Cisco ASA DMZ for Microsoft Exchange

harishbabum
Level 1

I have a Cisco ASA 5510 with the following interfaces:

1) Ethernet 0 - 192.167.50.1/29 (Outside)
2) Ethernet 1 - 192.168.50.1/24 (Inside)
3) Ethernet 2 - 192.169.50.1/24 (DMZ)

I need assistance configuring the ASA for my Exchange Edge server in the DMZ. I need the same public IP to be mapped to the Exchange server in the DMZ and to the ISA server on the inside network. Between the DMZ and the inside network I need to allow the following ports:

- LDAP - Port 50389 (TCP)
- Secure LDAP - Port 50636 (TCP & UDP)
- SMTP - Port 25 (TCP)
- RDP - Port 3389 (TCP) (Optional)

Please check the configuration below and the attached diagram.

-------------------------------------------------

ASA Version 8.2(1)
!
hostname ASA
domain-name cisco.com
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.167.50.1 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.169.50.1 255.255.255.0
!
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 100 extended permit tcp any host 192.167.50.2 eq smtp
access-list 100 extended permit tcp any host 192.167.50.2 eq www
access-list 100 extended permit tcp any host 192.167.50.2 eq 3000
access-list 100 extended permit tcp any host 192.167.50.2 eq 366
access-list 100 extended permit tcp any host 192.167.50.2 eq imap4
access-list 100 extended permit tcp any host 192.167.50.2 eq domain
access-list 100 extended permit tcp any host 192.167.50.2 eq ldap
access-list 100 extended permit tcp any host 192.167.50.2 eq 3002
access-list 100 extended permit tcp any host 192.167.50.2 eq 1000
access-list 100 extended permit tcp any host 192.167.50.2 eq pop3
access-list 300 extended permit tcp host 192.169.50.4 any eq smtp
access-list 300 extended permit tcp host 192.169.50.4 any eq 50389
access-list 300 extended permit tcp host 192.169.50.4 any eq 50636
access-list 300 extended permit udp host 192.169.50.4 any eq 50636
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
global (outside) 10 192.167.50.3 netmask 255.255.255.248
nat (inside) 10 192.168.50.0 255.255.255.0
static (outside,inside) tcp 192.168.50.1 www 192.167.50.2 www netmask 255.255.255.255
static (outside,inside) tcp 192.168.50.1 https 192.167.50.2 https netmask 255.255.255.255
static (outside,DMZ) tcp 192.169.50.4 smtp 192.167.50.2 smtp netmask 255.255.255.255
access-group 100 in interface outside
access-group 300 in interface outside
route outside 0.0.0.0 0.0.0.0 192.167.50.4 1


Panos Kampanakis
Cisco Employee

Your config looks good, with some minor issues. First, I see two ACLs applied on the outside interface.

Probably you wanted to do

access-group 300 in interface DMZ

You have

static (outside,inside) tcp 192.168.50.1 www 192.167.50.2 www netmask 255.255.255.255
static (outside,inside) tcp 192.168.50.1 https 192.167.50.2 https netmask 255.255.255.255
static (outside,DMZ) tcp 192.169.50.4 smtp 192.167.50.2 smtp netmask 255.255.255.255

I am guessing that 192.168.50.1 is the ISA on the inside and 192.169.50.4 is the Exchange. Then you would want to do

static (inside,outside) tcp 192.167.50.2 www 192.168.50.1 www netmask 255.255.255.255
static (inside,outside) tcp 192.167.50.2 https 192.168.50.1 https netmask 255.255.255.255
static (DMZ,outside) tcp 192.167.50.2 smtp 192.169.50.4 smtp netmask 255.255.255.255

I hope it helps.

PK
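The argument order of the pre-8.3 `static` command is the trap the reply above points at: the interface pair names the real (server-side) interface first, but the address list names the mapped (public) address first. The following Python script is an added example, not code from the thread or from Cisco, that parses an ASA 8.2 `static` line into its real and mapped sides and checks whether the line actually publishes a given server. The `publishes()` helper and the small service-name table are my own assumptions, and the two sample lines are the original poster's SMTP static and the corrected one from the reply.

```python
import re
from typing import Optional

# Service names from the thread, resolved to the numbers the ASA uses for them (assumed table).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

# Sample lines taken from the thread: the original poster's version and the corrected one.
OP_SMTP = "static (outside,DMZ) tcp 192.169.50.4 smtp 192.167.50.2 smtp netmask 255.255.255.255"
FIXED_SMTP = "static (DMZ,outside) tcp 192.167.50.2 smtp 192.169.50.4 smtp netmask 255.255.255.255"


def port_number(token: Optional[str]) -> Optional[int]:
    """Resolve a port token such as 'smtp' or '50389' to an integer; None if absent."""
    if token is None:
        return None
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


def parse_static(line: str) -> dict:
    """Parse an ASA 8.2 'static' command into its real and mapped sides.

    8.2 syntax: static (real_if,mapped_if) [tcp|udp] mapped_ip [mapped_port]
                real_ip [real_port] netmask mask
    The interface pair lists the REAL interface first, the address list lists the
    MAPPED address first; mixing those up is the error this helper makes visible.
    """
    m = re.fullmatch(r"\s*static\s*\(([\w-]+),([\w-]+)\)\s*(.+?)\s*", line)
    if not m:
        raise ValueError(f"not a static command: {line!r}")
    real_if, mapped_if, rest = m.groups()
    tokens = rest.split()
    proto = None
    if tokens and tokens[0].lower() in ("tcp", "udp"):
        proto = tokens.pop(0).lower()
    mask = "255.255.255.255"  # a host static may omit the netmask keyword
    if "netmask" in tokens:
        i = tokens.index("netmask")
        mask = tokens[i + 1]
        tokens = tokens[:i]
    if proto is not None:
        if len(tokens) != 4:
            raise ValueError(f"port static needs mapped_ip mapped_port real_ip real_port: {line!r}")
        mapped_ip, mapped_port, real_ip, real_port = tokens
    else:
        if len(tokens) != 2:
            raise ValueError(f"static needs mapped_ip real_ip: {line!r}")
        mapped_ip, real_ip = tokens
        mapped_port = real_port = None
    return {
        "real_if": real_if, "real_ip": real_ip, "real_port": port_number(real_port),
        "mapped_if": mapped_if, "mapped_ip": mapped_ip, "mapped_port": port_number(mapped_port),
        "proto": proto, "mask": mask,
    }


def publishes(static: dict, server_if: str, server_ip: str, public_ip: str) -> bool:
    """True if this static exposes server_ip (which lives on server_if) as public_ip."""
    return (static["real_if"].lower() == server_if.lower()
            and static["real_ip"] == server_ip
            and static["mapped_ip"] == public_ip)


if __name__ == "__main__":
    for line in (OP_SMTP, FIXED_SMTP):
        s = parse_static(line)
        ok = publishes(s, "DMZ", "192.169.50.4", "192.167.50.2")
        print(f"{'OK ' if ok else 'BAD'} real {s['real_if']}:{s['real_ip']} "
              f"-> mapped {s['mapped_if']}:{s['mapped_ip']}   {line}")
```

Run stand-alone it prints BAD for the original line (its "real" host is the public address on the outside interface, so nothing on the DMZ is published) and OK for the corrected one. The same check works for the two ISA lines by passing "inside" and 192.168.50.1.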

ccarreto
Level 1

Hi,

that seems to be strange:

>access-group 100 in interface outside
>access-group 300 in interface outside

I would configure the following

access-list 100 extended permit tcp any host 192.167.50.2 eq smtp
access-list 100 extended permit tcp any host 192.167.50.2 eq www
access-list 100 extended permit tcp any host 192.167.50.2 eq 443
access-group 100 in interface outside

access-list 200 extended permit tcp host 192.169.50.4 any eq smtp
access-list 200 extended permit tcp host 192.169.50.4 any eq 50389
access-list 200 extended permit tcp host 192.169.50.4 any eq 50636
access-list 200 extended permit udp host 192.169.50.4 any eq 50636
access-list 200 extended permit tcp host 192.169.50.4 any eq 3389
access-list 200 extended deny ip 192.169.50.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 200 extended permit ip any any
access-group 200 in interface dmz

access-list 300 extended permit tcp any host 192.169.50.4 eq smtp
access-list 300 extended permit tcp any host 192.169.50.4 eq 50389
access-list 300 extended permit tcp any host 192.169.50.4 eq 50636
access-list 300 extended permit udp any host 192.169.50.4 eq 50636
access-list 300 extended permit tcp any host 192.169.50.4 eq 3389
access-list 300 extended deny ip 192.168.50.0 255.255.255.0 192.169.50.0 255.255.255.0
access-list 300 extended permit ip any any
access-group 300 in interface inside

Additionally, you have to configure a NoNat between DMZ and inside! And if you are starting connections from DMZ to inside you may need

static (dmz,inside) 192.168.50.2 192.168.50.2

Regards, Celio
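The DMZ access-list above relies on ordering: the specific permits for the Exchange host come first, then a deny for everything else from the DMZ into the inside network, then a catch-all permit so the DMZ can still reach the Internet. The script below is an added example, not code from the thread or from Cisco; it implements first-match evaluation with the implicit deny at the end and runs the reply's ACL 200 (with the two network entries written as NET MASK, which is the form the ASA accepts) over a handful of flows. The inside address 192.168.50.10, the second DMZ host 192.169.50.7 and the Internet address 203.0.113.5 are constructed for the example, and only the inbound check on the DMZ interface is modelled, not NAT or return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names the ASA accepts in place of numbers (assumed table, only what is needed here).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "ldap": 389}

# The DMZ-facing access-list from the reply, with the network entries in NET MASK form.
ACL_200 = """
access-list 200 extended permit tcp host 192.169.50.4 any eq smtp
access-list 200 extended permit tcp host 192.169.50.4 any eq 50389
access-list 200 extended permit tcp host 192.169.50.4 any eq 50636
access-list 200 extended permit udp host 192.169.50.4 any eq 50636
access-list 200 extended permit tcp host 192.169.50.4 any eq 3389
access-list 200 extended deny ip 192.169.50.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list 200 extended permit ip any any
""".strip().splitlines()


@dataclass
class Ace:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip', 'tcp' or 'udp'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]        # None when there is no 'eq PORT' qualifier
    text: str                      # original line, reported on match


def _address(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec at tokens[i]: any | host A.B.C.D | NET MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA access-lists use ordinary subnet masks, not wildcard masks.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines: List[str], name: str) -> List[Ace]:
    """Parse the 'access-list NAME extended ...' entries, preserving their order."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto = t[3], t[4]
        src, i = _address(t, 5)
        dst, i = _address(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
        aces.append(Ace(action, proto, src, dst, port, line))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """First matching entry decides; an unmatched packet hits the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny at end of access-list"


if __name__ == "__main__":
    acl = parse_acl(ACL_200, "200")
    flows = [  # (proto, src, dst, dst_port): constructed sample traffic
        ("tcp", "192.169.50.4", "192.168.50.10", 50389),   # Exchange -> inside LDAP
        ("udp", "192.169.50.4", "192.168.50.10", 50636),   # Exchange -> inside secure LDAP
        ("tcp", "192.169.50.4", "192.168.50.10", 445),     # Exchange -> inside SMB
        ("tcp", "192.169.50.7", "192.168.50.10", 25),      # other DMZ host -> inside SMTP
        ("tcp", "192.169.50.4", "203.0.113.5", 25),        # Exchange -> Internet SMTP
        ("tcp", "192.169.50.7", "203.0.113.5", 80),        # other DMZ host -> Internet web
    ]
    for proto, s, d, p in flows:
        action, why = evaluate(acl, proto, s, d, p)
        print(f"{action:6} {proto} {s} -> {d}:{p}   ({why})")
```

Running it shows the intended split: the Exchange host reaches the inside on exactly the listed ports, any other DMZ-to-inside traffic (a different port, or a different DMZ host) is caught by the explicit deny before the catch-all, and DMZ-to-Internet traffic still passes. On the real firewall the DMZ-to-inside flows additionally need the NAT exemption or identity static mentioned in the reply, otherwise the packets are dropped for lack of a translation before this access-list ever decides.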

Hi Celio,

Thank you for your suggestions.

It would be very helpful if you could please provide the NAT configuration for both inside-to-DMZ and DMZ-to-inside.

Regards

Harish Babu
