05-29-2007 10:09 AM - edited 03-11-2019 03:22 AM
I created a DMZ and put a mail server in there. Now for some reason, no matter what I do, I can't get SMTP from the DMZ. Even if I do a packet trace from the ASDM it says it's blocked by the implicit deny at the end of the DMZ incoming rule. I have a rule set to allow SMTP but it's still denied. I even changed that to allow everything from any to any and it gets denied. I am at a loss. Below is my ACL. Anyone see anything wrong with it?
Thanks
access-list DMZ_access_in remark Allow imap from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq imap4
access-list DMZ_access_in remark Allow 6101 from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 6101
access-list DMZ_access_in remark Allow webaccess from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 1677
access-list DMZ_access_in remark Allow MTA access from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7100
access-list DMZ_access_in remark Allow webaccess from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7205
access-list DMZ_access_in remark Allow SLP request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in remark Allow SLP request all from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in remark Allow Time Synch request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in remark Allow NCP request all from DMZ to Inside
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in remark Allow NTP time request all from DMZ to Inside
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq ntp
access-list DMZ_access_in remark Echo reply to all
access-list DMZ_access_in extended permit icmp 12.167.246.136 255.255.255.248 any echo-reply
access-list DMZ_access_in remark Allow upd DNS from the DMZ to anywhere
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in remark Allow upd DNS from the DMZ to anywhere
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in remark Allow mail2.lionel.com to send out smtp
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq smtp
access-list DMZ_access_in remark Deny all from DMZ to Inside network
access-list DMZ_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_access_in remark Allow http out from the dmz
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq www
access-list DMZ_access_in remark Allow https out from the dmz
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq https
05-29-2007 10:14 AM
Please clarify your problem.
Are you wanting to allow SMTP from the internet to your mail server, which is on the DMZ?
Are you wanting to allow SMTP from the LAN to your DMZ?
Are you wanting to allow SMTP from your DMZ to the LAN?
Are you wanting to allow SMTP from your DMZ to the internet?
05-29-2007 10:39 AM
Srue,
Thanks for the reply. I am trying to send out SMTP to the internet, but it's getting blocked by the DMZ access-in ACL. I don't need it to go to my internal LAN, just out from the DMZ to the internet.
05-29-2007 10:49 AM
Is your mail server ip 12.167.246.136?
05-29-2007 10:49 AM
Assuming the ACL you originally posted is the one applied to your DMZ interface, is this where you believe you've allowed outbound SMTP from the DMZ to the internet:
...permit tcp 12.167.246.136 255.255.255.248 any eq smtp
Your ACL entry should read something like that...
Does the actual IP address of your SMTP server fall in the range 12.167.246.136/29? Not the NAT'ed address, the actual address.
05-29-2007 10:51 AM
Yes, it's 12.167.246.140. I have changed the rule to any any and it's still denied though.
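The thread turns on two checks: whether 12.167.246.140 actually falls inside 12.167.246.136/29, and which entry of DMZ_access_in is the first to match an outbound TCP/25 packet under the ASA's first-match, implicit-deny-at-the-end evaluation. The following script is an added example (not code from the thread or from Cisco); it feeds the permit/deny entries pasted in the first post into a small first-match evaluator and runs the scenarios the replies ask about. The destination addresses 203.0.113.25 and 192.168.1.10 are constructed test values, and the keyword-to-port table covers only the service names that appear in the pasted ACL.

```python
import ipaddress

# Constructed input: the permit/deny entries of DMZ_access_in as pasted in the
# first post (remark lines dropped; they carry no match logic).
ACL_TEXT = """\
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq imap4
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 6101
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 1677
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7100
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 7205
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 427
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 192.168.1.0 255.255.255.0 eq 524
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq ntp
access-list DMZ_access_in extended permit icmp 12.167.246.136 255.255.255.248 any echo-reply
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in extended permit udp 12.167.246.136 255.255.255.248 any eq domain
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq smtp
access-list DMZ_access_in extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq www
access-list DMZ_access_in extended permit tcp 12.167.246.136 255.255.255.248 any eq https
"""

# Service keywords used in the pasted ACL, mapped to their IANA port numbers.
SERVICE_PORTS = {"imap4": 143, "ntp": 123, "domain": 53, "smtp": 25, "www": 80, "https": 443}


def service_port(token):
    """Turn 'smtp' or '6101' into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_addr(tokens):
    """Consume an ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash, e.g. 12.167.246.136/255.255.255.248
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT | icmp-type]' line."""
    t = line.split()
    if len(t) < 7 or t[2] != "extended":
        return None  # remarks and anything else carry no match logic
    action, proto = t[3], t[4]
    src, rest = parse_addr(t[5:])
    dst, rest = parse_addr(rest)
    port = icmp_type = None
    if proto == "icmp" and rest:
        icmp_type = rest[0]
    elif rest[:1] == ["eq"]:
        port = service_port(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": port, "icmp_type": icmp_type}


def parse_acl(text):
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def evaluate(acl, proto, src, dst, dport=None, icmp_type=None):
    """First-match evaluation as the ASA does it: returns (action, 1-based ACE index),
    or ('deny', None) when the packet falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl, start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != icmp_type:
            continue
        return ace["action"], idx
    return "deny", None


def check_thread_cases():
    """Run the scenarios discussed in the thread; returns {label: result}."""
    acl = parse_acl(ACL_TEXT)
    mail = "12.167.246.140"  # the poster's actual (non-NAT) server address
    return {
        "mail_in_dmz_range": ipaddress.ip_address(mail) in ipaddress.ip_network("12.167.246.136/29"),
        "smtp_to_internet": evaluate(acl, "tcp", mail, "203.0.113.25", 25),
        "smtp_to_inside": evaluate(acl, "tcp", mail, "192.168.1.10", 25),
        "http_to_inside": evaluate(acl, "tcp", mail, "192.168.1.10", 80),
        "http_to_internet": evaluate(acl, "tcp", mail, "203.0.113.25", 80),
        "smtp_from_outside_range": evaluate(acl, "tcp", "12.167.246.150", "203.0.113.25", 25),
    }


if __name__ == "__main__":
    for label, result in check_thread_cases().items():
        print(f"{label:24} -> {result}")
```

Two things fall out of running it. First, 12.167.246.140 is inside 12.167.246.136/29 (hosts .136 through .143), and outbound TCP/25 from it hits the SMTP permit (entry 14) well before the implicit deny, so the ACL text as pasted does not produce the denial the packet tracer reports. Second, because the `any`-destination permits for SMTP, DNS and NTP sit above the "Deny all from DMZ to Inside network" entry, that deny only catches traffic those earlier permits have not already matched: SMTP from the DMZ to 192.168.1.0/24 is permitted at entry 14, while HTTP to the same network is denied at entry 15. If the intent is to keep the DMZ out of the inside network entirely, the deny belongs above the `any` permits.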