ASA5510 dmz mail server forwarding to lan mail server

Discussion in 'Cisco' started by drhopkins, Apr 25, 2007.

  1. drhopkins

    drhopkins Guest

    Hello Everyone,
    I am trying to bring up a new mail server in the dmz. I would like dmz
    mail server to receive mail for our domain, store messages in users'
    mailboxes, then forward messages inward to inside mail server. Below
    is an example of my running-config. I believe I need to include this:
    static (inside,dmz) inside_mail netmask
    However when I do I receive:
    INFO: Global address overlaps w/ NAT exempt configuration
    I feel like there may be more ways than one to make this work, but
    need a little help. Communication is up between internal subnets - my
    problem lies within the ASA configuration.
    I am open to any advice or suggestions and appreciate your time,

    ASA Version 7.0(6)
    hostname hostname
    enable password password encrypted
    name lan1 description lan1 network
    name inside_mail description inside_mail mail server
    name lan2 description lan2 network
    name lan3 description lan3 network
    name dmz_mail description dmz_mail mail server
    interface Ethernet0/0
    speed 100
    nameif outside
    security-level 0
    ip address
    interface Ethernet0/1
    speed 100
    duplex full
    nameif inside
    security-level 100
    ip address
    interface Ethernet0/2
    speed 100
    duplex full
    nameif dmz
    security-level 50
    ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address
    passwd password encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list outside_access_in remark outside access in to imap server
    access-list outside_access_in extended permit tcp any host eq imap4
    access-list outside_access_in remark outside access in to https server
    access-list outside_access_in extended permit tcp any host eq https
    access-list outside_access_in remark outside access in to smtp server
    access-list outside_access_in extended permit tcp any host eq smtp
    access-list inside_out_smtp remark inside access out for smtp server
    access-list inside_out_smtp extended permit tcp host inside_mail any eq smtp
    access-list inside_out_smtp remark block all outbound smtp traffic except server
    access-list inside_out_smtp extended deny tcp any any eq smtp
    access-list inside_out_smtp remark allow all outbound traffic
    access-list inside_out_smtp extended permit ip any any
    access-list inside_outbound_nat0_acl extended permit ip any lan1
    access-list vpn_splitTunnelAcl standard permit any
    access-list dmz_access_in remark allow dmz smtp server inbound traffic
    access-list dmz_access_in extended permit ip host dmz_mail host
    pager lines 24
    logging from-address
    logging recipient-address level errors
    logging host inside
    logging permit-hostdown
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    ip local pool vpn mask
    ip verify reverse-path interface outside
    asdm image disk0:/asdm506.bin
    asdm location workstation inside
    no asdm history enable
    arp timeout 14400
    global (outside) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10
    static (inside,outside) inside_mail netmask
    static (dmz,outside) dmz_mail netmask
    access-group outside_access_in in interface outside
    access-group inside_out_smtp in interface inside
    access-group dmz_access_in in interface dmz
    route outside 1
    route inside lan3 1
    route inside lan2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    drhopkins, Apr 25, 2007

  2. Smokey

    Smokey Guest

    The above ACL should allow traffic inbound to your inside mail server
    from the DMZ; however, you may want to minimize the traffic you allow.
    Currently you permit any IP packet; you may want to rewrite the ACL to
    limit it to just SMTP:

    access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25
    Try this command:

    static (inside,DMZ) tcp SMTP SMTP netmask
    Smokey, Apr 25, 2007

  3. dave

    dave Guest

    This is the exact line I started with, but I couldn't get any traffic
    to go inbound from the dmz; that's when I changed it to all ip. Once I get
    some kind of communication between the two, I will fine tune with the
    line you have suggested.

    I feel like the problem lies somewhere in the NAT exemption rule.
    Thanks for your time, and I appreciate your response, Dave.
    dave, Apr 26, 2007
  4. Walter Roberson

    Your nat 0 access list is being applied to traffic of any IP source
    on the inside lan, for traffic destined to 192.168.1.* -- which is
    the IP address range of the inside lan. Your nat 0 access list
    thus appears to be redundant.
    Walter Roberson, Apr 27, 2007
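    Putting the two replies together, as an added example that is not part of any post in the thread: the interface and object names come from the posted config, the addresses are constructed placeholders, and the syntax is ASA 7.x.

```cisco
! Added example, not the poster's running-config. Addresses are constructed
! placeholders: inside LAN 192.168.1.0/24 (lan1), inside_mail 192.168.1.25,
! dmz_mail 172.16.1.25. Object and interface names match the thread.
names
name 192.168.1.0 lan1 description lan1 network
name 192.168.1.25 inside_mail description inside_mail mail server
name 172.16.1.25 dmz_mail description dmz_mail mail server
!
! Walter's point: the exempt ACL's destination is the inside LAN itself, so it
! never matches traffic crossing the firewall, while its "any" source still
! covers inside_mail. That overlap is what the INFO message refers to, so drop
! the rule rather than work around it.
no nat (inside) 0 access-list inside_outbound_nat0_acl
clear configure access-list inside_outbound_nat0_acl
!
! Smokey's static, written as a port static: only TCP/25 is translated, and it
! is an identity translation (the inside server keeps its own address on the
! DMZ side). Interface names are case-sensitive; the nameif here is "dmz".
static (inside,dmz) tcp inside_mail smtp inside_mail smtp netmask 255.255.255.255
!
! Narrow the DMZ ACL from "permit ip" to SMTP only, then bind it.
no access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
access-list dmz_access_in remark allow the DMZ relay to reach inside_mail on SMTP only
access-list dmz_access_in extended permit tcp host dmz_mail host inside_mail eq smtp
access-group dmz_access_in in interface dmz
!
! Verify: the identity xlate should exist, and the SMTP line's hit count should
! climb as the DMZ server relays mail inward.
show xlate
show access-list dmz_access_in
```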