ACL Rule Problem

Unanswered Question
May 29th, 2007

I created a DMZ and put a mail server in there. Now, for some reason, no matter what I do, I can't get SMTP from the DMZ. Even if I do a packet trace from the ASDM, it says it's blocked by the implicit deny at the end of the DMZ incoming rule. I have a rule set to allow SMTP, but it's still denied. I even changed that to allow everything from any to any and it still gets denied. I am at a loss. Below is my ACL. Does anyone see anything wrong with it?

Thanks

access-list DMZ_access_in remark Allow imap from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq imap4
access-list DMZ_access_in remark Allow 6101 from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 6101
access-list DMZ_access_in remark Allow webaccess from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 1677
access-list DMZ_access_in remark Allow MTA access from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7100
access-list DMZ_access_in remark Allow webaccess from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7205
access-list DMZ_access_in remark Allow SLP request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in remark Allow SLP request all from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in remark Allow Time Synch request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in remark Allow NCP request all from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in remark Allow NTP time request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq ntp
access-list DMZ_access_in remark Echo reply to all
access-list DMZ_access_in extended permit icmp 12.167.246.136 255.255.255.248 any echo-reply
access-list DMZ_access_in remark Allow upd DNS from the DMZ to anywhere
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in remark Allow upd DNS from the DMZ to anywhere
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in remark Allow mail2.lionel.com to send out smtp
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq smtp
access-list DMZ_access_in remark Deny all from DMZ to Inside network
access-list DMZ_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_access_in remark Allow http out from the dmz
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq www
access-list DMZ_access_in remark Allow https out from the dmz
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq https

srue Tue, 05/29/2007 - 10:14

Please clarify your problem.

Are you wanting to allow SMTP from the internet to your mail server, which is on the DMZ?

Are you wanting to allow SMTP from the LAN to your DMZ?

Are you wanting to allow SMTP from your DMZ to the LAN?

Are you wanting to allow SMTP from your DMZ to the internet?

dstjames123 Tue, 05/29/2007 - 10:39

Srue,


Thanks for the reply. I am trying to send SMTP out to the internet, but it's getting blocked by the DMZ access-in ACL. I don't need it to go to my internal LAN, just out from the DMZ to the internet.

acomiskey Tue, 05/29/2007 - 10:49

Is your mail server IP 12.167.246.136?

srue Tue, 05/29/2007 - 10:49

Assuming the ACL you originally posted is the one applied to your DMZ interface, is this where you believe you've allowed outbound SMTP from the DMZ to the internet:

...permit tcp 12.167.246.136 255.255.255.248 any eq smtp


Your ACL entry should read something like that...

Does the actual IP address of your SMTP server fall in the range 12.167.246.136/29? Not the NAT'ed address, the actual address.

dstjames123 Tue, 05/29/2007 - 10:51

Yes, it's 12.167.246.140. I have changed the rule to any any and it's still denied, though.
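As an added example that is not part of this thread, here is a small Python walk through the posted ACL using ASA first-match semantics (top-down, first matching line wins, implicit deny at the end). It checks the two things the replies above turn on: whether 12.167.246.140 really falls inside 12.167.246.136 255.255.255.248, and which line of DMZ_access_in a given flow hits. The ACL text is a trimmed copy of the one in the first post (remarks and the inside-only port lines dropped); the destination addresses 203.0.113.25 and 192.168.1.10 are constructed test values; and the parser assumes the ASA `extended` form with no source-port clause, no object-groups and no ICMP type matching.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Trimmed copy of the DMZ_access_in ACL posted in the thread (remarks dropped,
# inside-only port lines omitted). Order is preserved because it matters.
ACL_TEXT = """
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq imap4
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq ntp
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq smtp
access-list DMZ_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq www
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq https
"""

# ASA service names used in the "eq <name>" clauses above (only the ones needed here).
PORT_NAMES = {"imap4": 143, "ntp": 123, "domain": 53, "smtp": 25, "www": 80, "https": 443}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None when the line carries no "eq" clause


def _network(tokens, i):
    """Consume 'any' or '<addr> <mask>' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts dotted netmasks: "12.167.246.136/255.255.255.248" -> /29
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] != "extended":
            continue  # remarks are not matching entries
        action, proto = t[3], t[4]
        src, i = _network(t, 5)
        dst, i = _network(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            name = t[i + 1]
            dport = int(name) if name.isdigit() else PORT_NAMES[name]
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """Walk the ACL top-down; return (line number, action). Line 0 is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in (proto, "ip"):       # "ip" matches every protocol
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return n, ace.action                    # first match wins
    return 0, "deny"                            # implicit deny at the end of every ASA ACL


def in_source_range(ip, network="12.167.246.136/29"):
    """The check srue asked for: is the server's real address inside the ACL's source /29?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network)


ACES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # 203.0.113.25 is a constructed "internet" destination; 192.168.1.10 a constructed inside host.
    print(in_source_range("12.167.246.140"))                              # True (.136-.143)
    print(evaluate(ACES, "tcp", "12.167.246.140", "203.0.113.25", 25))    # (5, 'permit')
    print(evaluate(ACES, "tcp", "12.167.246.140", "192.168.1.10", 22))    # (6, 'deny')
    print(evaluate(ACES, "tcp", "12.167.246.140", "192.168.1.10", 25))    # (5, 'permit')
    print(evaluate(ACES, "tcp", "12.167.246.150", "203.0.113.25", 25))    # (0, 'deny')
```

Walked this way, the posted ACL permits TCP/25 from 12.167.246.140 to an internet address on the smtp line, so the ACL text by itself does not account for the denial ASDM reports. The things to compare against on the box are `show run access-group` (is DMZ_access_in actually bound `in` on the DMZ interface?), `show access-list DMZ_access_in` (per-line hit counts), and `packet-tracer input <dmz-ifname> tcp 12.167.246.140 1025 <dst> 25` run with the server's real, pre-NAT address (the interface name is a placeholder here). The walk also surfaces a side effect of the line order: `deny ip any 192.168.1.0 255.255.255.0` only catches traffic nothing above it has already permitted, so DNS, NTP and SMTP from the DMZ to 192.168.1.0/24 are still allowed by the preceding `any` lines.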


