08-28-2010 03:52 AM - edited 03-11-2019 11:31 AM
Hello Dears,
I'm facing a problem. I have created a DMZ on the ASA, with a subinterface, for 2 Exchange servers with 2 NIC cards each, 1 for internal and 1 for external.
The DMZ Exchange server wants to communicate with the inside-network Exchange server on the protocols ESMTP and TLS. I have opened each and every port between the inside Exchange and the DMZ Exchange by specifying the access-lists below, but it doesn't work.
acl-inside extended permit ip host 10.X.X.X host 10.X.X.X
And
access-list DMZ2 extended permit ip any any
Also, I have done a static identity NAT for the internal Exchange server to go to the DMZ:
static (inside,DMZ2) 10.10.12.23 10.10.12.23 netmask 255.255.255.255
STRANGE:
When I move the DMZ Exchange server's internal NIC from the firewall to the CORE switch, it works. Where am I missing something???
Please help.
08-28-2010 04:14 AM
Try disabling esmtp inspection and see if that resolves your issue.
Otherwise, enable logging and check the logs which might give us more information why it's failing.
08-28-2010 04:38 AM
Hello Halijenn,
How do I disable ESMTP inspection??
Thanks
08-28-2010 06:44 AM
If you use ASDM, go to:
Configuration --> Firewall --> Service Policy Rules --> highlight the "inspection_default" --> Edit --> click on the "Rule Actions" tab --> untick "ESMTP" --> OK --> Apply
Alternatively, if you are using CLI:
policy-map global_policy
class inspection_default
no inspect esmtp
08-28-2010 09:05 AM
Hello Helijenn,
But in the global policy map there is no inspection for ESMTP. Below are the configs. I have a CSC SSM module installed; could it be that this is causing the problem?
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
class csc-ftp-class
csc fail-open
class csc-class
csc fail-open
class no_check_ttl
set connection advanced-options ttl_map
!
service-policy global_policy global
08-28-2010 10:33 AM
Estela,
Looks like you have a CSC module scanning traffic. You may want to deny the flow between the e-mails servers (on the inside and the one on the dmz) in question from being scanned.
Pls. post the following:
sh run class-map csc-ftp-class
sh run class-map csc-class
Also copy and paste the access-list that is associated with the above two class-map.
-KS
08-28-2010 12:00 PM
Hello Kusankar,
I can't post the sh run for the class-maps, as right now I'm out of the office. Please have a look at the access-lists for the class-maps.
access-list csc-acl-ftp extended permit tcp any any eq ftp
access-list csc-acl extended deny ip host 10.10.10.10 any
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
access-list acl_ttl extended permit ip any host 95.1.1.1
access-list acl_ttl extended permit ip host 95.1.1.1 any
class-map csc-class
match access-list csc-acl
class-map csc-ftp-class
match access-list csc-acl-ftp
class-map no_check_ttl
match access-list acl_ttl
class-map type inspect im match-any 123
match service chat games webcam
match protocol msn-im yahoo-im
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
class csc-ftp-class
csc fail-open
class csc-class
csc fail-open
class no_check_ttl
set connection advanced-options ttl_map
!
service-policy global_policy global
prompt hostname context
Thanks,
08-28-2010 01:22 PM
Hello,
Based on your description, you have a layer 3 switch that connects the Exchange server to the ASA. If my guess is correct, you are sharing that switch to connect your inside network as well. If my above assumption is correct, can you turn off the layer 3 interface (VLAN interface) on the switch that corresponds to the DMZ interface? If internal hosts have their default gateway set to the switch, the switch will try to locally route the return packets, bypassing the ASA. The ASA will block further packets from the DMZ device as it did not see the connection getting established completely.
Hope this helps.
Regards,
NT
08-28-2010 02:02 PM
Hello Naqraja,
Communication between the internal Exchange server and the Edge Exchange server in the DMZ is through the ASA; there is no direct connection from the DMZ servers (internal NIC) to the core layer 3 switch. When I faced the communication problem through the ASA, I thought of an alternative: connecting the DMZ servers' internal NIC cards directly to the core switch. By doing that it worked, but by keeping the internal NIC on the ASA it doesn't. I hope the CSC is dropping packets???
Can you help me to exempt SMTP traffic from being scanned by the CSC?
Thanks
08-28-2010 02:09 PM
Hello,
If you suspect the CSC and want to bypass SMTP traffic between the internal and dmz servers, then please insert these access-list lines:
access-list csc-acl line 1 deny ip host
access-list csc-acl line 2 deny ip host
One thing that is not clear to me is the two NIC part. Does the server have two NIC? If it has two NICs, what would be its default gateway? Does it have a route statement for the internal network pointing to ASA's DMZ address?
Regards,
NT
Message was edited by: Nagaraja Thanthry
08-28-2010 02:15 PM
Estella,
Pls. add this as line 1 in the acl
access-list csc-acl line 1 deny tcp host d.d.d.d ho i.i.i.i eq 25
where
d.d.d.d - dmz e-mail server ip address
i.i.i.i - inside e-mail server ip address
Let me know.
-KS
08-28-2010 02:26 PM
Hello Naqraja,
Yes, the servers have 2 NIC cards, 1 external and 1 internal, with default gateways pointing to the ASA DMZ subinterfaces. I have added a static route in Windows Server for the internal network pointing to the ASA.
Hello Kusankar,
YES
That is what I was reading in the ASA 8.2 guide, and I found something doing the same as you suggest. I will do it tomorrow and I will confirm.
Thank you all for your support; I will rate the post once I get rid of this issue.
08-30-2010 04:28 AM
Hello Kusankar,
Thank you very much.
I have added
access-list csc-acl line 1 deny tcp host d.d.d.d ho i.i.i.i eq 25
access-list csc-acl line 2 deny tcp host i.i.i.i ho d.d.d.d eq 25
With line 1 only, it doesn't work.
Thanks.
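Added example (not part of the thread, and not Cisco's code): a small first-match evaluator for the subset of ASA extended-ACL syntax posted above. It models two things the thread turns on: `access-list NAME line N ...` inserts an entry at position N (so the bypass entries land above `permit tcp any any eq smtp`), and in a `class-map` that uses `match access-list`, a flow hitting a permit entry is classified into the class (here: sent to the CSC module), while a flow hitting a deny entry, or nothing at all, is not. It also shows why both directions were needed, and what happens if the deny lines are appended without `line N`. The inside address 10.10.12.23 is taken from the question's static; the DMZ address 10.10.20.5 is made up for the example.

```python
"""First-match evaluator for the ASA extended-ACL subset used in this thread.

Added example, not from the thread. Keyword abbreviations such as 'ho' for
'host' are accepted, as the ASA CLI does. DMZ_MAIL is a constructed address;
INSIDE_MAIL is the inside server address from the question's static NAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DMZ_MAIL = "10.10.20.5"      # constructed for the example (d.d.d.d in the thread)
INSIDE_MAIL = "10.10.12.23"  # from the question's 'static (inside,DMZ2)' line (i.i.i.i)

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "ftp": 21}

# The csc-acl as posted in the thread (before any bypass entries).
POSTED_CSC_ACL = [
    "access-list csc-acl extended deny ip host 10.10.10.10 any",
    "access-list csc-acl extended permit tcp any any eq pop3",
    "access-list csc-acl extended permit tcp any any eq www",
    "access-list csc-acl extended permit tcp any any eq smtp",
]


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' (abbreviations allowed) | 'A MASK'."""
    t = tok[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if "host".startswith(t):                       # 'h', 'ho', 'hos', 'host'
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t}/{tok[i + 1]}", strict=False), i + 2


def parse_line(line: str) -> Tuple[Ace, Optional[int]]:
    """Parse 'access-list NAME [line N] [extended] permit|deny PROTO SRC DST [eq PORT]'.

    Returns the entry and the 1-based position requested by 'line N' (or None).
    """
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    i, pos = 2, None
    if tok[i] == "line":
        pos, i = int(tok[i + 1]), i + 2
    if tok[i] == "extended":
        i += 1
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport), pos


class Acl:
    """Ordered ACL with ASA-style 'line N' insertion and first-match lookup."""

    def __init__(self) -> None:
        self.aces: List[Ace] = []

    def add(self, line: str) -> None:
        ace, pos = parse_line(line)
        if pos is None:
            self.aces.append(ace)          # no 'line N': appended at the end
        else:
            self.aces.insert(pos - 1, ace)  # ASA line numbers are 1-based

    def lookup(self, proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[int]]:
        """First matching entry wins; (deny, None) is the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for idx, a in enumerate(self.aces, 1):
            if a.proto not in ("ip", proto):
                continue
            if s not in a.src or d not in a.dst:
                continue
            if a.dport is not None and a.dport != dport:
                continue
            return a.action, idx
        return "deny", None


def scanned_by_csc(acl: Acl, src: str, dst: str, dport: int = 25) -> bool:
    """A permit match in csc-acl classifies the flow into csc-class (sent to CSC)."""
    return acl.lookup("tcp", src, dst, dport)[0] == "permit"


def thread_acl(mode: str = "none") -> Acl:
    """Build csc-acl as posted, plus the bypass entries in one of several ways."""
    acl = Acl()
    for line in POSTED_CSC_ACL:
        acl.add(line)
    dmz2in = f"deny tcp host {DMZ_MAIL} ho {INSIDE_MAIL} eq 25"
    in2dmz = f"deny tcp host {INSIDE_MAIL} ho {DMZ_MAIL} eq 25"
    if mode == "both":          # what finally worked in the thread
        acl.add(f"access-list csc-acl line 1 {dmz2in}")
        acl.add(f"access-list csc-acl line 2 {in2dmz}")
    elif mode == "dmz_only":    # line 1 alone: inside->DMZ SMTP is still scanned
        acl.add(f"access-list csc-acl line 1 {dmz2in}")
    elif mode == "appended":    # no 'line N': lands below 'permit tcp any any eq smtp'
        acl.add(f"access-list csc-acl extended {dmz2in}")
        acl.add(f"access-list csc-acl extended {in2dmz}")
    return acl


if __name__ == "__main__":
    for mode in ("none", "dmz_only", "both", "appended"):
        acl = thread_acl(mode)
        print(mode,
              "DMZ->inside scanned:", scanned_by_csc(acl, DMZ_MAIL, INSIDE_MAIL),
              "inside->DMZ scanned:", scanned_by_csc(acl, INSIDE_MAIL, DMZ_MAIL))
```

Run as a script it prints one line per variant; the "appended" case is the one to watch: the same two deny entries, placed after the `permit tcp any any eq smtp`, never match, because the first matching entry decides.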