01-12-2011 12:05 PM - edited 03-11-2019 12:34 PM
My company recently deployed a new mail server last month. Since then, every hour or so, one user will be unable to receive mail. It's an Ubuntu 10.04 server running Zimbra mail, and all clients are configured for POP access. Most of the errors will say that the connection has been interrupted. From the workstation, I will try to ping the mail server at 192.168.1.26 and get no reply. If I go to the mail server and ping the workstation, after a couple seconds, there is data flow. If I check the workstation again, it is now able to ping the server, and now, able to receive mail.
We have another linux mail server in place (192.168.1.25) that works without any problems. We are getting rid of this old mail server in a couple months. My concern is that when I modified the firewall (Cisco ASA 5505, 8.2(2)), I might not have done everything correctly or may have missed a step. Is there anyone out there that can look at a show run log or give me some idea what to do? I'm not well versed at Cisco stuff. I administer this firewall using the ASDM software version 6.2(5). What would be my first step at troubleshooting this strange behaviour?
01-12-2011 12:56 PM
Kyle,
From your description it's clear to me that the behavior you describe is something stateful.
My first guess would be to check xlates.
Can you please confirm for me if there is a static NAT entry for the IP address of the server between the interface where the server resides and the interface where the client resides?
Marcin
01-12-2011 01:02 PM
Can you tell me specifically how to provide this information to you using the ASDM GUI? I can also use the "Command Line Interface" from the GUI to enter a command.
01-13-2011 06:54 AM
To reply to Marcin, when I run my ASDM GUI, under configuration/firewall/access rules/IPv4 Network Objects, I do have 2 IP addresses set for the mail server. ADDON-INT points to 192.168.1.26 and ADDON-EXT points to the public IP address. What other info do you need?
01-12-2011 04:07 PM
From your description, it kind of sounds like this problem workstation and the mail server are both on the inside network. If that is the case, the firewall has no role in these issues. Regardless of that detail, anytime one client workstation presents a problem while others are happy, focus on that one workstation.
Maybe it has an old network card and/or driver. Maybe the network cable is bad or loose at either end. Maybe the drop is bad. Maybe the OS isn't patched. Maybe it's full of spyware and malware and is degraded or compromised.
As a general troubleshooting technique, a centralized resource like a firewall is more likely to exhibit behavior that affects more than one client, since all clients' traffic passes through it.
Hope that helps.
01-13-2011 06:31 AM
The problem is happening at random intervals throughout the day on random workstations. The only common link is the mail server or the gateway/firewall. I've done my due diligence on troubleshooting the mail server and have found no problems with the software or hardware. Could it be the xlates that the other guy was talking about? Whatever xlates are....
01-13-2011 08:29 AM
Kyle,
Can you attach the running config? Feel free to mask any information you don't want the public to see (IP addresses on WAN, password hashes).
Marcin
01-13-2011 09:08 AM
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname AIM-ASA-FW
domain-name aim-cc.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd mZkiFXWaEb.AkII6 encrypted
names
name 192.168.1.25 ACCMX-INT
name 192.168.1.44 ACCSUN-INT
name 192.168.1.28 ACCIRON-INT
name 192.168.1.43 HRMS-INT
name 69.130.7.116 ACCIRON-EXT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.117 ACCSUN-EXT
name 69.130.7.118 FacileHR-EXT
name 69.130.7.119 HRMS-EXT
name 192.168.1.42 FacileHR-INT
name 69.130.7.120 NRIYP-EXT
name 192.168.1.27 NRIYP-INT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
name 192.168.1.21 Kyle
!
interface Vlan1
description LAN [INSIDE INTERFACE]
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description T1 LINE [EXTERNAL INTERFACE]
nameif outside
security-level 0
ip address 69.130.7.114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name aim-cc.com
object-group service aptela udp
description for Aptela Phones
port-object range 10000 20000
port-object range sip 5061
object-group service RDP tcp-udp
port-object range 3389 3389
object-group network BLACKLIST
object-group service SMTP-587 tcp
description SMTP 587
port-object eq 587
object-group service smtp-587 tcp
description smtp 587
port-object eq 587
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SMTP-465 tcp
port-object eq 465
object-group service TCP-993 tcp
port-object eq 993
object-group service TCP-995 tcp
port-object eq 995
object-group service TCP-7071 tcp
port-object eq 7071
object-group service TCP-10000 tcp
port-object eq 10000
object-group service TCP-8080 tcp
port-object eq 8080
object-group service TCP-8443 tcp
port-object eq 8443
object-group service TCP-23781 tcp
port-object eq 23781
access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive
access-list outside_in_inside extended permit ip any host ACCSUN-EXT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www
access-list outside_in_inside extended permit ip any host FacileHR-EXT
access-list outside_in_inside extended permit tcp any eq www host FacileHR-EXT eq www
access-list outside_in_inside extended permit ip any host ACCSUN-INT
access-list outside_in_inside extended permit ip any host FacileHR-INT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www
access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www
access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh
access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh
access-list outside_in_inside extended permit ip any host ACCMX-EXT
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www
access-list outside_in_inside extended permit ip any host ADDON-EXT
access-list outside_in_inside extended permit ip any host ACCIRON-EXT
access-list outside_in_inside extended permit ip any host NRIYP-EXT
access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www
access-list outside_in_inside extended permit udp any any object-group aptela
access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive
access-list outside_in_inside extended permit ip any host HRMS-EXT
access-list outside_in_inside extended permit tcp any host HRMS-EXT
access-list outside_in_inside extended permit ip any host HRMS-INT
access-list outside_in_inside extended permit tcp any host HRMS-INT
access-list outside_in_inside extended deny ip host 216.101.194.154 any
access-list outside_in_inside extended deny tcp host 216.101.194.154 any
access-list outside_in_inside extended deny udp host 216.101.194.154 any
access-list outside_in_inside extended permit tcp any any eq 15250
access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389
access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781
access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive
access-list outside_in_inside extended deny ip any host 192.168.1.188
access-list outside_in_inside extended deny tcp any host 192.168.1.188
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended deny ip host 216.101.194.154 any
access-list inside_access_in extended deny tcp host 216.101.194.154 any
access-list inside_access_in extended deny udp host 216.101.194.154 any
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp any eq 3389 any eq 3389
access-list inside_access_out extended permit tcp any eq domain any eq domain
access-list inside_access_out extended permit udp any eq domain any eq domain
access-list inside_access_out extended permit tcp any eq www any eq www
access-list inside_access_out extended permit udp any eq www any eq www
access-list inside_access_out extended permit tcp any eq https any eq https
access-list inside_access_out extended permit udp any eq 443 any eq 443
access-list inside_access_out extended permit tcp any eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp outside HRMS-INT 0019.d137.8533
arp inside HRMS-INT 0019.d137.8533
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255
static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255
static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255
static (outside,inside) HRMS-INT HRMS-EXT netmask 255.255.255.255
static (outside,inside) FacileHR-INT FacileHR-EXT netmask 255.255.255.255 dns
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
static (inside,outside) HRMS-EXT HRMS-INT netmask 255.255.255.255
static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (outside,inside) NRIYP-INT NRIYP-EXT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (outside,inside) ADDON-INT ADDON-EXT netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.130.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location AIM Computer Consulting - Closet
snmp-server contact Red Level Networks - support@redlevelnetworks.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd dns ACCMX-INT ADDON-INT
dhcpd domain aim-cc.com
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
username redlevel password OqxvfJhMsUFUOSg7 encrypted privilege 15
username aimfwadm password a87SLutMml8bG8MZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a7feb075228263020177238df1fe1ecb
: end
01-13-2011 10:45 AM
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (outside,inside) NRIYP-INT NRIYP-EXT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (outside,inside) ADDON-INT ADDON-EXT netmask 255.255.255.255
Those NATs look wrong to me (and more).
You only need to have static (inside,outside) EXTERNAL_IP INTERNAL_IP most of the time. Creating a static NAT the other way ... well, it's not needed and probably asking for trouble, unless some particular functionality is intended with this?
Please remove the unnecessary outside,inside NAT statements (and remember that you need to do "clear xlate" after doing any changes to the static config - some traffic might be lost)
Marcin
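As an added example (not code from this thread, from Cisco, or from ASDM), a small Python checker that parses the `name` and `static` lines of an 8.2-style "sh run", lists the `static (outside,inside)` entries that merely mirror an existing `static (inside,outside)` one, and prints the matching `no static` lines followed by the `clear xlate` reminder above. `SAMPLE_CONFIG` is a constructed cut-down of the config posted in this thread; port-level statics (`static (i,o) tcp ...`) do not appear on this page and are not handled.

```python
"""Flag mirrored static NAT pairs in an ASA 8.2 'show run' (added example)."""
import re

# Constructed sample: a cut-down version of the "sh run" posted in this thread.
SAMPLE_CONFIG = """\
name 192.168.1.25 ACCMX-INT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.120 NRIYP-EXT
name 192.168.1.27 NRIYP-INT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (outside,inside) NRIYP-INT NRIYP-EXT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
static (outside,inside) ADDON-INT ADDON-EXT netmask 255.255.255.255
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)\s*$")
# 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask <mask> ...
STATIC_RE = re.compile(
    r"^static\s+\((\w+),(\w+)\)\s+(\S+)\s+(\S+)(?:\s+netmask\s+(\S+))?")


def parse_names(config):
    """Map 'name <ip> <alias>' lines so aliases can be resolved to addresses."""
    names = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def parse_statics(config):
    """Return one dict per host static NAT line, with aliases resolved to IPs."""
    names = parse_names(config)
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        real_ifc, mapped_ifc, mapped, real, mask = m.groups()
        statics.append({
            "line": line.strip(),
            "real_ifc": real_ifc,
            "mapped_ifc": mapped_ifc,
            "mapped": names.get(mapped, mapped),
            "real": names.get(real, real),
            "mask": mask or "255.255.255.255",
        })
    return statics


def find_reverse_statics(config, inside="inside", outside="outside"):
    """Return (outside,inside) statics that only mirror an (inside,outside) one.

    A published server normally needs just
        static (inside,outside) EXTERNAL_IP INTERNAL_IP
    The mirror entry names the same two addresses with interfaces and
    roles swapped; the thread above calls these unnecessary.
    """
    statics = parse_statics(config)
    forward = {(s["mapped"], s["real"]) for s in statics
               if s["real_ifc"] == inside and s["mapped_ifc"] == outside}
    return [s for s in statics
            if s["real_ifc"] == outside and s["mapped_ifc"] == inside
            and (s["real"], s["mapped"]) in forward]


def removal_commands(config):
    """Commands that drop the mirrored statics, then 'clear xlate' as advised."""
    cmds = ["no " + s["line"] for s in find_reverse_statics(config)]
    if cmds:
        cmds.append("clear xlate")
    return cmds


if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_CONFIG):
        print(cmd)
```

Run against the real config, paste the emitted `no static` lines into the CLI tool in ASDM and follow with `clear xlate`, accepting that existing connections through those translations will be dropped.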
01-13-2011 11:16 AM
All 4 of those entries are incorrect? Or just number 2 and 4? Can you instruct me on how to remove those two using the ASDM graphical interface? Would I find those entries under Configuration/Firewall/NAT Rules? There, I have 2 sections, inside and outside. Inside has 7 static rules, outside has 6 static rules. Am I removing 2 entries from this table?
01-13-2011 01:04 PM
Okay, I removed those entries. Here's what my SH RUN looks like now.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(2)
!
hostname AIM-ASA-FW
domain-name aim-cc.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd mZkiFXWaEb.AkII6 encrypted
names
name 192.168.1.25 ACCMX-INT
name 192.168.1.44 ACCSUN-INT
name 192.168.1.28 ACCIRON-INT
name 192.168.1.43 HRMS-INT
name 69.130.7.116 ACCIRON-EXT
name 69.130.7.115 ACCMX-EXT
name 69.130.7.117 ACCSUN-EXT
name 69.130.7.118 FacileHR-EXT
name 69.130.7.119 HRMS-EXT
name 192.168.1.42 FacileHR-INT
name 69.130.7.120 NRIYP-EXT
name 69.130.7.126 ADDON-EXT
name 192.168.1.26 ADDON-INT
name 192.168.1.21 Kyle
name 192.168.1.30 NRIYP-INT
!
interface Vlan1
description LAN [INSIDE INTERFACE]
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description T1 LINE [EXTERNAL INTERFACE]
nameif outside
security-level 0
ip address 69.130.7.114 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name aim-cc.com
object-group service aptela udp
description for Aptela Phones
port-object range 10000 20000
port-object range sip 5061
object-group service RDP tcp-udp
port-object range 3389 3389
object-group network BLACKLIST
object-group service SMTP-587 tcp
description SMTP 587
port-object eq 587
object-group service smtp-587 tcp
description smtp 587
port-object eq 587
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SMTP-465 tcp
port-object eq 465
object-group service TCP-993 tcp
port-object eq 993
object-group service TCP-995 tcp
port-object eq 995
object-group service TCP-7071 tcp
port-object eq 7071
object-group service TCP-10000 tcp
port-object eq 10000
object-group service TCP-8080 tcp
port-object eq 8080
object-group service TCP-8443 tcp
port-object eq 8443
object-group service TCP-23781 tcp
port-object eq 23781
access-list outside_in_inside extended deny tcp object-group BLACKLIST any eq smtp inactive
access-list outside_in_inside extended permit ip any host ACCSUN-EXT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-EXT eq www
access-list outside_in_inside extended permit ip any host FacileHR-EXT
access-list outside_in_inside extended permit tcp any eq www host FacileHR-EXT eq www
access-list outside_in_inside extended permit ip any host ACCSUN-INT
access-list outside_in_inside extended permit ip any host FacileHR-INT
access-list outside_in_inside extended permit tcp any eq www host ACCSUN-INT eq www
access-list outside_in_inside extended permit tcp any eq www host FacileHR-INT eq www
access-list outside_in_inside extended permit tcp any host ACCSUN-EXT eq ssh
access-list outside_in_inside extended permit tcp any eq ssh host FacileHR-EXT eq ssh
access-list outside_in_inside extended permit ip any host ACCMX-EXT
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq www
access-list outside_in_inside extended permit ip any host ADDON-EXT
access-list outside_in_inside extended permit ip any host ACCIRON-EXT
access-list outside_in_inside extended permit ip any host NRIYP-EXT
access-list outside_in_inside extended permit tcp any host NRIYP-EXT eq www
access-list outside_in_inside extended permit udp any any object-group aptela
access-list outside_in_inside extended permit udp any host 64.50.254.253 inactive
access-list outside_in_inside extended permit ip any host HRMS-EXT
access-list outside_in_inside extended permit tcp any host HRMS-EXT
access-list outside_in_inside extended permit ip any host HRMS-INT
access-list outside_in_inside extended permit tcp any host HRMS-INT
access-list outside_in_inside extended deny ip host 216.101.194.154 any
access-list outside_in_inside extended deny tcp host 216.101.194.154 any
access-list outside_in_inside extended deny udp host 216.101.194.154 any
access-list outside_in_inside extended permit tcp any any eq 15250
access-list outside_in_inside extended permit tcp any eq 3389 any eq 3389
access-list outside_in_inside extended permit tcp any eq 23781 host 192.168.1.121 eq 23781
access-list outside_in_inside extended permit tcp any eq smtp any eq smtp inactive
access-list outside_in_inside extended deny ip any host 192.168.1.188
access-list outside_in_inside extended deny tcp any host 192.168.1.188
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq smtp
access-list outside_in_inside extended permit object-group TCPUDP any host ADDON-EXT eq domain
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq ssh
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq https
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-587
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group SMTP-465
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-993
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-995
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq imap4
access-list outside_in_inside extended permit tcp any host ADDON-EXT eq pop3
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list outside_in_inside extended permit tcp any host ADDON-EXT object-group TCP-8443
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended deny ip host 216.101.194.154 any
access-list inside_access_in extended deny tcp host 216.101.194.154 any
access-list inside_access_in extended deny udp host 216.101.194.154 any
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-7071
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-10000
access-list inside_access_in extended permit tcp any host ADDON-EXT object-group TCP-8080
access-list inside_access_in extended permit tcp any host Kyle object-group TCP-23781
access-list inside_access_out extended permit tcp any any
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit udp any any
access-list inside_access_out extended permit tcp any eq 3389 any eq 3389
access-list inside_access_out extended permit tcp any eq domain any eq domain
access-list inside_access_out extended permit udp any eq domain any eq domain
access-list inside_access_out extended permit tcp any eq www any eq www
access-list inside_access_out extended permit udp any eq www any eq www
access-list inside_access_out extended permit tcp any eq https any eq https
access-list inside_access_out extended permit udp any eq 443 any eq 443
access-list inside_access_out extended permit tcp any eq smtp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625.bin
no asdm history enable
arp outside HRMS-INT 0019.d137.8533
arp inside HRMS-INT 0019.d137.8533
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) ACCMX-EXT ACCMX-INT netmask 255.255.255.255
static (inside,outside) ACCSUN-EXT ACCSUN-INT netmask 255.255.255.255
static (outside,inside) ACCSUN-INT ACCSUN-EXT netmask 255.255.255.255
static (outside,inside) ACCIRON-INT ACCIRON-EXT netmask 255.255.255.255
static (outside,inside) HRMS-INT HRMS-EXT netmask 255.255.255.255
static (outside,inside) FacileHR-INT FacileHR-EXT netmask 255.255.255.255 dns
static (inside,outside) FacileHR-EXT FacileHR-INT netmask 255.255.255.255
static (inside,outside) HRMS-EXT HRMS-INT netmask 255.255.255.255
static (inside,outside) ACCIRON-EXT ACCIRON-INT netmask 255.255.255.255
static (inside,outside) NRIYP-EXT NRIYP-INT netmask 255.255.255.255
static (inside,outside) ADDON-EXT ADDON-INT netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_in_inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.130.7.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server location AIM Computer Consulting - Closet
snmp-server contact Red Level Networks - support@redlevelnetworks.com
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
dhcpd dns ACCMX-INT ADDON-INT
dhcpd domain aim-cc.com
!
dhcpd address 192.168.1.150-192.168.1.250 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
username redlevel password OqxvfJhMsUFUOSg7 encrypted privilege 15
username aimfwadm password a87SLutMml8bG8MZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class inspection_default
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dc3a634149d26ea33b9129e154015536
: end
01-13-2011 02:34 PM
Kyle,
Config looks better now
... did you clear existing xlates?
What I would like you to do is to add those lines:
logging buffer-size 1000000
logging buffered info
to the configuration.
Then execute a failing test and check:
show logg | i IP_ADDRESS_OF_CLIENT
show logg | i IP_ADDRESS_OF_SERVER
And attach any and all output you see.
Marcin
01-14-2011 07:20 AM
Yes, I did clear xlates as you instructed. Since I am using the GUI to do this, and not telnet or whatever most people use, I'm probably not seeing what you would normally see. This is my output for the lines you gave me...
Result of the command: "logging buffer-size 1000000"
The command has been sent to the device
Result of the command: "logging buffered info"
The command has been sent to the device
Result of the command: "show logg | i IP_ADDRESS_OF_CLIENT"
The command has been sent to the device
Result of the command: "show logg | i IP_ADDRESS_OF_SERVER"
The command has been sent to the device
Should I be using something else other than the ASDM GUI? I haven't seen any failures since yesterday afternoon.
01-14-2011 08:21 AM
Kyle,
Well, obviously IP_ADDRESS_OF_CLIENT should be substituted with the IP of the client which is attempting to connect to the server. ;-)
I'm not sure if the ASDM CLI access will return you the lines we need.
ASDM is probably not the best to do troubleshooting ;-)
I assume no problem since yesterday afternoon is a good sign? How often was the problem happening before? ;-D
BTW xlate = translation table entry. The static command introduces a static xlate into the table, for clarity's sake.
Marcin
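Once the two "show logg | i ..." commands return real syslog lines (the ASDM command tool only echoes that the command was sent, so a terminal session works better), a short script can sort what came back. This is an added example, not from the thread or from Cisco: it groups the lines by ASA message ID, keeps the ones that mention both hosts, tallies the reason on each TCP teardown, and flags deny and NAT-failure messages. The log lines are constructed, and 192.168.1.121 is assumed as the workstation address.

```python
import re
from collections import Counter

# Constructed sample, not output from the poster's firewall. 192.168.1.26 is
# ADDON-INT from the thread; 192.168.1.121 is assumed to be the workstation.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 48211 for outside:203.0.113.7/51344 (203.0.113.7/51344) to inside:192.168.1.26/25 (192.0.2.10/25)
%ASA-6-302014: Teardown TCP connection 48211 for outside:203.0.113.7/51344 to inside:192.168.1.26/25 duration 0:00:03 bytes 2210 TCP FINs
%ASA-6-302013: Built outbound TCP connection 48230 for inside:192.168.1.121/52002 (192.168.1.121/52002) to outside:192.168.1.26/110 (192.168.1.26/110)
%ASA-6-302014: Teardown TCP connection 48230 for inside:192.168.1.121/52002 to outside:192.168.1.26/110 duration 0:00:30 bytes 0 SYN Timeout
%ASA-3-305005: No translation group found for tcp src inside:192.168.1.121/52003 dst outside:192.168.1.26/110
%ASA-4-106023: Deny tcp src inside:192.168.1.121/52004 dst outside:192.168.1.26/110 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.1.26/0 gaddr 192.168.1.121/1 laddr 192.168.1.121/1
%ASA-6-302013: Built inbound TCP connection 48300 for outside:198.51.100.9/40000 (198.51.100.9/40000) to inside:192.168.1.25/110 (192.0.2.9/110)
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# 302014 ends with the teardown reason (TCP FINs, SYN Timeout, ...), the first
# thing to read when a client reports an interrupted connection.
TEARDOWN_RE = re.compile(r"duration \S+ bytes \d+ (?P<reason>.+?)\s*$")
ATTENTION = {  # message IDs that explain a flow being dropped
    "106023": "denied by an access-list",
    "305005": "no NAT rule matched (no translation group found)",
    "305006": "translation creation failed",
}


def ip_in(line, ip):
    """Whole-address match so 192.168.1.2 does not match inside 192.168.1.26."""
    return re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line) is not None


def summarize_asa_log(log_text, client_ip, server_ip):
    """Group lines mentioning either host by message ID; return the lines that
    involve both hosts, the teardown reasons, and the lines that signal a drop."""
    by_id, reasons, both, problems = Counter(), Counter(), [], []
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m or not (ip_in(line, client_ip) or ip_in(line, server_ip)):
            continue
        by_id[m["id"]] += 1
        if ip_in(line, client_ip) and ip_in(line, server_ip):
            both.append(line.strip())
        if m["id"] == "302014" and (t := TEARDOWN_RE.search(m["text"])):
            reasons[t["reason"]] += 1
        if m["id"] in ATTENTION:
            problems.append((m["id"], ATTENTION[m["id"]], line.strip()))
    return {"by_id": dict(by_id), "both_hosts": both,
            "teardown_reasons": dict(reasons), "problems": problems}
```

Run it as `summarize_asa_log(open("asa.log").read(), "<client ip>", "<server ip>")` on the pasted output; a "SYN Timeout" teardown or any entry under "problems" is what to attach to the thread.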