ASA 8.3 - DMZ and inside connected to a server with 2 NIC?

Unanswered Question

We have an ASA5505 firewall, and 1 server on our internal network - this server runs DNS, mail, DHCP etc...

We want mail and webmail from external IPs to forwarded to our internal server.

We understand it is possible (but not easy) to do the port forwarding with NAT, access_rules etc... - I have spent way too much time trying to figure this out for ASA version 8.3(1) - big PITA! 

The public server feature seems to be what we want, but it only works with DMZ (we currently do not use a DMZ as we have only 1 server).

Our internal server has 2 NIC cards (currently setup in parallel to increase bandwidth).  Would it be possible/advisable to have 2 LAN connections from the ASA - a DMZ going directly to the server NIC1, and a normal connection to the rest of the LAN (and accessed by NIC2 on the server)?

All help appreciated!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mirober2 Fri, 09/10/2010 - 12:35
User Badges:
  • Cisco Employee,


You can use Object NAT and an access-list to accomplish this with a couple of lines--no need to multi-home the server:

object network obj-server


    nat (inside,outside) static


access-list outside_access_in permit tcp any host eq 443

access-list outside_access_in permit tcp any host eq 25

access-group outside_access_in in interface outside

That should do the trick for webmail and SMTP traffic. Just replace the variables in <> according to your environment.

Hope that helps.


Mike - thank you for taking the time to reply - unfortunately I have tried what you have suggested, and smtp incoming still does not work.

My full config is below (default with only a port forward of the mail server - nothing else).  Internet access from the inside works well through PAT.

Can you spot what is wrong with port forwarding of smtp?

Much much appreciated (beating my head against the wall with 8.3 trying to get a simple port forward to work).


: Saved
: Written by enable_15 at 20:17:39.058 UTC Fri Sep 10 2010
ASA Version 8.3(1)
hostname test
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group PPPoEGroup
ip address pppoe setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
object network obj_any
object network Mailserver
access-list outside_access_in extended permit tcp any any eq smtp
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging facility 16
logging host inside
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
object network obj_any
nat (inside,outside) dynamic interface
object network Mailserver
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn statements omitted
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end

Nagaraja Thanthry Fri, 09/10/2010 - 13:53
User Badges:
  • Cisco Employee,


Can you please try the following:

access-list outside_access_in line 1 permit tcp any host eq 25

Hope this helps.



Nagaraja Thanthry Fri, 09/10/2010 - 14:35
User Badges:
  • Cisco Employee,


What is the default gateway of the Mail server? Can you browse internet from

your mail server?



Nagaraja Thanthry Fri, 09/10/2010 - 15:19
User Badges:
  • Cisco Employee,


Have you tried to telnet to the mail server from outside? Please try telnet

to outside interface IP of the firewall on port 25 (from internet) and see

if the connection opens. Also, once the attempt is done, check the

access-list (show access-list) to see if you are seeing any hit counts for

any rules. That should tell us if the traffic is hitting the firewall or





This Discussion