Strange issue on newly installed 5510

Carlomd
Level 1

Hi all,

A couple of issues came up after installing our new 5510. A couple of sites that use the same ISP as ours had issues: one where we can email them but their incoming mail to us wasn't working, and another site we couldn't browse on the web.

This all worked after putting back the old firewall. I was wondering whether it might be a DNS issue with our ISP's and the ASA could be blocking on the outside int. On the old firewall I have the trust-to-untrust rule allowing DNS outgoing; that setting is not on the ASA since its inside int has security level 100. I also talked to the IT dept of the site that had incoming email issues; he said 2 of their Exchange servers are connected to the same ISP as ours. Most sites worked, including email, but there might be more we just haven't tried yet. For now I have our old firewall in place till I figure out what's causing some sites to not work on the ASA.

update - I added my object group DNS-SERVERS on the outside int, I'll test again to see if the sites in question work.

here's my latest config, thanks in advance.

crxasa# sh run
: Saved
:
ASA Version 9.1(2)8
!
hostname crxasa
domain-name cirexx.com
enable password 5wq4IltsegGVfI30 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.x.x.34 255.0.0.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 208.x.x.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 15
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 208.x.x.12
 domain-name domain.com
same-security-traffic permit intra-interface
object network obj-LAN
 subnet 0.0.0.0 0.0.0.0
object network cirexxintldc
 host 208.x.x.12
object network sharks
 host 208.x.x.5
object network cirexxintl
 host 208.x.x.85
object network crxmail
 host 208.x.x.3
object network svr-sales
 host 208.x.x.94
object network randy
 host 208.x.x.84
object network jana
 host 208.x.x.133
object network carlo
 host 208.x.x.30
object network LAN
 subnet 208.x.x.0 255.255.255.0
object network MB1
 host 12.x.x.35
object network MAIL
 host 12.x.x.43
object network cirexxmas90
 host 208.x.x.122
object network cirexxintl2
 host 208.x.x.85
object network bacon
 host 208.x.x.83
object-group service TCP tcp
 description domain,http,smtp services
 port-object eq www
 port-object eq https
 port-object eq domain
 port-object eq smtp
 port-object eq pop3
object-group service WEBSERVER tcp
 description ftp,http,https services
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object eq ftp-data
object-group network MAILSERVERS
 network-object host 208.x.x.12
 network-object host 208.x.x.3
object-group network DNS-SERVERS
 network-object host 208.x.x.12
 network-object host 208.x.x.5
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network REMOTEUSERS
 network-object host 208.x.x.133
 network-object host 208.x.x.84
 network-object host 208.x.x.30
access-list ACL_OUT extended permit tcp any host 208.x.x.85 object-group WEBSERVER
access-list ACL_OUT extended permit tcp any host 208.x.x.94 eq 3389
access-list ACL_OUT extended permit tcp any object-group MAILSERVERS object-group TCP
access-list ACL_OUT extended permit icmp any any echo-reply
access-list ACL_OUT extended permit icmp any any unreachable
access-list ACL_OUT extended permit icmp any any time-exceeded
access-list ACL_OUT extended permit tcp object-group MAILSERVERS object-group TCP any
access-list ACL_OUT extended permit tcp any object-group REMOTEUSERS eq 3389
access-list ACL_OUT extended permit tcp any host 208.x.x.122 eq 3389
access-list ACL_OUT extended permit tcp any host 208.x.x.85 eq 51000
access-list ACL_OUT extended permit tcp any host 208.x.x.83 eq 6272
access-list ACL_OUT extended permit tcp any host 208.x.x.83 eq www
access-list ACL_OUT extended permit tcp any object-group DNS-SERVERS eq domain
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source dynamic LAN interface destination static MB1 cirexxintldc
nat (inside,inside) source dynamic LAN interface destination static MAIL crxmail
!
object network obj-LAN
 nat (inside,outside) dynamic interface
object network cirexxintldc
 nat (inside,outside) static 12.x.x.35
object network sharks
 nat (inside,outside) static 12.x.x.37
object network cirexxintl
 nat (inside,outside) static 12.x.x.36
object network crxmail
 nat (inside,outside) static 12.x.x.43
object network svr-sales
 nat (inside,outside) static 12.x.x.49
object network randy
 nat (inside,outside) static 12.x.x.54
object network jana
 nat (inside,outside) static 12.x.x.44
object network carlo
 nat (inside,outside) static 12.x.x.53
object network cirexxmas90
 nat (inside,outside) static 12.x.x.40
object network cirexxintl2
 nat (inside,outside) static 12.x.x.38
object network bacon
 nat (inside,outside) static 12.x.x.41
access-group ACL_OUT in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.33 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 30
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password zULPhOeRwWoy3VJE encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bd0acd7effe0144b539caefb6c517e30
: end
crxasa#

Message was edited by: CARLO DOMINGUEZ

4 Replies

Julio Carvajal
VIP Alumni

Hello Carlo,

So you can email but you do not receive them.

Can you provide us

packet-tracer input outside tcp 4.2.2.2 1025 x.x.x.x 25

Where x.x.x.x is the public IP address of the SMTP server.


Sent from Cisco Technical Support Android App

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, thanks for the reply. After digging around I found out that I had the wrong subnet mask for our outside IP: when I configured the outside int I didn't manually enter the correct mask, and the ASA automatically put a /8 on it, which gave the wrong IP range from what the ISP leased us.

After looking at our old firewall, it had a /27. I had thought it was a DNS issue at first, but I just overlooked the IP config; after setting it to /27 things started to flow like normal again.
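Why a /8 on the outside interface breaks only sites on the same ISP: the ASA treats everything inside the connected subnet as directly reachable and ARPs for it instead of forwarding to the default gateway (the `route outside 0.0.0.0 0.0.0.0 <gw> 1` line in the config). The example below is added here and is not from the thread; it uses constructed documentation addresses in place of the masked 12.x.x.x values and reproduces the next-hop decision under both masks.

```python
import ipaddress

# Constructed stand-ins for the masked 12.x.x.34 outside address and the
# 12.x.x.33 default gateway shown in the posted config.
OUTSIDE_IP = "198.51.100.34"
GATEWAY = "198.51.100.33"


def next_hop(outside_ip, prefix_len, dst, gateway):
    """Return how the firewall would deliver a packet to dst.

    A destination inside the directly connected subnet is resolved with ARP
    on the outside wire; any other destination follows the default route.
    """
    connected = ipaddress.ip_interface(f"{outside_ip}/{prefix_len}").network
    if ipaddress.ip_address(dst) in connected:
        return "arp-direct"
    return f"via {gateway}"


def compare_masks(destinations, outside_ip=OUTSIDE_IP, gateway=GATEWAY):
    """Map each destination to its next hop under the wrong /8 and the correct /27."""
    return {
        dst: {
            "/8": next_hop(outside_ip, 8, dst, gateway),
            "/27": next_hop(outside_ip, 27, dst, gateway),
        }
        for dst in destinations
    }


if __name__ == "__main__":
    # Constructed: a neighbour in our /27, a peer elsewhere in the ISP's /8
    # (an Exchange server on the same ISP), and an unrelated Internet host.
    sample = ["198.51.100.40", "198.60.7.25", "203.0.113.9"]
    for dst, hops in compare_masks(sample).items():
        print(f"{dst:15} /8 -> {hops['/8']:20} /27 -> {hops['/27']}")
```

Under the /8 the same-ISP peer is ARPed for directly, nobody on the segment answers, and both outbound packets and the SYN-ACKs for inbound SMTP silently die, which matches the "goes to nowhere" symptom while unrelated sites keep working.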

Hello Carlo,

Glad to hear that it is up and running.

Please mark the question as answered so future users can learn from this.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, actually I think I'm not out of the woods yet. One of my users says a customer can't send us email; we can send to them fine, I see it go out on the Exchange console queue, but incoming somehow just goes to nowhere. There are no logs indicating an error or an NDR to the sender. They wanted to put back the old firewall, but most of our emails in and out are OK, it's just one customer. I tested for a PTR record and some of the free DNS tools come out OK; there's one place that says our PTR fails, but it's only one place. I'm stumped, it all seems to happen after the new firewall.

update - looks like it's back to normal again after I redid my DNS ACL. I added a group object for DNS tcp-udp instead of just tcp, and mail seems to flow again.
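The posted ACL_OUT only has `permit tcp any object-group DNS-SERVERS eq domain`, so an inbound UDP/53 query hits the implicit deny at the end of the list, while the ASA's TCPUDP protocol group already exists to cover both transports. The small first-match evaluator below is added here (not from the thread) to show how that one line decides the outcome; the `FIXED` line is one way to express the tcp-udp rule the poster describes, and the 192.0.2.x addresses are constructed stand-ins for the masked 208.x.x.x DNS servers.

```python
# Constructed stand-ins for the DNS-SERVERS group and the TCPUDP protocol
# group from the posted config; only the tokens used by ACL_OUT are handled.
NET_GROUPS = {"DNS-SERVERS": {"192.0.2.12", "192.0.2.5"}}
PROTO_GROUPS = {"TCPUDP": {"tcp", "udp"}}
PORTS = {"domain": 53, "www": 80, "smtp": 25}


def parse_rule(line):
    """Parse one 'access-list NAME extended <action> ...' line into a dict."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    action, i = tok[3], 4
    if tok[i] == "object-group":          # protocol object-group
        protos, i = PROTO_GROUPS[tok[i + 1]], i + 2
    else:
        protos, i = {tok[i]}, i + 1
    _src, i = tok[i], i + 1               # only 'any' as source is modelled
    if tok[i] == "host":
        dsts, i = {tok[i + 1]}, i + 2
    elif tok[i] == "object-group":
        dsts, i = NET_GROUPS[tok[i + 1]], i + 2
    else:                                 # 'any' destination
        dsts, i = None, i + 1
    port = PORTS[tok[i + 1]] if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "protos": protos, "dsts": dsts, "port": port}


def evaluate(acl_lines, proto, dst, dport):
    """First matching entry wins; the ASA ends every ACL with an implicit deny."""
    for r in map(parse_rule, acl_lines):
        if (proto in r["protos"]
                and (r["dsts"] is None or dst in r["dsts"])
                and (r["port"] is None or r["port"] == dport)):
            return r["action"]
    return "deny"


ORIGINAL = ["access-list ACL_OUT extended permit tcp any object-group DNS-SERVERS eq domain"]
FIXED = ["access-list ACL_OUT extended permit object-group TCPUDP any object-group DNS-SERVERS eq domain"]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        for proto in ("udp", "tcp"):
            print(name, proto, "53 ->", evaluate(acl, proto, "192.0.2.12", 53))
```

Large responses and zone transfers use TCP/53, but ordinary queries arrive over UDP, so the original rule let the mail host resolve some names and not others, which is why the symptom looked DNS-related and affected only some senders.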
