I am facing a problem where outside users cannot access my webmail application (https://mail.xxx.com).
1. The error message shown in the browser is "The server at mail.xxx.com is taking too long to respond."
2. From outside, I can still ping the mail server's external IP.
3. From the internal LAN, access to the webmail service is OK.
I just want to make sure whether the border router, newly running IOS ZBF, is causing any conflict between the external firewall and internal firewall design
shown in the network topology.
So, traffic traversing from the Internet into the LAN / DMZ must go through the border router.
Currently, the border router just implements the IOS zone-pair firewall, where the zone-pair is as shown below:
1. zone-pair security ccp-zp-in-out source in-zone destination out-zone
2. policy inspect on the class-map ccp-insp-traffic
match protocol http and match protocol https
3. The border router's routing will pass the traffic on to the ASA FW as the threshold, either doing NAT to get into the private network or traversing between DMZ servers.
4. The mail server IP is 184.108.40.206 /28, which is in the same subnet as the ASA FW.
Did I miss anything? Should I build another policy for out-zone -> in-zone?
Should the ACL permit any 220.127.116.11 0.0.0.16, allowing the protocols domain, 443, 80, smtp?
(I tried, but no go.)
Hints and ideas are needed to solve this mystery, thank you.
> Did I miss anything? Should I build another policy for out-zone -> in-zone?
Yes, we will need another zone pair created from out-zone to in-zone and explicitly allow traffic to the mail server's IP address (18.104.22.168) on TCP ports 80 and 443.
Another thing you can do to check whether the border router is forwarding packets to the ASA is to apply captures on the ASA's outside interface.
Below is a useful document for ZBF which you can use for reference:
All the best!
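To illustrate the out-zone -> in-zone zone pair the reply describes, here is an added IOS ZBF configuration example. It is not from the thread or from any Cisco document; it reuses the zone names in-zone and out-zone from the question, while the ACL, class-map, policy-map and zone-pair names are my own, and 203.0.113.25 is a constructed placeholder for the mail server's public IP (substitute the real address). Only TCP 80 and 443 are permitted inbound; everything else from out-zone to in-zone is dropped and logged by the class-default.

```ios
! Added example (not the thread's or Cisco's own config).
! Assumes zones in-zone and out-zone already exist and are bound to interfaces.
! 203.0.113.25 is a constructed placeholder for the webmail server's public IP.
ip access-list extended ACL-OUT-IN-WEBMAIL
 permit tcp any host 203.0.113.25 eq 80
 permit tcp any host 203.0.113.25 eq 443
!
! Match only flows that hit the ACL above.
class-map type inspect match-all CM-OUT-IN-WEBMAIL
 match access-group name ACL-OUT-IN-WEBMAIL
!
! Stateful inspection for the webmail flows; drop and log anything else
! arriving from the Internet side so the default-deny is visible in the logs.
policy-map type inspect PM-OUT-IN
 class type inspect CM-OUT-IN-WEBMAIL
  inspect
 class class-default
  drop log
!
! The missing direction: Internet (out-zone) towards the LAN/DMZ (in-zone).
zone-pair security zp-out-in source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
```

After applying it, `show zone-pair security` confirms both directions exist, and `show policy-map type inspect zone-pair zp-out-in sessions` should list inbound sessions to the placeholder address on 80/443 while an outside client loads the page; if the session counter stays at zero, the traffic is not reaching the router's outside interface and the problem is upstream. Note that an ACL for a single host uses `host x.x.x.x` (wildcard 0.0.0.0), and a /28 uses wildcard 0.0.0.15, not 0.0.0.16. To check the second point in the reply, a capture on the ASA such as `capture CAPIN interface outside match tcp any host 203.0.113.25 eq 443`, read back with `show capture CAPIN`, shows whether the border router is actually forwarding the packets onward.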