ASA 5510 Mailserver DMZ

Carsten Radke
Level 1

Hi, I'm in the process of changing from PIX to ASA.

I have a small problem connecting from the Internet to the mail server in the DMZ.

What am I doing wrong?

The config:

ASA Version 7.0(8)
!
hostname gateway
domain-name test.de
enable password xxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 8.26.247.170 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list outside_access_in extended permit tcp any host 8.26.247.171 eq smtp
access-list outside_access_in extended deny ip any any
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (dmz,outside) 8.26.247.171 192.168.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8.26.247.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username radke password xxxxxxxxx encrypted privilege 15
http server enable
http 192.168.1.66 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

4 Replies

Hey,

Your config looks perfect and simple to me. I am surprised that it is not working.

Is it working from Inside?

adamclarkuk_2
Level 4

ASA config looks good.

Check the IP details on your server, including the default gateway settings, and check that the server's mail app hasn't crashed and is listening on TCP port 25.

Also try clearing the translation table with the clear xlate command.

rickeyrobertson
Level 1

If you cannot telnet to the mail server address from the outside on port 25, check and see if your outside ACEs are getting any hits; if not, you may need to reset any routing device in front of the ASA, if you have control over it, so that it can build a proper ARP table. That was my issue when I upgraded from a PIX to an ASA. Check the "Outside access in through asa 5510" post. Exact same problem with SMTP traffic.

The configuration is OK; maybe re-check the IPs and then run the packet-tracer command (available on ASA 7.2 and later only), or a simple telnet as others suggested. Also make sure the SMTP server has a default route and the service is working properly.

Regards

Farrukh
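A verification sequence on the ASA itself, added here as an example rather than taken from any of the replies, that ties together the checks they mention (ACE hit counts, the translation table, ARP) and adds packet captures on both interfaces so the point where inbound SMTP stops can be located without packet-tracer, which is not available on 7.0(8). It uses the addresses and ACL name from the posted config; the capture names and the access-lists `cap_smtp_out` / `cap_smtp_dmz` are names chosen for this example.

```text
! Added example: find where inbound SMTP to the DMZ host is lost.
! Addresses and outside_access_in come from the config above; the
! capture names and cap_smtp_* access-lists are chosen for this example.

! 1. Does the outside ACL see the connection at all? Read hitcnt on the
!    permit-smtp ACE while an Internet host connects to 8.26.247.171:25.
!    Zero hits means the packets never reach the outside interface
!    (upstream router still has the old PIX MAC for 8.26.247.171 in its
!    ARP cache, or routes the address elsewhere).
show access-list outside_access_in

! 2. Is the static translation present? The static shows up in the xlate
!    table on its own; clear xlate removes stale entries (and drops every
!    active connection, so do it in a maintenance window).
show xlate
clear xlate
!    Note: with nat-control, a test from the inside LAN to 192.168.0.11
!    also needs an inside->dmz translation (for example global (dmz) 1
!    interface); without one those packets are dropped with "no
!    translation group found" and say nothing about the outside path.

! 3. Capture SMTP on both sides. On outside the destination is the mapped
!    address, on dmz it is the real address, so two capture ACLs are needed.
access-list cap_smtp_out extended permit tcp any host 8.26.247.171 eq smtp
access-list cap_smtp_out extended permit tcp host 8.26.247.171 eq smtp any
access-list cap_smtp_dmz extended permit tcp any host 192.168.0.11 eq smtp
access-list cap_smtp_dmz extended permit tcp host 192.168.0.11 eq smtp any
capture cap_out interface outside access-list cap_smtp_out
capture cap_dmz interface dmz access-list cap_smtp_dmz
! ... now open a TCP connection to 8.26.247.171 port 25 from outside ...
show capture cap_out
show capture cap_dmz
show conn
show arp
show logging
! Reading the result:
!   SYN in cap_out, nothing in cap_dmz  -> dropped inside the ASA; the ACL
!                                          or NAT deny appears in show logging
!   SYN in cap_dmz, no SYN/ACK back     -> server side: nothing listening on
!                                          25, wrong default gateway, or ARP
!   SYN/ACK in cap_dmz, not in cap_out  -> return path / translation problem

! 4. Remove the captures and their access-lists when finished.
no capture cap_out
no capture cap_dmz
clear configure access-list cap_smtp_out
clear configure access-list cap_smtp_dmz
```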
