Internal mail domain traffic scanning through CSC/SSM.

Unanswered Question
Feb 19th, 2007

Hi,

I have a customer who has an Internet domain (say 'mydomain.com') and another internal domain (say 'mylocaldomain.com'). A single mail server downloads the mail for mydomain.com, working through the ASA5510. mydomain.com is used to exchange mail with external users. For internal mail, users send/receive on mylocaldomain.com. Since the same mail server serves both mydomain.com and mylocaldomain.com, my query is: how do I ensure that all the local mail headed for mylocaldomain.com is scanned etc. by the CSC/SSM? mylocaldomain.com is not published on the Internet. The mail server for both domains is the same one, and it is located on the internal LAN. Do I need to move my mail server to the DMZ to get it to work the way we want? Thanks in advance.

mrinmoy.m Mon, 02/19/2007 - 19:51

Hi

It is better if you place the mail server in the DMZ, and accordingly you have to restructure the rule base.

Since you only need to scan the internal mail traffic, only one service policy is required on the inside interface, with an access-list that matches the traffic to be scanned.

access-list local_mail extended permit tcp <internal_network> <mask> host <mail_server> eq 25
access-list local_mail extended permit tcp <internal_network> <mask> host <mail_server> eq 110

ASA5510(config)# class-map mail-traffic
ASA5510(config-cmap)# match access-list local_mail
ASA5510(config)# policy-map mail-pol
ASA5510(config-pmap)# class mail-traffic
ASA5510(config-pmap-c)# set connection per-client-max <n>
ASA5510(config-pmap-c)# csc {fail-close | fail-open}
ASA5510(config)# service-policy mail-pol interface inside

Hope this will serve your purpose.

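The point behind the DMZ suggestion is easy to lose in the config snippet: a service policy on the inside interface can only hand the CSC SSM traffic that actually crosses the ASA, and mail between two hosts on the same internal LAN never does. The following is an added example, not code from the thread or from Cisco, that models that rule for the four mail flows in the question under both layouts (server on the inside versus server in the DMZ). Every address, interface name and the ISP mailbox host are assumed placeholders, and the matching logic is a simplification: a flow counts as scanned when it enters one interface, leaves through another, and the ingress interface has a csc policy whose access-list matches the flow.

```python
"""
Which mail flows can the ASA's CSC SSM policy actually see?

Added example for the thread above, not code from the original post or
from Cisco. It models the first packet of each TCP connection: the ASA
only hands a flow to the CSC SSM if the flow crosses from one interface
to another AND the ingress interface carries a service policy whose
access-list matches it (a simplification of MPF matching). All addresses,
interface names and the ISP mailbox host are assumed placeholders.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network   # the network reachable via this interface


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit tcp <src> <dst> eq <dport>."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


def net(cidr):
    return ipaddress.ip_network(cidr)


def interface_for(ifaces, ip):
    """Longest-prefix match of ip against the interfaces' networks."""
    for iface in sorted(ifaces, key=lambda i: i.network.prefixlen, reverse=True):
        if ip in iface.network:
            return iface
    raise ValueError(f"no interface routes {ip}")


def csc_verdict(ifaces, policies, src, dst, dport):
    """Return (scanned, reason) for one TCP connection src -> dst:dport.

    policies maps an interface name to the ACL used by the class in the
    csc service policy applied to that interface.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = interface_for(ifaces, src_ip), interface_for(ifaces, dst_ip)
    if ingress == egress:
        return False, f"not scanned: both hosts on '{ingress.name}', flow never crosses the ASA"
    acl = policies.get(ingress.name)
    if acl is None:
        return False, f"not scanned: no csc service policy on ingress interface '{ingress.name}'"
    if not any(src_ip in a.src and dst_ip in a.dst and dport == a.dport for a in acl):
        return False, f"not scanned: policy on '{ingress.name}' has no ACE for tcp/{dport} to {dst}"
    return True, f"scanned: '{ingress.name}' -> '{egress.name}' tcp/{dport}"


# Assumed topology (constructed): RFC 1918 LAN and DMZ, TEST-NET-3 for the ISP host.
INSIDE = net("192.168.10.0/24")
DMZ = net("172.16.1.0/24")
ANY = net("0.0.0.0/0")
CLIENT = "192.168.10.50"      # a user workstation on the LAN
ISP_MAILBOX = "203.0.113.25"  # assumed host where mydomain.com mail is collected from


def layout_server_inside():
    """Asker's current layout: mail server on the internal LAN, one csc policy on inside."""
    server = "192.168.10.5"
    ifaces = [Interface("inside", INSIDE), Interface("dmz", DMZ), Interface("outside", ANY)]
    policies = {"inside": [Ace(INSIDE, ANY, 25), Ace(INSIDE, ANY, 110)]}
    return server, ifaces, policies


def layout_server_dmz():
    """Reply's suggestion: mail server moved to the DMZ, csc policies on inside and dmz."""
    server = "172.16.1.5"
    server_net = net(server + "/32")
    ifaces = [Interface("inside", INSIDE), Interface("dmz", DMZ), Interface("outside", ANY)]
    policies = {
        "inside": [Ace(INSIDE, server_net, 25), Ace(INSIDE, server_net, 110)],
        "dmz": [Ace(server_net, ANY, 25), Ace(server_net, ANY, 110)],
    }
    return server, ifaces, policies


def evaluate(layout):
    """Run the four mail flows from the question through one layout."""
    server, ifaces, policies = layout()
    flows = {
        "client sends mylocaldomain.com mail (smtp)": (CLIENT, server, 25),
        "client fetches mylocaldomain.com mail (pop3)": (CLIENT, server, 110),
        "server relays mydomain.com mail out (smtp)": (server, ISP_MAILBOX, 25),
        "server downloads mydomain.com mail (pop3)": (server, ISP_MAILBOX, 110),
    }
    return {name: csc_verdict(ifaces, policies, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for layout in (layout_server_inside, layout_server_dmz):
        print(layout.__doc__)
        for name, (scanned, reason) in evaluate(layout).items():
            print(f"  {name:48s} {reason}")
```

With the server on the inside, the two mylocaldomain.com flows come back as "never crosses the ASA" no matter what the inside policy says; only the server's own SMTP and POP3 sessions to the ISP are scanned. With the server in the DMZ, the client-to-server flows now transit inside to dmz and match the inside policy, but note that the server's downloads from mydomain.com then enter on the dmz interface, so a second csc service policy (or a global one) is needed there as well, which is the "restructure the rule base" part of the reply.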