ASA 5510 config questions
#1
Fixed Error!
Posts: 4,202
Join Date: Mar 2007
Rep Power: 6
I was recently given an ASA 5510 to deploy which will replace our Citrix server as well as our Linux iptables firewall. I have most things working correctly but I'll be the first to admit I've got some mighty fat fingers on this console and I know there are a lot of things that are now unnecessary in the config but unsure really. I guess I could reset it all and start from scratch too.

My topology is as follows:

Managed router: 66.43.xxx.25 (Cloud)
  |
Interface e0/0 'outside': 66.43.xxx.24
  |__ vpn subnet: 192.168.3.0 (Remote workers, about 20)
Interface e0/1 'inside': 192.168.0.253 (LAN - about 100 folks, mailserver, dns, http/s)
  |
Interface e0/2 'dmz': 192.168.2.1 (Lserv and Citrix until I get the vpn squared away)

The major concerns:

First, how does one handle the NAT for your MX boxes? I've got a machine on the inside, 192.168.0.2, that handles all mail and a static in place on the outside to forward all inbound smtp to it. That's working great. My problem is with the outbound smtp data. Since it is being NAT'd to outside (.24) some mail servers reject the mail because the PTRs don't resolve or mismatch. All of my A records point to 66.43.xxx.30. Is there a way I can have all outbound smtp from 192.168.0.2 appear as coming from 66.43.xxx.30? It can't be as easy as changing the outside interface on ASA to be .30 can it? Will that then affect the inbound smtp dst .30 or will the static to 192.168.0.2 still work?

Secondly, the vpn is up and running but I'm not able to access all resources on the inside net 192.168.0.0 (such as IMAP). I must have the access borked somehow.

Third, I know that Citrix is going away once the VPN is correct but until that gets rolled out the clients have to use Citrix. They can connect just fine and are able to log in to the samba server on 192.168.0.2 but the asa syslog starts throwing portmap translation errors from inside to dmz port 137.

I have certainly asked a lot of questions in one, I hope that's legal and wish I could award 2000 points instead of 500. I'm really trying to understand this hardware as it does seem extremely robust, but the lack of genuine examples and tutorials makes for a steep learning curve if left to just the Cisco docs. Thanks to anyone who has the time and expertise to help me stand this thing up tall.

Kind Regards,
Aaron

Current config:

hostname asa
domain-name nonprofit.org
enable password .Sxfpty8I0qvTh6R encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.43.xxx.24 255.255.255.242
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.253 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd .Sxfpty8I0qvTh6R encrypted
banner login Authorized $(domain) users only.
banner login if you are unauthorized, disconnect immediately.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.0
access-list pfa_splitTunnelAcl standard permit any
access-list outside_in extended permit tcp any host 66.43.xxx.18 eq https
access-list outside_in extended permit tcp any eq www host 66.43.xxx.18
access-list outside_in extended permit tcp any eq https host 66.43.xxx.18
access-list outside_in extended permit tcp any eq smtp host 66.43.xxx.30
access-list outside_in extended permit tcp any eq 2598 host 66.43.xxx.28
access-list outside_in extended permit tcp any host 66.43.xxx.18 eq www
access-list outside_in extended permit tcp any host 66.43.xxx.28 eq citrix-ica
access-list outside_in extended permit tcp any host 66.43.xxx.28 eq 2598
access-list outside_in extended permit tcp any host 66.43.xxx.20 eq www
access-list outside_in extended permit tcp any host 66.43.xxx.20 eq https
access-list outside_in extended permit tcp any host 66.43.xxx.21 eq www
access-list outside_in extended permit tcp any host 66.43.xxx.21 eq https
access-list outside_in extended permit tcp any host 66.43.xxx.22 eq www
access-list outside_in extended permit tcp any host 66.43.xxx.17 eq www
access-list outside_in extended permit tcp any host 66.43.xxx.18 eq domain
access-list outside_in extended permit udp any host 66.43.xxx.18 eq domain
access-list outside_in extended permit tcp any host 66.43.xxx.17 eq https
access-list outside_in extended permit tcp host 66.179.16.205 eq https host 66.43.xxx.24
access-list outside_in extended permit tcp any eq https any eq https
access-list outside_in extended permit tcp any eq https any
access-list outside_in extended permit tcp any eq www any
access-list outside_in extended permit tcp any host 66.43.xxx.24 eq smtp
access-list outside_in extended permit tcp any host 66.43.xxx.30 eq smtp
access-list split standard permit 192.168.0.0 255.255.255.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list split standard permit 192.168.1.0 255.255.255.0
access-list dmz_access_in extended permit tcp interface dmz interface outside
access-list dmz_access_in extended permit tcp any host 66.43.xxx.30 eq smtp
access-list dmz_access_in extended permit tcp any interface inside
access-list dmz_access_in extended permit udp interface dmz interface inside
access-list dmz_access_in extended permit tcp any interface outside
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging trap errors
logging asdm warnings
mtu management 1500
mtu inside 1500
mtu dmz 1500
mtu outside 1500
ip local pool vpnpool 192.168.3.1-192.168.3.100 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
asdm image disk0:/asdm506.bin
asdm location 66.43.xxx.17 255.255.255.255 outside
asdm location 66.43.xxx.18 255.255.255.255 outside
asdm location 66.43.xxx.21 255.255.255.255 outside
asdm location 66.43.xxx.22 255.255.255.255 outside
asdm location 66.43.xxx.27 255.255.255.255 outside
asdm location 192.168.3.0 255.255.255.0 outside
asdm location 66.43.xxx.30 255.255.255.255 outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.2.0 255.255.255.0
static (dmz,outside) tcp 66.43.xxx.28 citrix-ica 192.168.2.3 citrix-ica netmask 255.255.255.255
static (dmz,outside) tcp 66.43.xxx.28 2598 192.168.2.3 2598 netmask 255.255.255.255
static (inside,outside) tcp 66.43.xxx.17 www 192.168.0.2 www netmask 255.255.255.255
static (inside,outside) tcp 66.43.xxx.17 https 192.168.0.2 https netmask 255.255.255.255
static (inside,outside) tcp 66.43.xxx.20 www 192.168.0.7 www netmask 255.255.255.255
static (inside,outside) tcp 66.43.xxx.20 https 192.168.0.7 https netmask 255.255.255.255
static (inside,outside) udp 66.43.xxx.18 domain 192.168.0.252 domain netmask 255.255.255.255
static (inside,outside) tcp 66.43.xxx.18 domain 192.168.0.252 domain netmask 255.255.255.255
static (dmz,outside) tcp 66.43.xxx.22 www 192.168.2.2 www netmask 255.255.255.255
static (inside,outside) tcp 66.43.xxx.30 smtp 192.168.0.2 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.43.xxx.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy asa internal
group-policy asa attributes
 wins-server value 192.168.0.4
 dns-server value 192.168.0.254
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value pfa_splitTunnelAcl
 default-domain value nonprofit.org
 webvpn
group-policy pfa internal
group-policy pfa attributes
 wins-server value 192.168.0.4
 dns-server value 192.168.0.254
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 webvpn
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group pfa type ipsec-ra
tunnel-group pfa general-attributes
 address-pool vpnpool
 default-group-policy pfa
tunnel-group pfa ipsec-attributes
 pre-shared-key mytextkey
telnet timeout 5
ssh 192.168.0.2 255.255.255.255 inside
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 192.168.0.20-192.168.0.220 inside
dhcpd dns 192.168.0.254 66.43.xxx.27
dhcpd wins 192.168.0.4
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain nonprofit.org
dhcpd auto_config inside
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
!
service-policy global_policy global
tftp-server inside 192.168.0.254 /tftpboot
smtp-server 192.168.0.2
Cryptochecksum:e41fb54da3719da6faba58d2b7ea9724
: end
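The posted outside_in ACL mixes two shapes of entry: the intended `permit tcp any host X eq www` form, and several entries such as `permit tcp any eq www host 66.43.xxx.18` and `permit tcp any eq https any` where the port operator sits on the source. Because a client chooses its own source port, a source-port permit admits traffic to any destination port on the listed host, so these entries deserve a review before the box goes live. The script below is an added example (not from the thread or from Cisco) that parses ASA 7.x/8.0-style extended ACEs, flags source-port permits and unrestricted any/any permits, and suggests the destination-port rewrite. SAMPLE_CONFIG is a constructed subset of the ACEs in the post, with the obfuscated 66.43.xxx.* addresses kept as written.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the access-list lines posted in the
# thread, with the obfuscated 66.43.xxx.* public addresses kept as written.
SAMPLE_CONFIG = """
access-list outside_in extended permit tcp any host 66.43.xxx.18 eq https
access-list outside_in extended permit tcp any eq www host 66.43.xxx.18
access-list outside_in extended permit tcp any eq https any eq https
access-list outside_in extended permit tcp any eq https any
access-list outside_in extended permit tcp any eq www any
access-list outside_in extended permit tcp any host 66.43.xxx.30 eq smtp
access-list outside_in extended permit udp any host 66.43.xxx.18 eq domain
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list split standard permit 192.168.0.0 255.255.255.0
"""

# Port operators accepted after a source or destination address, with the
# number of operand tokens each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]
    text: str


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec: 'any', 'host X', 'interface NAME' or 'NET MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if i + 1 >= len(tokens):
        raise ValueError("truncated address spec: %r" % tokens)
    return "%s %s" % (tokens[i], tokens[i + 1]), i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator ('eq www', 'range 1 1024', ...)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended ACE; standard ACLs and other lines return None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, i = _take_addr(tokens, 0)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)   # trailing 'log'/'inactive' ignored
    return Ace(acl, action, proto, src, src_port, dst, dst_port, line.strip())


def parse_config(text: str) -> List[Ace]:
    return [a for a in (parse_ace(ln) for ln in text.splitlines()) if a]


def audit(aces: List[Ace]) -> List[Tuple[str, str]]:
    """Return (finding, ace_text) pairs for the two patterns worth reviewing."""
    findings = []
    for a in aces:
        if a.action != "permit":
            continue
        # The client picks its own source port, so a permit keyed on the
        # source port admits traffic to any destination port on the listed host.
        if a.src_port is not None:
            findings.append(("source-port-permit", a.text))
        # any/any with no port restriction; informational on an inside
        # interface (outbound is open by default there) but worth listing.
        if a.src == "any" and a.dst == "any" and a.src_port is None and a.dst_port is None:
            findings.append(("unrestricted-permit", a.text))
    return findings


def suggest_fix(ace: Ace) -> str:
    """Rewrite a source-port ACE in destination-port form.

    If the destination already carries a port operator the source one is
    dropped; otherwise it is moved onto the destination, which is what
    'permit tcp any eq www host X' was almost certainly meant to say."""
    if ace.src_port is None:
        return ace.text
    dst_port = ace.dst_port if ace.dst_port is not None else ace.src_port
    parts = ["access-list", ace.acl, "extended", ace.action, ace.proto, ace.src, ace.dst, dst_port]
    return " ".join(parts)


if __name__ == "__main__":
    for kind, text in audit(parse_config(SAMPLE_CONFIG)):
        print("%-22s %s" % (kind, text))
        if kind == "source-port-permit":
            print("%-22s %s" % ("  suggested:", suggest_fix(parse_ace(text))))
```

Run it against the full `show running-config` output instead of SAMPLE_CONFIG to list every entry; `interface dmz`/`interface outside` address specs parse the same way as `host X`, and only the five port operators above are understood, so an unfamiliar keyword surfaces as a parse error rather than being silently accepted.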
#2
Fixed Error!
Posts: 4,202
Join Date: Mar 2007
Rep Power: 6
Understand. Easy solution is a 1-1 static NAT instead of just a port forward.

no static (inside,outside) tcp 66.43.xxx.30 smtp 192.168.0.2 smtp netmask 255.255.255.255
static (inside,outside) 66.43.xxx.30 192.168.0.2 netmask 255.255.255.255

But, that'll screw up your www/https that come in on a different public IP to the same server... Personally, I'd change the DNS records for www/https to .30 instead of .17

> It can't be as easy as changing the outside interface on ASA to be .30 can it?

Actually - given everything else that you have, this is a perfectly viable solution.

Or, you can try a conditional NAT with an ACL, keeping the static port xlate that you already have:

access-list outbound_smtp permit tcp host 192.168.0.2 any eq smtp
global (outside) 2 interface
global (outside) 1 66.43.xxx.30
nat (inside) 2 192.168.0.0 255.255.255.0
nat (dmz) 2 192.168.2.0 255.255.255.0
nat (inside) 1 access-list outbound_smtp

Note that I re-arranged the priority sequence number so that the conditional NAT will be evaluated first (1) vs all normal outbound traffic (2)

> The vpn is up and running but I'm not able to access all resources on the inside net 192.168.0.0 (such as IMAP)

If you can access some resources but not others, we need more information. What IP is IMAP? Where is it? Inside, or DMZ?

> They can connect just fine and are able to log in to the samba server on 192.168.0.2 but the asa syslog starts throwing portmap translation errors from inside to dmz port 137.

If clients can log in and do what they need, simply disable this syslog message number so they don't fill up your logs. These are NetBIOS broadcasts that the ASA drops anyway.
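Why the existing port forward does not fix the outbound source address, and what each of the two suggested changes does to it, is easiest to see by running the three rule sets through a small model of the NAT lookup. The script below is an added example, not from the thread or from Cisco: it implements a simplified version of the documented pre-8.3 ASA NAT order of operations (static NAT/PAT before policy dynamic NAT before regular dynamic NAT; NAT exemption is left out because no inside-to-outside flow here matches it). The poster's obfuscated 66.43.xxx.* addresses are kept as opaque strings, and the 203.0.113.* destinations and source ports are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Union


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# One rule type per ASA command shape used in the thread. Public addresses
# stay as the obfuscated 66.43.xxx.* strings the poster used and are treated
# as opaque labels rather than parsed.
@dataclass
class StaticPat:           # static (inside,outside) tcp GLOBAL gport LOCAL lport
    proto: str
    global_ip: str
    gport: int
    local_ip: str
    lport: int


@dataclass
class StaticNat:           # static (inside,outside) GLOBAL LOCAL
    global_ip: str
    local_ip: str


@dataclass
class PolicyNat:           # nat (inside) N access-list ACL + global (outside) N ADDR
    matches: Callable[[Flow], bool]
    global_ip: str


@dataclass
class DynamicNat:          # nat (inside) N NET MASK + global (outside) N interface
    network: str
    global_ip: str


Rule = Union[StaticPat, StaticNat, PolicyNat, DynamicNat]


def translate(flow: Flow, rules: List[Rule]) -> Optional[str]:
    """Return the outside source address chosen for an inside->outside flow.

    Simplified model of the documented pre-8.3 NAT order of operations:
    static NAT/PAT first, then policy dynamic NAT, then regular dynamic NAT.
    A static PAT only matches when the real (pre-NAT) port is the configured
    one, which is why an outbound SMTP connection from an ephemeral source
    port falls through to the dynamic interface PAT."""
    for r in rules:
        if isinstance(r, StaticPat) and r.proto == flow.proto \
                and r.local_ip == flow.src and r.lport == flow.sport:
            return r.global_ip
        if isinstance(r, StaticNat) and r.local_ip == flow.src:
            return r.global_ip
    for r in rules:
        if isinstance(r, PolicyNat) and r.matches(flow):
            return r.global_ip
    for r in rules:
        if isinstance(r, DynamicNat) and ip_address(flow.src) in ip_network(r.network):
            return r.global_ip
    return None


# Constructed flows: outbound mail from the inside MX (ephemeral source
# port) and an ordinary web fetch from the same host.
SMTP_OUT = Flow("tcp", "192.168.0.2", 51000, "203.0.113.25", 25)
WEB_OUT = Flow("tcp", "192.168.0.2", 51001, "203.0.113.80", 80)

# 1. What the config posted in the thread does today.
ORIGINAL: List[Rule] = [
    StaticPat("tcp", "66.43.xxx.30", 25, "192.168.0.2", 25),
    DynamicNat("192.168.0.0/24", "66.43.xxx.24"),   # global (outside) 1 interface
]

# 2. First suggestion: replace the port forward with a 1-1 static.
ONE_TO_ONE: List[Rule] = [
    StaticNat("66.43.xxx.30", "192.168.0.2"),
    DynamicNat("192.168.0.0/24", "66.43.xxx.24"),
]

# 3. Conditional NAT: keep the static PAT and add a policy NAT that matches
#    'permit tcp host 192.168.0.2 any eq smtp' and maps it to .30.
POLICY: List[Rule] = [
    StaticPat("tcp", "66.43.xxx.30", 25, "192.168.0.2", 25),
    PolicyNat(lambda f: f.proto == "tcp" and f.src == "192.168.0.2" and f.dport == 25,
              "66.43.xxx.30"),
    DynamicNat("192.168.0.0/24", "66.43.xxx.24"),
]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("1-1 static", ONE_TO_ONE), ("policy nat", POLICY)):
        print("%-11s smtp out -> %s   web out -> %s"
              % (name, translate(SMTP_OUT, rules), translate(WEB_OUT, rules)))
```

The output makes the trade-off in the reply concrete: the 1-1 static moves every flow from 192.168.0.2 to .30 (so the .17 www/https statics for the same host would have to go), while the policy NAT moves only port-25 traffic and leaves everything else on the interface address .24. Either way, after the change the PTR for the chosen address should be checked against the A record the MX advertises, since that mismatch is what the receiving servers are rejecting.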