07-25-2012 06:28 PM - edited 03-11-2019 04:34 PM
I've been trying to switch out our old firewall, a 5510, for our new 5520, but we keep running into this problem on both devices with almost exactly the same configs. Currently I have the 5510 installed, and I cannot get our email server and RDP server to ping out to our internet gateway.
Attached is a sanitized config. From the config you can see the internal address of the email server is 11.2.1.29, external address is 73.13.198.211. RDP server is internal address 11.2.1.33, external 73.13.198.212. Our internet gateway is 73.13.198.209.
From another computer with an 11.2.1.X address I can ping out to the internet gateway. The other two devices drop (I believe) when they hit the firewall.
Static mappings (again from config):
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
Original access list:
access-list outside_access_in extended permit tcp 64.19.0.0 255.255.240.0 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 67.228.177.117 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit tcp host 206.217.202.43 host 73.13.198.212 eq smtp
access-list outside_access_in extended permit udp host 64.154.41.100 host 73.13.198.210 eq 4569
access-list outside_access_in extended permit udp host 64.154.41.100 host 73.13.198.210 range 10000 20000
access-list outside_access_in extended permit tcp host 64.154.41.100 host 73.13.198.210 range 10000 20000
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit object-group Android_iOS_Ports interface inside any
access-list outside_access_in extended permit tcp host 222.186.17.160 any
access-list outside_access_in extended permit object-group VSP_in_Ports any host 73.13.198.214
access-list outside_access_in extended permit tcp any host 73.13.198.213 eq https
access-list outside_access_in extended permit tcp any 12.6.35.96 255.255.255.224 eq https
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 990
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 999
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5721
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5678
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 5679
access-list outside_access_in extended permit udp any host 73.13.198.212 eq 26675
access-list outside_access_in extended permit tcp any host 73.13.198.212 eq www
access-list outside_access_in extended permit tcp any host 73.13.198.212 eq https
access-list outside_access_in extended permit icmp any any
ACL application:
access-group outside_access_in in interface outside
If I pull the static mappings, pings can get through.
I've trimmed my ACL to just the RDP and Email lines:
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 72.12.198.212 eq smtp
No one can RDP in. No one can email in. Any other computer can get to the internet on our site, so it's not the internet connection.
What is blocking the traffic? Any help is appreciated as this site is currently cut off from email.
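The posted ACL entries target 72.12.198.x hosts while the statics map 73.13.198.x, which is the kind of mismatch that is easy to miss by eye in a long config. Below is an added example (mine, not from the thread or from Cisco) that parses the pre-8.3 ASA `static` and `access-list` lines quoted above and cross-checks them in both directions: ACL host destinations that have no static mapping, and statics that no ACL entry references. It assumes one-to-one (/32) statics and a constructed sample built from the post's own lines.

```python
import re
# Constructed sample from the lines in the post above (not the poster's full config)
CONFIG = """
static (inside,outside) 73.13.198.211 11.2.1.33 netmask 255.255.255.255
static (inside,outside) 73.13.198.212 11.2.1.29 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 72.12.198.211 eq 3389
access-list outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 host 72.12.198.212 eq smtp
access-list outside_access_in extended permit icmp any any
"""
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended (?:permit|deny) (\S+) (.+)$")

def _take_addr(tok, i):
    """Consume one ASA address spec at tok[i]; return (spec, index after it)."""
    if tok[i] == "any":
        return "any", i + 1
    # 'host A', 'object-group G', 'interface IF' and 'NET MASK' are two tokens each
    return tok[i] + " " + tok[i + 1], i + 2

def parse_statics(text):
    """Return {mapped_ip: real_ip} for one-to-one (/32) static entries."""
    statics = {}
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(3) == "255.255.255.255":
            statics[m.group(1)] = m.group(2)
    return statics

def acl_host_destinations(text, acl_name):
    """Return {dest_ip: [lines]} for entries of acl_name whose destination is 'host X'."""
    dests = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        tok = m.group(3).split()
        i = 1 if m.group(2) == "object-group" else 0  # skip a service object-group name
        _, i = _take_addr(tok, i)                      # source spec
        dst, _ = _take_addr(tok, i)                    # destination spec
        if dst.startswith("host "):
            dests.setdefault(dst[5:], []).append(line.strip())
    return dests

def check_acl_vs_statics(text, acl_name):
    """Flag ACL host targets with no static mapping, and statics no ACL line references."""
    statics = parse_statics(text)
    dests = acl_host_destinations(text, acl_name)
    return {"acl_hosts_without_static": sorted(ip for ip in dests if ip not in statics),
            "statics_without_acl": sorted(ip for ip in statics if ip not in dests)}
```

Run against a real `show running-config`, a non-empty result in either list is worth a second look before touching NAT or the ACL order.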
07-25-2012 06:57 PM
Hi Bro
Your configuration needs to be cleaned up. Please do this for me, and let me know how it goes. Please do this exactly; do not skip a step. Just paste these configs (you can remove the static NATs if you want to), issue a clear xlate command, and give it a try.
no static (inside,dmz) 11.1.0.0 11.1.0.0 netmask 255.0.0.0
static (inside,dmz) 11.0.0.0 11.0.0.0 netmask 255.0.0.0
no dns domain-lookup inside
no dns domain-lookup dmz
no dns domain-lookup outside
no same-security-traffic permit inter-interface
no global (dmz) 1 interface
access-list inside permit ip any any
access-group inside in interface inside
router eigrp 101
no network 173.17.1.0 255.255.255.0
no passive-interface outside
clear configure access-list no_nat
clear configure access-list no_nat_dmz
no nat (inside) 0 access-list no_nat
07-25-2012 06:55 PM
Traceroute from external email filtering site doesn't even hit our external subnet.
07-25-2012 07:24 PM
Thanks! E-mail appears to be working; I can ping out to the internet gateway through the email server. RDP is still not working. Still can't ping the gateway.
Cleared xlate several times
07-25-2012 07:28 PM
Last time I cleared up RDP issues by moving the RDP rule up in the ACL, but it's as high up as I want it to be right now.
07-25-2012 07:37 PM
Looks like RDP is working now. I guess it needed time to work its way through the network?
07-25-2012 07:37 PM
Thanks so much Ramraj