07-01-2014 04:23 PM - edited 03-11-2019 09:24 PM
Hi Everyone,
My ASA has the following interfaces:
inside, outside and DMZ.
inside 10.0.0.0
DMZ 192.168.1.0
I need to configure and set up an email server on my inside or DMZ network so that it is reachable via the internet.
I need to know how I can do this by assigning a public IP to it.
Which firewall interface should I put the email server on?
Currently my outside interface has a public IP and I am using PAT overloading.
Can I set up the email server with a private IP and do PAT?
ASA version: Cisco Adaptive Security Appliance Software Version 9.1(1)
Regards
Mahesh
07-02-2014 12:53 AM
Hi Mahesh,
It is preferred to keep the mail server in the DMZ zone, and you can do port forwarding to make it accessible from the internet.
object network SMTP_SERVER
host 192.168.1.x (dmz private ip address of email server)
nat (dmz,outside) static <public ip x.x.x.x> service tcp smtp smtp
!
Regards
Karthik
07-04-2014 12:48 AM
Hi Mahesh,
Try the configuration below and let me know if that helps:
The configuration is based on the following assumptions.
Email Server IP - 10.0.0.100
External IP (outside interface) - 1.1.1.1
Configure Network Objects
object network EmailServer-HTTPS
host 10.0.0.100
nat (inside,outside) static 1.1.1.1 service tcp 443 443
!
object network EmailServer-SMTP
host 10.0.0.100
nat (inside,outside) static 1.1.1.1 service tcp 25 25
!
object network EmailServer-POP3
host 10.0.0.100
nat (inside,outside) static 1.1.1.1 service tcp 110 110
!
object network EmailServer-IMAP
host 10.0.0.100
nat (inside,outside) static 1.1.1.1 service tcp 143 143
Define an ACL to permit email server traffic
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 443
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 25
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 110
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 143
Apply the Access-Control List to the outside interface with an access-group statement.
access-group OutsideToInside in interface outside
Best Regards,
Yadhu
07-01-2014 09:44 PM
Hi Mahesh,
"I need to know how I can do this by assigning a public IP to it."
Do you have only one public IP on the outside, or do you have a subnet?
"Which firewall interface should I put the email server on?"
Normally in the DMZ zone. But if you have only one public IP, you may need to consider keeping the email server on the LAN.
"Currently my outside interface has a public IP and I am using PAT overloading. Can I set up the email server with a private IP and do PAT?"
Yes, you need to perform the tasks below to achieve this:
1. Add an access-list entry on the outside interface with source any, destination the private IP and port of your email server.
2. Configure NAT/port forwarding for this to work.
Please rate if the information has been helpful. Feel free to contact me for any further assistance.
Best Regards,
Yadhu
http://blog.yadhutony.com
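Putting the two answers together for Mahesh's actual situation (a single public address, which is the outside interface IP, and the server on the inside) as an added example; this is not configuration from the thread or from Cisco's documentation. The server address 10.0.0.100, the object names and the policy-map name are assumptions. The ACL name outside_access_in is taken from the configuration Mahesh posted later in the thread, where it is already bound inbound on the outside interface: the ASA allows one inbound ACL per interface, so binding a new ACL such as OutsideToInside with access-group would replace outside_access_in and every rule in it. The example therefore appends to the existing ACL. It also leaves plaintext POP3 and IMAP unexposed and fixes the default ESMTP inspection, which otherwise strips STARTTLS from port 25 and forces remote mail servers to deliver in the clear.

```cisco
! Added example, not from the thread. Assumptions: ASA 9.1(1), mail server
! 10.0.0.100 on "inside", the only public address is the outside interface
! IP, and the inbound ACL on outside is named outside_access_in (as in the
! config posted in this thread). Adjust names and addresses to your network.
!
! --- 1. Port forwards (static PAT) to the outside interface address ---
! ASA 8.3+ allows one nat statement per network object, so each exposed
! port gets its own object. The "interface" keyword maps to the outside
! interface's own IP; this is the supported form when you have no spare
! public address to type literally.
object network MAIL_SMTP
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 25 25
!
object network MAIL_SUBMISSION
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 587 587
!
object network MAIL_HTTPS
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 443 443
!
object network MAIL_IMAPS
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 993 993
!
! --- 2. Access-list entries on the outside interface ---
! On 8.3+ the ACL is evaluated against the REAL (untranslated) address,
! so the destination is the private 10.0.0.100, not the public IP.
! Append to the ACL already bound to outside; do not bind a new one.
access-list outside_access_in extended permit tcp any host 10.0.0.100 eq smtp
access-list outside_access_in extended permit tcp any host 10.0.0.100 eq 587
access-list outside_access_in extended permit tcp any host 10.0.0.100 eq https
access-list outside_access_in extended permit tcp any host 10.0.0.100 eq 993
!
! Plaintext POP3 (110) and IMAP (143) are deliberately not forwarded:
! they carry passwords in the clear across the internet. If legacy clients
! require them, restrict the source instead of "any", for example:
! access-list outside_access_in extended permit tcp object-group MAIL_CLIENTS host 10.0.0.100 eq imap4
!
! --- 3. Let STARTTLS through the default ESMTP inspection ---
! The default global_policy includes "inspect esmtp", which masks the
! STARTTLS capability on port 25 unless TLS is explicitly allowed.
policy-map type inspect esmtp MAIL_ESMTP
 parameters
  allow-tls
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp MAIL_ESMTP
!
! --- 4. DMZ variant (Karthik's suggestion) ---
! If the server sits on the DMZ instead, only the object host address and
! the interface pair change (192.168.1.100 is an assumed DMZ address);
! the outside ACL entries point at the new real address. The ACL is still
! applied inbound on outside, so the access-group binding is unchanged.
! object network MAIL_SMTP
!  host 192.168.1.100
!  nat (DMZ,outside) static interface service tcp 25 25
! access-list outside_access_in extended permit tcp any host 192.168.1.100 eq smtp
```

To verify the NAT and ACL on the box before testing from outside, simulate an inbound connection with packet-tracer, using any external address as the source and the outside interface IP as the destination: `packet-tracer input outside tcp 203.0.113.5 12345 <outside-ip> 25`. The output should show a NAT phase with the translation to 10.0.0.100 and an ACCESS-LIST phase that allows the flow, ending in ALLOW; `show nat` lists the static PAT entries and their hit counts. From the internet, `telnet <outside-ip> 25` should then return the mail server's 220 banner, which is exactly the test Mahesh asks about further down the thread.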
07-02-2014 05:53 AM
Hi Yadhu,
Actually I have only one public IP on the outside interface, and the second IP which I have is on a different subnet than the outside interface.
So does it mean that I can keep the email server on the LAN, assign it a 10.0.0.x IP and then do the port forwarding? Will this work with the single public IP which is assigned to the ASA outside interface?
Regards
Mahesh
07-02-2014 06:03 AM
Hi Mahesh,
Even if you have a different public IP available, if it is routed and pointed to the firewall outside IP, then you can use that as well.
Regards
Karthik
07-02-2014 06:56 AM
Hi Mahesh,
As Karthik said, if you have another public IP available then you can configure that for the DMZ zone and NAT it to your email server. Otherwise, use the existing public IP and perform the steps which I mentioned earlier. If you need any further clarification on this, do let us know.
Best Regards,
Yadhu
07-02-2014 09:10 PM
Hi Mahesh,
I hope this document helps you learn more about ASA NAT configuration.
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Feel free to contact us for any further help.
Best Regards,
Yadhu
PS: Please rate all helpful posts.
07-03-2014 06:10 AM
Hi Yadhu,
The only thing I need to know is: is it possible to telnet to the email server from the outside world?
If yes, how can I do that?
Best regards
Mahesh
07-03-2014 07:57 AM
Hi Mahesh,
Yes, you can perform this. I believe you are planning to host the email server on the LAN. If so, please post the current ASA configuration with all sensitive information removed, and I will guide you to modify the config to allow email communication. I assume you need to allow SMTP, POP3, IMAP and HTTPS.
Regards,
Yadhu
07-03-2014 08:57 PM
Hi Yadhu,
Here is the ASA config:
interface Ethernet0/0
description Connection to ISP
switchport access vlan 2
!
interface Ethernet0/1
description Connection to Inside - R1
!
interface Ethernet0/2
description Connection to Sales 2950A
switchport access vlan 3
!
interface Ethernet0/3
description Connection to R2
switchport access vlan 4
!
interface Ethernet0/4
description Connection to Dlink Router
!
interface Ethernet0/5
switchport access vlan 30
!
interface Ethernet0/6
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Vlan2
nameif outside
security-level 0
ip address 96.51.x.x 255.255.252.0
!
interface Vlan3
nameif sales
security-level 50
ip address 10.12.12.1 255.255.255.0 standby 10.12.12.2
!
interface Vlan4
nameif DMZ
security-level 45
ip address 192.168.1.171 255.255.255.0 standby 192.168.1.172
!
interface Vlan30
description LAN Failover Interface
object network Sales
subnet 10.12.12.0 255.255.255.0
object network DMZ
subnet 192.168.1.0 255.255.255.0
object-group service web_services
service-object tcp destination eq www
service-object tcp destination eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network sales
network-object 10.12.12.0 255.255.255.0
object-group network inside
network-object 10.0.0.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
object-group network DNS_SERVERS
network-object host 64.59.144.19
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group sales_access_in in interface sales
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 96.51.x.x
route inside 10.1.0.0 255.255.0.0 10.0.0.4 1
route DMZ 192.168.2.0 255.255.255.0 192.168.1.174 1
route inside 192.168.50.0 255.255.255.0 10.0.0.4 1
Let me know if you need any other info.
Regards
Mahesh
07-02-2014 05:45 AM
Hi Karthik,
Can I use the same outside IP of the ASA, which is a public IP, for port forwarding?
Regards
Mahesh
07-02-2014 06:02 AM
Hi Mahesh,
Yes, you can do that mapping to the outside interface IP.
Regards
Karthik