Last week, we set up a Cisco ASA 5505 firewall in one of our customers' LAN. It should replace the ISA 2000 firewall over there, because we need to create a site-to-site tunnel to a PIX 515E on a remote location.
All went fine with this ASA 5505, except that it would not pass any traffic from the internet to the LAN. From the inside out, all was OK. From the outside in, nothing would pass the firewall. The relevant config lines were as follows:
- static (inside,outside) tcp w.x.y.z 25 10.10.10.10 25 netmask 255.255.255.255
- access-list outside01 permit tcp any host w.x.y.z eq 25
- access-group outside01 in interface outside
So, here we redirect all SMTP traffic on public interface with IP w.x.y.z to private host 10.10.10.10.
Nothing much would happen. Internally, the SMTP host was listening, of course. From outside, the interface with IP w.x.y.z was pingable, of course. From the outside, configuring the ASA with SSH or HTTPS went fine. (So, traffic TO the interface went fine, traffic THROUGH the interface not.)
Spent some hours troubleshooting. Changed config, used a different port on the ASA for the public, checked syslog, did this and that. Found nothing.
Finally, started syslogging on the debug level ("logging trap debug"). Now we saw syslog entries as follows:
- TCP request discarded from a.b.c.d./1025 to outside: w.x.y.z./25
Where "a.b.c.d" was the IP address the SMTP request was coming from. So, this meant traffic was arriving at the interface, but was discarded there. Googled with that and found this post at Blindhog.net. The exact problem we had was mentioned there!
Problem was explained and solved quite easily:
- In configs with a single public IP address, use "interface' instead of the public IP in the static-statement
So, we changed the static to read as follows:
- static (inside,outside) tcp interface 25 10.10.10.10 25 netmask 255.255.255.255
All worked fine!
If anyone runs into this situation, this is your solution. Thanks, Blindhog.net!