Need to allow traffic to my Exchange help.

doug gilmore
Level 1

Hello,

I can send email, but my IP is still wrong when sending, and I cannot receive mail. I am an ASA newbie.

My Exchange object name is colsvr03, 192.168.12.16. When I check my IP, it's pulling the IP from Outside-Shaw and not Outside-Email.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname COL-ASA5510-FW1
domain-name ccab.com
enable password 2222222222 encrypted
passwd 211111111111 encrypted
no names

name 192.168.16.12 COLSVR03 description Internal IP Exchange server

name 96.99.99.175 glob-COLSVR03-Exchange description Outside Email IP
dns-guard
!
interface Ethernet0/0
description The outside connection for Columbia, all traffic comes in and NAT for IP translation.
nameif Outside-Shaw
security-level 0
ip address 96.99.99.156 255.255.255.252
ospf cost 10
!
interface Ethernet0/1
description description The IP is foe Exchange MX 96.99.99.175
nameif Outside-Email
security-level 0
ip address 96.99.99.175 255.255.255.252
ospf cost 10
!
interface Ethernet0/2
shutdown
nameif DMZ
security-level 50
ip address 192.168.99.254 255.255.255.0
ospf cost 10
!
interface Ethernet0/3
speed 100
duplex full
nameif Inside
security-level 90
ip address 192.168.254.254 255.255.255.0
ospf cost 10
!
interface Management0/0
shutdown
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only

object-group service Allowed_Inside_Access_Group
description Stuff allowed to go out
service-object icmp traceroute
service-object tcp-udp eq domain
service-object tcp-udp eq echo
service-object tcp-udp eq www
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq www
service-object tcp eq https
service-object tcp eq irc
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object udp eq www
service-object udp eq syslog
service-object tcp eq smtp
service-object tcp-udp eq 443
object-group service MailTest tcp
description group creation for port forwarding
port-object eq pop3
port-object eq imap4
port-object eq 465
port-object eq 993
port-object eq 995
port-object range 587 587
port-object eq smtp
object-group service Exchnage_Services tcp
description Telnet and Mail Services
port-object eq imap4
port-object eq pop3
port-object eq smtp

access-list Inside_access_out extended permit icmp any any
access-list Inside_access_out extended permit ip any any

access-list Outside-Shaw_access_in_1 remark Incoming IP for Exchange 96.99.99.175
access-list Outside-Shaw_access_in_1 remark Incoming IP for Exchange 96.99.99.175
access-list Outside-Shaw_access_in_1 remark Incoming IP for Exchange 96.99.99.175

access-list Inside_nat_outbound remark PAT outgoing sessions
access-list Inside_nat_outbound remark PAT outgoing sessions
access-list Inside_nat_outbound extended permit ip object-group grp-INTERNALNETS any
access-list Inside_nat_outbound remark PAT outgoing sessions
access-list Inside_nat_outbound remark PAT outgoing sessions
access-list Inside_nat_outbound remark PAT outgoing sessions
access-list Inside_nat_outbound remark PAT outgoing sessions
access-list Inside_nat_outbound extended permit tcp any host 96.99.99.175 eq smtp
access-list Inside_access_in remark Prohibit any machine other then COLSVR03 from sending via SMTP service
access-list Inside_access_in remark Allow COLSVR03 to send SMTP messages, while rule below denies all other computers from sending
access-list Inside_access_in extended permit tcp host 192.168.16.12 eq smtp any eq smtp
access-list Inside_access_in extended deny tcp any eq smtp any eq smtp inactive
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in remark Prohibit any machine other then COLSVR03 from sending via SMTP service
access-list Inside_access_in remark Allow COLSVR03 to send SMTP messages, while rule below denies all other computers from sending
access-list Inside_access_in remark Prohibit any machine other then COLSVR03 from sending via SMTP service


access-list Outside-Email_access_in remark Incoming IP for Exchange 96.99.99.175
access-list Outside-Email_access_in extended permit tcp host 192.168.16.12 any object-group MailTest
access-list Outside-Email_access_in extended permit tcp any any eq smtp
access-list Outside-Email_access_in extended permit ip any any log
access-list Outside-Email_access_in extended permit icmp any any
access-list Outside-Email_access_in_1 remark Incoming IP for Exchange 96.99.99.175
access-list Outside-Email_access_in_1 extended permit ip any host 96.99.99.175
access-list Outside-Email_access_in_1 extended permit tcp any any eq smtp
access-list Outside-Email_access_in_1 extended permit icmp any any
access-list Outside-Email_access_in_1 extended permit ip any any log
access-list Outside-Email_access_in_1 remark Incoming IP for Exchange 96.99.99.175
access-list Outside-Email_access_in_1 remark Incoming IP for Exchange 96.99.99.175
access-list Outside-Email_access_in_1 remark Incoming IP for Exchange 96.99.99.175
access-list Inside_nat0_outbound extended permit ip any host 192.168.16.12
access-list Inside_nat0_outbound extended permit ip any host 96.99.99.175
access-list Inside_nat0_outbound extended permit ip any 10.100.4.0 255.255.255.0
access-list tacin extended permit ip any host 192.168.16.2 inactive
access-list Inside_nat_outbound_1 extended permit ip object-group grp-ALLNETS 10.100.1.0 255.255.255.0
access-list Inside_nat_outbound_1 extended permit ip object-group grp-INTERNALNETS 10.100.2.0 255.255.255.0
access-list Inside_nat_outbound_1 extended permit ip 192.168.16.0 255.255.255.0 10.100.3.0 255.255.255.0
access-list Inside_nat_outbound_1 extended permit ip object-group grp-INTERNALNETS 10.100.4.0 255.255.255.0
access-list Inside_nat_outbound_1 remark PAT outgoing sessions
access-list Inside_nat_outbound_1 extended permit ip any any
access-list Inside_nat_outbound_1 remark PAT outgoing sessions
access-list Inside_nat_outbound_1 remark PAT outgoing sessions


nat-control
global (Outside-Shaw) 1 interface
global (Outside-Email) 1 interface
global (Inside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 access-list Inside_nat_outbound_1
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside-Email) tcp interface 997 192.168.16.12 997 netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface pop3 192.168.16.12 pop3 netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface 587 192.168.16.12 587 netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface 993 192.168.16.12 993 netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface imap4 192.168.16.12 imap4 netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface kerberos 192.168.16.12 kerberos netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface smtp 192.168.16.12 smtp netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface 433 192.168.16.12 https netmask 255.255.255.255
static (Inside,Outside-Email) tcp interface www 192.168.16.12 www netmask 255.255.255.255
static (Inside,Outside-Shaw) tcp interface 9191 192.168.16.3 9191 netmask 255.255.255.255
static (Inside,Inside) tcp 96.99.99.156 9191 192.168.16.3 9191 netmask 255.255.255.255
access-group Outside-Shaw_access_in_1 in interface Outside-Shaw
access-group Outside-Email_access_in_1 in interface Outside-Email
access-group Inside_nat0_outbound out interface Outside-Email
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside-Shaw 0.0.0.0 0.0.0.0 96.99.99.155 1

policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!


Dinesh Moudgil
Cisco Employee

Hello Doug,

I just see one route "route Outside-Shaw 0.0.0.0 0.0.0.0 96.99.99.155 1" in the configuration.
If this is the active interface, then out of these nat statements:
global (Outside-Shaw) 1 interface
global (Outside-Email) 1 interface

only the one with Outside-Shaw will be active thus the server gets the IP associated to Outside-Shaw interface.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
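To make the point in the reply above concrete: on ASA 8.2 the routing table, not the NAT statements, picks the egress interface, and only then does the "global" pool bound to that interface decide the translated source address. The script below is an added example, not code from the thread or from Cisco. It parses a constructed excerpt of the posted "sh run" (only the interface, global and route lines), does the longest-prefix route lookup, and reports which interface address the destination will see. The destination 203.0.113.25 is a constructed placeholder for an Internet MX; the nat-control behaviour (no matching translation means the connection is not built) is modelled as a None address.

```python
"""Model of ASA 8.2 egress selection: route lookup chooses the nameif, and the
'global (<nameif>) 1 interface' statement on that nameif supplies the PAT
address. Added example, not part of the original thread."""
import ipaddress
import re

# Constructed excerpt of the posted "sh run" (only the lines this model needs).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif Outside-Shaw
 ip address 96.99.99.156 255.255.255.252
interface Ethernet0/1
 nameif Outside-Email
 ip address 96.99.99.175 255.255.255.252
interface Ethernet0/3
 nameif Inside
 ip address 192.168.254.254 255.255.255.0
global (Outside-Shaw) 1 interface
global (Outside-Email) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
route Outside-Shaw 0.0.0.0 0.0.0.0 96.99.99.155 1
"""


def parse_asa(text):
    """Collect nameif -> interface address/subnet, the nameifs that carry a
    'global ... interface' PAT pool, and the static plus connected routes."""
    ifaces, pat_ifaces, routes = {}, set(), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"ip": None, "net": None}
        elif line.startswith("nameif ") and current is not None:
            ifaces[line.split()[1]] = current
        elif line.startswith("ip address ") and current is not None:
            _, _, ip, mask = line.split()
            current["ip"] = ipaddress.ip_address(ip)
            current["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line.startswith("global ("):
            m = re.match(r"global \((\S+)\) \d+ interface", line)
            if m:
                pat_ifaces.add(m.group(1))
        elif line.startswith("route "):
            _, nameif, net, mask = line.split()[:4]
            routes.append((nameif, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    # Directly connected subnets are routes too, and more specific than 0/0.
    for nameif, data in ifaces.items():
        if data["net"] is not None:
            routes.append((nameif, data["net"]))
    return {"ifaces": ifaces, "pat_ifaces": pat_ifaces, "routes": routes}


def egress_interface(cfg, dst):
    """Longest-prefix match over the routing table: this, not the NAT
    statements, decides which outside nameif the packet leaves on."""
    dst = ipaddress.ip_address(dst)
    best = None
    for nameif, net in cfg["routes"]:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nameif, net)
    return best[0] if best else None


def translated_source(cfg, dst):
    """Return (egress nameif, source address the destination will see).
    'global (X) 1 interface' PATs to X's own address; if the egress interface
    has no global pool, nat-control has nothing to translate with and the
    connection is not built (address None)."""
    egress = egress_interface(cfg, dst)
    if egress is None:
        return None, None
    if egress in cfg["pat_ifaces"]:
        return egress, str(cfg["ifaces"][egress]["ip"])
    return egress, None


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    # Mail from the Exchange host to an Internet MX (constructed address):
    # the only route is the default via Outside-Shaw, so PAT uses .156.
    print(translated_source(cfg, "203.0.113.25"))  # ('Outside-Shaw', '96.99.99.156')
    # Only a destination on the Outside-Email /30 itself leaves on that interface.
    print(translated_source(cfg, "96.99.99.174"))  # ('Outside-Email', '96.99.99.175')
```

Running it shows why the server's outbound mail carries the Outside-Shaw address: the global pool on Outside-Email is only consulted for destinations the routing table sends out that interface, and with a single default route that is just its own /30.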