Adding Email Server with Public IP to DMZ network

mahesh18
Level 6

Hi Everyone,

My ASA has the following interfaces: inside, outside and DMZ.

inside 10.0.0.0
DMZ 192.168.1.0

I need to configure and set up an email server on my inside or DMZ network so that it is reachable via the internet.

I need to know how I can do this by assigning a public IP to it.

Which firewall interface should I put the email server on?

Currently my outside interface has a public IP and I am using PAT overloading.

Can I set up the email server with a private IP and do PAT?

ASA version is:

Cisco Adaptive Security Appliance Software Version 9.1(1)

Regards

Mahesh


12 Replies

Yadhu Tony
Level 1

Hi Mahesh,

> I need to know how I can do this by assigning a public IP to it.

Do you have only one public IP on the outside, or do you have a subnet?

> Which firewall interface should I put the email server on?

Normally in the DMZ zone. But if you have only one public IP then you may need to consider keeping the email server on the LAN.

> Currently my outside interface has a public IP and I am using PAT overloading. Can I set up the email server with a private IP and do PAT?

Yes, you need to perform the below tasks to achieve this:

1. Add an access-list entry on the outside interface with source any, destination the private IP and port of your email server.

2. Configure NAT/port forwarding for this to work.

Please rate if the information has been helpful. Feel free to contact me for any further assistance.

Best Regards,

Yadhu

http://blog.yadhutony.com

Regards,
Tony

http://yadhutony.blogspot.com

Hi Yadhu,

Actually I have only 1 public IP on the outside interface, and the second IP which I have is on a different subnet than the outside interface.

So does it mean that I can keep the email server on the LAN, assign it a 10.0.0.x IP and then do the port forwarding? Will this work with the single public IP which is assigned to the ASA outside interface?

Regards

Mahesh

Hi Mahesh,

Even if you have a different public IP available, if that is routed and pointed to the firewall outside IP then you can use that as well.

Regards

Karthik

Hi Mahesh,

As Karthik said, if you have another public IP available then you can configure that for the DMZ zone and NAT it to your email server. Otherwise use the existing public IP and perform the steps which I mentioned earlier. If you need any further clarification with this, do let us know.

Best Regards,

Yadhu

Hi Mahesh,

I hope this document helps you learn more about ASA NAT configuration:

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Feel free to contact us for any further help.

Best Regards,

Yadhu

PS: Please rate all helpful posts.

Hi Yadhu,

The only thing I need to know is whether it is possible to telnet to the email server from the outside world.

If yes, how can I do that?

Best regards

Mahesh

Hi Mahesh,

Yes, you can do this. I believe you are planning to host the email server in the LAN. If so, please post the current ASA configuration with all sensitive information removed, and I will guide you in modifying the config to allow email communication. I assume you need to allow SMTP, POP3, IMAP and HTTPS.

Regards,

Yadhu

Hi Yadhu,

Here is the ASA config:

interface Ethernet0/0
 description Connection to ISP
 switchport access vlan 2
!
interface Ethernet0/1
 description Connection to Inside - R1
!
interface Ethernet0/2
 description Connection to Sales 2950A
 switchport access vlan 3
!
interface Ethernet0/3
 description Connection to R2
 switchport access vlan 4
!
interface Ethernet0/4
 description Connection to Dlink Router
!
interface Ethernet0/5
 switchport access vlan 30
!
interface Ethernet0/6
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.51.x.x 255.255.252.0
!
interface Vlan3
 nameif sales
 security-level 50
 ip address 10.12.12.1 255.255.255.0 standby 10.12.12.2
!
interface Vlan4
 nameif DMZ
 security-level 45
 ip address 192.168.1.171 255.255.255.0 standby 192.168.1.172
!
interface Vlan30
 description LAN Failover Interface

object network Sales
 subnet 10.12.12.0 255.255.255.0
object network DMZ
 subnet 192.168.1.0 255.255.255.0
object-group service web_services
 service-object tcp destination eq www
 service-object tcp destination eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network sales
 network-object 10.12.12.0 255.255.255.0

object-group network inside
 network-object 10.0.0.0 255.255.255.0
 network-object 192.168.50.0 255.255.255.0

object-group network DNS_SERVERS
 network-object host 64.59.144.19

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group sales_access_in in interface sales
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 96.51.x.x
route inside 10.1.0.0 255.255.0.0 10.0.0.4 1
route DMZ 192.168.2.0 255.255.255.0 192.168.1.174 1
route inside 192.168.50.0 255.255.255.0 10.0.0.4 1

Let me know if you need any other info.

Regards

Mahesh

Hi Mahesh,

Try the below configuration and let me know if that helps.

The configuration is based on the following assumptions:

Email Server IP - 10.0.0.100
External IP (outside interface) - 1.1.1.1

Configure Network Objects

object network EmailServer-HTTPS
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 443 443
!
object network EmailServer-SMTP
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 25 25
!
object network EmailServer-POP3
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 110 110
!
object network EmailServer-IMAP
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 143 143
!

Define ACL to permit Email Server Traffic

access-list OutsideToInside permit tcp any host 10.0.0.100 eq 443
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 25
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 110
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 143

Apply the access-list to the outside interface with an access-group statement:

access-group OutsideToInside in interface outside

Best Regards,

Yadhu
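To verify that port forwards like those in the reply above are actually reachable, here is an added Python check (not from this thread or from Cisco) that parses a constructed config modelled on the reply and confirms that the ACL bound inbound on the outside interface permits the real, pre-NAT address and port of every static service NAT, which is what ASA 8.3+ evaluates; it assumes the interface keyword form of the mapped address and flags an object whose NAT has no matching permit.

```python
import re

# Constructed sample modelled on the reply above (not taken from a live device).
# The IMAP object deliberately has no matching ACL line so the check has something to flag.
ASA_CONFIG = """\
object network EmailServer-HTTPS
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 443 443
object network EmailServer-SMTP
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 25 25
object network EmailServer-IMAP
 host 10.0.0.100
 nat (inside,outside) static interface service tcp 143 143
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 443
access-list OutsideToInside permit tcp any host 10.0.0.100 eq 25
access-group OutsideToInside in interface outside
"""

NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+) service tcp (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def parse_nat_rules(config):
    """Return (object, real_ip, real_port, mapped_port, mapped_interface) per object NAT block."""
    rules, obj, host = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj, host = line.split()[-1], None      # new object block starts
        elif line.startswith("host "):
            host = line.split()[1]                  # real (private) address of the object
        elif (m := NAT_RE.match(line)):
            rules.append((obj, host, m.group(4), m.group(5), m.group(2)))
    return rules

def check_exposure(config):
    """Map each port forward to True/False: is the REAL ip/port permitted by the ACL bound
    inbound on the mapped interface?  (Post-8.3 ASA ACLs match pre-NAT addresses.)"""
    bound = {m.group(2): m.group(1) for m in GROUP_RE.finditer(config)}   # iface -> ACL name
    permits = {(m.group(1), m.group(2), m.group(3)) for m in ACL_RE.finditer(config)}
    return {obj: (bound.get(iface), real_ip, real_port) in permits
            for obj, real_ip, real_port, _mapped, iface in parse_nat_rules(config)}

if __name__ == "__main__":
    for obj, ok in check_exposure(ASA_CONFIG).items():
        print(f"{obj}: {'reachable' if ok else 'NAT present but no ACL permit'}")
```

Only one access-list can be bound inbound per interface, so on a device that already has outside_access_in applied (as in Mahesh's config) the permit entries belong in that existing ACL rather than in a second access-group.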

nkarthikeyan
Level 7

Hi Mahesh,

It is preferred to keep the mail server in the DMZ zone, and you can do port forwarding to make it accessible from the internet.

object network SMTP_SERVER
 host 192.168.1.x (DMZ private IP address of the email server)
 nat (dmz,outside) static <public ip x.x.x.x> service tcp smtp smtp
!

Regards

Karthik

 

Hi Karthik,

Can I use the same outside IP of the ASA, which is a public IP, for port forwarding?

Regards

Mahesh

Hi Mahesh,

Yes, you can do that mapping to the outside interface IP.

Regards

Karthik
