Velocity Reviews - Computer Hardware Reviews

ASA5510 dmz mail server forwarding to lan mail server

drhopkins@cox.net
04-25-2007
Hello Everyone,
I am trying to bring up a new mail server in the dmz. I would like dmz
mail server to receive mail for our domain, store messages in users'
mailboxes, then forward messages inward to inside mail server. Below
is an example of my running-config. I believe I need to include this
line:
static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255
However when I do I receive:
INFO: Global address overlaps w/ NAT exempt configuration
I feel like there may be more ways than one to make this work, but
need a little help. Communication is up between internal subnets - my
problem lies within the ASA configuration.
I am open to any advice or suggestions and appreciate your time,
David.

ASA Version 7.0(6)
!
hostname hostname
domain-name domain.org
enable password password encrypted
names
name 192.168.1.0 lan1 description lan1 network
name 192.168.2.8 inside_mail description inside_mail mail server
name 192.168.2.0 lan2 description lan2 network
name 192.168.3.0 lan3 description lan3 network
name 10.1.1.1 dmz_mail description dmz_mail mail server
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.200.1 255.255.255.0
management-only
!
passwd password encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list outside_access_in remark outside access in to imap server
access-list outside_access_in extended permit tcp any host 200.200.200.10 eq imap4
access-list outside_access_in remark outside access in to https server
access-list outside_access_in extended permit tcp any host 200.200.200.10 eq https
access-list outside_access_in remark outside access in to smtp server (dmz)
access-list outside_access_in extended permit tcp any host 200.200.200.11 eq smtp
access-list inside_out_smtp remark inside access out for smtp server
access-list inside_out_smtp extended permit tcp host inside_mail any eq smtp
access-list inside_out_smtp remark block all outbound smtp traffic except server
access-list inside_out_smtp extended deny tcp any any eq smtp
access-list inside_out_smtp remark allow all outbound traffic
access-list inside_out_smtp extended permit ip any any
access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0
access-list vpn_splitTunnelAcl standard permit any
access-list dmz_access_in remark allow dmz smtp server inbound traffic
access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
pager lines 24
logging from-address (E-Mail Removed)
logging recipient-address (E-Mail Removed) level errors
logging host inside 192.168.1.5
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
ip local pool vpn 192.168.1.200-192.168.1.209 mask 255.255.255.0
ip verify reverse-path interface outside
asdm image disk0:/asdm506.bin
asdm location workstation 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 200.200.200.10 inside_mail netmask 255.255.255.255
static (dmz,outside) 200.200.200.11 dmz_mail netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_out_smtp in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
route inside lan3 255.255.255.0 192.168.1.3 1
route inside lan2 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

Smokey
04-25-2007
(E-Mail Removed) wrote:
> access-list dmz_access_in extended permit ip host dmz_mail host
> inside_mail


The above ACL should allow traffic inbound to your inside mail server
from the DMZ; however, you may want to minimize the traffic you allow.
Currently you allow any IP packet; you may want to rewrite the ACL to
limit it to just SMTP:

access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25

> static (inside,outside) 200.200.200.10 inside_mail netmask
> 255.255.255.255


Try this command:

static (inside,DMZ)tcp 192.168.2.8 SMTP 192.168.2.8 SMTP netmask 255.255.255.255

dave
04-26-2007
On Apr 25, 3:21 pm, Smokey <(E-Mail Removed)> wrote:
> (E-Mail Removed) wrote:
> > access-list dmz_access_in extended permit ip host dmz_mail host
> > inside_mail

>
> The above ACL should allow traffic inbound to your inside mail server
> from DMZ, however you may want to minimize the traffic you allow,
> currently you have any IP packet you may want to rewrite the ACL to
> limit just SMTP:
>
> access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25
>

This is the exact line I started with, but I couldn't get any traffic
to go inbound from dmz; that's when I changed it to all ip. Once I get
some kind of communication between the 2, I will fine-tune with the
line you have suggested.

I feel like the problem lies somewhere in the NAT exemption rule.
Thanks for your time, and I appreciate your response, Dave.

Walter Roberson
04-27-2007
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>I am trying to bring up a new mail server in the dmz. I would like dmz
>mail server to receive mail for our domain, store messages in users'
>mailboxes, then forward messages inward to inside mail server. Below
>is an example of my running-config. I believe i need to include this
>line:
>static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255
>However when I do I receive:
>INFO: Global address overlaps w/ NAT exempt configuration


>ASA Version 7.0(6)


>name 192.168.1.0 lan1 description lan1 network
>interface Ethernet0/1
> nameif inside
> ip address 192.168.1.1 255.255.255.0


>access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0


>nat (inside) 0 access-list inside_outbound_nat0_acl


Your nat 0 access list is being applied to traffic of any IP source
on the inside lan, for traffic destined to 192.168.1.* -- which is
the IP address range of the inside lan. Your nat 0 access list
thus appears to be redundant.
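An added check, written here and not by any poster in this thread, that parses the relevant lines of the posted running-config and flags the two points the replies raise: Smokey's note that dmz_access_in permits all IP rather than just SMTP, and Walter's observation that the nat 0 exemption's destination is the inside interface's own subnet. The config excerpt is constructed from the post above; the name aliases are resolved by the parser rather than by hand.

```python
import ipaddress
# Constructed excerpt of the running-config posted above (aliases resolved by the parser).
CONFIG = """\
name 192.168.1.0 lan1 description lan1 network
name 192.168.2.8 inside_mail description inside_mail mail server
name 10.1.1.1 dmz_mail description dmz_mail mail server
nameif inside
ip address 192.168.1.1 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0
access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group dmz_access_in in interface dmz
"""

def _addr(t, names, i):
    """One ACL address field (any | host X | X MASK) -> (ip_network, next token index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(names.get(t[i + 1], t[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(t[i], t[i])}/{t[i + 1]}", strict=False), i + 2

def parse(config):
    """Collect name aliases, interface subnets, extended ACLs, nat 0 and access-group bindings."""
    cfg, nameif = {"names": {}, "ifaces": {}, "acls": {}, "nat0": {}, "groups": {}}, None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "name":                        # name <ip> <alias> ...
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nameif":                    # start of an interface context
            nameif = t[1]
        elif t[:2] == ["ip", "address"]:          # ip address <ip> <mask>
            cfg["ifaces"][nameif] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, cfg["names"], 5)
            dst, i = _addr(t, cfg["names"], i)
            cfg["acls"].setdefault(t[1], []).append((t[3], t[4], src, dst, t[i:]))
        elif t[0] == "nat" and t[2] == "0":       # nat (<iface>) 0 access-list <acl>
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "access-group":              # access-group <acl> in interface <iface>
            cfg["groups"][t[1]] = t[4]
    return cfg

def broad_permits(cfg):
    """Interface-bound permit entries for the whole 'ip' protocol rather than one port (Smokey's point)."""
    return [(acl, ifc) for acl, ifc in cfg["groups"].items()
            for act, proto, *_ in cfg["acls"].get(acl, []) if act == "permit" and proto == "ip"]

def redundant_nat0(cfg):
    """nat 0 ACLs whose destination is the bound interface's own subnet (Walter's point)."""
    return [acl for ifc, acl in cfg["nat0"].items()
            for _a, _p, _s, dst, _r in cfg["acls"].get(acl, []) if dst.subnet_of(cfg["ifaces"][ifc])]
```

Run it on the full posted config and the remark, standard and other non-extended lines are skipped; only the dmz_access_in permit and the nat 0 exemption are reported.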