topic Re: Configuring ACL's 5520 in Network Security

Configuring ACL's 5520

kmcilvaine — Mon, 11 Mar 2019 10:26:42 GMT

I am new to Cisco firewalls and am having trouble getting the acls to work. I have a asa 5520 with version 7.2.2 software. I have it connected and can get to the internet but when I configure an acl to get my mail from the outside spam quarentine company I get no mail. I am not sure if I am doing the acl right or not.I did 1 from outside ip to inside ip allowing only port 3389 to go through.

Re: Configuring ACL's 5520

Jon Marshall — Thu, 07 Jun 2007 16:43:07 GMT

Port 3389 is for terminal services. Mail is typically on port 25. Is this a typo ?

Could you send copy of config of ASA minus any sensitive info.

HTH

Jon

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 16:46:53 GMT

1. 3389 is rdp (remote desktop protocol)

2. You need a static translation for the destination of the mail

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1=external address

192.168.1.1=internal address

3. Write the acl, this is for smtp tcp 25.

access-list outside_access_in extended permit tcp host host 1.1.1.1 eq 25

access-group outside_access_in in interface outside

Post you config if you have problems.

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 17:05:17 GMT

ASA Version 7.2(2)19

hostname ciscoasa

domain-name xxxxxxxx.com

enable password xxxxxxxx encrypted

names

dns-guard

interface GigabitEthernet0/0

nameif Wan

security-level 0

ip address xx.xxx.xxx.xx 255.255.255.224

interface GigabitEthernet0/1

nameif Lan

security-level 100

ip address xx.xxx.x.xx 255.255.255.0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

passwd xxxxxxxxxxxxx encrypted

boot system disk0:/asa722-19-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name xxxxxxx.com

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x

x eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx range 3268 3268 host xx.x

xx.x.xx range 3268 3268

access-list 110 extended permit tcp host xxx.xxx.xx.xx eq smtp host xx.xxx.x.xx

eq smtp

access-list Lan_nat_static extended permit ip interface Lan interface Wan

pager lines 24

logging enable

logging asdm informational

mtu Wan 1500

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (Wan) 1 interface

nat (Lan) 1 0.0.0.0 0.0.0.0

access-group 110 in interface Wan

route Wan 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 17:06:35 GMT

Sorry..3268 was the port

I have these 3 in the access rules for mail

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 17:09:01 GMT

Don't use source ports in your acl's

access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.x

x eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.x

xx.x.xx eq 3268

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx

eq smtp

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 17:10:32 GMT

What ip are they forwarding your mail to? You need a static translation for this address.

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

1.1.1.1=external address

192.168.1.1=internal address

or if the address is the outside interface of ASA you need

static (inside,outside) tcp interface 25 192.168.1.1 25 netmask 255.255.255.255

192.168.1.1=internal address

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 17:19:13 GMT

We first have a rule to check the global catalog for the user. then it gets pushed to the mail server internal.

I am new to the command line so I am using the gui.

would the source port be any?

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 17:25:12 GMT

A source port would normally be a random port above 1024. You do not use these in your acl as you would have no idea what it would be.

About the mail server, I mean what is the ip address that the spam quarantine company uses to send you mail?

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 17:27:00 GMT

it would be an external one

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 17:33:21 GMT

Yes, you need a static statement for this address if you want to get the mail.

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 18:04:58 GMT

I added the static and still no luck.

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 18:06:18 GMT

Can you post what the static is? Feel free to change the address to something different.

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 18:12:59 GMT

ASA Version 7.2(2)194 02 00 8086 1

hostname ciscoasa 11

domain-name xxxxxxx.com

04 03 00

enable password xxxxxxxx encrypted

namesing B

dns-guards ...

interface GigabitEthernet0/0IOS Extension to setup ROMMO

nameif Wan

security-level 0isco Systems ROMM

ip address xx.xxx.xxx.xx 255.255.255.224:08 PST 2006

interface GigabitEthernet0/1

Platform ASA552

nameif Lan

security-level 100o interrupt boot.

ip address xx.xxx.x.xx 255.255.255.0SPACE to begin boot immediately.

interface GigabitEthernet0/2

Launching BootLoader...

shutdown

no nameifguration f

no security-levely.

no ip address

interface GigabitEthe

passwd xxxxencrypted##########################

boot system disk0:/asa722-19-k8.bin

ftp mode passive################

dns server-group DefaultDNS######################

domain-name xxxxxx.com

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x########################

7 eq https

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx range 32

512MB

68 3268

access-list Lan_nat_static extended permit ip interface Lan interface Wan2546GB rev03 Gigabit Ethernet @ irq09 dev 3 index 00 MAC: 001a.6d7c.8468

pager lines 24

logging enable

logging asdm informationalv03 Gigabit Ethernet @ irq

mtu Wan 1500x 01 MAC: 00

mtu Lan 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1 2 index 02 MAC: 001a.6d7c.846a

asdm image disk0:/asdm-522.bin

no asdm history enableit Ethernet @ irq09 de

arp timeout 14400001a.6d7c.846b

nat-control

global (Wan) 1 interface

nat (Lan) 1 0.0.0.0 0.0.0.0net @ irq11 dev 1 index 05

static (Lan,Wan) xx.xxx.xxx.xxx xx.xxx.x.xx netmask 255.255.255.

