I have a strange error on my ASA5515-X and I cannot understand what it can be.
I NATted the mail server with the https service:
object network Owa_10.0.1.4
object network Owa_10.0.1.4
nat (INSIDE,OUTSIDE) static interface service tcp https https
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-group INSIDE_access_in in interface INSIDE
access-group OUTSIDE_access_in in interface OUTSIDE
ip address 10.0.1.254 255.255.0.0
ip address 217.5x.xxx.xxx 255.255.255.240
If I send a mail from inside to outside, the mail reaches the receiver; if a mail is sent from outside (such as from @Gmail.com to an internal mailbox), the mail does not arrive. Attached are logs with TCP Reset-O.
What could be the issue? Do I have something wrong in the configuration?
Thanks in advance.
Your configuration looks all right. I would say "permit ip any any"
is okay in this case for troubleshooting purposes, but do not forget to change the rules on outside later and only allow the services you need. Besides that, your configuration is fine. Also, in the log provided, the connection looks okay from the firewall's perspective.
Here is the meaning of Reset-O and Reset-I, according to the title of this post:
- TCP Reset-I - The client tears down the connection (typical in an SMTP or IMAP exchange; -I = inside interface).
- TCP Reset-O - The server was not listening on that protocol at that time (usually seen as coming from SMTP servers; -O = outside interface).
I would suggest you check whether the server is listening on the required ports (netstat works for this), run some captures on your server, maybe using Wireshark, in order to confirm whether the server is resetting the connection, and check for incoming traffic.
Run some captures on the firewall in order to confirm the reset is coming from outside.
capture inside interface inside match tcp any host 10.0.1.4 eq 443
capture outside interface outside match tcp any host 217.5x.xxx.xxx eq 443
capture asp type asp-drop all >>> in order to check packets the firewall has dropped.
show capture asp | inc 10.0.1.4
show capture asp | inc 217.5x.xxx.xxx.443
show capture inside >>>> check for tcp reset flag (R)
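To make the Reset-I / Reset-O distinction in the reply above concrete, here is an added example (not from this thread or from Cisco) that parses ASA %ASA-6-302014 teardown syslog messages, works out which interface side sent the RST, and groups the resets by target. The log lines are constructed to resemble the poster's scenario (addresses are placeholders), and the code assumes the interfaces are named INSIDE and OUTSIDE as in the posted configuration.

```python
import re
from collections import Counter

# Constructed sample lines in the %ASA-6-302014 teardown format; they are not
# the attachment from the original post. Addresses are documentation ranges.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 6001 for OUTSIDE:203.0.113.25/41822 to INSIDE:10.0.1.4/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 6002 for OUTSIDE:203.0.113.26/51020 to INSIDE:10.0.1.4/443 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-6-302014: Teardown TCP connection 6003 for INSIDE:10.0.1.50/55100 to OUTSIDE:198.51.100.9/25 duration 0:00:02 bytes 1532 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 6004 for INSIDE:10.0.1.50/55101 to OUTSIDE:198.51.100.9/25 duration 0:00:03 bytes 2210 TCP FINs
"""

# "for <src_if>:<src_ip>/<port> to <dst_if>:<dst_ip>/<port> duration ... bytes N <reason>"
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


def parse_teardown(line):
    """Return the fields of one teardown message as a dict, or None for other lines."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"] or ""
    return rec


def resetting_host(rec):
    """Return (interface, ip) of the side that sent the RST, or None if the
    teardown was not a reset. Reset-I means the RST arrived on the inside
    interface, Reset-O on the outside interface (the -I/-O suffix names the
    interface, as the reply above says). Assumes interfaces named INSIDE/OUTSIDE."""
    if rec["reason"] == "TCP Reset-I":
        wanted = "INSIDE"
    elif rec["reason"] == "TCP Reset-O":
        wanted = "OUTSIDE"
    else:
        return None
    for iface, ip in ((rec["src_if"], rec["src_ip"]), (rec["dst_if"], rec["dst_ip"])):
        if iface.upper() == wanted:
            return iface, ip
    return None


def summarize(text):
    """Group reset teardowns by (interface that sent the RST, target ip:port) and
    count how many carried zero payload bytes, i.e. died during or right after
    the handshake, which is the pattern to look for when a service is not
    actually accepting connections."""
    by_target = Counter()
    zero_byte = 0
    for line in text.splitlines():
        rec = parse_teardown(line)
        if rec is None:
            continue
        who = resetting_host(rec)
        if who is None:
            continue
        by_target[(who[0], f'{rec["dst_ip"]}:{rec["dst_port"]}')] += 1
        if int(rec["bytes"]) == 0:
            zero_byte += 1
    return {"by_target": by_target, "zero_byte_resets": zero_byte}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (iface, target), n in result["by_target"].items():
        print(f"{n} reset(s) from {iface} side on flows to {target}")
    print(f"{result['zero_byte_resets']} reset(s) with zero bytes transferred")
```

Feed it the real syslog export (`python3 reset_summary.py < asa.log` after replacing SAMPLE_LOG with stdin) and compare the result with the firewall captures: a run of zero-byte resets towards 10.0.1.4:443 from one side narrows down which host is refusing the connection before you reach for netstat on the server.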
Thanks a lot for the reply.
Sure, my any/any ACL is only for this stage of troubleshooting :-)
Later I will check on the mail server with the "netstat" command for listening ports.
I take this opportunity to ask you: if I NAT the mail server's https service onto the same IP address as the firewall's outside interface, and I set up an AnyConnect VPN, it may not work, right? (https overlaps between AnyConnect and the mail server)
Pasted configuration of the AnyConnect VPN:
ip address 188.8.131.52 255.255.255.240
crypto ikev2 enable OUTSIDE
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
anyconnect profiles VpnAnyConnect_client_profile disk0:/VpnAnyConnect_client_profile.xml
group-policy GroupPolicy_VpnAnyConnect internal
group-policy GroupPolicy_VpnAnyConnect attributes
dns-server value 10.0.1.2 10.0.1.9
split-tunnel-network-list value Reti_Interne
default-domain value bdossf.local
anyconnect profiles value VpnAnyConnect_client_profile type user
tunnel-group VpnAnyConnect type remote-access
tunnel-group VpnAnyConnect general-attributes
tunnel-group VpnAnyConnect webvpn-attributes
group-alias VpnAnyConnect enable
Should I change the port of AnyConnect, or do anything else?
Yes, AnyConnect will use port 443 (this is used as it will be open in almost any location), but if you want to forward traffic to an internal web server while having this configuration then you are in trouble.
no enable outside
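The port clash described in the last reply can be caught before it bites by linting the running config for several consumers of the same interface IP, protocol and port. The following is an added example (not code from this thread or from Cisco): a small Python checker that reads an ASA configuration excerpt, records which feature claims which port on which interface, and reports collisions. The configuration text is constructed from the poster's NAT rule plus an assumed `webvpn` / `enable OUTSIDE` block (the post does not show those lines, only the suggested `no enable outside`); IKEv2 claims UDP 500/4500 and is included to show that only same-protocol, same-port claims collide.

```python
import re
from collections import defaultdict

# Constructed configuration excerpt (assumed, not the poster's full config).
SAMPLE_CONFIG = """\
object network Owa_10.0.1.4
 host 10.0.1.4
object network Owa_10.0.1.4
 nat (INSIDE,OUTSIDE) static interface service tcp https https
webvpn
 enable OUTSIDE
 anyconnect enable
crypto ikev2 enable OUTSIDE
"""

# The same excerpt with the fix suggested in the reply above applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace("webvpn\n enable OUTSIDE", "webvpn\n no enable OUTSIDE")

# Service names the ASA accepts in "service tcp <real> <mapped>"; extend as needed.
NAMED_PORTS = {"https": 443, "http": 80, "smtp": 25, "imap4": 143, "pop3": 110, "ssh": 22}

# nat (real_ifc,mapped_ifc) static interface service {tcp|udp} real_port mapped_port
NAT_RE = re.compile(
    r"nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static interface service "
    r"(?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)$"
)


def port_number(token):
    """Translate a service name or numeric string into a port number."""
    return NAMED_PORTS.get(token.lower()) or int(token)


def collect_claims(config_text):
    """Map (interface, proto, port) -> list of features that want that socket on
    the interface's own IP. Interface-PAT NAT rules, webvpn (AnyConnect SSL on
    TCP 443) and IKEv2 (UDP 500 and 4500) are recognised."""
    claims = defaultdict(list)
    current_object = None
    in_webvpn = False
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        stripped = raw.strip()
        if not raw.startswith(" "):
            # Top-level command: track which block the following indented lines belong to.
            in_webvpn = stripped == "webvpn"
            current_object = stripped.split()[-1] if stripped.startswith("object network ") else None
            m = re.match(r"crypto ikev2 enable (\S+)$", stripped)
            if m:
                for udp_port in (500, 4500):
                    claims[(m.group(1).upper(), "udp", udp_port)].append("IKEv2 remote access")
            continue
        m = NAT_RE.match(stripped)
        if m and current_object:
            key = (m["mapped_if"].upper(), m["proto"], port_number(m["mapped_port"]))
            claims[key].append(f"static NAT for object {current_object}")
            continue
        m = re.match(r"enable (\S+)$", stripped)  # "no enable X" deliberately does not match
        if m and in_webvpn:
            claims[(m.group(1).upper(), "tcp", 443)].append("webvpn/AnyConnect SSL")
    return dict(claims)


def find_conflicts(claims):
    """Return only the (interface, proto, port) keys with more than one claimant."""
    return {key: owners for key, owners in claims.items() if len(owners) > 1}


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("after 'no enable outside'", FIXED_CONFIG)):
        conflicts = find_conflicts(collect_claims(cfg))
        print(f"{label}: {len(conflicts)} conflict(s)")
        for (iface, proto, port), owners in conflicts.items():
            print(f"  {iface} {proto}/{port}: " + " vs ".join(owners))
```

Either claimant can give way: disable webvpn on that interface as the reply suggests, move AnyConnect to another port, or publish the mail server on a different public address from the NAT pool instead of the interface IP. The checker flags the conflict in any of those configurations until one of them is applied.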