On the icmp thing, I didn't have an acl for any inside clients but  servers only, so shouldn't the global rule for inspect icmp work then?

The ACL will take precedence over the inspect rules, so your ICMP traffic is bing dropped by the global ACL.  You need to have an ACL on the interface for ICMP traffic to work.

access-group ACL_OUT in interface outside
access-group ACL_IN out interface inside

It looks as though your ACL_IN is configured in the wrong direction.  As it is configured now traffic entering the ASA will be checked once on the ACL-OUT ACL and then again when it leaves the inside interface, it will be checked against the ACL_IN ACL.  Change it to the following:

access-group ACL_IN in interface inside

I am no email expert and am not 100% sure how the ports are sent, but as a rule you should always specify the ports on the destination and not the source.

access-list ACL_IN extended permit tcp object-group MAILSERVERS object-group TCP any
access-list ACL_IN extended permit udp object-group MAILSERVERS object-group UDP any

Normally PC and servers send using a random high number source port with a destination of a wellknown port.  The only time I have seen a server send with a source well-known source port is with Microsoft Lync.  I would try to test by changing the ACLs around so that the ports match on the destination.

Other than that the NAT for the RDP host and the ACL for RDP look fine.  I think by correcting the access-group statements that many of your issues will be solved, and that changing up the mail server ACLs to match the port on the destination should also sort that problem out.  If not let us know and well shall look at this further.

--

Please rate all helpful posts.

Hi Marius,

The object group TCP has smtp dns and http in it, I took out UDP as my old firewall didn't have it for outgoing, yeah I jacked my access-group with the wrong command syntax, I thought to tell the asa to allow outgoing is to use the out command for the outside interface. But that actually broke my incoming emails and web access, so I took it out, and it worked, but I still need to get smtp and dns from those email servers and dns servers to get out to of the asa, so it would be in int inside, I'll try it again, thanks.

Let us know how it goes

Hi Marius,

Finally back on this again, here's my latest config, incoming web, email, and rdp all works(I'll figure out how to block by ip for websites later on), only issue is accessing our OWA server from inside, I changed my acl-in group to access-group ACL_IN in interface inside like what you advised, but that didn't work.

It blocked outgoing access to websites and icmp pings(email and rdp continued to work though). As soon as I took out any outgoing access lists and group it worked again. You'll notice on the last access list, it has an outgoing rule(was thinking that would alllow access to our owa server from inside, but same results)

Is there something wrong with my config, I noticed it doesn't seem to like any outgoing access list.

crxasa# sh run
: Saved
:
ASA Version 9.1(2)8
!
hostname crxasa
domain-name domain.com
enable password 5wq4IltsegGVfI30 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 12.x.x.34 255.0.0.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 208.x.x.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 15
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.x.x.12
domain-name cirexx.com
object network obj-LAN
subnet 0.0.0.0 0.0.0.0
object network cirexxintldc
host 208.x.x.12
object network sharks
host 208.x.x.5
object network cirexxintl
host 208.x.x.85
object network crxmail
host 208.x.x.3
object network svr-sales
host 208.x.x.94
object-group service TCP tcp
description domain,http,smtp services
port-object eq www
port-object eq https
port-object eq domain
port-object eq smtp
object-group service WEBSERVER tcp
description ftp,http,https services
port-object eq www
port-object eq https
port-object eq ftp
object-group network MAILSERVERS
network-object host 208.x.x.12
network-object host 208.x.x.3
object-group network DNS-SERVERS
network-object host 208.x.x.12
network-object host 208.x.x.5
object-group service UDP udp
port-object eq domain
port-object eq www
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit icmp any any echo-reply
access-list ACL_OUT extended permit icmp any any unreachable
access-list ACL_OUT extended permit icmp any any time-exceeded
access-list ACL_OUT extended permit tcp object-group MAILSERVERS object-group TCP any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-LAN
nat (inside,outside) dynamic interface
object network cirexxintldc
nat (inside,outside) static 12.x.x.35
object network sharks
nat (inside,outside) static 12.x.x.37
object network cirexxintl
nat (inside,outside) static 12.x.x.36
object network crxmail
nat (inside,outside) static 12.x.x.43
object network svr-sales
nat (inside,outside) static 12.x.x.49
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.33 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password zULPhOeRwWoy3VJE encrypted privilege 15
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e61d1c3cad33310155ac2216db60fdef
: end

When accessing the OWA site i assume you are using the URL?  What IP does the URL go to, the external IP or the actual private IP (do an nslookup mail.domain.com change the URL to match your actual url)?  It looks as though your mail servers are also located on the inside interface?

