  Configuring a Cisco ASA 5510
Posted 25-Mar-2007, 10:34 PM, #1, by Anilrgowda (Administrator)

Question: I am completely frustrated with this setup. I've configured an ASA5510 (I've attached the running config below) to take the place of a Netscreen 25 that's currently in place. They are running consecutively now. When I unplug the Netscreen and change the outside and inside interfaces of the ASA to have the IP addresses that the Netscreen has, I lose all connectivity to the internet. I've tried flushing the DNS, powering the Cisco 1700 and Motorola off and powering everything back on. I'm also attaching the log of events that take place after the switch is done. The log is from the ASA. Just to be clear, when the ASA is plugged in, I lose all connection to the internet and no computers on the LAN / WAN can communicate with the mail server. Help!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(1)
!
hostname MB01ASA01
domain-name corp.xxxxxxxxxxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 172.18.24.0 02_LAN
name 172.18.31.0 11_LAN
name 172.18.29.0 08_LAN
name 172.18.65.0 04_LAN
name 172.18.25.0 03_LAN
name 172.18.32.0 12_LAN
name 172.18.26.0 06_LAN
name 10.10.1.48 CHECK_2
name 172.18.100.0 CHECK_1
name 172.18.27.0 05_LAN
name 172.18.23.0 01_LAN
name 172.18.28.0 07_LAN
name 172.18.23.222 MAIL description Exchange 2003 Server
name 172.18.33.0 13_LAN
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 74.231.xxx.70 255.255.255.224
ospf cost 10
!
interface Ethernet0/1
nameif Inside
security-level 0
ip address 172.18.23.241 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
nameif Inside2
security-level 0
no ip address
ospf cost 10
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name corp.xxxxxxxxxxxx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service BB tcp
port-object range 2360 2363
object-group service 53 tcp
port-object range 1996 1996
object-group service TerminalServices tcp
port-object range 3388 3389
object-group network MB_WAN
network-object 01_LAN 255.255.255.0
network-object 02_LAN 255.255.255.0
network-object 03_LAN 255.255.255.0
network-object 06_LAN 255.255.255.0
network-object 05_LAN 255.255.255.0
network-object 07_LAN 255.255.255.0
network-object 08_LAN 255.255.255.0
network-object 11_LAN 255.255.255.0
network-object 12_LAN 255.255.255.0
network-object 04_LAN 255.255.255.0
network-object 13_LAN 255.255.255.0
network-object host MAIL
object-group network CHECK_LAN
network-object CHECK_1 255.255.255.0
network-object CHECK_2 255.255.255.240
object-group network FDLN
description FDLN - 4 Addresses
network-object host 12.129.xxx.103
network-object host 206.16.xxx.211
network-object host 63.240.xxx.101
network-object host 63.241.xxx.213
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group BB any object-group BB
access-list Outside_access_out extended permit tcp object-group MB_WAN eq www any eq www
access-list Outside_access_out extended permit tcp object-group MB_WAN eq https any eq https
access-list Outside_access_out extended permit ip object-group MB_WAN any
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group FDLN
access-list Outside_access_out extended permit tcp object-group MB_WAN eq smtp any eq smtp
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group TerminalServices any object-group TerminalServices
access-list Outside_access_out extended permit icmp object-group MB_WAN any traceroute
access-list Outside_access_out extended permit udp object-group MB_WAN eq syslog any eq syslog
access-list Outside_access_out extended permit udp object-group MB_WAN eq tftp any eq tftp
access-list Outside_access_out extended permit udp object-group MB_WAN eq dnsix any eq dnsix
access-list Outside_access_out extended permit tcp object-group MB_WAN eq telnet any eq telnet
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ssh any eq ssh
access-list Outside_access_out extended permit tcp object-group MB_WAN object-group 53 any object-group 53
access-list Outside_access_out extended permit tcp object-group MB_WAN eq ftp any eq ftp
access-list Outside_access_in extended permit tcp any eq smtp host MAIL eq smtp log
access-list Outside_access_in extended permit tcp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host MAIL object-group TerminalServices log
access-list Outside_access_in extended permit udp any eq www host MAIL eq www log
access-list Outside_access_in extended permit tcp object-group FDLN object-group MB_WAN log
access-list Outside_access_in extended permit tcp any object-group BB object-group MB_WAN object-group BB log
access-list Outside_access_in extended permit tcp any eq https host MAIL eq https log
access-list Outside_access_in extended permit udp any eq www host 74.231.xxx.77 eq www log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq smtp log
access-list Outside_access_in extended permit tcp any object-group TerminalServices host 74.231.xxx.77 object-group TerminalServices log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq https log
access-list Outside_access_in extended permit tcp any host 74.231.xxx.77 eq www log
access-list ACL_IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Inside2 1500
mtu management 1500
icmp deny any Outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.77 netmask 255.255.255.255 dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
route Outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route Inside 02_LAN 255.255.255.0 172.18.23.240 1
route Inside 03_LAN 255.255.255.0 172.18.23.240 1
route Inside 06_LAN 255.255.255.0 172.18.23.240 1
route Inside 05_LAN 255.255.255.0 172.18.23.240 1
route Inside 07_LAN 255.255.255.0 172.18.23.240 1
route Inside 08_LAN 255.255.255.0 172.18.23.240 1
route Inside 11_LAN 255.255.255.0 172.18.23.240 1
route Inside 12_LAN 255.255.255.0 172.18.23.240 1
route Inside 04_LAN 255.255.255.0 172.18.23.240 1
route Inside CHECK_1 255.255.255.0 172.18.23.240 1
route Inside CHECK_2 255.255.255.240 172.18.23.240 1
route Inside 13_LAN 255.255.255.0 172.18.23.240 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 01_LAN 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:0c2ef9e0e604a02608a4433bf046eef2
: end



Here's PART of the log...it was lengthy so I'm just posting a few lines...

4|Nov 25 2006|17:36:26|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|302020|172.18.24.10|10.55.56.100|Built ICMP connection for faddr 172.18.24.10/59212 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:25|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK on interface Inside
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK on interface Inside
6|Nov 25 2006|17:36:24|302015|172.18.29.251|10.55.56.103|Built inbound UDP connection 12356 for Inside:172.18.29.251/4075 (172.18.29.251/4075) to Outside:10.55.56.103/53 (10.55.56.103/53)
6|Nov 25 2006|17:36:23|302021|172.18.24.4|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
4|Nov 25 2006|17:36:23|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
4|Nov 25 2006|17:36:22|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:22|302016|172.18.23.200|193.0.14.129|Teardown UDP connection 12248 for Inside:172.18.23.200/1092 to Outside:193.0.14.129/53 duration 0:02:02 bytes 45
6|Nov 25 2006|17:36:21|302020|172.18.24.4|10.55.56.100|Built ICMP connection for faddr 172.18.24.4/37256 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.24.3|10.55.56.100|Teardown ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:20|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:19|302021|172.18.23.186|12.129.203.103|Teardown ICMP connection for faddr 172.18.23.186/7476 gaddr 12.129.203.103/0 laddr 12.129.203.103/0
6|Nov 25 2006|17:36:19|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK on interface Inside
6|Nov 25 2006|17:36:18|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags ACK on interface Inside
6|Nov 25 2006|17:36:18|302020|172.18.24.3|10.55.56.100|Built ICMP connection for faddr 172.18.24.3/40537 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:18|302020|172.18.23.200|74.231.xxx.77|Built ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512
6|Nov 25 2006|17:36:18|302021|172.18.23.200|74.231.xxx.77|Teardown ICMP connection for faddr 172.18.23.200/0 gaddr MAIL/512 laddr 74.231.xxx.77/512



Topology (left to right):

Circuit -- Cisco1700 -- Switch1 -- Switch2 -- Switch3 -- Hub

Hanging off the switches and the hub, in that order: NS Untrust, Outside ASA, Inside ASA, Exchange, NS Trust, Web Filter Machine
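The log excerpt above already carries the diagnostic clue: an Internet address (66.176.54.206) is logged as a source on the Inside interface, and the mail server (MAIL, an internal 172.18.x.x host) as a destination on Outside, with the deny attributed to the outbound ACL. The ASA is seeing the flow backwards. As an added example, not part of the post, the Python below parses this pipe-delimited ASDM log export and flags exactly that pattern. The sample lines are constructed from the post, and the internal ranges and the MAIL name are assumptions taken from the posted config's name and route statements.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: five of the pipe-delimited ASDM log lines from the post,
# field order severity|date|time|message-id|source|destination|text.
SAMPLE_LOG = """\
4|Nov 25 2006|17:36:26|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4367 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
6|Nov 25 2006|17:36:25|302020|172.18.24.10|10.55.56.100|Built ICMP connection for faddr 172.18.24.10/59212 gaddr 10.55.56.100/0 laddr 10.55.56.100/0
6|Nov 25 2006|17:36:25|106015|172.18.23.164|MAIL|Deny TCP (no connection) from 172.18.23.164/1495 to MAIL/3389 flags PSH ACK on interface Inside
6|Nov 25 2006|17:36:24|302015|172.18.29.251|10.55.56.103|Built inbound UDP connection 12356 for Inside:172.18.29.251/4075 (172.18.29.251/4075) to Outside:10.55.56.103/53 (10.55.56.103/53)
4|Nov 25 2006|17:36:22|106023|66.176.54.206|MAIL|Deny tcp src Inside:66.176.54.206/4366 dst Outside:MAIL/443 by access-group "Outside_access_out" [0x0, 0x0]
"""

# Names the posted config defines, so log fields that use them can be resolved.
NAMES = {"MAIL": "172.18.23.222"}

# Assumption for this example: the address space the posted config treats as
# internal (the 172.18.x.x LANs and the CHECK_2 range from its name/route lines).
INSIDE_NETS = [ip_network("172.18.0.0/16"), ip_network("10.10.1.48/28")]

# Text portion of a %ASA-4-106023 deny-by-ACL message.
DENY_ACL_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\w.]+)/\d+ '
    r'dst (?P<dst_if>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Split one ASDM log export line into its seven fields (None if malformed)."""
    parts = line.split("|", 6)
    if len(parts) != 7:
        return None
    keys = ("severity", "date", "time", "msgid", "src", "dst", "text")
    return dict(zip(keys, parts))


def is_internal(host):
    """True if host (an IP or a config name) falls inside the internal ranges."""
    addr = NAMES.get(host, host)
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INSIDE_NETS)


def triage(log_text):
    """Summarise the deny messages that point at a NAT/interface direction mix-up."""
    report = {"total": 0, "inverted_direction": [], "no_connection": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        report["total"] += 1
        if rec["msgid"] == "106023":
            m = DENY_ACL_RE.search(rec["text"])
            # An Internet source logged *on Inside* heading for an internal host
            # logged *on Outside*: the firewall sees the flow in reverse, which is
            # what a static written in the wrong direction produces.
            if (m and m["src_if"] == "Inside"
                    and not is_internal(m["src"]) and is_internal(m["dst"])):
                report["inverted_direction"].append(
                    {"time": rec["time"], "src": m["src"], "dst": m["dst"],
                     "dport": m["dport"], "acl": m["acl"]})
        elif rec["msgid"] == "106015":
            # TCP segment with no matching connection: state/asymmetry symptom.
            report["no_connection"] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} lines, {result['no_connection']} no-connection denies")
    for hit in result["inverted_direction"]:
        print(f"{hit['time']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"denied by {hit['acl']} (Internet source seen on Inside)")
```

Run against a full ASDM export, the `inverted_direction` list separates the translation problem from ordinary policy denies, which is the first thing to settle before touching the ACLs.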
Posted 25-Mar-2007, 10:35 PM, #2, by Anilrgowda (Administrator)

Re: Configuring a Cisco ASA 5510

Try this.

It's a working configuration, adjusted slightly to your configuration.

Back up your configuration, wipe it and try to apply this if you can.


hostname MB01ASA01
domain-name corp.xxxx.com
enable password q1HsFgy84ctrO8xK encrypted
names
name 192.168.102.11 ERP
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 74.231.xxx.70 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 99
ip address 172.18.23.241 255.255.255.0
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 10.50.45.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone BRST -3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

pager lines 24
logging enable
logging list VPN-Events level debugging class vpn
logging buffered debugging
logging asdm VPN-Events
mtu outside 1500
mtu inside 1500
mtu management 1500

icmp deny any outside
icmp permit any inside

no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 74.231.xxx.66 172.18.23.222 netmask 255.255.255.255 dns

access-list outside_in permit tcp any host 74.231.xxx.66 eq smtp log
access-list outside_in permit tcp any host 74.231.xxx.66 eq https log
access-group outside_in in interface outside


route outside 0.0.0.0 0.0.0.0 74.231.xxx.65 1
route inside 172.18.0.0 255.255.0.0 172.18.23.240 1
route inside 10.10.1.48 255.255.255.240 172.18.23.240 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
ssh version 2
console timeout 0
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
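The reply changes three things that matter: the inside interface moves from security-level 0 to 99 so there is a trust boundary again, the static is rewritten as `static (inside,outside) <public> <real>` so the real host is on the inside, and `nat-control` is dropped in favour of an explicit `global`/`nat` pair. As an added example (my own code, not the replier's or Cisco's), the Python below parses the relevant statements from constructed excerpts of both configurations and applies those checks, so the difference can be confirmed mechanically rather than by eye.

```python
import re

# Constructed excerpt of the poster's original configuration.
ORIGINAL_CFG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 0
interface Management0/0
 nameif management
 security-level 100
same-security-traffic permit inter-interface
nat-control
nat (management) 0 0.0.0.0 0.0.0.0
static (Outside,Inside) MAIL 74.231.xxx.77 netmask 255.255.255.255 dns
"""

# Constructed excerpt of the reply's corrected configuration.
FIXED_CFG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 99
interface Management0/0
 nameif management
 security-level 100
same-security-traffic permit inter-interface
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) 74.231.xxx.66 172.18.23.222 netmask 255.255.255.255 dns
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+)")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+)")


def parse_config(text):
    """Extract interface security levels and the NAT statements the checks need."""
    cfg = {"levels": {}, "statics": [], "nat": [], "global": [],
           "nat_control": False, "same_sec": False}
    block = None

    def flush():
        if block and block.get("nameif") and block.get("level") is not None:
            cfg["levels"][block["nameif"]] = block["level"]

    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            flush()
            block = {}
            continue
        if raw.startswith(" ") and block is not None:   # interface sub-command
            parts = raw.split()
            if parts[0] == "nameif":
                block["nameif"] = parts[1].lower()
            elif parts[0] == "security-level":
                block["level"] = int(parts[1])
            continue
        flush()
        block = None
        line = raw.strip()
        if line == "nat-control":
            cfg["nat_control"] = True
        elif line.startswith("same-security-traffic permit"):
            cfg["same_sec"] = True
        elif m := STATIC_RE.match(line):
            cfg["statics"].append({"real_if": m[1].lower(), "mapped_if": m[2].lower(),
                                   "mapped": m[3], "real": m[4]})
        elif m := NAT_RE.match(line):
            cfg["nat"].append((m[1].lower(), m[2]))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m[1].lower(), m[2]))
    flush()
    return cfg


def lint(cfg):
    """Return human-readable findings for the trust-boundary and NAT mistakes."""
    findings = []
    lv = cfg["levels"]
    names = [n for n in lv if n != "management"]
    # 1. Same level on both data interfaces plus same-security permit: no boundary.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if lv[a] == lv[b] and cfg["same_sec"]:
                findings.append(f"{a} and {b} share security-level {lv[a]} with "
                                "same-security-traffic permitted: no trust boundary")
    # 2. A published server's real interface must be the more trusted side.
    for s in cfg["statics"]:
        r, m = lv.get(s["real_if"]), lv.get(s["mapped_if"])
        if r is not None and m is not None and r <= m:
            findings.append(f"static ({s['real_if']},{s['mapped_if']}) puts real host "
                            f"{s['real']} on a side no more trusted than the mapped "
                            f"side (levels {r} vs {m}); direction looks inverted")
    # 3. nat-control: an interface with no nat/static cannot originate traffic.
    if cfg["nat_control"]:
        covered = {ifc for ifc, _ in cfg["nat"]} | {s["real_if"] for s in cfg["statics"]}
        for n in names:
            if n not in covered:
                findings.append(f"nat-control is on but {n} has no nat or static rule: "
                                "hosts there cannot initiate connections")
    # 4. A numbered nat pool needs a matching global on some interface.
    for ifc, nat_id in cfg["nat"]:
        if nat_id != "0" and not any(g == nat_id for _, g in cfg["global"]):
            findings.append(f"nat ({ifc}) {nat_id} has no matching global {nat_id}")
    return findings


def check(text):
    return lint(parse_config(text))


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(f"{label}: {len(check(cfg))} finding(s)")
        for f in check(cfg):
            print("  -", f)
```

Check 2 encodes the rule of thumb behind the reply's `static (inside,outside)` line: the first interface names where the real host lives, and for a server published to the Internet that is always the inside. The original config's `static (Outside,Inside)` trips it, as does the flat security-level 0 on both interfaces.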