Need help with a couple of things on an ASA 5505
kmcintosh78
Member Posts: 195
So, I have had some ongoing issues with this specific ASA 5505, version 8.0(2).
I for the life of me can't ping from any inside device out to the internet. I can ping from PC/Switch to the firewall and vice versa.
The firewall can ping out to the internet as well and ping from the firewall to the switch.
The ICMP settings are default, and include permit Any/Any inside and outside.
Also, the reason this issue came to light was that a Xerox Printer/Copier/Scanner can't go from scan to email.
All of the SMTP info is input correctly, mirroring that of other sites I manage with a working solution. Since the firewall's not set up as restrictive in nature, there should be no issue with the connection being made.
Any help would be great.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)
Comments
aaron0011
Member Posts: 330
Make sure "icmp deny any inside" is not in your config. By default this shouldn't be there but double check for it. If you could post your config that would be helpful.
kmcintosh78
Member Posts: 195
> Make sure "icmp deny any inside" is not in your config. By default this shouldn't be there but double check for it. If you could post your config that would be helpful.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit STGeorge-Inside 255.255.255.0 inside
icmp permit any outside
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)
kmcintosh78
Member Posts: 195
ASA Version 8.0(2)
!
hostname XXXXXXXXXX
names
name x.x.x.x Sandy-Site-Outside
name 10.0.3.0 Coprt-VoIP
name 10.0.3.9 Mitel500
name 10.3.14.0 STGeorge-VoIP
name 10.1.14.0 STGeorge-Inside
name x.x.x.x STGeorge-Outside
name 10.0.0.0 Sandy-Site-Inside
name 10.1.13.24 IP-Camera
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.14.1 255.255.255.0
!
interface Vlan11
 nameif outside
 security-level 0
 ip address STGeorge-Outside 255.255.255.248
!
interface Ethernet0/0
 description Connection to XXXXXXXXXX
 switchport access vlan 11
!
interface Ethernet0/1
 description Connection to Switch
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
boot system disk0:/asa802-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service IP-Camera
 service-object tcp eq 8090
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip STGeorge-Inside 255.255.255.0 STGeorge-VoIP 255.255.255.0
access-list inside_access_in extended permit ip STGeorge-VoIP 255.255.255.0 STGeorge-Inside 255.255.255.0
access-list inside_access_in extended permit ip STGeorge-VoIP 255.255.255.0 Coprt-VoIP 255.255.255.0
access-list inside_access_in extended permit ip Coprt-VoIP 255.255.255.0 STGeorge-VoIP 255.255.255.0
access-list inside_access_in extended permit ip host IP-Camera any
access-list inside_access_in extended permit tcp STGeorge-Inside 255.255.255.0 host x.x.x.x eq smtp
access-list outside_access_in extended permit ip host Sandy-Site-Outside host STGeorge-Outside
access-list outside_access_in extended permit ip host STGeorge-Outside host Sandy-Site-Outside
access-list outside_access_in extended permit tcp host x.x.x.x host STGeorge-Outside eq smtp inactive
access-list inside_nat0_outbound extended permit ip STGeorge-Inside 255.255.255.0 Sandy-Site-Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip any STGeorge-Inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip STGeorge-VoIP 255.255.255.0 Coprt-VoIP 255.255.255.0
access-list outside_1_cryptomap extended permit ip STGeorge-VoIP 255.255.255.0 Coprt-VoIP 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit STGeorge-Inside 255.255.255.0 inside
icmp permit any outside
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside STGeorge-VoIP 255.255.255.0 10.1.14.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Sandy-Site-Outside
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:
: end
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)
dover
Member Posts: 184
I'm not going to pretend to know your setup or topology and some things in the config are confusing to me but if you want to allow pings try this....
Add ICMP inspection to your ASA global_policy
Type this into your config:
policy-map global_policy
 class inspection_default
  inspect icmp
Your pings to the outside world should work.
As for your SMTP troubles...can you try to telnet from an inside host to port 25 of your SMTP server?
Is your SMTP server at one of your VPN sites that has a NAT0 entry or is it an outside address of some sort?
I see an inbound (to the outside interface) smtp rule that is inactive?
access-list outside_access_in extended permit tcp host x.x.x.x host STGeorge-Outside eq smtp inactive
I can look at it more closely later and maybe lab it up.
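An added example, not from this thread and not Cisco's own tooling, that turns the two checks raised above into a script: aaron0011's "rule out an icmp deny line" and dover's "is inspect icmp present under global_policy / inspection_default" (it can also insert that line). Because the posted config also contains "http 0.0.0.0 0.0.0.0 outside", the audit flags management access that is open to any source on the outside interface as well. The sample config is constructed to mirror the relevant lines of the posted one, with the one-space sub-mode indentation a real pre-8.3 "show running-config" carries; the function names are my own.

```python
import re

# Constructed sample: the lines of the posted config that matter for this thread,
# with the one-space sub-mode indentation a real 'show running-config' carries.
SAMPLE_CONFIG = """\
ASA Version 8.0(2)
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
!
service-policy global_policy global
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_policy_maps(config):
    """Map policy-map name -> {class name: [inspected protocols]}.

    Nesting is recovered from indentation ('policy-map' at column 0, ' class'
    one space in, '  inspect' two in); any column-0 line, '!' included, ends
    the current policy-map. 'policy-map type inspect ...' lines are skipped.
    """
    pmaps, pmap, cls = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        depth = _indent(line)
        if depth == 0:
            pmap = cls = None
            if words[0] == "policy-map" and len(words) == 2:
                pmap = words[1]
                pmaps.setdefault(pmap, {})
        elif pmap and depth == 1 and words[0] == "class":
            cls = words[1]
            pmaps[pmap].setdefault(cls, [])
        elif pmap and cls and depth >= 2 and words[0] == "inspect":
            pmaps[pmap][cls].append(words[1])
    return pmaps


def icmp_inspection_enabled(config, policy="global_policy", cls="inspection_default"):
    return "icmp" in parse_policy_maps(config).get(policy, {}).get(cls, [])


def icmp_deny_lines(config):
    """Explicit 'icmp deny ...' entries, the line aaron0011 asks to rule out."""
    return [l.strip() for l in config.splitlines() if re.match(r"icmp\s+deny\b", l.strip())]


def open_management_lines(config, interface):
    """http/ssh/telnet statements admitting any source (0.0.0.0 0.0.0.0) on an interface."""
    pat = re.compile(r"^(http|ssh|telnet)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)$")
    hits = [pat.match(l.strip()) for l in config.splitlines()]
    return [m.group(0) for m in hits if m and m.group(2) == interface]


def add_icmp_inspection(config, policy="global_policy", cls="inspection_default"):
    """Return config with '  inspect icmp' under the class, as dover's reply does.

    Order of 'inspect' lines within a class does not matter, so the line goes
    directly under the 'class' statement; an already-enabled config is returned as is.
    """
    if icmp_inspection_enabled(config, policy, cls):
        return config
    out, pmap = [], None
    for line in config.splitlines():
        out.append(line)
        words = line.split()
        if _indent(line) == 0:
            pmap = words[1] if len(words) == 2 and words[0] == "policy-map" else None
        elif pmap == policy and _indent(line) == 1 and words[:2] == ["class", cls]:
            out.append("  inspect icmp")
    return "\n".join(out) + "\n"


def audit(config):
    """Findings to settle before chasing the ping or SMTP symptom further."""
    findings = []
    if not icmp_inspection_enabled(config):
        findings.append("no 'inspect icmp' in global_policy/inspection_default: ICMP is not "
                        "tracked statefully, so echo replies from outside hit the outside ACL")
    findings += ["explicit ICMP deny present: " + l for l in icmp_deny_lines(config)]
    findings += ["management open to any source on outside: " + l
                 for l in open_management_lines(config, "outside")]
    return findings
```

Run audit() on the text of a "show running-config" and add_icmp_inspection() gives back the same text with the one line dover suggests inserted; on the sample above the audit reports the missing ICMP inspection and the outside HTTP line, and nothing about an icmp deny.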
kmcintosh78
Member Posts: 195
That worked for Pings.
Now, I just need to get this SMTP issue resolved.
I confirmed that Putty will connect to the SMTP server we contract with, over both port 25 and 2525. I also confirmed now that the internal switch can ping to the SMTP server sourcing the Data Vlan1.
Got logging running and trying to get someone to do a test scan to email.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)
xXErebuS
Member Posts: 230
Looks like this is a pre-8.3 ASA. Try adding "no nat-control" or make sure your copier NATs correctly when you're trying to scan to email.
Is the email server on a DMZ link?
kmcintosh78
Member Posts: 195
Thanks for all of the input. I have since corrected the issue.
Thanks again.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)