Hi, I followed your instructions but it does not make a difference. Still get

TCP access denied by ACL from 86.xx.xx.xx/25434 to outside 62.xx.xx.xx/443

Any suggestions left? Below the config which is active now (to make sure that i did not make a mistake following your instructions)

Thanks!

: Saved

:

ASA Version 8.3(1)

!

hostname asa2

enable password i9.yhWTfK7AnxZ5r encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.131.8 sbs

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.131.152 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.xx.5 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.131.128_25

subnet 192.168.131.128 255.255.255.128

object network exchange

host 192.168.131.8

object service https

service tcp source eq https destination eq https

object-group service owa tcp

port-object eq https

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq https

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq smtp

access-list outside_access_in extended permit tcp any host 192.168.131.8 eq 987

access-list inside_access_out extended permit ip any any

access-list global_access extended permit ip any any inactive

access-list inside_access_in extended permit ip any any

access-list outside_access_out extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool mediostpool 192.168.131.180-192.168.131.199 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

!

object network obj_any

nat (inside,outside) dynamic interface

object network exchange

nat (inside,outside) static interface service tcp https https

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

access-group global_access global

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.131.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.131.156-192.168.131.187 inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy vpn internal

group-policy vpn attributes

vpn-tunnel-protocol IPSec

username Anton password jRVOT3qxuT/xdrp5 encrypted privilege 0

username Anton attributes

vpn-group-policy vpn

tunnel-group vpn type remote-access

tunnel-group vpn general-attributes

address-pool pool

default-group-policy vpn

tunnel-group vpn ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:53e129163a76121621f3ecb761a94331

: end

asdm location sbs 255.255.255.255 inside

no asdm history enable

Sorry i found what was wrong the NAT sequence (i think an beginner mistake ).

Now i get:

Teardown TCP connection 75321 for outside:xx.xx.xx.218/25990 to inside:sbs/443 duration 0:00:30 bytes 0 SYN Timeout

and i am not getting the OWA inlogscreen.... Any suggestions left.

Hi

Please remove this highlighted line, as it overlaps.

nat (inside,outside) source dynamic any interface

the above overlaps with below.

object network obj_any

   subnet 0.0.0.0 0.0.0.0

   nat (inside,outside) dynamic interface

Please remove this highlighted line below, as it defeats the purpose of the firewall.

access-list outside_access_in extended permit ip any any

Please copy the static nat below for smtp traffic and http, https 

object network exchange

nat (inside,outside) static interface service tcp https https

object network exchange

nat (inside,outside) static interface service tcp http http

object network exchange

nat (inside,outside) static interface service tcp smtp smtp

FYI...

You do not need these lines at all.

access-group outside_access_out out interface outside

access-group inside_access_out out interface inside

Please follow the link below, if you like to reference Cisco doc.

https://supportforums.cisco.com/docs/DOC-9129

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Let me know, if this helps.

thakns

Hi Rizwan,

I added this NAT rule

object network server2

host 192.168.131.8

nat (inside,outside) static interface service tcp 443 443

and try to cleanup the code.

But i still get the

Teardown TCP connection 81475 for outside:xx.xx.x.xx5/38666 to inside:192.168.131.8/443 duration 0:00:30 bytes 0 SYN Timeout

Could it be the reason that i have 2 asa's in the network and that the small business server not have this asa as standard gateway?

Thanks!

For your info the code below

: Saved
:
ASA Version 8.3(1)
!
hostname asa2
enable password i9.yhWTfK7AnxZ5r encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.131.152 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.5 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.131.128_25
subnet 192.168.131.128 255.255.255.128
object service https
service tcp source eq https destination eq https
object network server
host 192.168.181.8
object network server2
host 192.168.131.8
object-group service owa tcp
port-object eq https
access-list outside_access_in extended permit tcp any object server2 eq https
access-list outside_access_in extended permit tcp any object server2 eq smtp
access-list outside_access_in extended permit tcp any object server2 eq 987
access-list inside_access_out extended permit ip any any
access-list global_access extended permit ip any any inactive
access-list inside_access_in extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 192.168.131.180-192.168.131.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network server2
nat (inside,outside) static interface service tcp https https
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.131.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.131.156-192.168.131.187 inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
username Anton password jRVOT3qxuT/xdrp5 encrypted privilege 0
username Anton attributes
vpn-group-policy vpn
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
address-pool pool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:490c669c4f87ad54edd0c4da0170d052
: end
no asdm history enable

"Could  it be the reason that i have 2 asa's in the network and that the  small  business server not have this asa as standard gateway?"

In a large enterprise environment, no devices (i.e. servers) use firewall as a default-gateway address, as long as inter-vlan traffic is routed by a layer3 switch or router.

Please post a diagram of your physical connection and the devices in between and device type (i.e. layer2 or layer3) and default gateway pointed on devices (switches) and servers.

For third time I am telling you do not need these lines at all.

access-group outside_access_out out interface outside

access-group inside_access_out out interface inside

thanks.

Hi Rizwan,

It is just for a small company having currently 2 internetlines. The second asa (asa2) is added to the network and that is the one i am trying to configure. When all items working smootly the asa1 will be deleted from the network. See the network schema attached.

Thank you Rizwan. I will change the default gateway tommorrow and let you know if it worked out.

Regards,

Arnold

Hi Arnold,

Please update the thread, in any case if this issue has been resolved please rate helpful post.

thanks

Rizwan Rafeek