How to send a mail from a DMZ ...

Unanswered Question
Oct 30th, 2007

I have this configuration on my ASA:

- outside (WAN) : 10.0.0.254

- inside (LAN) : 192.168.100.254

- dmz : 192.168.110.254

In my DMZ, I have an https server which can be accessed from the internet. So I have created a NAT rule to redirect port 443:

#> sh run static

static (DMZ,WAN) tcp interface https 192.168.110.1 netmask 255.255.255.255

Moreover I have created a rule in the security policy to permit https connections from WAN to DMZ.

My problem is that the https server can't send mail from the DMZ. I have created this rule in the security policy, but without effect:

FROM :

server 192.168.110.1

in the DMZ

on the port any

TO :

any

in the WAN

on the port 25

ACTION : permit

When I telnet to port 25 of an SMTP server, I get a TCP TIMEOUT message in the live log.

What is the problem?

Thanks for your help

Collin Clark Tue, 10/30/2007 - 09:37

Your acl is something like this?

access-list dmz_to_outside permit tcp host 192.168.110.1 any eq 25

I would check a couple of things: How and where is the acl applied? Will you need DNS? Check the hit count on the ACL.

mathieu47 Wed, 10/31/2007 - 01:51

I have created your access-list rule, without effect ... I will try to answer your questions (sorry, I am a novice in Cisco management).

1) How and where is the acl applied?

I don't know!!! In fact, I think that I don't really know what the acl is!!! Is it the same thing as the security policy?

2) Will you need DNS?

Yes. But DNS isn't a problem because I have created a rule to check DNS in my LAN and the DNS requests are OK (for example with an nslookup on my server).

3) Check the hit count

What is the hit count?

Sorry for my gaps!!!

Thanks for your help

mathieu47 Wed, 10/31/2007 - 03:44

I have solved my problem!!! I have created this NAT rule:

static (DMZ,WAN) 10.0.0.100 192.168.110.1 netmask 255.255.255.255

Then I have created 2 rules in the security policy to open ports 443 and 25.

So the server is accessible from the internet and it can send email!!!
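As an added example, not part of the thread, here is the complete pre-8.3 ASA configuration that the two posts add up to: the single-port static PAT that only translated inbound 443, the one-to-one static that fixed it, and the access-lists bound to the interfaces (which answers the "how and where is the acl applied" and "hit count" questions). It assumes the interface nameifs WAN and DMZ from the posted static lines; the ACL names and the real port on the PAT line (omitted in the post's copy) are assumptions.

```cisco
! --- Before: static PAT for one port only (reconstructed from the post,
! --- with the real port "https" added, which the pasted copy omits) ---
! Inbound 443 is translated, but the server's own outbound connections
! on any other port have no translation, so the SYN to port 25 either
! leaves with an unroutable 192.168.110.1 source or is dropped under
! nat-control; no reply comes back and the live log shows TCP TIMEOUT.
static (DMZ,WAN) tcp interface https 192.168.110.1 https netmask 255.255.255.255

! --- After: one-to-one static NAT (the line mathieu47 posted) ---
! Every port of 192.168.110.1 now maps to 10.0.0.100 in both directions,
! so outbound SMTP leaves the WAN with a routable source address.
static (DMZ,WAN) 10.0.0.100 192.168.110.1 netmask 255.255.255.255

! Inbound: only HTTPS, to the server's *mapped* address (pre-8.3 ACLs
! match on the translated address). The 1:1 static exposes every port,
! so this ACL is the only thing keeping the others closed.
! (ACL name WAN_access_in is hypothetical.)
access-list WAN_access_in extended permit tcp any host 10.0.0.100 eq https
access-group WAN_access_in in interface WAN

! Outbound from the DMZ: only SMTP from the server. Once an ACL is bound
! to the DMZ interface, the implicit deny applies to everything else, so
! any other flow the server needs (e.g. DNS) must be permitted here too.
! (ACL name DMZ_access_in is hypothetical.)
access-list DMZ_access_in extended permit tcp host 192.168.110.1 any eq smtp
access-group DMZ_access_in in interface DMZ

! Verification: the (hitcnt=N) counter on each ACE in "show access-list"
! is the "hit count" from the reply; it increments per matching packet.
! "show xlate" confirms the 192.168.110.1 <-> 10.0.0.100 translation.
show access-list DMZ_access_in
show xlate
```

A zero hit count while the server is retrying SMTP means the packet never reached this ACL (wrong interface, or dropped earlier for lack of a translation), which is exactly the symptom in the first post.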
