08-17-2011 09:06 AM - edited 03-11-2019 02:13 PM
Good morning,
We have an ASA5510 with a web server in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the Inside network 10.1.1.0/24. I researched this and it seemed straightforward according to the Cisco document below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
I'm looking to do this with SMTP, so I added these lines to the config:
static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
The configuration line:
access-group DMZ in interface DMZ
already existed in the configuration, so it didn't need to be re-entered.
ASA Version 8.0(4)
!
hostname xxxx
domain-name xxxx.com
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.141.85 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MDT -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
domain-name mjfirm.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq www
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq https
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ftp
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ftp-data
access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ssh
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq imap4
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq pop3
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq www
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq https
access-list inbound extended permit tcp any host xxx.xxx.141.84 eq smtp
access-list inbound extended permit icmp any any
access-list dmz extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
access-list dmz extended permit ip any any
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 10 xxx.xxx.141.82 netmask 255.255.255.0
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.141.84 10.1.1.11 netmask 255.255.255.255
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.141.81 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.12
key -->
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 20 set peer 207.202.195.198
crypto map outside_map 20 set transform-set HQset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpnclients internal
group-policy vpnclients attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
default-domain value mjfirm.local
split-dns value mjfirm.local
address-pools value vpnpool
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
tunnel-group M&J type remote-access
tunnel-group M&J general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy vpnclients
tunnel-group M&J ipsec-attributes
pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
tunnel-group xxx.xxx.195.198 type ipsec-l2l
tunnel-group xxx.xxx.195.198 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 768
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
It's not working. Below is the output from packet-tracer using SMTP:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
match ip inside host 10.1.1.11 dmz any
static translation to 10.2.2.30
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd5786190, priority=5, domain=nat-reverse, deny=false
hits=9, user_data=0xd627c598, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Any assistance would be appreciated!
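The packet-tracer output above stops at an rpf-check drop on the new static. As an added illustration (not code from the thread or from Cisco), the Python model below applies a simplified version of the legacy ASA NAT lookup to the NAT lines of the original config and of the cleaned-up config posted later in the thread, for the web server 10.2.2.2 sending to the Exchange server. It assumes every nat statement matches all sources, does not model nat 0 exemption, and orders the checks more simply than the real packet-tracer phases.

```python
"""Simplified model of the pre-8.3 ASA NAT lookup for a flow that enters on one
interface and leaves on another.  Added example written for this thread, not ASA
code: rules are parsed from 'show run' lines quoted in the posts; the check order
(destination static with rpf-check, then source static, then nat/global) is a
simplification; nat 0 exemption is not modelled; and every nat statement is taken
to match all sources, as the thread's 'nat (dmz) 10 0.0.0.0 0.0.0.0' does."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Static:
    real_if: str     # interface where the real address lives
    mapped_if: str   # interface on which the mapped address is published
    mapped_ip: str
    real_ip: str


# ASA syntax: static (real_if,mapped_if) mapped_ip real_ip netmask ...
STATIC_RE = re.compile(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask")
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) ")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) ")


class LegacyNat:
    def __init__(self, config_lines):
        self.statics, self.nat_ids, self.globals_ = [], set(), set()
        for line in config_lines:
            line = line.strip()
            if m := STATIC_RE.match(line):
                self.statics.append(Static(m[1], m[2], m[3], m[4]))
            elif (m := NAT_RE.match(line)) and int(m[2]) != 0:
                self.nat_ids.add((m[1], int(m[2])))
            elif m := GLOBAL_RE.match(line):
                self.globals_.add((m[1], int(m[2])))

    def destination(self, ingress, egress, dst):
        """Untranslate dst, as seen on ingress, to the real address on egress."""
        for s in self.statics:
            if (s.real_if, s.mapped_if) == (egress, ingress):
                if dst == s.mapped_ip:
                    return "ok", s.real_ip
                if dst == s.real_ip:
                    # From `ingress` the host exists only under its mapped address;
                    # a packet to the real address fails the reverse-path check,
                    # the "NAT rpf-check ... DROP" packet-tracer shows in the thread.
                    return "drop", f"rpf-check: {dst} is published on {ingress} as {s.mapped_ip}"
        return "ok", dst

    def source(self, ingress, egress, src):
        """Translate src for egress: matching static first, then nat/global by id."""
        for s in self.statics:
            if (s.real_if, s.mapped_if) == (ingress, egress) and src == s.real_ip:
                return "ok", s.mapped_ip
        for intf, nat_id in self.nat_ids:
            if intf == ingress:
                if (egress, nat_id) in self.globals_:
                    return "ok", f"PAT via global ({egress}) {nat_id}"
                # A matching nat statement with no global on the egress interface
                # drops the flow even though nat-control is off by default on 8.0.
                return "drop", f"no global ({egress}) {nat_id} for nat ({ingress}) {nat_id}"
        return "ok", src  # no nat statement applies: passes untranslated

    def evaluate(self, ingress, egress, src, dst):
        """Return ('PASS', 'src -> dst') or ('DROP', reason) for one flow."""
        status, real_dst = self.destination(ingress, egress, dst)
        if status == "drop":
            return "DROP", real_dst
        status, new_src = self.source(ingress, egress, src)
        if status == "drop":
            return "DROP", new_src
        return "PASS", f"{new_src} -> {real_dst}"


# NAT lines of the original config (first post); outside-facing statics omitted.
ORIGINAL = """
global (outside) 10 xxx.xxx.141.82 netmask 255.255.255.0
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
""".strip().splitlines()

# NAT lines of the cleaned-up config posted at the end of the thread.
FIXED = """
global (outside) 10 XXX.XXX.141.82 netmask 255.255.255.0
global (inside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
""".strip().splitlines()


def trace(config, dst):
    """The DMZ web server 10.2.2.2 sending to `dst` on the inside network."""
    return LegacyNat(config).evaluate("dmz", "inside", "10.2.2.2", dst)
```

With the original lines, `trace(ORIGINAL, "10.1.1.11")` drops on the rpf-check and `trace(ORIGINAL, "10.2.2.30")` drops for want of a `global (inside)`; with the cleaned-up lines the identity statics pass the flow untranslated.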
08-18-2011 10:40 AM
If you have ip any any on the dmz interface, let it be for testing purposes; just remove the previous static and add the new statement, along with the global.
-Varun
08-18-2011 11:19 AM
Varun,
Ping and telnet are working and I was able to connect to Exchange. Here is a small sample of the capture. There are hundreds of lines:
MJASA(config)# sh capture capin
1917 packets captured
1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192
2: 09:33:52.110010 10.2.2.2.25 > 10.2.2.30.25: S 1614045430:1614045430(0) win 8192
3: 11:59:13.552141 10.2.2.2 > 10.1.1.11: icmp: echo request
4: 11:59:13.552309 10.2.2.2 > 10.1.1.11: icmp: echo request
5: 11:59:13.552736 10.1.1.11 > 10.2.2.2: icmp: echo reply
6: 11:59:13.552873 10.1.1.11 > 10.2.2.2: icmp: echo reply
7: 11:59:14.544207 10.2.2.2 > 10.1.1.11: icmp: echo request
8: 11:59:14.544237 10.2.2.2 > 10.1.1.11: icmp: echo request
9: 11:59:14.544649 10.1.1.11 > 10.2.2.2: icmp: echo reply
10: 11:59:14.544664 10.1.1.11 > 10.2.2.2: icmp: echo reply
11: 11:59:15.544191 10.2.2.2 > 10.1.1.11: icmp: echo request
12: 11:59:15.544222 10.2.2.2 > 10.1.1.11: icmp: echo request
13: 11:59:15.544573 10.1.1.11 > 10.2.2.2: icmp: echo reply
14: 11:59:15.544588 10.1.1.11 > 10.2.2.2: icmp: echo reply
15: 11:59:16.544252 10.2.2.2 > 10.1.1.11: icmp: echo request
16: 11:59:16.544268 10.2.2.2 > 10.1.1.11: icmp: echo request
17: 11:59:16.544619 10.1.1.11 > 10.2.2.2: icmp: echo reply
18: 11:59:16.544634 10.1.1.11 > 10.2.2.2: icmp: echo reply
19: 11:59:24.607527 10.2.2.2.2408 > 10.1.1.11.25: S 3220685032:3220685032(0) win 65535
op,nop,sackOK>
20: 11:59:24.607726 10.2.2.2.2408 > 10.1.1.11.25: S 3606219141:3606219141(0) win 65535
op,nop,sackOK>
21: 11:59:24.608229 10.1.1.11.25 > 10.2.2.2.2408: S 735101338:735101338(0) ack 3606219142 win 8192
22: 11:59:24.608290 10.1.1.11.25 > 10.2.2.2.2408: S 1680224940:1680224940(0) ack 3220685033 win 8192
23: 11:59:24.608382 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680224941 win 65535
24: 11:59:24.608412 10.2.2.2.2408 > 10.1.1.11.25: . ack 735101339 win 65535
25: 11:59:24.609862 10.1.1.11.25 > 10.2.2.2.2408: P 735101339:735101438(99) ack 3606219142 win 64860
26: 11:59:24.609877 10.1.1.11.25 > 10.2.2.2.2408: P 1680224941:1680225040(99) ack 3220685033 win 64860
27: 11:59:24.856782 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225040 win 65436
28: 11:59:24.856812 10.2.2.2.2408 > 10.1.1.11.25: . ack 735101438 win 65436
29: 11:59:30.971827 10.2.2.2.2408 > 10.1.1.11.25: P 3220685033:3220685034(1) ack 1680225040 win 65436
30: 11:59:30.971843 10.2.2.2.2408 > 10.1.1.11.25: P 3606219142:3606219143(1) ack 735101438 win 65436
31: 11:59:31.174734 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219143 win 64859
32: 11:59:31.174749 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685034 win 64859
33: 11:59:31.306960 10.2.2.2.2408 > 10.1.1.11.25: P 3220685034:3220685035(1) ack 1680225040 win 65436
34: 11:59:31.306975 10.2.2.2.2408 > 10.1.1.11.25: P 3606219143:3606219144(1) ack 735101438 win 65436
35: 11:59:31.502278 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219144 win 64858
36: 11:59:31.502293 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685035 win 64858
37: 11:59:31.546846 10.2.2.2.2408 > 10.1.1.11.25: P 3220685035:3220685036(1) ack 1680225040 win 65436
38: 11:59:31.546861 10.2.2.2.2408 > 10.1.1.11.25: P 3606219144:3606219145(1) ack 735101438 win 65436
39: 11:59:31.751868 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219145 win 64857
40: 11:59:31.751898 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685036 win 64857
41: 11:59:31.754782 10.2.2.2.2408 > 10.1.1.11.25: P 3220685036:3220685037(1) ack 1680225040 win 65436
42: 11:59:31.754813 10.2.2.2.2408 > 10.1.1.11.25: P 3606219145:3606219146(1) ack 735101438 win 65436
43: 11:59:31.954738 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219146 win 64856
44: 11:59:31.954769 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685037 win 64856
45: 11:59:32.522617 10.2.2.2.2408 > 10.1.1.11.25: P 3220685037:3220685039(2) ack 1680225040 win 65436
46: 11:59:32.522647 10.2.2.2.2408 > 10.1.1.11.25: P 3606219146:3606219148(2) ack 735101438 win 65436
47: 11:59:32.523212 10.1.1.11.25 > 10.2.2.2.2408: P 735101438:735101484(46) ack 3606219148 win 64854
48: 11:59:32.523227 10.1.1.11.25 > 10.2.2.2.2408: P 1680225040:1680225086(46) ack 3220685039 win 6
And here is capo:
MJASA(config)# sh capture capo
965 packets captured
1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192
2: 09:33:52.110010 10.2.2.2.25 > 10.2.2.30.25: S 1614045430:1614045430(0) win 8192
3: 11:59:13.552141 10.2.2.2 > 10.1.1.11: icmp: echo request
4: 11:59:13.552873 10.1.1.11 > 10.2.2.2: icmp: echo reply
5: 11:59:14.544207 10.2.2.2 > 10.1.1.11: icmp: echo request
6: 11:59:14.544664 10.1.1.11 > 10.2.2.2: icmp: echo reply
7: 11:59:15.544207 10.2.2.2 > 10.1.1.11: icmp: echo request
8: 11:59:15.544588 10.1.1.11 > 10.2.2.2: icmp: echo reply
9: 11:59:16.544252 10.2.2.2 > 10.1.1.11: icmp: echo request
10: 11:59:16.544634 10.1.1.11 > 10.2.2.2: icmp: echo reply
11: 11:59:24.607527 10.2.2.2.2408 > 10.1.1.11.25: S 3220685032:3220685032(0) win 65535
12: 11:59:24.608290 10.1.1.11.25 > 10.2.2.2.2408: S 1680224940:1680224940(0) ack 3220685033 win 8192
13: 11:59:24.608382 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680224941 win 65535
14: 11:59:24.609877 10.1.1.11.25 > 10.2.2.2.2408: P 1680224941:1680225040(99) ack 3220685033 win 64860
15: 11:59:24.856782 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225040 win 65436
16: 11:59:30.971827 10.2.2.2.2408 > 10.1.1.11.25: P 3220685033:3220685034(1) ack 1680225040 win 65436
17: 11:59:31.174765 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685034 win 64859
18: 11:59:31.306960 10.2.2.2.2408 > 10.1.1.11.25: P 3220685034:3220685035(1) ack 1680225040 win 65436
19: 11:59:31.502293 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685035 win 64858
20: 11:59:31.546846 10.2.2.2.2408 > 10.1.1.11.25: P 3220685035:3220685036(1) ack 1680225040 win 65436
21: 11:59:31.751898 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685036 win 64857
22: 11:59:31.754782 10.2.2.2.2408 > 10.1.1.11.25: P 3220685036:3220685037(1) ack 1680225040 win 65436
23: 11:59:31.954769 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685037 win 64856
24: 11:59:32.522617 10.2.2.2.2408 > 10.1.1.11.25: P 3220685037:3220685039(2) ack 1680225040 win 65436
25: 11:59:32.523227 10.1.1.11.25 > 10.2.2.2.2408: P 1680225040:1680225086(46) ack 3220685039 win 64854
26: 11:59:32.841173 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225086 win 65390
27: 12:01:29.930829 10.2.2.2.2408 > 10.1.1.11.25: P 3220685039:3220685040(1) ack 1680225086 win 65390
28: 12:01:30.130867 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685040 win 64853
29: 12:01:30.131005 10.2.2.2.2408 > 10.1.1.11.25: P 3220685040:3220685041(1) ack 1680225086 win 65390
30: 12:01:30.333738 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685041 win 64852
31: 12:01:30.333860 10.2.2.2.2408 > 10.1.1.11.25: P 3220685041:3220685042(1) ack 1680225086 win 65390
32: 12:01:30.536486 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685042 win 64851
33: 12:01:30.536593 10.2.2.2.2408 > 10.1.1.11.25: P 3220685042:3220685043(1) ack 1680225086 win 65390
34: 12:01:30.739234 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685043 win 64850
35: 12:01:32.763052 10.2.2.2.2408 > 10.1.1.11.25: P 3220685043:3220685044(1) ack 1680225086 win 65390
36: 12:01:32.970195 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685044 win 64849
37: 12:01:32.970866 10.2.2.2.2408 > 10.1.1.11.25: P 3220685044:3220685045(1) ack 1680225086 win 65
08-18-2011 11:22 AM
Hey, that's great Scott, so what's the next worry for us???
-Varun
08-18-2011 11:35 AM
I was curious why there are hundreds of packets passing through now. Does that point to someone on the outside trying to get in or something? I only created two test emails.
Oh, and by the way, thanks for all your help.
I still have the access list:
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
in the config and not one pointing to 10.1.1.11. Do I need to add that?
08-18-2011 11:39 AM
Hi Scott,
Why it is still working is because you have the access-list:
access-list dmz extended permit ip any any
so all the traffic would hit this rule. So yes, you can delete the acl:
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
from the config.
I have seen the captures; don't worry, it's all legitimate traffic if you look at the IP addresses in there.
Please mark the thread as answered if all your queries have been resolved.
Thanks,
Varun
08-18-2011 11:59 AM
Thanks again. I just have two more questions. This acl "access-list dmz extended permit ip any any" was there before; how come it wasn't helping me before?
Was the magic entry this one?:
static (inside,dmz) 10.1.1.11 10.1.1.11
Also, do you suggest I get rid of the "access-list dmz extended permit ip any any" and add
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
in its place?
Finally, can I post the current config and have you tell me how I can clean it up, removing the stuff we added just for testing and anything else that might have been there before that is not secure?
Like, I can get rid of all the cap and test access lists and the ones pointing to 10.2.2.30, right?
08-18-2011 12:33 PM
Varun,
Can I get rid of these:
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq telnet
access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo
access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo-reply
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
access-list dmz extended permit ip any any
access-list cap extended permit ip host 10.2.2.2 host 10.2.2.30
access-list cap extended permit ip host 10.2.2.30 host 10.2.2.2
access-list cap extended permit ip host 10.1.1.11 host 10.2.2.2
access-list cap extended permit ip host 10.2.2.2 host 10.1.1.11
access-list test extended permit ip host 10.1.1.11 host 10.2.2.2
access-list test extended permit ip host 10.2.2.2 host 10.1.1.11
and add this line:
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
Thanks again!!!
08-18-2011 09:17 PM
Hi Scott,
Yes, you can now get rid of the redundant config; you can delete the following:
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq telnet
access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo
access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo-reply
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
access-list dmz extended permit ip any any
access-list cap extended permit ip host 10.2.2.2 host 10.2.2.30
access-list cap extended permit ip host 10.2.2.30 host 10.2.2.2
access-list cap extended permit ip host 10.1.1.11 host 10.2.2.2
access-list cap extended permit ip host 10.2.2.2 host 10.1.1.11
access-list test extended permit ip host 10.1.1.11 host 10.2.2.2
access-list test extended permit ip host 10.2.2.2 host 10.1.1.11
And you need to add:
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq telnet
access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11
This should be enough.
Glad we resolved the issue; if you have any other concerns, do let me know.
Thanks,
Varun
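The dmz ACL in the first post and the single ACE left after this cleanup are evaluated the same way on the ASA: the first matching entry wins and an implicit deny closes the list. The Python below is an added example (not code from the thread) that parses both lists as posted and runs constructed flows from the web server against them; it assumes addresses are matched as they appear on the dmz interface, which with the identity static of the final config is the real address, and uses 198.51.100.10 as a stand-in Internet host. It shows the original list's first ACE denying everything to 10.1.0.0/16 ahead of the permits, and the cleaned-up list leaving every other DMZ-sourced flow, Internet-bound ones included, to the implicit deny.

```python
"""First-match evaluation of ASA extended ACLs in the shape this thread uses:
access-list NAME extended permit|deny ip|tcp|udp|icmp SRC DST [eq PORT], where
SRC/DST is 'any', 'host A' or 'NET MASK'.  Added example written for this thread,
not from it: the ACE lines are copied from the posts, the flows are constructed,
198.51.100.10 stands in for an Internet host, and addresses are matched as they
appear on the dmz interface (with the identity static that is the real address)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None: any destination port


def _network(tokens):
    """Parse one address spec at the head of tokens; return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), 2   # NET MASK form


def parse_acl(lines, name):
    """Return the ACEs of access-list `name`, in configured order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, used = _network(rest)
        dst, used2 = _network(rest[used:])
        rest = rest[used + used2:]      # leftovers: 'eq PORT' or an icmp type
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE decides; return (action, ACE index) or ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, i
    return "deny", None     # the implicit deny that closes every ASA ACL


# dmz ACL as it stood in the first post.
BEFORE = parse_acl("""
access-list dmz extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
access-list dmz extended permit ip any any
""".strip().splitlines(), "dmz")

# dmz ACL after the cleanup, as in the final config.
AFTER = parse_acl("""
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
""".strip().splitlines(), "dmz")

# Constructed flows from the web server 10.2.2.2 entering the dmz interface.
FLOWS = [
    ("tcp", "10.2.2.2", "10.1.1.11", 25),        # SMTP to Exchange, real address
    ("tcp", "10.2.2.2", "10.2.2.30", 25),        # SMTP to the old mapped address
    ("tcp", "10.2.2.2", "10.1.1.11", 23),        # telnet to Exchange
    ("tcp", "10.2.2.2", "198.51.100.10", 80),    # web server out to the Internet
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "before:", evaluate(BEFORE, *flow), "after:", evaluate(AFTER, *flow))
```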
08-18-2011 09:42 PM
Yes Scott, you can provide me the configuration and I can tell you a more secure and sanitized config that you would need.
Thanks,
Varun
08-19-2011 08:03 AM
Thanks Varun, I've appreciated all your help. I only wanted telnet and ICMP from DMZ to Inside so I've deleted those entries as well. Here it is:
MJASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA
domain-name XXXXX.com
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.141.85 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MDT -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
domain-name XXXX.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq www
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq https
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq ftp
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq ftp-data
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq ssh
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq imap4
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq pop3
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq www
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq https
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq smtp
access-list inbound extended permit icmp any any
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 10 XXX.XXX.141.82 netmask 255.255.255.0
global (inside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) XXX.XXX.141.83 10.2.2.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.141.84 10.1.1.11 netmask 255.255.255.255
static (dmz,inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 XXX.XXX.141.81 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.12
key -->XXXXXXX
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 20 set peer XXX.XXX.195.198
crypto map outside_map 20 set transform-set HQset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpnclients internal
group-policy vpnclients attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
default-domain value XXXXX.local
split-dns value XXXXX.local
address-pools value vpnpool
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username ssluser1 password 0BF9omj8n5A90KxJ encrypted
username bcurtis password vNiKAcEWjHC7TrpX encrypted privilege 0
username gtri password gBhZB8pZ4/QjvH/s encrypted privilege 15
username admin password PM0xX4GwWjdoKH43 encrypted privilege 15
username snguyen password WJQ/.EQK5Agk2bHt encrypted privilege 0
tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy vpnclients
tunnel-group XXX ipsec-attributes
pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
tunnel-group XXX.XXX.195.198 type ipsec-l2l
tunnel-group XXX.XXX.195.198 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 768
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXX
: end
MJASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ASA
domain-name XXXXX.com
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.141.85 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.1.255.254 255.255.255.248
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone MDT -7
clock summer-time MDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
domain-name XXXX.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq www
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq https
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq ftp
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq ftp-data
access-list inbound extended permit tcp any host XXX.XXX.141.83 eq ssh
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq imap4
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq pop3
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq www
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq https
access-list inbound extended permit tcp any host XXX.XXX.141.84 eq smtp
access-list inbound extended permit icmp any any
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 10 XXX.XXX.141.82 netmask 255.255.255.0
global (inside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 10 0.0.0.0 0.0.0.0
static (dmz,outside) XXX.XXX.141.83 10.2.2.2 netmask 255.255.255.255
static (inside,outside) XXX.XXX.141.84 10.1.1.11 netmask 255.255.255.255
static (dmz,inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
access-group inbound in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 XXX.XXX.141.81 1
route inside 10.1.0.0 255.255.0.0 10.1.255.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 10.1.1.12
key -->XXXXXXX
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 172.16.22.0 255.255.255.0 inside
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set HQset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 20 match address encrypt_acl
crypto map outside_map 20 set peer XXX.XXX.195.198
crypto map outside_map 20 set transform-set HQset
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 50
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy vpnclients internal
group-policy vpnclients attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplit
default-domain value XXXXX.local
split-dns value XXXXX.local
address-pools value vpnpool
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server value 10.1.1.12
dns-server value 10.1.1.12
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username ssluser1 password 0BF9omj8n5A90KxJ encrypted
username bcurtis password vNiKAcEWjHC7TrpX encrypted privilege 0
username gtri password gBhZB8pZ4/QjvH/s encrypted privilege 15
username admin password PM0xX4GwWjdoKH43 encrypted privilege 15
username snguyen password WJQ/.EQK5Agk2bHt encrypted privilege 0
tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy vpnclients
tunnel-group XXX ipsec-attributes
pre-shared-key *
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group vpn
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
tunnel-group XXX.XXX.195.198 type ipsec-l2l
tunnel-group XXX.XXX.195.198 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 768
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXXX
: end
08-19-2011 08:19 AM
Hi Scott,
How are you doing? Do you need telnet and icmp access?
Scott Holiday wrote:
I only wanted telnet and ICMP from DMZ to Inside so I've deleted those entries as well. Here it is!:
Because I do not see them in the config, I only see smtp port opened.
If you need telnet and icmp access, you need these ACL's:
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq telnet
access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11
If you don't need them then the config looks perfectly fine.
Let me know if this resolves your query.
Thanks,
Varun
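The point in the reply above is that the posted DMZ ACL contains a single ACE (SMTP from 10.2.2.2 to 10.1.1.11) and that telnet and ICMP from the DMZ host need their own entries because the ASA applies an implicit deny at the end of an interface ACL. The following is an added example, not code from the thread or from Cisco: a small first-match ACL evaluator in Python that parses the posted `access-list dmz extended ...` lines (the `host`, `any` and `net mask` source/destination forms and the `eq` port qualifier) and reports whether a given flow would be permitted. The three sample flows and the port-name table are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the ACE from the posted config plus the two ACEs
# suggested in the reply for temporary telnet/ICMP testing.
DMZ_ACL_FINAL = """
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq smtp
"""
DMZ_ACL_WITH_TESTING = DMZ_ACL_FINAL + """
access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq telnet
access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11
"""

# Subset of the ASA's well-known port names used by "eq <name>" (assumed list).
PORT_NAMES = {"smtp": 25, "telnet": 23, "www": 80, "https": 443,
              "ssh": 22, "ftp": 21, "ftp-data": 20, "pop3": 110, "imap4": 143}


@dataclass
class Ace:
    acl: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # destination port from "eq", None if unqualified


def _parse_addr(tokens, i):
    """Parse one address spec (host A | any | NET MASK) starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False)
    return net, i + 2


def parse_acl(text):
    """Return the ACEs of all 'access-list <name> extended ...' lines in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(t[1], t[3], t[4], src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE decides; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in (proto, "ip"):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"


if __name__ == "__main__":
    flows = [("tcp", 25), ("tcp", 23), ("icmp", None)]
    for label, acl in (("final", DMZ_ACL_FINAL), ("with testing ACEs", DMZ_ACL_WITH_TESTING)):
        aces = parse_acl(acl)
        for proto, port in flows:
            verdict = evaluate(aces, proto, "10.2.2.2", "10.1.1.11", port)
            print(f"{label:18} {proto}/{port}: {verdict}")
```

With only the posted ACE, SMTP from 10.2.2.2 to 10.1.1.11 is permitted while telnet and ICMP fall through to the implicit deny; with the two extra ACEs all three are permitted. Traffic from any other DMZ host, or from 10.2.2.2 to any other inside address, is denied in both cases, which is the least-privilege outcome the reply describes as fine.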
08-19-2011 08:28 AM
Ooops sorry I meant to say I only needed ICMP and Telnet for testing temporarily while working on this new configuration. Good to hear the configuration looks good from a security standpoint.
Again, thanks for spending all this time on my project.
08-19-2011 08:30 AM
You're welcome Scott...it was very nice working with you as well
-Varun
08-18-2011 10:25 AM
Varun,
Here is the output from sh xlate detail:
MJASA# sh xlate detail
NAT from inside:10.1.1.11 to dmz:10.2.2.30 flags s
NAT from dmz:10.2.2.2 to inside:10.2.2.2 flags s
NAT from dmz:10.2.2.2 to outside:xxx.xxx.141.83 flags s
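The `sh xlate detail` output above lists the translations the ASA has actually installed (`flags s` marks a static translation), and the `static (real_ifc,mapped_ifc) mapped_ip real_ip` lines in the posted configuration are what the operator intends. Comparing the two is the quickest way to confirm that a NAT change took effect. The following is an added example, not code from the thread or from Cisco: a Python checker that parses both forms and reports which statics appear in the xlate table, which do not, and which installed static translations have no matching `static` line. The sample input is the posted xlate output together with the four `static` lines from the final `sh run`, with the public address kept masked as `xxx.xxx.141.83` in both so the strings compare; the line formats are taken from the page, so the regular expressions assume the 8.0(4) output shown there.

```python
import re

# Constructed sample: xlate output as posted, and the static lines from the
# final "sh run" (public addresses masked the same way in both).
XLATE_OUTPUT = """\
MJASA# sh xlate detail
NAT from inside:10.1.1.11 to dmz:10.2.2.30 flags s
NAT from dmz:10.2.2.2 to inside:10.2.2.2 flags s
NAT from dmz:10.2.2.2 to outside:xxx.xxx.141.83 flags s
"""
STATIC_LINES = """\
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.141.84 10.1.1.11 netmask 255.255.255.255
static (dmz,inside) 10.2.2.2 10.2.2.2 netmask 255.255.255.255
static (inside,dmz) 10.1.1.11 10.1.1.11 netmask 255.255.255.255
"""

# "NAT from <real_ifc>:<real_ip> to <mapped_ifc>:<mapped_ip> flags <flags>"
XLATE_RE = re.compile(r"^NAT from (\S+):(\S+) to (\S+):(\S+) flags (\S+)$")
# "static (<real_ifc>,<mapped_ifc>) <mapped_ip> <real_ip> netmask ..." (pre-8.3 syntax)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")


def parse_statics(text):
    """Return the set of (real_ifc, real_ip, mapped_ifc, mapped_ip) a config intends."""
    wanted = set()
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            wanted.add((real_ifc, real_ip, mapped_ifc, mapped_ip))
    return wanted


def parse_xlates(text):
    """Return the set of static translations (flag 's') present in sh xlate output."""
    installed = set()
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m and "s" in m.group(5):
            installed.add((m.group(1), m.group(2), m.group(3), m.group(4)))
    return installed


def compare(statics, xlates):
    """Split the two sets into installed / not installed / unexpected translations."""
    return {
        "installed": statics & xlates,      # configured and present
        "not_installed": statics - xlates,  # configured but absent from xlate table
        "unexpected": xlates - statics,     # present but not in the config being checked
    }


if __name__ == "__main__":
    report = compare(parse_statics(STATIC_LINES), parse_xlates(XLATE_OUTPUT))
    for key, entries in report.items():
        print(key)
        for real_ifc, real_ip, mapped_ifc, mapped_ip in sorted(entries):
            print(f"  {real_ifc}:{real_ip} -> {mapped_ifc}:{mapped_ip}")
```

On this input the two DMZ-side statics match installed entries, the `(inside,dmz) 10.1.1.11 10.1.1.11` and `(inside,outside)` statics have no entry in the posted table, and the installed `inside:10.1.1.11 -> dmz:10.2.2.30` translation corresponds to the earlier `static (inside,DMZ) 10.2.2.30 10.1.1.11` rather than to anything in the final config. A `not_installed` or `unexpected` line is the cue to re-run `sh xlate detail` after the config change (and `clear xlate` if the old translation lingers) before concluding that an ACL is at fault.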