If your Mailservers are located on the inside interface along with all your hosts then your only option would be to add an A record to your DNS server that points the URL to the mailserver's private IP.

--
Please remember to rate and select a correct answer

I have split dns, when I go to my owaserver.com it points to an outside ip, my dns and mailservers are inside, I have an A record already pointing to my inside ip for the mailserver, the mailserver is nat'ed on the ASA. This all works on the old firewall by the way, I have dns outgoing, which is needed for our network to function, but I can't seem to get this to work on the ASA.

I made another change on the config to see if dns gets out(my 2 dns servers in the bottom for outgoing using tcp and udp), somehow I can't get to our OWA mailserver, all work fine from outside by the way, only from inside we can't. Thanks in advanced

access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER

access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389

access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP

access-list ACL_OUT extended permit icmp any any echo-reply

access-list ACL_OUT extended permit icmp any any unreachable

access-list ACL_OUT extended permit icmp any any time-exceeded

access-list ACL_OUT extended permit tcp object-group MAILSERVERS object-group TCP any

access-list ACL_OUT extended permit tcp any object-group REMOTEUSERS eq 3389

access-list ACL_OUT extended permit udp object-group DNS-SERVERS any eq domain

access-list ACL_OUT extended permit tcp object-group DNS-SERVERS any eq domain

  Yes, we split it since we started with public ip's, our owaserver.com A record is an outside ip which is mip'ed to the inside real name that points to the inside ip's.

  I read and tried dns doctoring but with same results, also read about hairpinning but haven't tried yet, though I heard from another thread that it has risks, but we do have some users that use OWA, so I need to get that working. I'll give hairpinning a try. This will be it once I get it working, I can fully switch to the ASA, thanks again Marius.

  Marius, I gave it a try, it didn't work, it actually blocked access to our main website, here's the code, do you think it conflicts with the current lan nat entry?

I saw another thread that talks about hairpinning in a recent post, the forum member has this for the nat statement "nat (inside,inside) 1 source static internal interface destination static Public_Server Private_Server"

crxasa# sh run object

object network obj-LAN

subnet 0.0.0.0 0.0.0.0

object network cirexxintldc

host 208.x.x.12

object network sharks

host 208.x.x.5

object network cirexxintl

host 208.x.x.85

object network crxmail

host 208.x.x.3

object network svr-sales

host 208.x.x.94

object network randy

host 208.x.x.84

object network jana

host 208.x.x.133

object network carlo

host 208.x.x.30

object network mb1.cirexx.com

host 12.x.x.35

object network LAN

subnet 208.x.x.0 255.255.255.0

crxasa# sh run nat

nat (inside,inside) source static LAN LAN destination static mb1.cirexx.com cirexxintldc

!

object network obj-LAN

nat (inside,outside) dynamic interface

object network cirexxintldc

nat (inside,outside) static 12.x.x.35

object network sharks

nat (inside,outside) static 12.x.x.37

object network cirexxintl

nat (inside,outside) static 12.x.x.36

object network crxmail

nat (inside,outside) static 12.x.x.43

object network svr-sales

nat (inside,outside) static 12.x.x.49

object network randy

nat (inside,outside) static 12.x.x.54

object network jana

nat (inside,outside) static 12.x.x.44

object network carlo

nat (inside,outside) static 12.x.x.53

It is most likely that the new twice NAT statment interfers with the existing dynamic NAT statement.

You could try the following

nat (inside,inside) source static LAN interface destination static mb1.cirexx.com cirexxintldc

--
Please remember to rate and select a correct answer

I changed it but got this warning;

crxasa# con t

crxasa(config)# nat (inside,inside) source static LAN interface destination static mb1.cirexx.com cirexxintldc

WARNING: All traffic destined to the IP address of the inside interface is being redirected.

WARNING: Users may not be able to access any service enabled on the inside interface.

  I'm onsite, we do have remote users that could get disconnected, I found this article that has additional configs to get it right, I'll give these a try - https://supportforums.cisco.com/docs/DOC-13728