SMTP and POP3

Unanswered Question
Jul 6th, 2008

Friends, I have an ASA 5520 and opened the SMTP and POP3 ports. I want to be sure that I did everything OK. The Outside interface IP is 1.2.3.4, and 10.0.0.10 is the mail server (Microsoft Exchange).


I created ACL:

1) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3

2) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp

and static nat:

1) static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255

2) static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 smtp netmask 255.255.255.255



Need advice...)))


Regards

srue Sun, 07/06/2008 - 04:59

no static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255

no static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 smtp netmask 255.255.255.255


static (Inside,Outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255

static (Inside,Outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255

batumibatumi Sun, 07/06/2008 - 07:11

1). static (Inside,Outside) tcp interface smtp 10.0.0.10 smtp netmask 255.255.255.255

2). static (Inside,Outside) tcp interface pop3 10.0.0.10 pop3 netmask 255.255.255.255


and my ACL is correct. I mean this static NAT with this ACL is OK ...


1) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3

2) access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp


I created the ACL and static NAT on the outside interface... Am I right ... ?!


In this case with this configuration smtp and pop3 will work properly ... ?!


srue, great thanks, it's very kind of you to help me ... :))) thanks once more...


Regards

srue Sun, 07/06/2008 - 16:11

no access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3

no access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp


access-list Outside_access_in extended permit tcp any interface outside eq pop3

access-list Outside_access_in extended permit tcp any interface outside eq smtp

cisco24x7 Sun, 07/06/2008 - 17:05

Aren't they accomplishing the same thing?


CiscoPix# sh ip

System IP Addresses:

Interface Name IP address Subnet mask Method

Ethernet0 outside 192.168.0.25 255.255.255.128 CONFIG

Ethernet1 inside 172.20.20.254 255.255.255.0 CONFIG

Current IP Addresses:

Interface Name IP address Subnet mask Method

Ethernet0 outside 192.168.0.25 255.255.255.128 CONFIG

Ethernet1 inside 172.20.20.254 255.255.255.0 CONFIG

CiscoPix# sh run static | i 172.20

static (inside,outside) tcp interface 222 172.20.20.1 ssh netmask 255.255.255.255

CiscoPix# sh run | i access-list External

access-list External extended permit icmp any any log

access-list External extended permit tcp any host 192.168.0.25 eq 222 log

CiscoPix#


[[email protected]-lab root]# ssh -p 222 -l admin 192.168.0.25

[email protected]'s password:

Last login: Mon Jul 7 01:57:44 2008 from 10.250.97.9

[[email protected]]#


CiscoPix# sh access-list External

access-list External; 2 elements

access-list External line 1 extended permit icmp any any log informational interval 300 (hitcnt=0) 0xa53e0e51

access-list External line 2 extended permit tcp any host 192.168.0.25 eq 222 log informational interval 300 (hitcnt=2) 0x8b240e30

CiscoPix#



batumibatumi Sun, 07/06/2008 - 22:41

It means that I have to change

access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp

access-list Outside_access_in extended permit tcp any interface outside eq smtp


But now with my config permit tcp any host 1.2.3.4 I can telnet, open 1.2.3.4 25 from the Internet, and I think it works properly 'cause I can access it.

srue, I believe you and do exactly what you said :))))

Regards
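
An added example, not part of the thread or any poster's configuration: a small Python audit of the pre-8.3 `static` and `access-list` command forms quoted above, reporting duplicate mapped ports, mapped/real port mismatches, and statics or permits without a counterpart. The names `audit`, `outside_ip` and `AS_POSTED` are assumptions of this example, and `interface` is treated as the outside address supplied by the caller.

```python
import re

# Matches only the pre-8.3 command forms quoted in this thread.
STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask \S+$", re.I)
ACL_RE = re.compile(
    r"^access-list \S+ extended permit tcp any "
    r"(?:host (\S+)|interface \w+) eq (\S+)", re.I)

# Constructed sample: the first post's commands without the list numbering.
AS_POSTED = """
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq pop3
access-list Outside_access_in extended permit tcp any host 1.2.3.4 eq smtp
static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp 1.2.3.4 pop3 10.0.0.10 smtp netmask 255.255.255.255
"""


def audit(config, outside_ip):
    """Return findings for static PAT/ACL lines; outside_ip is caller-supplied."""
    statics, permits, findings, seen = [], set(), [], {}
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if m := STATIC_RE.match(line):
            mapped, mport, real, rport = m.groups()[2:]
            # 'interface' means the mapped interface's own address
            mapped = outside_ip if mapped.lower() == "interface" else mapped
            statics.append((mapped, mport.lower(), f"{real}:{rport.lower()}"))
        elif m := ACL_RE.match(line):
            # assumption: 'interface <name>' in the ACL refers to outside_ip
            permits.add((m.group(1) or outside_ip, m.group(2).lower()))
    for mapped, mport, target in statics:
        key = (mapped, mport)
        if key in seen:
            findings.append(f"duplicate mapped {mapped}:{mport} -> {seen[key]} and {target}")
        seen.setdefault(key, target)
        # ports are compared literally: 'smtp' vs '25' would also be reported
        if mport != target.rsplit(":", 1)[1]:
            findings.append(f"port redirect {mapped}:{mport} -> {target}")
        if key not in permits:
            findings.append(f"no ACL permit for {mapped}:{mport}")
    for ip, port in sorted(permits - set(seen)):
        findings.append(f"ACL permits {ip}:{port} but no static maps it")
    return findings


if __name__ == "__main__":
    for finding in audit(AS_POSTED, "1.2.3.4"):
        print(finding)
```

A port redirect finding is a prompt for review rather than an error, since a redirect such as the 222-to-ssh mapping shown earlier in the thread can be intentional.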
