ interface with IP address 10.10.10.2. Right now there is no communication between the Exchange and Edge servers, as I could not ping 10.10.10.2 from 192.168.20.5. What command line do I need on the ASA5505 to accomplish this? Presently the inside interface of the ASA5505, with IP address 192.168.10.15, is patched to the LAN switch. Thanks so much.

    NetMan1958

    would be to change the IP address of the exchange server to 192.168.10.5 if it is connected to a switch that is uplinked to the vlan1 interface on the ASA.
