ASA5510 dmz mail server forwarding to lan mail server

Hello Everyone,
I am trying to bring up a new mail server in the dmz. I would like dmz
mail server to receive mail for our domain, store messages in users'
mailboxes, then forward messages inward to inside mail server. Below
is an example of my running-config. I believe i need to include this
line:
static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255
However when I do I receive:
INFO: Global address overlaps w/ NAT exempt configuration
I feel like there may be more ways than one to make this work, but
need a little help. Communication is up between internal subnets - my
problem lies within the ASA configuration.
I am open to any advice or suggestions and appreciate your time,
David.

ASA Version 7.0(6)
!
hostname hostname
domain-name domain.org
enable password password encrypted
names
name 192.168.1.0 lan1 description lan1 network
name 192.168.2.8 inside_mail description inside_mail mail server
name 192.168.2.0 lan2 description lan2 network
name 192.168.3.0 lan3 description lan3 network
name 10.1.1.1 dmz_mail description dmz_mail mail server
dns-guard
!
interface Ethernet0/0
speed 100
nameif outside
security-level 0
ip address 200.200.200.2 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif dmz
security-level 50
ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.200.1 255.255.255.0
management-only
!
passwd password encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list outside_access_in remark outside access in to imap server
access-list outside_access_in extended permit tcp any host
200.200.200.10 eq imap4
access-list outside_access_in remark outside access in to https server
access-list outside_access_in extended permit tcp any host
200.200.200.10 eq https
access-list outside_access_in remark outside access in to smtp server
(dmz)
access-list outside_access_in extended permit tcp any host
200.200.200.11 eq smtp
access-list inside_out_smtp remark inside access out for smtp server
access-list inside_out_smtp extended permit tcp host inside_mail any
eq smtp
access-list inside_out_smtp remark block all outbound smtp traffic
except server
access-list inside_out_smtp extended deny tcp any any eq smtp
access-list inside_out_smtp remark allow all outbound traffic
access-list inside_out_smtp extended permit ip any any
access-list inside_outbound_nat0_acl extended permit ip any lan1
255.255.255.0
access-list vpn_splitTunnelAcl standard permit any
access-list dmz_access_in remark allow dmz smtp server inbound traffic
access-list dmz_access_in extended permit ip host dmz_mail host
inside_mail
pager lines 24
logging from-address
logging recipient-address level errors
logging host inside 192.168.1.5
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
ip local pool vpn 192.168.1.200-192.168.1.209 mask 255.255.255.0
ip verify reverse-path interface outside
asdm image disk0:/asdm506.bin
asdm location workstation 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 200.200.200.10 inside_mail netmask
255.255.255.255
static (dmz,outside) 200.200.200.11 dmz_mail netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_out_smtp in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
route inside lan3 255.255.255.0 192.168.1.3 1
route inside lan2 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

 

The above ACL should allow traffic inbound to your inside mail server
from DMZ, however you may want to minimize the traffic you allow,
currently you have any IP packet you may want to rewrite the ACL to
limit just SMTP:

access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25

Try this command:

static (inside,DMZ)tcp 192.168.2.8 SMTP 192.168.2.8 SMTP netmask
255.255.255.255

 

This is the exact line I started with, but I couldn't get any traffic
to go inbound from dmz; that's when I changed it to all ip. Once I get
some kind of communication between the 2, I will fine tune with the
line you have suggested.

I feel like the problem lies somewhere in the NAT exemption rule.
Thanks for your time, and I appreciate your response, Dave.

 

Your nat 0 access list is being applied to traffic of any IP source
on the inside lan, for traffic destined to 192.168.1.* -- which is
the IP address range of the inside lan. Your nat 0 access list
thus appears to be redundant.