
ASA-DMZ

estelamathew
Level 2

Hello Dears,

I'm facing a problem. I have created a DMZ on the ASA, with a subinterface, for 2 Exchange servers with 2 NIC cards each, 1 for internal and 1 for external.

The DMZ Exchange server wants to communicate with the inside-network Exchange server over ESMTP and TLS. I have opened each and every port between the inside Exchange and the DMZ Exchange by specifying the access-lists below, but it doesn't work.

acl-inside extended permit ip host 10.X.X.X host 10.X.X.X

And

access-list DMZ2 extended permit ip any any

Also I have done static identity NAT for the internal Exchange servers to go to the DMZ:

static (inside,DMZ2) 10.10.12.23 10.10.12.23 netmask 255.255.255.255


STRANGE:

When I move the DMZ Exchange server's internal NIC from the firewall to the core switch it works. Where am I missing something???

Please help.

12 Replies

Jennifer Halim
Cisco Employee

Try disabling esmtp inspection and see if that resolves your issue.

Otherwise, enable logging and check the logs which might give us more information why it's failing.

Hello Halijenn,

How do I disable ESMTP inspection??

Thanks

If you use ASDM, go to:

Configuration --> Firewall --> Service Policy Rules --> highlight the "inspection_default" --> Edit --> click on the "Rule Actions" tab --> untick "ESMTP" --> OK --> Apply

Alternatively, if you are using CLI:

policy-map global_policy
       class inspection_default
          no inspect esmtp

Hello Halijenn,

But in the global policy map there is no inspection for ESMTP. Below are the configs. I have a CSC SSM module installed; is it that which is causing the problem?

policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
class csc-ftp-class
  csc fail-open
class csc-class
  csc fail-open
class no_check_ttl
  set connection advanced-options ttl_map
!
service-policy global_policy global

Estela,

Looks like you have a CSC module scanning traffic. You may want to deny the flow between the e-mail servers in question (the one on the inside and the one on the DMZ) from being scanned.

Pls. post the following:

sh run class-map csc-ftp-class

sh run class-map csc-class

Also copy and paste the access-lists that are associated with the above two class-maps.

-KS

Hello Kusankar,

I can't post the sh run for the class-maps as of now, as I'm out of the office. Please have a look at the access-lists for the class-maps.

access-list csc-acl-ftp extended permit tcp any any eq ftp

access-list csc-acl extended deny ip host 10.10.10.10 any
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp

access-list acl_ttl extended permit ip any host 95.1.1.1
access-list acl_ttl extended permit ip host 95.1.1.1 any


class-map csc-class
match access-list csc-acl
class-map csc-ftp-class
match access-list csc-acl-ftp

class-map no_check_ttl
match access-list acl_ttl
class-map type inspect im match-any 123
match service chat games webcam
match protocol msn-im yahoo-im
class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
class csc-ftp-class
  csc fail-open
class csc-class
  csc fail-open
class no_check_ttl
  set connection advanced-options ttl_map
!
service-policy global_policy global
prompt hostname context

Thanks,

Hello,

Based on your description, you have a layer 3 switch that connects the exchange server to the ASA. If my guess is correct, you are sharing that switch to connect your inside network as well. If my above assumption is correct, can you turn off the layer 3 interface (vlan interface) on the switch that corresponds to the dmz interface? If internal hosts have their default gateway set to the switch, the switch will try to locally route the return packets bypassing the ASA. ASA will block further packets from the DMZ device as it did not see the connection getting established completely.

Hope this helps.

Regards,

NT

Hello Nagaraja,

Communication between the internal Exchange server and the Edge Exchange server in the DMZ is through the ASA; there is no direct connection from the DMZ servers (internal NIC) to the core layer 3 switch. When I faced the communication problem through the ASA, I thought of an alternative: connecting the DMZ servers' internal NIC cards directly to the core switch. By doing that it worked, but keeping the internal NIC on the ASA it doesn't. I suppose the CSC is dropping packets???

Can you help me to exempt SMTP traffic from being scanned by the CSC?

Thanks

Hello,

If you suspect the CSC and want to bypass SMTP traffic between the internal and dmz servers, then please insert these access-list lines:

access-list csc-acl line 1 deny ip host host

access-list csc-acl line 2 deny ip host host

One thing that is not clear to me is the two-NIC part. Does the server have two NICs? If it has two NICs, what would be its default gateway? Does it have a route statement for the internal network pointing to the ASA's DMZ address?

Regards,

NT

Message was edited by: Nagaraja Thanthry

Estella,

Pls. add this as line 1 in the acl:

access-list csc-acl line 1 deny tcp host d.d.d.d host i.i.i.i eq 25

where

d.d.d.d - dmz e-mail server ip address

i.i.i.i - inside e-mail server ip address

Let me know.

-KS

Hello Nagaraja,

Yes, the servers have 2 NIC cards, 1 external and 1 internal, with default gateways pointing to the ASA DMZ subinterfaces. I have added a static route in Windows Server for the internal network pointing to the ASA.

Hello Kusankar,

YES,

that is what I was reading in the ASA 8.2 guide, and I found something doing the same as you suggest. I will do it tomorrow and I will confirm.

Thank you all for your support; I will rate the posts once I get rid of this issue.

Hello Kusankar,

Thank you very much.

I have added

access-list csc-acl line 1 deny tcp host d.d.d.d host i.i.i.i eq 25

access-list csc-acl line 2 deny tcp host i.i.i.i host d.d.d.d eq 25

With only line 1 it doesn't work.

Thanks.
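The pieces of the fix are spread over several replies, so here is the consolidated CSC-bypass configuration as an added example (constructed for this thread, not configuration posted by any participant). It uses 10.10.12.23, the inside Exchange address from the static NAT line above, and DMZ_MAIL_IP as an assumed placeholder for the DMZ Edge server; the interface name DMZ2 and the existing csc-acl entries are taken from the thread. The point it shows is that an ACL referenced by `match access-list` is evaluated first-match, so a `deny` entry placed ahead of `permit tcp any any eq smtp` means "not classified", and the flow is never handed to the CSC SSM. Each direction of mail flow is a separate TCP connection to port 25, which is why both deny lines are needed.

```cisco
! Added example (constructed): exempt the inside<->DMZ SMTP flows from CSC scanning.
! 10.10.12.23 = inside Exchange (from the thread); DMZ_MAIL_IP = assumed placeholder.
! Deny entries must sit ABOVE the broad "permit tcp any any eq smtp" line,
! because match access-list is first-match: a deny means "do not classify".
access-list csc-acl line 1 deny tcp host DMZ_MAIL_IP host 10.10.12.23 eq smtp
access-list csc-acl line 2 deny tcp host 10.10.12.23 host DMZ_MAIL_IP eq smtp
! Existing entries from the thread keep their relative order below the new lines:
access-list csc-acl extended deny ip host 10.10.10.10 any
access-list csc-acl extended permit tcp any any eq pop3
access-list csc-acl extended permit tcp any any eq www
access-list csc-acl extended permit tcp any any eq smtp
!
! Unchanged class-map / policy-map from the thread, shown for completeness.
class-map csc-class
 match access-list csc-acl
!
policy-map global_policy
 class csc-class
  csc fail-open
!
service-policy global_policy global
!
! Verification (assumed usage, commands exist on ASA 8.x):
! - hit counts on line 1 and line 2 should increase while mail flows;
! - the trace should show the flow matching csc-acl at a deny line rather
!   than being redirected to the CSC module.
show access-list csc-acl
packet-tracer input DMZ2 tcp DMZ_MAIL_IP 40000 10.10.12.23 25
packet-tracer input inside tcp 10.10.12.23 40000 DMZ_MAIL_IP 25
```

Inserting with explicit `line` numbers shifts the existing entries down, so check `show access-list csc-acl` afterwards to confirm the two deny lines really precede the `permit tcp any any eq smtp` entry. This exemption only stops the CSC from scanning that one server pair; all other SMTP, POP3 and HTTP traffic matched by csc-acl continues to be scanned, and `csc fail-open` still governs what happens if the module itself is down.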
