Hi Marvin,

Is it possible for you to do the lines i have to put in thru the CLI-interface..   I tried a dozen of different ways but i don't seem to be able to do it..  Pretty new to this box - So trying to learn. hehe..   Here is my config file - Pretty clean as for now..  Simple config - Building it up step by step..

Please let me know how to get those three requests working with the cli-commands i have to do..  if it ain't to much work.. hehe ..  Thanks alot..  AND YES - Only one public IP to work with..  ;-)

Config file currently :

: Written by enable_15 at 21:50:51.749 UTC Sat Jul 6 2013

!

ASA Version 9.1(2)

!

hostname asa

domain-name asa

enable password XX encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd XX encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 12

switchport protected

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan12

nameif DMZ

security-level 50

ip address 192.168.2.1 255.255.255.0

!

boot system disk0:/asa912-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name asa

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Work

host 192.168.2.10

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface

object network Work

nat (any,outside) static interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.10.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=brainbox

keypair

crl configure

crypto ca trustpool policy

telnet timeout 5

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.10.10-192.168.10.30 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

username pascal password XX encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:XX

Something like this:

asa# conf t

asa(config)# object network host OpenVPN_Server

asa(config-network-object)# nat (inside, outside) dynamic 192.168.10.xxx service tcp 1194

asa(config-network-object)# object network host FTP_Server

asa(config-network-object)# nat (inside, outside) dynamic service tcp 31030

asa(config)# exit

asa(config)# access-list outside_access permit tcp any host OpenVPN_Server eq 1194

asa(config)# access-list outside_access permit tcp any host FTP_Server eq 31030

asa(config)# access-group outside_access interface outside

asa(config)exit

I'm not sure why your outbound email isn't working already. Are you getting a good interface address and default route on the ASA from the outside DHCP server?

Thanks for the above..  I will try it out right away and see if it works out..   I appricate your time in this.

In regards to the email..  Its my Synology-server that comes up with an error trying to send an email..  I have set it up to send mesages thru gmail for warnings etc..   It used to work on a different firewall without any settings..  But hasn't worked after installing this one..  So for me it sounds like that it won't let me send email from those ports without rules created in the box ??     I will look into the log an see what error it comes up with and copy/paste it here..

Thanks so far for the info above - I will try it out and let you know if it fixed it..

/pascal

Hey Marvin,

The email-part worked perfectly..   I can now send emails thru it.. PERFECT !!! thanks for fixing that one.. 

But the other part..   Didnt work out.. it comes with errors..  Look below :

Already at the first part it goes wrong..  

brainbox# config t

brainbox(config)# object network host OpenVPN_Server

                                      ^

ERROR: % Invalid input detected at '^' marker.

brainbox(config)#

So i believe before that one is created - The next line won't make any sense...  

nat (inside, outside) dynamic 192.168.10.xxx service tcp 1194 <-----------

Uhmm.. does this make sense to you .. what is wrong?

Great that the mail is working.

I think my syntax was a bit off - it should be object-network etc. But you might be better off trying the GUI for setting up a public server for your two public servers. The configuration guide section here should help:

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/access_public_servers.html#wp1091646

Hi Marvin,

Tried to follow the guide - But still not home free..  I'm just thinking...  How hard can it really be to make OpenVPN on port 1194 working..   Thats the only port for OpenVPN that needs access thru my firewall and i can't seem to figure out how to configure it correctly.

Anyone in the forum here that has a Synology like i do and knows how to get this working ?

I appriciate your tryings Marvin..   ;-)   

Uhmm.. it says " Question is answered" - Not 100 percent..  Please read above this post..    I still need assistance...    Thanks...

Pascal,

Did you get the "object-network host" command with its associated nat and access-list entries to take? If you could post the updated configuration with that in place, we can have a look at it some more.

Regards,

- Marvin