TOPIC: ASA 5505 7.2(3)

ASA 5505 7.2(3) 7 years 11 months ago #28200

  • gh
I am having a hard time with my ASA. I am attempting to set up our exchange server. Unfortunately, I cannot seem to get the access-list and static route to work properly. When I use the packet tracer tool, it always gives me either an access list error or a NAT error. I am on a BGP connection that could be causing some of the trouble as a third party configured it and I don't have the password or the running config. However, the packet tracer failing should be independent of that which causes me concern.

In the meantime, I have disabled the DMZ and I am only using the internal and external interfaces.

Being 5 AM, I have given up on trying stuff. If anyone can help me out, it would be much appreciated. Also, if you see any other stupid things that aren't pertinent or have any tips, they of course are welcomed.




ASA Version 7.2(3)
hostname XXXXX
domain-name XXXXXX
enable password XXXXXXXXXXXX encrypted
name NAME description Gateway Router
name ExternalMailServer description Webmail SMTP
name MailServer1 description Exchange Server 1
interface Vlan1
nameif inside
security-level 100
ip address
ospf cost 10
interface Vlan2
nameif outside
security-level 0
ip address
ospf cost 10
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address
ospf cost 10
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd XXXXXXXXXXXX encrypted
banner motd "********************************************************
banner motd * [ W A R N I N G ] *
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name DOMAINNAME
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network MailServers
network-object host MailServer1
object-group service Exchange-External-Webmail tcp
description Webmail
port-object eq www
port-object eq https
object-group service Exchange-External-SMTP tcp
description SMTP services
port-object eq smtp
access-list outside_access_in remark Exchange-External-Webmail
access-list outside_access_in extended permit tcp any host ExternalMailServer object-group Exchange-External-Webmail
access-list nonat extended permit ip interface inside interface dmz
access-list outside_access_in remark Exchange-External-SMTP
access-list outside_access_in extended permit tcp any host ExternalMailServer object-group Exchange-External-SMTP
pager lines 24
logging enable
logging console debugging
logging trap debugging
logging asdm debugging
logging mail emergencies
logging from-address
logging recipient-address level emergencies
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
static (inside,outside) tcp ExternalMailServer https MailServer1 https netmask tcp 0 3
static (inside,outside) tcp ExternalMailServer www MailServer1 www netmask
static (inside,outside) tcp ExternalMailServer smtp MailServer1 smtp netmask
access-group outside_access_in in interface outside
route outside 1
route outside NAME 1
router ospf 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD1 protocol radius
aaa-server AD1 host
timeout 5
key xxxxxxxxxxxx
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption des
hash sha
group 2
lifetime 86400
telnet inside
telnet timeout 20
ssh inside
ssh timeout 20
console timeout 10
management-access inside
dhcpd auto_config outside

class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
ntp server
group-policy VPNGroup1 internal
group-policy VPNGroup1 attributes
wins-server value
dns-server value
vpn-tunnel-protocol l2tp-ipsec
default-domain value DOMAIN
tunnel-group VPNGroup1 type ipsec-ra
tunnel-group VPNGroup1 general-attributes
address-pool Pool1
authentication-server-group AD1
default-group-policy VPNGroup1
prompt hostname context
: end
asdm image disk0:/asdm-523.bin
asdm history enable
The administrator has disabled public write access.
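
An offline consistency check for the kind of configuration posted above, added here as an example and not part of the original post. On ASA 7.2 (pre-8.3 NAT) the ACL bound inbound on the outside interface is matched against the mapped address, so every `static` port mapping needs a permit for the same mapped host and port. The sample config is constructed (names reused from the post, netmask invented) and deliberately mismatched; `audit` is a hypothetical helper that only handles the line shapes shown and compares port names literally.

```python
import re

# Constructed sample in ASA 7.2 syntax, reusing the names from the post.
# It deliberately omits the SMTP permit and permits pop3 without a static.
SAMPLE = """\
object-group service Exchange-External-Webmail tcp
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host ExternalMailServer object-group Exchange-External-Webmail
access-list outside_access_in extended permit tcp any host ExternalMailServer eq pop3
static (inside,outside) tcp ExternalMailServer https MailServer1 https netmask 255.255.255.255
static (inside,outside) tcp ExternalMailServer www MailServer1 www netmask 255.255.255.255
static (inside,outside) tcp ExternalMailServer smtp MailServer1 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

ACL = re.compile(r"access-list (\S+) extended permit tcp any host (\S+) (?:eq (\S+)|object-group (\S+))")
STATIC = re.compile(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)")
BIND = re.compile(r"access-group (\S+) in interface (\S+)")

def audit(config, iface="outside"):
    """Return (statics_without_permit, permits_without_static) as sorted (host, port) lists."""
    groups, rules, published, bound, last = {}, [], set(), None, None
    for line in map(str.strip, config.splitlines()):
        t = line.split()
        if t[:2] == ["object-group", "service"]:
            last = groups.setdefault(t[2], set())      # start collecting ports for this group
        elif t[:2] == ["port-object", "eq"] and last is not None:
            last.add(t[3 - 1])                         # port name belongs to the latest group
        elif m := ACL.match(line):
            rules.append(m.groups())                   # (acl, mapped host, port, group)
        elif (m := STATIC.match(line)) and m.group(2) == iface:
            published.add((m.group(3), m.group(4)))    # mapped host and mapped port
        elif (m := BIND.match(line)) and m.group(2) == iface:
            bound = m.group(1)                         # ACL applied inbound on iface
    permitted = set()
    for name, host, port, group in rules:
        if name == bound:                              # ignore ACLs not bound to iface
            permitted |= {(host, p) for p in ([port] if port else groups.get(group, ()))}
    return sorted(published - permitted), sorted(permitted - published)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The first list holds published ports that the bound ACL does not permit; the second holds permits with no translation behind them.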

Re: ASA 5505 7.2(3) 7 years 11 months ago #28214

  • Patiot
- Could you please elaborate on the issue, citing the specific server and from where you want to access it?


Re: ASA 5505 7.2(3) 7 years 11 months ago #28240

  • gh
Thanks for your response, but I think we are going to go with an open source firewall instead. To add the options we want (simple things like DMZ to internal network communication and extra VLANs) it was going to cost an unreasonable amount. On a side note, if anyone wants a Cisco ASA 5505 with a base license, fire away!
