01-30-2009 02:06 AM - edited 03-11-2019 07:44 AM
Hi all,
I have a problem with inbound traffic. I have set up my firewall to allow traffic on the http, imap4 and smtp ports, but I can't get through. Am I missing anything? Or did I do something wrong? My SSL VPN works no problem. Any help will be appreciated.
Thank you in advance.
Here is a part of config.
name 192.168.2.101 Server
name 192.168.2.103 Mail
name 192.168.2.102 Spam
!
interface Ethernet0/0
description Internet
nameif Outside
security-level 0
ip address *.*.*.* 255.255.255.248
ospf cost 10
!
interface Ethernet0/1
description Intranet
nameif Inside
security-level 100
ip address 192.168.2.104 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name *****************
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any interface Outside eq imap4
access-list outside_access_in extended permit tcp any interface Outside eq smtp
access-list outside_access_in extended permit tcp any interface Outside eq www
access-list inside_outbound_nat0_acl extended permit ip 192.168.2.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list VPN-Split-Tunnel standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool AnyConnect 192.168.15.100-192.168.15.150 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list inside_outbound_nat0_acl
nat (Inside) 1 192.168.2.0 255.255.255.0
static (Inside,Outside) tcp interface smtp Spam smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface imap4 Mail imap4 netmask 255.255.255.255
static (Inside,Outside) tcp interface www Server www netmask 255.255.255.255
access-group outside_access_in in interface Outside
access-group inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server AnyConnect protocol radius
aaa-server AnyConnect (Inside) host Server
key ************************
radius-common-pw **********************
http server enable
http 192.168.2.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
01-30-2009 02:32 AM
Hi
Could you please rewrite your outside_access_in in the following way.
access-list outside_access_in extended permit tcp any host
access-list outside_access_in extended permit tcp any host
access-list outside_access_in extended permit tcp any host
Please replace
Hope this will solve the issue.
Regards
Jithesh
01-30-2009 03:47 AM
Hi,
access-list outside_access_in extended permit tcp any interface Outside eq imap4
access-list outside_access_in extended permit tcp any interface Outside eq smtp
access-list outside_access_in extended permit tcp any interface Outside eq www
These access rules are allowing imap4, SMTP and HTTP access to the outside interface of the firewall. Why do you want to do this?
"interface Outside" needs to be replaced with the public IP addresses of the corresponding servers. For example, assuming your webserver has 1.1.1.1 as its public IP, replace "interface Outside" with "host 1.1.1.1".
And please do not forget to do the same for the other servers as well.
Cheers,
Muath
01-30-2009 09:03 AM
Thanks for help guys.
My web server doesn't have a public IP. I'm using NAT. This is the reason I'm using interface Outside as it is a public IP address.
I think what I'm missing is the statement when it says all http traffic should go to web server. Is that right?
01-30-2009 11:05 AM
Your posted configuration looks correct to me. Are you sure that 192.168.2.101 is the correct IP for your web server and it is listening on port 80?
I would try enabling the logging buffer and see if there are any messages being generated during inbound connection attempts.
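The checks the reply above suggests, written out as ASA 8.0 commands. This is an added example, not part of the thread; 203.0.113.10 stands in for the masked Outside address (*.*.*.*) and 198.51.100.25 is a constructed Internet client.

```text
! Turn on the logging buffer so inbound connection attempts leave a record
logging enable
logging buffered informational
logging buffer-size 32768
clear logging buffer

! Simulate an inbound HTTP connection without sending real traffic.
! 203.0.113.10 is a placeholder for the real Outside address; 198.51.100.25 is made up.
! Each phase (ACCESS-LIST, NAT, ...) prints ALLOW or DROP and the last line names the
! phase that dropped the packet, which tells you whether the ACL or the static is at fault.
packet-tracer input Outside tcp 198.51.100.25 40000 203.0.113.10 80

! Same check for the two mail statics
packet-tracer input Outside tcp 198.51.100.25 40001 203.0.113.10 25
packet-tracer input Outside tcp 198.51.100.25 40002 203.0.113.10 143

! Confirm the three static PAT translations to the interface are installed
show xlate

! After a real connection attempt from the Internet, read the buffer:
! %ASA-4-106023 (Deny ... by access-group) means the ACL blocked it;
! %ASA-6-302013 (Built inbound TCP connection) means the firewall passed it;
! a following %ASA-6-302014 teardown with reason "SYN Timeout" means the firewall
! forwarded the SYN but 192.168.2.101 never answered on port 80.
show logging | include 192.168.2.101
```

If packet-tracer ends with ALLOW and the log still shows SYN timeouts, the problem is on the server (service not listening, host firewall, or a default gateway other than 192.168.2.104), not in the ASA configuration.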