Allow smtp traffic from DMZ to Inside, without DMZ losing Internet connection?

Discussion in 'Cisco' started by morten, Sep 3, 2007.

  1. morten

    morten Guest

    Hi.

    I have an Edge Transport Server (192.168.2.10) in my DMZ zone
    (192.168.2.0) that needs access to the Exchange 2007 Hub server (192.168.1.10)
    which sits on the inside network (192.168.1.0) on port 25 (smtp). I
    have tried to add the following two rules:

    static (inside,DMZ) tcp 192.168.1.10 smtp 192.168.1.10 smtp netmask 255.255.255.255
    access-list dmz-access-in permit tcp host 192.168.2.10 host 192.168.1.10 eq 25

    The result is that the Edge Transport Server can now telnet to
    192.168.1.10 on port 25 - SUCCESS. The only downside is that the Edge
    Transport Server no longer has access to the internet (outside
    interface) and thereby can't send mails outside the organisation. What
    am I doing wrong - it must be said that I am not a Cisco expert :)

    Regards Morten.


    ------------------------------------------------------------------------------------------------------------------
    ASA Version 7.2(3)
    !
    hostname pix1
    domain-name **************
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address ****************
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif DMZ
    security-level 50
    ip address 192.168.2.1 255.255.255.0
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 172.16.1.1 255.255.255.0
    management-only
    !

    access-list ikke-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.128.0 255.255.255.0
    access-list fra-remote extended permit icmp any any echo-reply
    access-list fra-remote extended permit icmp any any time-exceeded
    access-list fra-remote extended permit icmp any any unreachable
    access-list fra-remote extended permit ip 192.168.128.0 255.255.255.0 192.168.1.0 255.255.255.0
    access-list fra-remote extended permit tcp any interface outside eq smtp
    access-list fra-remote extended permit tcp any interface outside eq pop3
    access-list fra-remote extended permit tcp any interface outside eq https
    access-list fra-remote extended permit tcp any interface outside eq www

    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500

    ip local pool vpn-scope 192.168.128.2-192.168.128.20
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control

    global (outside) 1 interface
    global (DMZ) 1 interface

    nat (inside) 0 access-list ikke-nat
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface https 192.168.1.8 https netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 192.168.1.8 pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.1.8 smtp netmask 255.255.255.255
    access-group fra-remote in interface outside

    route outside 0.0.0.0 0.0.0.0 89.233.4.153 1
    route inside 192.168.1.7 255.255.255.255 192.168.1.1 1
    ----------------------------------------------------------------------------------------------------
     
    morten, Sep 3, 2007
    #1
  2. morten

    morten Guest

    Sorry, a little error in the config. The following line is missing:

    "nat (DMZ) 1 192.168.2.0 255.255.255.0"
     
    morten, Sep 3, 2007
    #2
  3. morten

    morten Guest

    morten, Sep 3, 2007
    #3
  4. morten

    Chris Guest

    By default with no access list traffic from the DMZ will be able to access
    the outside interface, BUT .. now that you have applied an access list to
    the DMZ interface to allow SMTP to the inside, the default last access list
    entry is to block all other traffic. So, you now have ..

    permit tcp host 192.168.2.10 host 192.168.1.10 eq 25
    deny ip any any (this is default and so you don't see it)

    So, you now need to permit traffic from the DMZ to the outside in your acl.

    permit tcp host 192.168.2.10 host 192.168.1.10 eq 25
    permit tcp any any eq 80
    permit udp any any eq 53
    permit udp any any eq 53

    Or, you can just .. permit any from the inside to any on the outside. It's
    up to you.

    Chris.
     
    Chris, Sep 3, 2007
    #4
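To make the implicit-deny behaviour Chris describes concrete, here is an added Python simulation of ASA first-match ACL evaluation (example code written for this page, not from the thread or from Cisco). It models only the interface ACL, not the static/nat translations; the outbound entries in FIXED_ACL and the 203.0.113.x destinations are assumed and constructed for the demo.

```python
import ipaddress

IMPLICIT_DENY = "deny ip any any"  # appended by the ASA to every applied ACL

def _net(tokens):
    """Consume one ASA address spec: 'any' | 'host A' | 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse e.g. 'permit tcp host 192.168.2.10 host 192.168.1.10 eq 25'."""
    action, proto, *rest = line.split()
    src, rest = _net(rest)
    dst, rest = _net(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def acl_decision(acl, proto, src, dst, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in list(acl) + [IMPLICIT_DENY]:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], line

# Constructed sample flows entering the ASA on the DMZ interface.
FLOWS = {
    "edge_to_hub_smtp": ("tcp", "192.168.2.10", "192.168.1.10", 25),
    "edge_to_internet_smtp": ("tcp", "192.168.2.10", "203.0.113.25", 25),
    "edge_to_internet_dns": ("udp", "192.168.2.10", "203.0.113.53", 53),
}

POSTED_ACL = ["permit tcp host 192.168.2.10 host 192.168.1.10 eq 25"]
# Assumed fix: keep the inside rule, then add the outbound flows the Edge server needs.
FIXED_ACL = POSTED_ACL + [
    "permit tcp host 192.168.2.10 any eq 25",
    "permit udp host 192.168.2.10 any eq 53",
]

def evaluate(acl):
    """Map each sample flow to the ACL's permit/deny verdict."""
    return {name: acl_decision(acl, *flow)[0] for name, flow in FLOWS.items()}
```

With POSTED_ACL only the hub flow is permitted; the two Internet-bound flows fall through to the implicit deny, which is exactly the symptom in the original post.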
  5. Not just Exchange. Apply that command if you use *any* mailserver.
    The SMTP protocol fixup is broken, period.
     
    Tilman Schmidt, Sep 4, 2007
    #5