07-15-2011 11:16 AM
Hi everyone,
This is my first post in CSC. I have two issues with an ASA 5505. 1) I have configured the ASA to use Easy VPN (the ASA as the RA server). Users are able to connect to the VPN without any issue and there are no VPN disconnections. But when the users try to RDP to the server, it connects and disconnects as soon as they log in. Sometimes it connects for 2 minutes, then fades out for some time, then reconnects again. I guess I have given the correct access-lists. Please find the running configuration below.
2) We have an email server in the DMZ zone. Users are able to connect to the email server and they can see their emails. But when they try to send any emails, they just get stuck in the email server queue and are not delivered to the destination.
Could someone look into these issues and please help me fix them? I really appreciate your help on this. Please find the running configuration below:
ASA Version 7.2(3)
!
!
interface Vlan1
nameif inside
security-level 100
ip address intinside 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address Outside-Network 255.255.255.248
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.50.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
interface Ethernet0/4
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 3
shutdown
!
ftp mode passive
clock timezone clt -6
clock summer-time CDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
domain-name div-dmz-ent.com
dns server-group defaultdns
name-server 4.4.4.4
dns-group defaultdns
same-security-traffic permit intra-interface
object-group network Email
network-object host Barracuda
object-group service TcprestrictedserviceGroup tcp
description TCp Restricted Service Group
port-object eq aol
port-object eq daytime
port-object eq echo
port-object eq exec
port-object eq finger
port-object eq gopher
port-object eq hostname
port-object eq ident
port-object eq kshell
port-object eq ldap
port-object eq ldaps
port-object eq lotusnotes
port-object eq pcanywhere-data
port-object eq pim-auto-rp
port-object eq pop2
port-object eq pop3
port-object eq pptp
port-object eq tacacs
port-object eq talk
port-object eq whois
object-group service Agility tcp
description Agility RDP Group
port-object range 3389 3389
object-group network AgilityRemote
description AgilityRemote
network-object host AgilityChicago
object-group network JohnDev
description JohnDev
network-object host JohnDev
object-group network JohnHome
description JohnHome
network-object JohnHome 255.255.255.0
object-group network HPnetwork
description HP internal network
network-object 192.168.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SqlServer tcp
description Sql Server
port-object range 1433 1434
access-list dmz_access_in extended permit ip any host ExternalWeb
access-list dmz_access_in extended permit ip any host ExternalMail
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host OutsideWebAddress eq www
access-list outside_access_in extended permit tcp any host OutsideWebAddress eq https
access-list outside_access_in extended permit tcp any host OutsideMailAddress eq www
access-list outside_access_in extended permit tcp any host OutsideMailAddress eq https
access-list outside_access_in extended permit ip any host Outside-Network
access-list outside_access_in extended permit tcp Reflectionip1 255.255.255.224 host OutsideMailAddress eq pop3
access-list outside_access_in extended permit tcp Reflectionip2 255.255.255.224 host OutsideMailAddress eq smtp
access-list outside_access_in extended permit tcp Reflectionip2 255.255.255.224 host OutsideMailAddress eq pop3
access-list outside_access_in extended permit tcp 69.84.129.224 255.255.255.224 host OutsideMailAddress eq 587
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip audit name Dave attack action alarm drop
ip audit interface outside Dave
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.35.0 255.255.255.0
static (dmz,outside) OutsideWebAddress ExternalWeb netmask 255.255.255.255
static (dmz,outside) OutsideMailAddress ExternalMail netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route dmz ExternalMail 255.255.255.255 OutsideMailAddress 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRST esp-3des esp-sha-hmac
crypto dynamic-map RVPN-MAP 10 set transform-set TRST
crypto dynamic-map RVPN-MAP 10 set reverse-route
crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP
crypto map DIV-MAP 20 match address S2S
crypto map DIV-MAP 20 set peer 99.76.209.61
crypto map DIV-MAP 20 set transform-set TRST
crypto map DIV-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-session-limit 25
telnet 192.168.35.0 255.255.255.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
!
class-map class_rsh
match port tcp eq exec
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 ras
inspect http
inspect rtsp
inspect skinny
inspect tftp
inspect h323 h225
inspect rsh
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
class class_rsh
inspect rsh
prompt hostname context
07-16-2011 05:51 AM
1) RDP issue:
Try to lower the MSS value:
sysopt connection tcpmss 1300
2) Email issue:
This is incorrect route, please remove it:
route dmz ExternalMail 255.255.255.255 OutsideMailAddress 1
The following is also incorrect:
access-list dmz_access_in extended permit ip any host ExternalWeb
access-list dmz_access_in extended permit ip any host ExternalMail
It should be as follows:
access-list dmz_access_in extended permit ip host ExternalWeb any
access-list dmz_access_in extended permit ip host ExternalMail any
Because you are applying it to the DMZ interface, the ACL should have source of the DMZ subnet/host towards the Internet to allow traffic from DMZ going outbound.
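The MSS suggestion above can be checked with a little arithmetic. The following is an added example, not code from the thread: it computes the on-the-wire size of a tunnel-mode ESP packet for the transform-set in the posted config (esp-3des esp-sha-hmac: 8-byte IV and 8-byte cipher block per RFC 2451, 12-byte HMAC-SHA-1-96 ICV per RFC 2404) with NAT-T UDP encapsulation, and finds the largest TCP MSS that still fits a given outer MTU. The path MTU values other than 1500 are assumptions chosen to illustrate why clamping below the ASA default of 1380 can help when something along the path shrinks the MTU.

```python
# Added example: ESP tunnel-mode overhead vs. TCP MSS for the ASA's
# esp-3des esp-sha-hmac transform-set. Not part of the original thread.
OUTER_IP = 20        # outer IPv4 header added by tunnel mode
NAT_T_UDP = 8        # UDP/4500 header when NAT traversal is in use
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
INNER_IP = 20        # the client's original IPv4 header
TCP_HDR = 20         # TCP header without options


def esp_packet_size(tcp_payload, iv_len=8, block=8, icv_len=12, nat_t=True):
    """Total bytes on the wire for one ESP packet carrying a TCP segment
    with `tcp_payload` bytes of data.  Defaults model 3DES-CBC + SHA-1-96."""
    plaintext = INNER_IP + TCP_HDR + tcp_payload + ESP_TRAILER
    pad = (-plaintext) % block            # CBC padding up to the block size
    encrypted = plaintext + pad
    return (OUTER_IP + (NAT_T_UDP if nat_t else 0)
            + ESP_HDR + iv_len + encrypted + icv_len)


def fits(mss, mtu=1500, **kw):
    """True if a full-size segment with this MSS survives the outer MTU
    without IP fragmentation."""
    return esp_packet_size(mss, **kw) <= mtu


def max_mss_for_mtu(mtu=1500, **kw):
    """Largest MSS whose encapsulated packet fits the given outer MTU."""
    mss = mtu
    while mss > 0 and not fits(mss, mtu, **kw):
        mss -= 1
    return mss


if __name__ == "__main__":
    print("max MSS over 1500-byte path with NAT-T:", max_mss_for_mtu())
    for mss in (1460, 1380, 1300):
        print(f"MSS {mss}: fits 1500 path={fits(mss)}  "
              f"fits assumed 1400 path={fits(mss, mtu=1400)}")
```

The plain Ethernet default of 1460 does not fit once ESP and NAT-T are added, which is why the ASA clamps to 1380 by default; 1380 fits a clean 1500-byte path, but on an assumed 1400-byte path only the 1300 setting still avoids fragmentation.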
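To make the ACL direction point concrete, here is an added example (not code from the thread or from Cisco) that parses ASA-style extended ACL lines and evaluates a flow against them the way an ACL applied with `access-group ... in interface dmz` is evaluated: first match wins, and an applied ACL ends in an implicit deny. The addresses behind the sanitized names `ExternalMail` and `ExternalWeb`, and the remote MX and client addresses, are constructed for the example.

```python
# Added example: why `permit ip any host ExternalMail` on the inbound DMZ ACL
# never matches mail leaving the DMZ. Not part of the original thread.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the sanitized names in the posted config.
NAMES = {"ExternalWeb": "192.168.50.20", "ExternalMail": "192.168.50.10"}
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "pop3": 110}

ORIGINAL_DMZ_ACL = """
access-list dmz_access_in extended permit ip any host ExternalWeb
access-list dmz_access_in extended permit ip any host ExternalMail
"""
FIXED_DMZ_ACL = """
access-list dmz_access_in extended permit ip host ExternalWeb any
access-list dmz_access_in extended permit ip host ExternalMail any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(t, i):
    """Parse `any`, `host X`, or `X MASK` at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(NAMES.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    net = ipaddress.IPv4Network((NAMES.get(t[i], t[i]), t[i + 1]), strict=False)
    return net, i + 2


def parse_acl(text):
    """Return {acl_name: [Ace, ...]} from `access-list NAME extended ...` lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, dport))
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation with the ASA's implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"


def outbound_smtp_verdict(acl_text):
    """Mail server in the DMZ sending to a constructed remote MX on tcp/25.
    This is the direction dmz_access_in actually sees."""
    aces = parse_acl(acl_text)["dmz_access_in"]
    return evaluate(aces, "tcp", NAMES["ExternalMail"], "203.0.113.25", 25)


def inbound_smtp_verdict(acl_text):
    """Internet host to the mail server. The original lines match this, but an
    ACL applied `in` on the dmz interface is never consulted for it."""
    aces = parse_acl(acl_text)["dmz_access_in"]
    return evaluate(aces, "tcp", "198.51.100.7", NAMES["ExternalMail"], 25)


if __name__ == "__main__":
    print("original, DMZ -> Internet SMTP:", outbound_smtp_verdict(ORIGINAL_DMZ_ACL))
    print("fixed,    DMZ -> Internet SMTP:", outbound_smtp_verdict(FIXED_DMZ_ACL))
    print("original, Internet -> DMZ SMTP:", inbound_smtp_verdict(ORIGINAL_DMZ_ACL))
```

The original lines look permissive, but they describe traffic toward the DMZ hosts, which enters the ASA on the outside interface and is governed by `outside_access_in`; everything the DMZ hosts send out hits the implicit deny. Swapping source and destination makes the DMZ hosts the source, which is the only thing an inbound DMZ ACL can match.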
07-19-2011 01:11 PM
Hi Jennifer,
Thank you for your response. I have changed the settings that you provided. Now I am able to receive emails. But for some reason, when I try to reply to the emails, the emails are not getting delivered. I am able to receive emails but not able to send a reply.
Regards,
Rajesh.Yadla
07-20-2011 01:28 AM
I believe that you have a Barracuda server to filter spam.
Can you please advise where it is actually failing when you try to send a reply?
Here is my understanding of the email flow when you send a reply:
Host --> internal mail server --> Barracuda --> external mail server
Can you please check at which step in the above flow it is failing?
07-22-2011 12:57 PM
Sorry for the late reply.
When users try to access the email server, it is redirected to the third-party Reflections server for spam filtering and then comes to the actual server in the DMZ zone. The Barracuda is no longer in the network; we have removed it.
Emails are getting delivered to the users. But when they try to reply to any mail, it is not working.
07-26-2011 02:41 PM
Hi,
This issue has been fixed. We searched and came to know that the SMTP functions do not work 100% when we keep the mail server in the DMZ. We have moved the mail server to the inside network and everything seems to be working fine.