Allow smtp traffic from DMZ to Inside, without DMZ loosing Internet connection?

morten
09-03-2007
Hi.

I have an Edge Transport Server (192.168.2.10) in my DMZ zone
(192.168.2.0) that needs access to the Exchange 2007 Hub server (192.168.1.10),
which sits on the inside network (192.168.1.0), on port 25 (smtp). I
have tried to add the following two rules:

static (inside,DMZ) tcp 192.168.1.10 smtp 192.168.1.10 smtp netmask 255.255.255.255
access-list dmz-access-in permit tcp host 192.168.2.10 host 192.168.1.10 eq 25

The result is that the Edge Transport Server can now telnet to
192.168.1.10 on port 25 - SUCCESS. The only downside is that the Edge
Transport Server no longer has access to the internet (outside
interface) and thereby can't send mail outside the organisation. What
am I doing wrong? It must be said that I am not a Cisco expert.

Regards Morten.


------------------------------------------------------------------------------------------------------------------
ASA Version 7.2(3)
!
hostname pix1
domain-name **************
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ****************
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 172.16.1.1 255.255.255.0
management-only
!

access-list ikke-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.128.0 255.255.255.0
access-list fra-remote extended permit icmp any any echo-reply
access-list fra-remote extended permit icmp any any time-exceeded
access-list fra-remote extended permit icmp any any unreachable
access-list fra-remote extended permit ip 192.168.128.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list fra-remote extended permit tcp any interface outside eq smtp
access-list fra-remote extended permit tcp any interface outside eq pop3
access-list fra-remote extended permit tcp any interface outside eq https
access-list fra-remote extended permit tcp any interface outside eq www

mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500

ip local pool vpn-scope 192.168.128.2-192.168.128.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control

global (outside) 1 interface
global (DMZ) 1 interface

nat (inside) 0 access-list ikke-nat
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.1.8 https netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.8 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.8 smtp netmask 255.255.255.255
access-group fra-remote in interface outside

route outside 0.0.0.0 0.0.0.0 89.233.4.153 1
route inside 192.168.1.7 255.255.255.255 192.168.1.1 1
----------------------------------------------------------------------------------------------------

morten
09-03-2007
Sorry, a little error in the config. The following line is missing:

"nat (DMZ) 1 192.168.2.0 255.255.255.0"



On 3 Sep., 18:22, morten <(E-Mail Removed)> wrote:
> Hi.
>
> I have an Edge Transport Server (192.168.2.10) in my DMZ zone
> (192.168.2.0) that needs access to the Exchange 2007 Hub server (192.168.1.10),
> which sits on the inside network (192.168.1.0), on port 25 (smtp). I
> have tried to add the following two rules:
>
> static (inside,DMZ) tcp 192.168.1.10 smtp 192.168.1.10 smtp netmask 255.255.255.255
> access-list dmz-access-in permit tcp host 192.168.2.10 host 192.168.1.10 eq 25
>
> The result is that the Edge Transport Server can now telnet to
> 192.168.1.10 on port 25 - SUCCESS. The only downside is that the Edge
> Transport Server no longer has access to the internet (outside
> interface) and thereby can't send mail outside the organisation. What
> am I doing wrong? It must be said that I am not a Cisco expert.
>
> Regards Morten.

morten
09-03-2007
Hi.

I found the error, just do as this document says:

http://www.cisco.com/en/US/products/...806745b8.shtml

If you use Exchange 2007, remember to run:

no fixup protocol smtp 25

This will make the ASA/PIX allow ESMTP packets.

Regards Morten.



On 3 Sep., 18:31, morten <(E-Mail Removed)> wrote:
> Sorry, little error in the config. The following line is missing:
>
> "nat (DMZ) 1 192.168.2.0 255.255.255.0"
>

Chris
09-03-2007
On Mon, 03 Sep 2007 09:22:34 -0700, morten wrote:

> Hi.
>
> I have an Edge Transport Server (192.168.2.10) in my DMZ zone
> (192.168.2.0) that needs access to the Exchange 2007 Hub server (192.168.1.10),
> which sits on the inside network (192.168.1.0), on port 25 (smtp). I
> have tried to add the following two rules:
>
> static (inside,DMZ) tcp 192.168.1.10 smtp 192.168.1.10 smtp netmask 255.255.255.255
> access-list dmz-access-in permit tcp host 192.168.2.10 host 192.168.1.10 eq 25
>


By default with no access list traffic from the DMZ will be able to access
the outside interface, BUT .. now that you have applied an access list to
the DMZ interface to allow SMTP to the inside, the default last access list
entry is to block all other traffic. So, you now have ..

permit tcp host 192.168.2.10 host 192.168.1.10 eq 25
deny ip any any (this is default and so you don't see it)

So, you now need to permit traffic from the DMZ to the outside in your acl.

permit tcp host 192.168.2.10 host 192.168.1.10 eq 25
permit tcp any any eq 80
permit udp any any eq 53
permit udp any any eq 53

Or, you can just .. permit any from the inside to any on the outside. It's
up to you.

Chris.
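The behaviour Chris describes, as an added model (not code from the thread or from Cisco): a first-match evaluator with the ASA's implicit deny, run against the thread's own addresses, to show why binding dmz-access-in cut the Edge server off from the outside and why the extra permits restore it. The outside host 203.0.113.25 and the choice of ports 25/53 scoped to the Edge host are assumptions.

```python
# Added example (not from the thread): first-match model of how the ASA decides
# a DMZ-originated flow, showing why binding dmz-access-in broke outbound mail.
# Addresses come from the thread; outside host 203.0.113.25 is a constructed placeholder.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LEVELS = {"outside": 0, "DMZ": 50, "inside": 100}  # security-level per nameif
NETS = {"inside": "192.168.1.0/24", "DMZ": "192.168.2.0/24"}

def interface_of(ip):
    """Map an address to the nameif it sits behind; anything else is outside."""
    for name, net in NETS.items():
        if ip_address(ip) in ip_network(net):
            return name
    return "outside"

@dataclass(frozen=True)
class Ace:
    """One access-list entry: action proto src dst [eq dport]; dport 0 = any."""
    action: str
    proto: str
    src: str  # CIDR or "any"
    dst: str
    dport: int = 0

    def matches(self, proto, src, dst, dport):
        in_net = lambda spec, ip: spec == "any" or ip_address(ip) in ip_network(spec)
        return (self.proto in ("ip", proto) and in_net(self.src, src)
                and in_net(self.dst, dst) and self.dport in (0, dport))

def permitted(ingress_acl, src, dst, dport, proto="tcp"):
    """No ACL bound: higher security-level may initiate to lower (ASA default).
    ACL bound: first matching ACE wins; an unmatched flow hits the implicit
    'deny ip any any' at the end of the list."""
    if ingress_acl is None:
        return LEVELS[interface_of(src)] > LEVELS[interface_of(dst)]
    for ace in ingress_acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False

EDGE, HUB, MX = "192.168.2.10", "192.168.1.10", "203.0.113.25"
# What morten bound to the DMZ: only the hub permit, so all else is implicitly denied.
ACL_BROKEN = [Ace("permit", "tcp", EDGE + "/32", HUB + "/32", 25)]
# Chris's fix, narrowed to the Edge host and the ports a mail relay needs (assumption).
ACL_FIXED = ACL_BROKEN + [Ace("permit", "tcp", EDGE + "/32", "any", 25),
                          Ace("permit", "udp", EDGE + "/32", "any", 53)]
```

Scoping the new permits to the Edge host rather than `any any` keeps the rest of the DMZ from gaining outbound access as a side effect of the fix.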

Tilman Schmidt
09-04-2007
morten wrote:
> If you use Exchange 2007, remember to run:
>
> no fixup protocol smtp 25


Not just Exchange. Apply that command if you use *any* mailserver.
The SMTP protocol fixup is broken, period.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...