Cisco ASA 5505 Issues with VPN and SMTP

rajesh.yadla
Level 1

Hi everyone,

This is my first post in CSC. I have two issues with the ASA 5505. I have configured the ASA to use Easy VPN (ASA as RA server). Users are able to connect to the VPN without any issue and there are no disconnections with the VPN. But when the users try to RDP to the server, it connects and disconnects as soon as they log in. Sometimes it connects for 2 mins, then it fades out for some time, then it reconnects again. I guess I have given correct access-lists. Please find the running configuration below.

2) We have an email server in the DMZ zone, and its users are able to connect to the email server and they can see the emails. But when they try to send any emails, they just get stuck in the email server queue and do not get delivered to the destination.

Could someone look into these issues and please help me to fix them. I really appreciate your help on this. Please find the running configuration below:

ASA Version 7.2(3)
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address intinside 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outside-Network 255.255.255.248
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 switchport access vlan 3
 shutdown
!
ftp mode passive
clock timezone clt -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name div-dmz-ent.com
dns server-group defaultdns
 name-server 4.4.4.4
dns-group defaultdns
same-security-traffic permit intra-interface
object-group network Email
 network-object host Barracuda
object-group service TcprestrictedserviceGroup tcp
 description TCp Restricted Service Group
 port-object eq aol
 port-object eq daytime
 port-object eq echo
 port-object eq exec
 port-object eq finger
 port-object eq gopher
 port-object eq hostname
 port-object eq ident
 port-object eq kshell
 port-object eq ldap
 port-object eq ldaps
 port-object eq lotusnotes
 port-object eq pcanywhere-data
 port-object eq pim-auto-rp
 port-object eq pop2
 port-object eq pop3
 port-object eq pptp
 port-object eq tacacs
 port-object eq talk
 port-object eq whois
object-group service Agility tcp
 description Agility RDP Group
 port-object range 3389 3389
object-group network AgilityRemote
 description AgilityRemote
 network-object host AgilityChicago
object-group network JohnDev
 description JohnDev
 network-object host JohnDev
object-group network JohnHome
 description JohnHome
 network-object JohnHome 255.255.255.0
object-group network HPnetwork
 description HP internal network
 network-object 192.168.1.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service SqlServer tcp
 description Sql Server
 port-object range 1433 1434
access-list dmz_access_in extended permit ip any host ExternalWeb
access-list dmz_access_in extended permit ip any host ExternalMail
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host OutsideWebAddress eq www
access-list outside_access_in extended permit tcp any host OutsideWebAddress eq https
access-list outside_access_in extended permit tcp any host OutsideMailAddress eq www
access-list outside_access_in extended permit tcp any host OutsideMailAddress eq https
access-list outside_access_in extended permit ip any host Outside-Network
access-list outside_access_in extended permit tcp Reflectionip1 255.255.255.224 host OutsideMailAddress eq pop3
access-list outside_access_in extended permit tcp Reflectionip2 255.255.255.224 host OutsideMailAddress eq smtp
access-list outside_access_in extended permit tcp Reflectionip2 255.255.255.224 host OutsideMailAddress eq pop3
access-list outside_access_in extended permit tcp 69.84.129.224 255.255.255.224 host OutsideMailAddress eq 587
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit name Dave attack action alarm drop
ip audit interface outside Dave
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.35.0 255.255.255.0
static (dmz,outside) OutsideWebAddress ExternalWeb netmask 255.255.255.255
static (dmz,outside) OutsideMailAddress ExternalMail netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route dmz ExternalMail 255.255.255.255 OutsideMailAddress 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRST esp-3des esp-sha-hmac
crypto dynamic-map RVPN-MAP 10 set transform-set TRST
crypto dynamic-map RVPN-MAP 10 set reverse-route
crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP
crypto map DIV-MAP 20 match address S2S
crypto map DIV-MAP 20 set peer 99.76.209.61
crypto map DIV-MAP 20 set transform-set TRST
crypto map DIV-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 25
telnet 192.168.35.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map class_rsh
 match port tcp eq exec
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 ras
  inspect http
  inspect rtsp
  inspect skinny
  inspect tftp
  inspect h323 h225
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
 class class_rsh
  inspect rsh
prompt hostname context

5 Replies

Jennifer Halim
Cisco Employee

1) RDP issue:

Try to lower the MSS value:

sysopt connection tcpmss 1300

2) Email issue:

This is an incorrect route; please remove it:

route dmz ExternalMail 255.255.255.255 OutsideMailAddress 1

The following is also incorrect:

access-list dmz_access_in extended permit ip any host ExternalWeb

access-list dmz_access_in extended permit ip any host ExternalMail

It should be as follows:

access-list dmz_access_in extended permit ip host ExternalWeb any

access-list dmz_access_in extended permit ip host ExternalMail any

Because you are applying it to the DMZ interface, the ACL should have a source of the DMZ subnet/host towards the Internet to allow traffic from the DMZ going outbound.
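The DMZ ACL direction point above, as an added check (example code, not from the thread or Cisco): a small linter that parses pre-8.3 interface, access-list and access-group lines and flags every ACE in an inbound ACL on a stub interface whose source is not on that interface's connected subnet. The ExternalWeb/ExternalMail addresses are constructed placeholders, since the thread redacts them; the corrected ACEs from the reply produce no findings.

```python
"""Added example, not from the thread: lint an inbound ASA ACL's sources against
the subnet of a stub interface (one with only its connected subnet behind it, like
the 5505's DMZ). Pre-8.3 ACL syntax, as in the posted config."""
import ipaddress

# ExternalWeb/ExternalMail are redacted in the thread; constructed placeholders inside 192.168.50.0/24.
NAMES = {"ExternalWeb": "192.168.50.10", "ExternalMail": "192.168.50.20"}
ORIGINAL = """\
interface Vlan3
 nameif dmz
 ip address 192.168.50.1 255.255.255.0
access-list dmz_access_in extended permit ip any host ExternalWeb
access-list dmz_access_in extended permit ip any host ExternalMail
access-group dmz_access_in in interface dmz
"""
# The corrected ACEs from the reply: DMZ host as source, Internet as destination.
FIXED = (ORIGINAL.replace("ip any host ExternalWeb", "ip host ExternalWeb any")
                 .replace("ip any host ExternalMail", "ip host ExternalMail any"))

def _addr(tokens):
    """Consume one ACE address spec: 'any' -> None, 'host X', or 'NET MASK'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1])), tokens[2:]
    net = ipaddress.ip_network(f"{NAMES.get(tokens[0], tokens[0])}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def lint(config, stub_interfaces=("dmz",)):
    subnets, acls, groups, cur = {}, {}, {}, None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] == "interface":
            cur = None                        # new block; wait for its nameif
        elif t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur:
            subnets[cur] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2] == "extended":
            src, rest = _addr(t[5:])          # t[3] permit/deny, t[4] protocol
            acls.setdefault(t[1], []).append((" ".join(t), src, _addr(rest)[0]))
        elif t[0] == "access-group" and t[2] == "in":
            groups[t[1]] = t[4]
    findings = []
    for acl, iface in groups.items():
        if iface not in stub_interfaces or iface not in subnets:
            continue  # outside/transit interfaces legitimately see foreign sources
        for text, src, _dst in acls.get(acl, []):
            if src is None or not src.subnet_of(subnets[iface]):
                findings.append(f"{iface}: source {'any' if src is None else src} cannot arrive inbound on {subnets[iface]}: {text}")
    return findings
```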

Hi Jennifer,

Thank you for your response. I have changed the settings that you provided. Now I am able to receive emails. But for some reason, when I try to reply to the emails, the emails are not getting delivered. I am able to receive emails but not able to send replies.

Regards,

Rajesh.Yadla

I believe that you have a Barracuda server to filter spam.

Can you please advise where it is actually failing when trying to send a reply?

Here is my understanding of the email flow when you send a reply:

Host --> send to internal mail server --> Barracuda --> external mail server

Can you please check at which step on the above flow, it's failing?

Sorry for the late reply.

When users are trying to access the email server, it will be redirected to the 3rd party Reflections server for spam filtering and then come to the actual server in the DMZ zone. The Barracuda is no longer in the network; we have removed it.

Emails are getting delivered to the users. But when they try to reply to any mail, it is not working.

Hi,

This issue has been fixed. We searched and came to know that the SMTP functions do not work 100% when we keep the mail server in the DMZ. We have moved the mail server to the inside network and everything seems to be working fine.