12-10-2007 02:20 PM - edited 03-11-2019 04:41 AM
I tried to set up the Cisco ASA 5505 (Version 7.1(1)) at my own office.
My overall network:
DSL modem (200.0.0.169/29), which connects to the ASA outside VLAN2 (200.0.0.170/29), which in turn connects to the ASA inside VLAN1 (192.168.1.1/24)
200.0.0.169/29 is the public IP for my DSL modem
200.0.0.170/29 is the public IP for my Cisco ASA (LAN IP: 192.168.1.1/24)
200.0.0.171/29 is the public IP for my exchange and VPN - vpn.mydomain.com (LAN IP: 192.168.1.5/24)
200.0.0.172/29 is the public IP for my DNS, DHCP (LAN IP: 192.168.1.3/24)
192.168.1.9/24 is a static IP for our MAIL FILTER server
Email should go to 192.168.1.9 and then be passed on to 192.168.1.5, which forwards it to our internal users.
Problem:
1) Can send email out, but cannot receive email
2) Cannot access Outlook Web Access from the internet
3) For VPN access, users can VPN into our network if they use 200.0.0.172 instead of 200.0.0.171, and I have to change the following 2 access-list entries:
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
TO
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.172 eq pptp
access-list outside_access_in extended permit gre any host 200.0.0.171
TO
access-list outside_access_in extended permit gre any host 200.0.0.172
But we would like to allow users to VPN into the network with 200.0.0.171.
12-10-2007 02:23 PM
ASA Version 7.2(1)
!
hostname mwasa5505
domain-name mydomain.com
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.0.0.170 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan25
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
no nameif
no security-level
no ip address
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/4
no nameif
no security-level
no ip address
!
interface Ethernet0/5
no nameif
no security-level
no ip address
!
interface Ethernet0/6
no nameif
no security-level
no ip address
!
interface Ethernet0/7
no nameif
no security-level
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
object-group service dynamictcp tcp
port-object range 1024 65535
object-group service timetcp udp
port-object eq ntp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
12-10-2007 02:34 PM
I am not sure why the VPN works for 200.0.0.173 but not 200.0.0.171. Do I need the following in order for VPN to work through this server?
static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
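The question in this thread comes down to whether every service the outside ACL permits has a static translation that actually delivers it to an inside host. The script below is an added example, not Cisco code and not part of the original post: it parses the pre-8.3 `access-list` and `static (inside,outside)` syntax shown in the thread and reports permits with no matching translation (dead), permits that do match (the inventory of exposed inside services), and statics that no permit references. `PORT_NAMES` is a constructed subset of the ASA's well-known port keywords, and `SAMPLE_CONFIG` is a constructed excerpt of the posted config with the two obvious typos on the 200.0.0.173 lines corrected.

```python
"""Cross-check an ASA 7.x outside ACL against its static NAT entries (the pre-8.3
'static (inside,outside)' syntax). Added example, not Cisco code: a permit with no
translation is dead, a permit with one exposes an inside service, and a static that
no permit references deserves a second look."""
import re

# Port keywords used in the posted config, so 'eq https' in the ACL matches 'https'
# in a static. Constructed subset of the ASA's well-known names, not exhaustive.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pptp": 1723,
              "pcanywhere-data": 5631}

# Constructed excerpt of the thread's posted config: ACL and NAT lines only, with
# the two obvious typos on the 200.0.0.173 lines corrected.
SAMPLE_CONFIG = """
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
"""


def port_num(tok):
    """Resolve an ASA port keyword or number to an int (None if unknown)."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def _take_addr(toks):
    """Consume one address spec: any | host A | object-group G | A MASK."""
    t = toks.pop(0)
    if t == "any":
        return "any"
    if t in ("host", "object-group"):
        return toks.pop(0) if t == "host" else "group:" + toks.pop(0)
    toks.pop(0)                                      # subnet form: drop the mask
    return t


def _take_ports(toks):
    """Consume an optional TCP/UDP service spec -> (lo, hi), or None for any port."""
    if toks and toks[0] == "eq":
        p = port_num(toks[1]); del toks[:2]
        return (p, p)
    if toks and toks[0] == "range":
        lo, hi = port_num(toks[1]), port_num(toks[2]); del toks[:3]
        return (lo, hi)
    if toks and toks[0] == "object-group":           # service group, e.g. source ports
        del toks[:2]
    return None


def parse_permits(lines, acl_name):
    """Yield (proto, dst_ip_or_any, (lo, hi) | None) for each permit in the ACL."""
    for line in lines:
        m = re.match(rf"access-list {re.escape(acl_name)} extended permit (\S+) (.+)", line)
        if not m:
            continue
        proto, toks = m.group(1), m.group(2).split()
        _take_addr(toks)                             # source address
        if proto in ("tcp", "udp"):
            _take_ports(toks)                        # optional source-port spec
        dst = _take_addr(toks)
        yield proto, dst, (_take_ports(toks) if proto in ("tcp", "udp") else None)


def parse_statics(lines):
    """Yield (proto | None, public, pub_port | None, private); None proto = one-to-one."""
    for line in lines:
        toks = line.split()
        if toks[:2] != ["static", "(inside,outside)"] or "netmask" not in toks:
            continue
        body = toks[2:toks.index("netmask")]
        if body[0] in ("tcp", "udp"):                # port static: proto pub pport priv pport
            yield body[0], body[1], port_num(body[2]), body[3]
        else:                                        # one-to-one: pub priv
            yield None, body[0], None, body[1]


def audit(config_text, acl_name="outside_access_in"):
    """Findings: ('dead-permit', proto, dst, ports), ('exposed', proto, dst, ports,
    inside_host), ('unreferenced-static', public, inside_host)."""
    lines = [l.strip() for l in config_text.splitlines()]
    statics = list(parse_statics(lines))
    permits = list(parse_permits(lines, acl_name))
    findings = []
    for proto, dst, ports in permits:
        if dst == "any" or dst.startswith("group:"):
            continue                                 # no single public IP to check
        mine = [s for s in statics if s[1] == dst]
        one_to_one = [s for s in mine if s[0] is None]
        if one_to_one:                               # all protocols and ports, GRE included
            findings.append(("exposed", proto, dst, ports, one_to_one[0][3]))
            continue
        # Only port statics here; they carry TCP/UDP only, so a GRE permit can never match.
        hits = [s for s in mine if s[0] == proto and ports and ports[0] <= s[2] <= ports[1]]
        findings += [("exposed", proto, dst, (s[2], s[2]), s[3]) for s in hits]
        if not hits:
            findings.append(("dead-permit", proto, dst, ports))
    permitted = {dst for _, dst, _ in permits}
    findings += [("unreferenced-static", s[1], s[3]) for s in statics if s[1] not in permitted]
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Run against the posted config, it reports the `gre` and `tcp ... eq pptp` permits to 200.0.0.171 as dead, because that address has only per-port statics for www, https and smtp, while 200.0.0.172 and 200.0.0.173 have one-to-one statics that carry every protocol. That is exactly the asymmetry the poster sees. Adding the `static ... tcp 200.0.0.171 pptp` translation proposed above would make the pptp permit live; the checker looks only at statics and does not model inspection engines, so it will keep flagging the gre permit even though `inspect pptp`, already in the global policy, is the mechanism that opens GRE for a PPTP control channel translated through PAT. Keep the `unreferenced-static` findings in view as well: a one-to-one static with no permit is harmless today but becomes a full exposure the moment a broad permit for that address is added.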