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Re: Configuring ACL's 5520

acomiskey — Thu, 07 Jun 2007 18:19:14 GMT

1. you don't need the source port in this acl line.

access-list 110 extended permit tcp host xx.xxx.xxx.xxx eq https host xx.xxx.x.x eq https

it should be...

access-list 110 extended permit tcp host xx.xxx.xxx.xxx host xx.xxx.x.x eq https

2. There is no point to have a "range 3268 3268"

it should be...

access-list 110 extended permit tcp host xxx.xxx.xx.xx host xx.xxx.x.xx eq 3268

3. access-group 110 in interface Wan

4. Is the address in your static the same as the Wan address on the ASA?

Re: Configuring ACL's 5520

kmcilvaine — Thu, 07 Jun 2007 18:40:31 GMT

The static is different then the wan ip

the static is a 1-1 nat rule

Re: Configuring ACL's 5520

kmcilvaine — Mon, 11 Jun 2007 12:56:36 GMT

Still cannot get traffic to flow correctly. If I configure the same as my current firewall nothing works.I think I'm missing something simple but just cannot figure it out.

Re: Configuring ACL's 5520

acomiskey — Mon, 11 Jun 2007 13:24:50 GMT

Could you post latest config without all the extra characters that were included in your last one?

Also, it's ok to block out your external ip's with x's but could you just change the external addresses to something we can follow throughout the config, like 64.x.x.x? That way we know you haven't flipped your statics etc.

Re: Configuring ACL's 5520

kmcilvaine — Mon, 11 Jun 2007 14:28:57 GMT

ASA Version 7.2(2)19

hostname ciscoasa

Encryp

shun

domain-name fvxxc.comering of packets from un

enable password xnxxxsdsXC1MM encrypted

names

dns-guardconnect a

interface GigabitEthernet0/0te-MC-Boot-Cisco-1.2t_static

nameif Wan

terminal

security-level 0f syslogging to t

ip address 65.444.444.98 255.255.255.224KE microcode: CNlite-MC-IP

test

interface GigabitEthernet0/1d interfacesg asdm informati

nameif Lan

security-level 100 undebug Di

ip address 10.146.4.12 255.255.255.0

no failover

no security-levelon to memory, netw

no ip addressl.0 0.0.0.0

interface Management0/0 |||

nameif managementoasa#

cis

security-level 100.0 0

cisco

ip address 192.168.1.1 255.255.255.0-19-k8.bin

timeout xlate 3:00:00

management-only

INFO:

passwd 2KxxxxdU encrypted disk0:/asa722-19-k8.bin

boot system disk0:/asa722-19-k8.bin C i s c o S y

ciscoasa(con

ftp mode passive00:00 mgcp 0:05:

dns server-group DefaultDNSrsion 7.0(6)---------------

domain-name dsfff.com------------

domain-na

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 10.146.4.3hxxxC1MM encryptedtware Version 7.2(2)19

names

time

dns-g

2 eq 3286

mtu Lan 1500local countr

mtu Wan 1500dress

no failovernterface Gi

icmp unreachable rate-limit 1 burst-size 1e

shutdown.

no nameifle timeout

asdm image disk0:/asdm-522.bin Cisc

no ip address products

no asdm history enableitEthernet0/3

arp timeout 14400m

shutdownparty

nat-controlifmport, ex

nat (Lan) 0 0.0.0.0 0.0.0.0context

no ip address

static (Lan,Wan) 65.444.444.106 10.146.4.32 netmask 255.255.255.255if management

security-level 100ors and users ar

static (Lan,Wan) 65.444.444.101 10.146.4.47 netmask 255.255.255.255

management-only and local count

passwd 2KdsdsfdsfsdfK

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

Re: Configuring ACL's 5520

acomiskey — Mon, 11 Jun 2007 15:04:20 GMT

How are you capturing your config, it's still got a lot of extra/missing words and characters. But anyway your acl is wrong, and you have no access-group command to apply it. You need to use the 65. address in the acl, not the 10. Also not sure what you are trying to allow as it's not showing up in the config. I did this one for smtp.

access-list Wan_access_in extended permit tcp host 205.333.33.36 host 65.444.444.106 eq smtp

access-group Wan_access_in in interface Wan