ASA5510 dmz mail server forwarding to lan mail server

Discussion in 'Cisco' started by drhopkins@cox.net, Apr 25, 2007.

  1. Guest

    Hello Everyone,
    I am trying to bring up a new mail server in the dmz. I would like dmz
    mail server to receive mail for our domain, store messages in users'
    mailboxes, then forward messages inward to inside mail server. Below
    is an example of my running-config. I believe I need to include this
    line:
    static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255
    However when I do I receive:
    INFO: Global address overlaps w/ NAT exempt configuration
    I feel like there may be more ways than one to make this work, but
    need a little help. Communication is up between internal subnets - my
    problem lies within the ASA configuration.
    I am open to any advice or suggestions and appreciate your time,
    David.

    ASA Version 7.0(6)
    !
    hostname hostname
    domain-name domain.org
    enable password password encrypted
    names
    name 192.168.1.0 lan1 description lan1 network
    name 192.168.2.8 inside_mail description inside_mail mail server
    name 192.168.2.0 lan2 description lan2 network
    name 192.168.3.0 lan3 description lan3 network
    name 10.1.1.1 dmz_mail description dmz_mail mail server
    dns-guard
    !
    interface Ethernet0/0
    speed 100
    nameif outside
    security-level 0
    ip address 200.200.200.2 255.255.255.0
    !
    interface Ethernet0/1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    speed 100
    duplex full
    nameif dmz
    security-level 50
    ip address 10.1.1.1 255.255.255.0
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 192.168.200.1 255.255.255.0
    management-only
    !
    passwd password encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list outside_access_in remark outside access in to imap server
    access-list outside_access_in extended permit tcp any host 200.200.200.10 eq imap4
    access-list outside_access_in remark outside access in to https server
    access-list outside_access_in extended permit tcp any host 200.200.200.10 eq https
    access-list outside_access_in remark outside access in to smtp server (dmz)
    access-list outside_access_in extended permit tcp any host 200.200.200.11 eq smtp
    access-list inside_out_smtp remark inside access out for smtp server
    access-list inside_out_smtp extended permit tcp host inside_mail any eq smtp
    access-list inside_out_smtp remark block all outbound smtp traffic except server
    access-list inside_out_smtp extended deny tcp any any eq smtp
    access-list inside_out_smtp remark allow all outbound traffic
    access-list inside_out_smtp extended permit ip any any
    access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0
    access-list vpn_splitTunnelAcl standard permit any
    access-list dmz_access_in remark allow dmz smtp server inbound traffic
    access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
    pager lines 24
    logging from-address
    logging recipient-address level errors
    logging host inside 192.168.1.5
    logging permit-hostdown
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    ip local pool vpn 192.168.1.200-192.168.1.209 mask 255.255.255.0
    ip verify reverse-path interface outside
    asdm image disk0:/asdm506.bin
    asdm location workstation 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 200.200.200.10 inside_mail netmask 255.255.255.255
    static (dmz,outside) 200.200.200.11 dmz_mail netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_out_smtp in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
    route inside lan3 255.255.255.0 192.168.1.3 1
    route inside lan2 255.255.255.0 192.168.1.3 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    , Apr 25, 2007
    #1

  2. Smokey Guest

    wrote:
    > access-list dmz_access_in extended permit ip host dmz_mail host inside_mail


    The above ACL should allow traffic inbound to your inside mail server
    from the DMZ; however, you may want to minimize the traffic you allow.
    Currently you permit any IP packet; you may want to rewrite the ACL to
    limit it to just SMTP:

    access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25

    > static (inside,outside) 200.200.200.10 inside_mail netmask 255.255.255.255


    Try this command:

    static (inside,DMZ) tcp 192.168.2.8 SMTP 192.168.2.8 SMTP netmask 255.255.255.255
    Smokey, Apr 25, 2007
    #2

  3. dave Guest

    On Apr 25, 3:21 pm, Smokey <> wrote:
    > wrote:
    > > access-list dmz_access_in extended permit ip host dmz_mail host inside_mail

    >
    > The above ACL should allow traffic inbound to your inside mail server
    > from DMZ, however you may want to minimize the traffic you allow,
    > currently you have any IP packet you may want to rewrite the ACL to
    > limit just SMTP:
    >
    > access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25
    >

    This is the exact line I started with, but I couldn't get any traffic
    to go inbound from the dmz; that's when I changed it to all ip. Once I get
    some kind of communication between the two, I will fine-tune it with the
    line you have suggested.

    I feel like the problem lies somewhere in the NAT exemption rule.
    Thanks for your time, and I appreciate your response, Dave.
    dave, Apr 26, 2007
    #3
  4. In article <>,
    <> wrote:
    >I am trying to bring up a new mail server in the dmz. I would like dmz
    >mail server to receive mail for our domain, store messages in users'
    >mailboxes, then forward messages inward to inside mail server. Below
    >is an example of my running-config. I believe i need to include this
    >line:
    >static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255
    >However when I do I receive:
    >INFO: Global address overlaps w/ NAT exempt configuration


    >ASA Version 7.0(6)


    >name 192.168.1.0 lan1 description lan1 network
    >interface Ethernet0/1
    > nameif inside
    > ip address 192.168.1.1 255.255.255.0


    >access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0


    >nat (inside) 0 access-list inside_outbound_nat0_acl


    Your nat 0 access list is being applied to traffic of any IP source
    on the inside lan, for traffic destined to 192.168.1.* -- which is
    the IP address range of the inside lan. Your nat 0 access list
    thus appears to be redundant.
    Walter Roberson, Apr 27, 2007
    #4
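Both replies describe a check that can be scripted against a saved running-config: Smokey's (a DMZ-to-inside ACE that permits every IP protocol between two hosts where the relay only needs tcp/25) and Walter's (a nat 0 exemption ACL whose destination is the inside interface's own subnet). The script below is an added example, not anything posted in the thread; it parses a constructed excerpt of David's config (only the `name`, `nameif`, `ip address`, `access-list` and `nat ... 0 access-list` forms that appear above) and reports both conditions.

```python
from ipaddress import ip_network

# Constructed excerpt of the thread's running-config (not the full posted config).
CONFIG = """\
name 192.168.1.0 lan1 description lan1 network
name 192.168.2.8 inside_mail description inside_mail mail server
name 10.1.1.1 dmz_mail description dmz_mail mail server
nameif inside
ip address 192.168.1.1 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0
access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
nat (inside) 0 access-list inside_outbound_nat0_acl
"""

def parse(cfg):
    """Return (subnet per nameif, ACEs per ACL with names resolved, nat 0 ACL per nameif)."""
    names, ifaces, acls, nat0, cur = {}, {}, {}, {}, None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "name":                       # name <ip> <label> [description ...]
            names[w[2]] = w[1]
        elif w[0] == "nameif":
            cur = w[1]
        elif w[:2] == ["ip", "address"] and cur:
            ifaces[cur] = ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[0] == "access-list" and w[2] != "remark":
            acls.setdefault(w[1], []).append([names.get(t, t) for t in w[2:]])
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0[w[1].strip("()")] = w[4]
    return ifaces, acls, nat0

def broad_host_rules(acls):
    """ACEs that permit every IP protocol host-to-host; an SMTP relay only needs tcp/25."""
    hits = []
    for name, entries in acls.items():
        for e in entries:
            if "permit" in e and e[e.index("permit") + 1] == "ip" and e.count("host") == 2:
                hits.append((name, " ".join(e)))
    return hits

def redundant_nat0(ifaces, acls, nat0):
    """nat 0 ACEs whose destination network is the exempting interface's own subnet."""
    hits = []
    for ifname, aclname in nat0.items():
        for e in acls.get(aclname, []):
            try:                                 # expects '... <dst-net> <dst-mask>' at the end
                dst = ip_network(f"{e[-2]}/{e[-1]}", strict=False)
            except ValueError:                   # host/any forms carry no network to compare
                continue
            if dst == ifaces.get(ifname):
                hits.append((ifname, aclname, str(dst)))
    return hits
```

Running it on the excerpt flags `dmz_access_in` as wider than SMTP and `inside_outbound_nat0_acl` as exempting the inside interface's own 192.168.1.0/24, while Smokey's `permit tcp ... eq 25` form passes clean.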
