Need help with a couple of things on an ASA 5505

kmcintosh78 Member Posts: 195
So, I have had some ongoing issues with this specific ASA 5505, version 8.0(2).
I for the life of me can't ping from any inside device out to the internet. I can ping from PC/Switch to the firewall and vice versa.
The firewall can ping out to the internet as well and ping from the firewall to the switch.
The ICMP settings are default, and include permit Any/Any inside and outside.

Also, the reason this issue came to light, was a Xerox Printer/Copier/Scanner can't go from scan to email.
All of the SMTP info is input correctly, mirroring that of other sites I manage with a working solution. Since the firewall's not set up as restrictive in nature, there should be no issue with the connection being made.


Any help would be great.
What I am working on
CCNP Route (Currently) 80% done
CCNP Switch (Next Year)
CCNP TShoot (Next Year)

Comments

  • aaron0011 Member Posts: 330
    Make sure icmp deny any inside is not in your config. By default this shouldn't be there, but double check for it. If you could post your config that would be helpful.
  • kmcintosh78 Member Posts: 195
    aaron0011 wrote: »
    Make sure icmp deny any inside is not in your config. By default this shouldn't be there, but double check for it. If you could post your config that would be helpful.

    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit STGeorge-Inside 255.255.255.0 inside
    icmp permit any outside
  • kmcintosh78 Member Posts: 195
    ASA Version 8.0(2)
    !
    hostname XXXXXXXXXX

    names
    name x.x.x.x Sandy-Site-Outside
    name 10.0.3.0 Coprt-VoIP
    name 10.0.3.9 Mitel500
    name 10.3.14.0 STGeorge-VoIP
    name 10.1.14.0 STGeorge-Inside
    name x.x.x.x STGeorge-Outside
    name 10.0.0.0 Sandy-Site-Inside
    name 10.1.13.24 IP-Camera
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.14.1 255.255.255.0
    !
    interface Vlan11
    nameif outside
    security-level 0
    ip address STGeorge-Outside 255.255.255.248
    !
    interface Ethernet0/0
    description Connection to XXXXXXXXXX
    switchport access vlan 11
    !
    interface Ethernet0/1
    description Connection to Switch
    speed 100
    duplex full
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !

    boot system disk0:/asa802-k8.bin
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service IP-Camera
    service-object tcp eq 8090
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip STGeorge-Inside 255.255.255.0 STGeorge-VoIP 255.255.255.0
    access-list inside_access_in extended permit ip STGeorge-VoIP 255.255.255.0 STGeorge-Inside 255.255.255.0
    access-list inside_access_in extended permit ip STGeorge-VoIP 255.255.255.0 Coprt-VoIP 255.255.255.0
    access-list inside_access_in extended permit ip Coprt-VoIP 255.255.255.0 STGeorge-VoIP 255.255.255.0
    access-list inside_access_in extended permit ip host IP-Camera any
    access-list inside_access_in extended permit tcp STGeorge-Inside 255.255.255.0 host x.x.x.x eq smtp
    access-list outside_access_in extended permit ip host Sandy-Site-Outside host STGeorge-Outside
    access-list outside_access_in extended permit ip host STGeorge-Outside host Sandy-Site-Outside
    access-list outside_access_in extended permit tcp host x.x.x.x host STGeorge-Outside eq smtp inactive
    access-list inside_nat0_outbound extended permit ip STGeorge-Inside 255.255.255.0 Sandy-Site-Inside 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any STGeorge-Inside 255.255.255.0
    access-list inside_nat0_outbound extended permit ip STGeorge-VoIP 255.255.255.0 Coprt-VoIP 255.255.255.0
    access-list outside_1_cryptomap extended permit ip STGeorge-VoIP 255.255.255.0 Coprt-VoIP 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit STGeorge-Inside 255.255.255.0 inside
    icmp permit any outside
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    route inside STGeorge-VoIP 255.255.255.0 10.1.14.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer Sandy-Site-Outside
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    message-length maximum client auto
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global

    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:
    : end
  • dover Member Posts: 184
    I'm not going to pretend to know your setup or topology, and some things in the config are confusing to me, but if you want to allow pings try this:

    Add ICMP inspection to your ASA global_policy

    Type this into your config:
    policy-map global_policy
     class inspection_default
       inspect icmp
    

    Your pings to the outside world should work.

    As for your SMTP troubles...can you try to telnet from an inside host to port 25 of your SMTP server?

    Is your SMTP server at one of your VPN sites that has a NAT0 entry or is it an outside address of some sort?

    I see an inbound (to the outside interface) smtp rule that is inactive?

    access-list outside_access_in extended permit tcp host x.x.x.x host STGeorge-Outside eq smtp inactive

    I can look at it more closely later and maybe lab it up.
  • kmcintosh78 Member Posts: 195
    That worked for Pings.
    Now, I just need to get this SMTP issue resolved.

    I confirmed that PuTTY will connect to the SMTP server we contract with, over both port 25 and 2525. I also confirmed now that the internal switch can ping the SMTP server sourcing from the data VLAN (Vlan1).

    Got logging running and trying to get someone to do a test scan to email.
  • xXErebuS Member Posts: 230
    Looks like this is a pre-8.3 ASA. Try adding no nat-control, or make sure your copier NATs correctly when you're trying to scan to email.

    Is the email server on a DMZ link?
  • Kreken Member Posts: 284
    Remove inspect from esmtp and it will work.
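    The three checks raised in the replies above (aaron0011's icmp deny line, dover's missing inspect icmp, Kreken's inspect esmtp) can be automated against a pasted running-config. This is an added example, not code from the thread; SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, and the finding labels are my own.

```python
"""ASA config audit for the three checks raised in this thread.
Added example, not from the original posts; SAMPLE_CONFIG is a
constructed excerpt modelled on the posted pre-8.3 running-config."""
import re

SAMPLE_CONFIG = """\
icmp permit any inside
icmp permit any outside
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect sip
!
service-policy global_policy global
"""

def inspects_in_policy_map(config: str, name: str) -> list[str]:
    """Protocols inspected under 'policy-map <name>'. Indentation is
    unreliable in pasted configs, so the block ends at the next
    policy-map, '!' or service-policy line rather than by indent."""
    found, in_map = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            in_map = line.split()[-1] == name
        elif line == "!" or line.startswith("service-policy "):
            in_map = False
        elif in_map and line.startswith("inspect "):
            found.append(line.split()[1])
    return found

def audit(config: str) -> list[str]:
    """Findings relevant to outbound ping and scan-to-email."""
    findings = []
    if re.search(r"^\s*icmp deny any inside\s*$", config, re.M):
        findings.append("icmp-deny-inside")   # aaron0011's check
    inspected = inspects_in_policy_map(config, "global_policy")
    if "icmp" not in inspected:
        findings.append("no-inspect-icmp")    # dover's fix: echo replies are dropped
    if "esmtp" in inspected:
        findings.append("inspect-esmtp")      # Kreken's fix: remove it
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

    Run it on the full pasted config: the first two findings match what dover and Kreken changed to get pings and scan-to-email working.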
  • kmcintosh78 Member Posts: 195
    Thanks for all of the input. I have since corrected the issue.

    Thanks again.