topic Re: Inbound traffice problem in Network Security

Inbound traffice problem

energyservices — Mon, 11 Mar 2019 14:44:08 GMT

Hi all,

I have a problem with inbound traffic. I have setup my firewall to allow traffic on http, imap4 and smtp ports. But I can't get through. Am I missing anything? Or did I do something wrong? My SSL VPN works no problem. Any help will be appreciated.

Thank you in advance.

Here is a part of config.

name 192.168.2.101 Server

name 192.168.2.103 Mail

name 192.168.2.102 Spam

interface Ethernet0/0

description Internet

nameif Outside

security-level 0

ip address *.*.*.* 255.255.255.248

ospf cost 10

interface Ethernet0/1

description Intranet

nameif Inside

security-level 100

ip address 192.168.2.104 255.255.255.0

ospf cost 10

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

management-only

boot system disk0:/asa804-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name *****************

access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any interface Outside eq imap4

access-list outside_access_in extended permit tcp any interface Outside eq smtp

access-list outside_access_in extended permit tcp any interface Outside eq www

access-list inside_outbound_nat0_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0

access-list VPN-Split-Tunnel standard permit 192.168.2.0 255.255.255.0

pager lines 24

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool AnyConnect 192.168.15.100-192.168.15.150 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (Inside) 0 access-list inside_outbound_nat0_acl

nat (Inside) 1 192.168.2.0 255.255.255.0

static (Inside,Outside) tcp interface smtp Spam smtp netmask 255.255.255.255

static (Inside,Outside) tcp interface imap4 Mail imap4 netmask 255.255.255.255

static (Inside,Outside) tcp interface www Server www netmask 255.255.255.255

access-group outside_access_in in interface Outside

access-group inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 *.*.*.* 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server AnyConnect protocol radius

aaa-server AnyConnect (Inside) host Server

key ************************

radius-common-pw **********************

http server enable

http 192.168.2.0 255.255.255.0 Inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

Re: Inbound traffice problem

Jithesh K Joy — Fri, 30 Jan 2009 10:32:22 GMT

Could you please rewrite your outside_access_in in the following way.

access-list outside_access_in extended permit tcp any host eq imap4

access-list outside_access_in extended permit tcp any host eq smtp

access-list outside_access_in extended permit tcp any host eq www

Please replace with your outside IP address

Hope this will solve the issue.

Regards

Jithesh

Re: Inbound traffice problem

Mo'ath Al Rawashdeh — Fri, 30 Jan 2009 11:47:01 GMT

Hi,

access-list outside_access_in extended permit tcp any interface Outside eq imap4

access-list outside_access_in extended permit tcp any interface Outside eq smtp

access-list outside_access_in extended permit tcp any interface Outside eq www

These access rules are allowing imap4, SMTP and HTTP access to the outside interface of the firewall. Why do you want to do this?

"interface Outside" needs to be replaced with the public IP addresses of the corresponding servers. For example, for assuming your webserver has 1.1.1.1 as its public IP, repalce "interface Outside" with "host 1.1.1.1"

And please do not forget to do the same for the other servers as well.

Cheers,

Muath

Re: Inbound traffice problem

energyservices — Fri, 30 Jan 2009 17:03:09 GMT

Thanks for help guys.

My web server doesn't have a public IP. I'm using NAT. This is the reason I'm using interface Outside as it is a public IP address.

I think what I'm missing is the statement when it says all http traffic should go to web server. Is that right?

Re: Inbound traffice problem

eddie.mitchell — Fri, 30 Jan 2009 19:05:13 GMT

Your posted configuration looks correct to me. Are you sure that 192.168.2.101 is the correct IP for your web server and it is listening on port 80?

I would try enabling the logging buffer and see if there are any messages being generated during inbound connection attempts.