ASA-DMZ

Answered Question
Aug 28th, 2010

Hello Dears,


I'm facing a problem. I have created a DMZ on the ASA, with a subinterface, for 2 Exchange servers with 2 NIC cards each, 1 for internal and 1 for external.

The DMZ Exchange server wants to communicate with the inside-network Exchange server on the protocols ESMTP and TLS. I have opened each and every port between the inside Exchange and the DMZ Exchange by specifying the access-list below, but it doesn't work.


access-list acl-inside extended permit ip host 10.X.X.X host 10.X.X.X


And


access-list DMZ2 extended permit ip any any


Also I have done static identity NAT for the internal Exchange servers to go to the DMZ.


static (inside,DMZ2) 10.10.12.23 10.10.12.23 netmask 255.255.255.255


STRANGE:


When I move the DMZ Exchange server's internal NIC from the firewall to the core switch, it works. What am I missing???


Please help.

Jennifer Halim Sat, 08/28/2010 - 04:14
User Badges: Cisco Employee

Try disabling esmtp inspection and see if that resolves your issue.


Otherwise, enable logging and check the logs which might give us more information why it's failing.

Correct Answer
Jennifer Halim Sat, 08/28/2010 - 06:44
User Badges: Cisco Employee

If you use ASDM, go to:

Configuration --> Firewall --> Service Policy Rules --> highlight the "inspection_default" --> Edit --> click on the "Rule Actions" tab --> untick "ESMTP" --> OK --> Apply


Alternatively, if you are using CLI:

policy-map global_policy
       class inspection_default
          no inspect esmtp

estelamathew Sat, 08/28/2010 - 09:05

Hello Helijenn,


But in the global policy map there is no inspection for ESMTP. Below are the configs. I have a CSC SSM module installed; is it that which is making the problem?


policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
class csc-ftp-class
  csc fail-open
class csc-class
  csc fail-open
class no_check_ttl
  set connection advanced-options ttl_map
!
service-policy global_policy global

Correct Answer
Kureli Sankar Sat, 08/28/2010 - 10:33
User Badges: Cisco Employee

Estela,

Looks like you have a CSC module scanning traffic. You may want to deny the flow between the e-mail servers in question (the one on the inside and the one on the DMZ) from being scanned.


Please post the following:

sh run class-map csc-ftp-class

sh run class-map csc-class


Also copy and paste the access-list that is associated with the above two class-maps.


-KS

estelamathew Sat, 08/28/2010 - 12:00

Hello Kusankar,


I can't post the sh run for the class-map as of now; I'm out of the office. Please have a look at the access-lists for the class-maps.


access-list csc-acl-ftp extended permit tcp any any eq ftp


access-list csc-acl extended deny ip host 10.10.10.10 any
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp


access-list acl_ttl extended permit ip any host 95.1.1.1
access-list acl_ttl extended permit ip host 95.1.1.1 any



class-map csc-class
match access-list csc-acl
class-map csc-ftp-class
match access-list csc-acl-ftp


class-map no_check_ttl
match access-list acl_ttl
class-map type inspect im match-any 123
match service chat games webcam
match protocol msn-im yahoo-im
class-map inspection_default
match default-inspection-traffic



policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
class csc-ftp-class
  csc fail-open
class csc-class
  csc fail-open
class no_check_ttl
  set connection advanced-options ttl_map
!
service-policy global_policy global
prompt hostname context


Thanks,

Nagaraja Thanthry Sat, 08/28/2010 - 13:22
User Badges: Cisco Employee

Hello,


Based on your description, you have a layer 3 switch that connects the exchange server to the ASA. If my guess is correct, you are sharing that switch to connect your inside network as well. If my above assumption is correct, can you turn off the layer 3 interface (vlan interface) on the switch that corresponds to the dmz interface? If internal hosts have their default gateway set to the switch, the switch will try to locally route the return packets bypassing the ASA. ASA will block further packets from the DMZ device as it did not see the connection getting established completely.


Hope this helps.


Regards,


NT

estelamathew Sat, 08/28/2010 - 14:02

Hello Nagaraja,


Communication between the internal Exchange server and the Edge Exchange server in the DMZ is through the ASA; there is no direct connection from the DMZ servers (internal NIC) to the core Layer 3 switch. When I faced the communication problem through the ASA, I thought of an alternative: connecting the DMZ servers' internal NIC cards directly to the core switch. By doing that it worked, but by keeping the internal NIC on the ASA it doesn't. I hope the CSC is dropping packets???


Can you help me to exempt SMTP traffic from being scanned by the CSC?


Thanks

Correct Answer
Nagaraja Thanthry Sat, 08/28/2010 - 14:09
User Badges: Cisco Employee

Hello,


If you suspect the CSC and want to bypass SMTP traffic between the internal and dmz servers, then please insert these access-list lines:


access-list csc-acl line 1 deny ip host host

access-list csc-acl line 2 deny ip host host


One thing that is not clear to me is the two-NIC part. Does the server have two NICs? If it has two NICs, what would be its default gateway? Does it have a route statement for the internal network pointing to the ASA's DMZ address?


Regards,


NT


Message was edited by: Nagaraja Thanthry

Correct Answer
Kureli Sankar Sat, 08/28/2010 - 14:15
User Badges: Cisco Employee

Estella,

Please add this as line 1 in the ACL:


access-list csc-acl line 1 deny tcp host d.d.d.d host i.i.i.i eq 25


where


d.d.d.d - dmz e-mail server ip address

i.i.i.i - inside e-mail server ip address


Let me know.


-KS

estelamathew Sat, 08/28/2010 - 14:26

Hello Nagaraja,


Yes, the servers have 2 NIC cards, 1 external and 1 internal, with default gateways pointing to the ASA DMZ subinterfaces. I have added a static route in Windows Server for the internal network pointing to the ASA.


Hello Kusankar,


YES


That is what I was reading in the ASA 8.2 guide, and I found something doing the same as you suggest. I will do it tomorrow and I will confirm.


Thank you all for your support; I will rate the post once I get rid of this issue.

estelamathew Mon, 08/30/2010 - 04:28

Hello Kusankar,


Thank you very much.


I have added


access-list csc-acl line 1 deny tcp host d.d.d.d host i.i.i.i eq 25

access-list csc-acl line 2 deny tcp host i.i.i.i host d.d.d.d eq 25


With line 1 only, it doesn't work.


Thanks.
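The two accepted answers (Nagaraja's pair of deny entries and Kureli's line 1 / line 2 entries) and estelamathew's closing note that line 1 alone was not enough all rest on how the ASA evaluates the csc-acl: the first matching entry wins, and only a permit match places a flow in csc-class and therefore in front of the CSC module. The Python below is an added example, not code from this thread or from Cisco; it simulates that first-match evaluation over the csc-acl exactly as posted above and handles only the ACE syntax that appears in the thread. The addresses are placeholders: 192.0.2.10 stands in for d.d.d.d, and 10.10.12.23 (the inside address from the static NAT line in the original post) stands in for i.i.i.i.

```python
"""First-match simulation of the csc-acl from this thread (added example,
not ASA or Cisco code). Handles only the ACE syntax seen in the thread:
access-list NAME [line N] [extended] {permit|deny} {ip|tcp}
{any|host A} {any|host B} [eq PORT]."""
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "smtp": 25, "www": 80, "pop3": 110}
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>ip|tcp)\s+"
    r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" or "tcp"
    src: str              # "any" or a host address
    dst: str
    dport: Optional[int]  # None means any destination port

def _addr(token):
    return "any" if token == "any" else token.split()[1]

def _port(token):
    if token is None:
        return None
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def add_ace(acl, text):
    """Append an ACE, or with the 'line N' form insert it at position N
    (ASA line numbers are 1-based; later entries shift down)."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {text}")
    ace = Ace(m["action"], m["proto"], _addr(m["src"]), _addr(m["dst"]), _port(m["port"]))
    if m["line"] is None:
        acl.append(ace)
    else:
        acl.insert(int(m["line"]) - 1, ace)
    return acl

def _matches(ace, proto, src, dst, dport):
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    return ace.dport is None or ace.dport == dport

def first_match(acl, proto, src, dst, dport):
    """The first matching entry decides; no match is an implicit deny."""
    for ace in acl:
        if _matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"

def scanned_by_csc(acl, proto, src, dst, dport):
    """'class-map csc-class / match access-list csc-acl' puts a flow in the
    class only on a permit match; a deny (or no match) keeps it out of the
    class, so it is never redirected to the CSC module."""
    return first_match(acl, proto, src, dst, dport) == "permit"

# The csc-acl exactly as posted in the thread.
ORIGINAL_CSC_ACL = [
    "access-list csc-acl extended deny ip host 10.10.10.10 any",
    "access-list csc-acl extended permit tcp any any eq pop3",
    "access-list csc-acl extended permit tcp any any eq www",
    "access-list csc-acl extended permit tcp any any eq smtp",
]
# Placeholders for d.d.d.d (DMZ mail server) and i.i.i.i (inside mail server,
# here the inside address from the thread's static NAT line).
DMZ_MAIL = "192.0.2.10"
INSIDE_MAIL = "10.10.12.23"
# The bypass entries from the accepted answer, one per direction.
BYPASS_LINES = [
    f"access-list csc-acl line 1 deny tcp host {DMZ_MAIL} host {INSIDE_MAIL} eq 25",
    f"access-list csc-acl line 2 deny tcp host {INSIDE_MAIL} host {DMZ_MAIL} eq 25",
]
# The same entries without 'line N', i.e. appended after the existing permits.
APPENDED_LINES = [l.replace("line 1 ", "").replace("line 2 ", "") for l in BYPASS_LINES]

def build_acl(extra_lines=()):
    acl = []
    for text in list(ORIGINAL_CSC_ACL) + list(extra_lines):
        add_ace(acl, text)
    return acl

def mail_flows_scanned(acl):
    """(DMZ->inside, inside->DMZ) SMTP scan decisions for a given ACL."""
    return (scanned_by_csc(acl, "tcp", DMZ_MAIL, INSIDE_MAIL, 25),
            scanned_by_csc(acl, "tcp", INSIDE_MAIL, DMZ_MAIL, 25))

if __name__ == "__main__":
    for label, extra in [("original", ()), ("line 1 only", BYPASS_LINES[:1]),
                         ("lines 1 and 2", BYPASS_LINES), ("appended", APPENDED_LINES)]:
        d2i, i2d = mail_flows_scanned(build_acl(extra))
        print(f"{label:14s} dmz->inside scanned={d2i}  inside->dmz scanned={i2d}")
```

Running it shows the original ACL sending SMTP in both directions to the CSC, line 1 alone exempting only the DMZ-to-inside direction (which matches the final post), lines 1 and 2 exempting both, and the same two entries appended without `line N` exempting nothing, because `permit tcp any any eq smtp` matches first. Web and POP3 flows to other hosts are still classified for scanning. The simulation does not model the ESMTP inspection Jennifer mentioned or the asymmetric return path Nagaraja raised; those are separate checks.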
