I'm facing a problem. I have created a DMZ on the ASA, with a subinterface, for 2 Exchange servers with 2 NIC cards each, 1 for internal and 1 for external.
The DMZ Exchange server wants to communicate with the inside network Exchange server on the protocols ESMTP and TLS. I have opened every port between the inside Exchange and the DMZ Exchange by specifying the access-lists below, but it doesn't work.
acl-inside extended permit ip host 10.X.X.X host 10.X.X.X
access-list DMZ2 extended permit ip any any
Also I have done static identity NAT for the internal Exchange servers to go to the DMZ:
static (inside,DMZ2) 10.10.12.23 10.10.12.23 netmask 255.255.255.255
When I move the DMZ Exchange server's internal NIC from the firewall to the core switch it works. What am I missing???
Please add this as line 1 in the ACL:
access-list csc-acl line 1 deny tcp host d.d.d.d host i.i.i.i eq 25
d.d.d.d - dmz e-mail server ip address
i.i.i.i - inside e-mail server IP address
Let me know.
If you suspect the CSC and want to bypass SMTP traffic between the internal and dmz servers, then please insert these access-list lines:
access-list csc-acl line 1 deny ip host host
access-list csc-acl line 2 deny ip host host
One thing that is not clear to me is the two-NIC part. Does the server have two NICs? If it has two NICs, what would be its default gateway? Does it have a route statement for the internal network pointing to the ASA's DMZ address?
Message was edited by: Nagaraja Thanthry
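Added example (not from the thread or from Cisco): a small Python model of first-match ACL evaluation for a class-map "match access-list", showing why the replies insert the deny at line 1. In a class-map match ACL a deny ACE means "do not classify this flow", so the mail flow bypasses the CSC scan while other SMTP is still scanned; the DMZ address is constructed and csc-acl is the name used in the replies.

```python
import re
# ACE grammar as written in the thread; 'line N' and 'extended' are optional.
ACE_RE = re.compile(
    r"^access-list\s+\S+(?:\s+line\s+(?P<line>\d+))?(?:\s+extended)?"
    r"\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp)"
    r"\s+(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<port>\d+))?$")

def parse_ace(text):
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsed ACE: {text}")
    host = lambda f: "any" if f == "any" else f.split()[1]
    line = int(m["line"]) if m["line"] else None
    port = int(m["port"]) if m["port"] else None
    return line, (m["action"], m["proto"], host(m["src"]), host(m["dst"]), port)

def ace_matches(ace, proto, src, dst, dport):
    _action, aproto, asrc, adst, aport = ace
    return (aproto in ("ip", proto) and asrc in ("any", src)
            and adst in ("any", dst) and (aport is None or aport == dport))

class Acl:
    """Ordered ACEs evaluated first-match, as on the ASA."""
    def __init__(self, *lines):
        self.aces = []
        for text in lines:
            self.add(text)
    def add(self, text):
        line, ace = parse_ace(text)
        # 'line N' inserts at 1-based position N; otherwise the ACE is appended.
        self.aces.insert(len(self.aces) if line is None else line - 1, ace)
    def classify(self, proto, src, dst, dport=None):
        """'scan': first matching ACE permits (flow enters the CSC class);
        'bypass': first matching ACE denies, or nothing matches (implicit deny)."""
        for ace in self.aces:
            if ace_matches(ace, proto, src, dst, dport):
                return "scan" if ace[0] == "permit" else "bypass"
        return "bypass"

def demo(dmz_mail="10.10.13.20", inside_mail="10.10.12.23"):
    """dmz_mail is constructed; inside_mail is the inside server from the thread."""
    acl = Acl("access-list csc-acl extended permit tcp any any eq 25")  # scan all SMTP
    before = acl.classify("tcp", dmz_mail, inside_mail, 25)
    exempt = f"deny tcp host {dmz_mail} host {inside_mail} eq 25"
    acl.add(f"access-list csc-acl line 1 {exempt}")
    after = acl.classify("tcp", dmz_mail, inside_mail, 25)
    other = acl.classify("tcp", "192.0.2.10", inside_mail, 25)  # other SMTP still scanned
    # Appending the deny instead of inserting it at line 1 leaves it unreachable.
    late = Acl("access-list csc-acl permit tcp any any eq 25", f"access-list csc-acl {exempt}")
    return before, after, other, late.classify("tcp", dmz_mail, inside_mail, 25)
```

Running demo() returns ('scan', 'bypass', 'scan', 'scan'): the mail flow is exempted only when the deny precedes the broad permit.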
Looks like you have a CSC module scanning traffic. You may want to exempt the flow between the e-mail servers in question (the one on the inside and the one on the DMZ) from being scanned.
Please post the following:
sh run class-map csc-ftp-class
sh run class-map csc-class
Also copy and paste the access-list that is associated with the above two class-maps.
If you use ASDM, go to:
Configuration --> Firewall --> Service Policy Rules --> highlight the "inspection_default" --> Edit --> click on the "Rule Actions" tab --> untick "ESMTP" --> OK --> Apply
Alternatively, if you are using CLI:
no inspect esmtp