10-09-2012 05:56 AM - edited 03-11-2019 05:06 PM
Please bear with me, as I am utterly new to the ASA 5505 and Cisco products in general.
Setup:
LAN (192.168.1.X, with .3 as gateway)
DMZ (192.168.2.X with .1 as gateway)
WAN (X.X.X.146 as primary public IP, .145 as gateway and .147-150 as additional public IPs)
I want to set it up so that X.146 is where all my outbound traffic appears to originate.
I want tcp HTTPS and SMTP to be allowed from the WAN (via the X.147 IP) to a specific server (192.168.1.11) on the LAN.
Also, HTTP traffic to X.148, X.149 and X.150 should go to the DMZ, to 192.168.2.8, 192.168.2.15 and 192.168.2.18 respectively, but I haven't added that to my config yet. Looking to get the HTTPS and SMTP ones working first, then I'll fix the others (one step at a time).
I've got contact with the outside world when I've configured it using the ASDM's "Public Server" interface, but it refuses to properly establish the connection; I get a "SYN timeout".
I'm sure it is a simple mistake I've made someplace, but some of this stuff is Greek to me so far, I must admit.
My config:
: Saved
:
ASA Version 8.2(5)
!
hostname kcisco
enable password X encrypted
passwd X encrypted
names
name X.X.X.144 outside-network
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 5
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.146 255.255.255.248
!
interface Vlan5
 description DMZ interface
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
object-group service DM_INLINE_SERVICE_0
 service-object gre
 service-object tcp eq pptp
 service-object udp eq isakmp
 service-object udp eq 1701
 service-object udp eq 1723
 service-object udp eq 4500
object-group service DM_INLINE_TCP_1 tcp
 port-object eq https
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq https
 port-object eq smtp
access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.147 192.168.1.11 netmask 255.255.255.255
access-group outside_access in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cc8458013e545e2e7ba1e2c0caa3dd6a
: end
10-09-2012 06:13 AM
Yup, just a small mistake...
The following ACL:
access-list outside_access extended permit tcp any object-group DM_INLINE_TCP_3 host X.X.X.147 object-group DM_INLINE_TCP_1
should be:
access-list outside_access extended permit tcp any host X.X.X.147 object-group DM_INLINE_TCP_1
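Why the original line failed, as an added illustration that is not part of the thread or of Cisco's own tooling: an ASA extended ACE is positional, `access-list NAME extended ACTION PROTO SRC [port-spec] DST [port-spec]`, and a port spec that directly follows the source address restricts the source port. The ASDM-generated rule therefore only matched clients connecting from source port 443 or 25, which a browser or MTA never does (the poster's later log shows a client source port of 42061). The parser below splits an ACE into those fields and evaluates a 4-tuple against it; 203.0.113.147 and 198.51.100.7 are assumed stand-ins for the redacted X.X.X.147 and Z.Z.Z.Z.

```python
"""Parse Cisco ASA 8.2 extended ACEs and show where each token lands.

Added example for this thread, not code from the original post or from Cisco.
Grammar handled:  access-list NAME extended ACTION PROTO
                  SRC [SRC_PORT_SPEC] DST [DST_PORT_SPEC]
A port spec right after the source address restricts the SOURCE port.
"""
import ipaddress

# Service object-groups exactly as defined in the poster's config.
SERVICE_GROUPS = {
    "DM_INLINE_TCP_1": ("https", "smtp"),
    "DM_INLINE_TCP_3": ("https", "smtp"),
}

# Small subset of the ASA port-name table; enough for this thread.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "smtp": 25, "ssh": 22}

# Assumed stand-ins for the addresses the poster redacted as X.X.X.147 / Z.Z.Z.Z.
PUBLIC_147 = "203.0.113.147"
CLIENT = "198.51.100.7"

BROKEN_ACE = ("access-list outside_access extended permit tcp any "
              f"object-group DM_INLINE_TCP_3 host {PUBLIC_147} object-group DM_INLINE_TCP_1")
FIXED_ACE = ("access-list outside_access extended permit tcp any "
             f"host {PUBLIC_147} object-group DM_INLINE_TCP_1")


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]; return (ip_network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" form; network object-groups are not needed for this thread.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _take_ports(tokens, i):
    """Consume an optional port spec at tokens[i]; return (spec, next_index).

    spec is None (any port), a frozenset of ports, or a (lo, hi) range.
    Only eq / range / object-group (service group) are handled here.
    """
    if i >= len(tokens):
        return None, i
    op = tokens[i]
    if op == "eq":
        return frozenset({_port(tokens[i + 1])}), i + 2
    if op == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    if op == "object-group" and tokens[i + 1] in SERVICE_GROUPS:
        return frozenset(_port(p) for p in SERVICE_GROUPS[tokens[i + 1]]), i + 2
    return None, i  # not a port spec: leave it for the address parser


def parse_ace(line):
    """Split an extended TCP/UDP ACE into its positional fields."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    i = 5
    src, i = _take_address(tokens, i)
    src_ports, i = _take_ports(tokens, i)
    dst, i = _take_address(tokens, i)
    dst_ports, i = _take_ports(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens: {tokens[i:]}")
    return {"acl": tokens[1], "action": tokens[3], "proto": tokens[4],
            "src": src, "src_ports": src_ports, "dst": dst, "dst_ports": dst_ports}


def _port_ok(spec, port):
    if spec is None:
        return True
    if isinstance(spec, frozenset):
        return port in spec
    lo, hi = spec
    return lo <= port <= hi


def permits(ace, src_ip, src_port, dst_ip, dst_port):
    """True if this single ACE permits the 4-tuple.  On ASA 8.2 an inbound
    ACL on the outside interface matches the mapped (public) destination."""
    return (ace["action"] == "permit"
            and ipaddress.ip_address(src_ip) in ace["src"]
            and _port_ok(ace["src_ports"], src_port)
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and _port_ok(ace["dst_ports"], dst_port))


if __name__ == "__main__":
    for label, ace in (("broken", BROKEN_ACE), ("fixed", FIXED_ACE)):
        parsed = parse_ace(ace)
        print(label, "src ports:", parsed["src_ports"], "dst ports:", parsed["dst_ports"])
        # A browser connects from an ephemeral port (42061 in the thread's log) to 443.
        print(label, "permits 42061 -> 443:", permits(parsed, CLIENT, 42061, PUBLIC_147, 443))
```

The broken ACE parses with `src_ports == {25, 443}`, so the client's ephemeral port never matches; the fixed one has no source-port restriction and permits 443 and 25 to X.X.X.147 only.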
10-09-2012 06:35 AM
Thanks, fixed that at least.
But still no further in getting the connection to be established.
I see this in my logs:
6 Oct 09 2012 15:29:22 Z.Z.Z.Z 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:Z.Z.Z.Z/42061 (Z.Z.Z.Z/42061) to inside:192.168.1.11/443 (X.X.X.147/443)
6 Oct 09 2012 15:29:52 Z.Z.Z.Z 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:Z.Z.Z.Z/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
(Z.Z.Z.Z is the outside host I am testing from)
(I've connected the mail server to the firewall and configured it to use the FW gateway (192.168.1.3).)
10-09-2012 06:41 AM
SYN timeout means the mail server is not responding.
Do you have any firewall on the mail server that might be preventing inbound access from the internet?
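Reading those two log lines mechanically, as an added example that is not part of the thread: a "Built inbound" message means the ACL permitted the packet and the static NAT mapped X.X.X.147/443 to 192.168.1.11/443 (the parenthesised pair), so the ASA did forward the SYN; a matching "Teardown ... bytes 0 SYN Timeout" 30 seconds later (the default embryonic-connection timeout) means no SYN/ACK ever came back from the inside host. The script pairs Built/Teardown records by connection id and points the diagnosis past the firewall. The sample log is constructed to match the poster's ASDM log-viewer layout; 198.51.100.7 and 203.0.113.x are assumed stand-ins for Z.Z.Z.Z and X.X.X.x, and the third connection is an invented healthy one for contrast.

```python
"""Correlate ASA 'Built'/'Teardown' TCP connection messages (syslog ids
302013/302014) and classify SYN timeouts.

Added example for this thread, not code from the original posts or from Cisco.
"""
import re
from collections import Counter

# Constructed sample in the ASDM log-viewer layout the poster pasted
# (severity, date, src, sport, dst, dport, message).  198.51.100.7 stands in
# for the poster's Z.Z.Z.Z and 203.0.113.147 for X.X.X.147; connection 1066
# is an invented healthy outbound session for contrast.
SAMPLE_LOG = """\
6 Oct 09 2012 15:29:22 198.51.100.7 42061 192.168.1.11 443 Built inbound TCP connection 1064 for outside:198.51.100.7/42061 (198.51.100.7/42061) to inside:192.168.1.11/443 (203.0.113.147/443)
6 Oct 09 2012 15:29:52 198.51.100.7 42061 192.168.1.11 443 Teardown TCP connection 1064 for outside:198.51.100.7/42061 to inside:192.168.1.11/443 duration 0:00:30 bytes 0 SYN Timeout
6 Oct 09 2012 15:30:01 198.51.100.7 42062 192.168.1.11 25 Built inbound TCP connection 1065 for outside:198.51.100.7/42062 (198.51.100.7/42062) to inside:192.168.1.11/25 (203.0.113.147/25)
6 Oct 09 2012 15:30:31 198.51.100.7 42062 192.168.1.11 25 Teardown TCP connection 1065 for outside:198.51.100.7/42062 to inside:192.168.1.11/25 duration 0:00:30 bytes 0 SYN Timeout
6 Oct 09 2012 15:31:10 192.168.1.11 51000 198.51.100.20 443 Built outbound TCP connection 1066 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:192.168.1.11/51000 (203.0.113.146/51000)
6 Oct 09 2012 15:31:14 192.168.1.11 51000 198.51.100.20 443 Teardown TCP connection 1066 for outside:198.51.100.20/443 to inside:192.168.1.11/51000 duration 0:00:04 bytes 18342 TCP FINs
"""

# iface:real-ip/port and the (mapped-ip/port) that follows it in a Built message
ENDPOINT = r"(?P<{p}if>\w+):(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"
MAPPED = r"\((?P<{p}mip>[\d.]+)/(?P<{p}mport>\d+)\)"
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="a") + r" " + MAPPED.format(p="a") + r" to "
    + ENDPOINT.format(p="b") + r" " + MAPPED.format(p="b"))
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="a") + r" to " + ENDPOINT.format(p="b")
    + r" duration (?P<duration>\S+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)$")


def parse_connections(text):
    """Return {conn_id: record}, pairing each Teardown with its Built."""
    conns = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {
                "direction": m["dir"],
                "a": (m["aif"], m["aip"], int(m["aport"]), m["amip"], int(m["amport"])),
                "b": (m["bif"], m["bip"], int(m["bport"]), m["bmip"], int(m["bmport"])),
                "duration": None, "bytes": None, "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["id"] in conns:
            conns[m["id"]].update(duration=m["duration"], bytes=int(m["bytes"]),
                                  reason=m["reason"].strip())
    return conns


def classify(conn):
    """'open' (no teardown seen), 'syn_timeout' (handshake never completed), or 'closed'."""
    if conn["reason"] is None:
        return "open"
    if conn["reason"] == "SYN Timeout" and conn["bytes"] == 0:
        return "syn_timeout"
    return "closed"


def syn_timeout_targets(conns):
    """Count SYN timeouts per (egress interface, real server IP, port)."""
    counts = Counter()
    for c in conns.values():
        if classify(c) == "syn_timeout":
            iface, ip, port, _, _ = c["b"]  # the 'to' side is where the SYN was sent
            counts[(iface, ip, port)] += 1
    return counts


def diagnose(conn):
    """One-line reading of a SYN-timeout record."""
    if classify(conn) != "syn_timeout":
        return "not a SYN timeout"
    src_if, src_ip, src_port, _, _ = conn["a"]
    dst_if, dst_ip, dst_port, dst_mapped, dst_mapped_port = conn["b"]
    return (f"{src_if}:{src_ip}/{src_port} -> {dst_mapped}/{dst_mapped_port} was permitted "
            f"and NATed to {dst_if}:{dst_ip}/{dst_port}; SYN forwarded, no SYN/ACK in "
            f"{conn['duration']}. Look past the ASA: host firewall, default gateway "
            f"on {dst_ip}, or the L2/ARP path on {dst_if}.")


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for cid, c in conns.items():
        print(cid, classify(c), diagnose(c) if classify(c) == "syn_timeout" else c["reason"])
    print(syn_timeout_targets(conns))
```

On the thread's lines this reports two SYN timeouts, both towards inside:192.168.1.11, which is exactly the case where the ASA policy is already right and the server's own firewall, its default gateway, or the ARP/L2 path is the next thing to check.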
10-09-2012 06:59 AM
Not while it's connected to the ASA 5505, no.
I reconnect it to the old firewall and I get access just fine (the old firewall is a Linux box with IPCop).
Neither SMTP nor telnet to port 25 goes through; both time out. The machine can access the world, so connectivity to the server is working at least outgoing.
10-09-2012 07:16 PM
I would suggest that you clear the ARP cache on the upstream device because it might still have the ARP entry with the IpCop MAC address hence it's not working when you connect it to the ASA.
Or alternatively just reload the next-hop device which connects to the outside interface of the ASA/IPCop. Also assuming that you unplug the IPCop from the network once you have the ASA connected.
10-10-2012 02:45 AM
Got it working now. It is on a new, unused connection, so ARPs and such upstream were not a problem.
What I did was change the internal address to the same as the old firewall (192.168.1.4), and then things just worked, instead of trying to set it up as a new gateway address (I had changed the IP settings on the test server to use the .3 address, but for some reason once I put the ASA 5505 on .4 it just worked).
Thanks for the help
10-10-2012 03:26 AM
Great to hear it's now working. Thanks for the update.