Cannot get RDP and E-mail out through ASA 5510 5520

Adam Hudson
Level 1

I've been trying to switch out our old firewall, which is a 5510, for our new 5520, but we keep running into this problem on both devices with almost the exact same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.

Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.

From another computer with a 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.

Static mappings (again from config):

static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255

Original access list:

access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 67.228.177.117 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 206.217.202.43 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit udp host 64.154.41.100 host 73.13.198.210 eq 4569
access-list outside_access_in extended permit udp host 64.154.41.100 host 73.13.198.210 range 10000 20000
access-list outside_access_in extended permit tcp host 64.154.41.100 host 73.13.198.210 range 10000 20000
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit object-group Android_iOS_Ports interface inside any
access-list outside_access_in extended permit tcp host 222.186.17.160 any
access-list outside_access_in extended permit object-group VSP_in_Ports any host 73.13.198.214
access-list outside_access_in extended permit tcp any host 73.13.198.213 eq https
access-list outside_access_in extended permit tcp any 12.6.35.96 255.255.255.224 eq https
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 990
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 999
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5721
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5678
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5679
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 26675
access-list outside_access_in extended permit tcp any host 73.13.198.212 eq www
access-list outside_access_in extended permit tcp any host 73.13.198.212 eq https
access-list outside_access_in extended permit icmp any any

ACL application:

access-group outside_access_in in interface outside

If I pull the static mappings, pings can get through.

I've trimmed my ACL to just the RDP and Email lines:

access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 72.12.198.212 eq smtp

No one can RDP in. No one can email in. Any other computer can get to the internet on our site so it's not the internet connection.

What is blocking the traffic? Any help is appreciated as this site is currently cut off from email.
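As an added example (not part of the original post or of the accepted answer), here is an offline consistency check between the static (inside,outside) entries and the inbound ACL, written for the pre-8.3 syntax used in this thread. The sample config is constructed from lines quoted in the question; the function names are my own. It does the part of a packet-tracer run that needs no ASA: every ACL line that names an explicit destination must be covered by a static mapped address (inbound packets to an address the box has no translation for are dropped before the ACL matters), and every static should have at least one line that explicitly permits traffic to it. On the quoted lines it flags the 3389 rule, whose destination 72.12.198.211 has no static (the statics use 73.13.198.x), and the 73.13.198.211 static, which no line names explicitly (the icmp any any line is ignored by design).

```python
"""Cross-check ASA (pre-8.3 syntax) static NAT entries against the inbound ACL.

Added example for this thread, not code from the original posts. SAMPLE_CONFIG
is constructed from lines quoted in the question; all function names are mine.
"""
import re
from ipaddress import ip_network

SAMPLE_CONFIG = """\
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 990
access-list outside_access_in extended permit object-group Android_iOS_Ports interface inside any
access-list outside_access_in extended permit icmp any any
access-group outside_access_in in interface outside
"""


def _take_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]; return ((kind, value), next_index)."""
    t = tokens[i]
    if t == "any":
        return ("any", None), i + 1
    if t == "host":
        return ("net", ip_network(tokens[i + 1] + "/32")), i + 2
    if t in ("object-group", "interface"):
        # Needs the rest of the config to resolve; carried through as opaque.
        return (t, tokens[i + 1]), i + 2
    # "A.B.C.D M.M.M.M": network with a dotted-decimal mask
    return ("net", ip_network(f"{t}/{tokens[i + 1]}", strict=False)), i + 2


def parse_acl_line(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [PORT]' into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, i = tokens[1], tokens[3], 4
    if tokens[i] == "object-group":          # service object-group in the protocol slot
        proto, i = ("object-group", tokens[i + 1]), i + 2
    else:
        proto, i = tokens[i], i + 1
    src, i = _take_addr(tokens, i)
    dst, i = _take_addr(tokens, i)
    port = " ".join(tokens[i:]) or None
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": port, "line": line}


def parse_static_line(line):
    """Parse 'static (real_if,mapped_if) MAPPED REAL netmask MASK' into a dict."""
    m = re.match(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)$", line)
    if not m:
        return None
    real_if, mapped_if, mapped, real, mask = m.groups()
    return {"real_if": real_if, "mapped_if": mapped_if,
            "mapped": ip_network(f"{mapped}/{mask}", strict=False),
            "real": ip_network(f"{real}/{mask}", strict=False), "line": line}


def parse_config(text):
    """Pull static and access-list lines out of running-config text."""
    statics, acls = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("static "):
            statics.append(parse_static_line(line))
        elif line.startswith("access-list "):
            acl = parse_acl_line(line)
            if acl:
                acls.append(acl)
    return statics, acls


def acl_destinations_without_static(statics, acls):
    """Permit lines whose explicit destination no static (inside,outside) translates."""
    return [a for a in acls
            if a["action"] == "permit" and a["dst"][0] == "net"
            and not any(s["mapped"].overlaps(a["dst"][1]) for s in statics)]


def statics_without_permit(statics, acls):
    """Statics whose mapped address no permit line names explicitly (any/any is ignored)."""
    return [s for s in statics
            if not any(a["action"] == "permit" and a["dst"][0] == "net"
                       and a["dst"][1].overlaps(s["mapped"]) for a in acls)]


if __name__ == "__main__":
    statics, acls = parse_config(SAMPLE_CONFIG)
    for a in acl_destinations_without_static(statics, acls):
        print("no static for ACL destination:", a["line"])
    for s in statics_without_permit(statics, acls):
        print("no explicit permit for static:", s["line"])
```

Run it with python3 and it prints the two findings; pass the text of show running-config instead of SAMPLE_CONFIG to check a real box. It cannot see NAT exemption, routing or object-group contents, which is where the accepted answer's cleanup actually goes, so treat it as a first pass before running packet-tracer on the ASA itself.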

Accepted Solution

Hi Bro

Your configuration needs to be cleaned up. Please do this for me and let me know how it goes. Please do this exactly; do not skip a step. Just paste these configs (you can remove the static NATs if you want to), issue a clear xlate command and give it a try.

no static (inside,dmz) 11.1.0.0 11.1.0.0 netmask 255.0.0.0
static (inside,dmz) 11.0.0.0 11.0.0.0 netmask 255.0.0.0

no dns domain-lookup inside
no dns domain-lookup dmz
no dns domain-lookup outside
no same-security-traffic permit inter-interface

no global (dmz) 1 interface

access-list inside permit ip any any
access-group inside in interface inside

router eigrp 101
no network 173.17.1.0 255.255.255.0
no passive-interface outside

clear configure access-list no_nat
clear configure access-list no_nat_dmz
no nat (inside) 0 access-list no_nat

Warm regards,
Ramraj Sivagnanam Sivajanam


6 Replies

Adam Hudson
Level 1

Traceroute from external email filtering site doesn't even hit our external subnet.


Thanks! E-mail appears to be working, and I can ping out to the internet gateway through the email server. RDP is still not working. Still can't ping the gateway.

Cleared xlate several times

Last time I cleared up RDP issues by moving the RDP rule up in the ACL, but it's as high up as I want it to be right now.

Looks like RDP is working now. I guess it needed time to work its way through the network?

Thanks so much Ramraj
