trying to resolve an issue that I have not come across before, in routing smtp email out from a DMZ mailserver to a Mailserver on the Inside.
We have a ASA5520 fairly standard configuration with CSC10 Module
Outside security 0 Inside 100 DMZ 50
Public IP Address on Outside with a routed range
Private IP range on Inside NAT
Private IP range on DMZ NAT
DMZ with an Exchange server 2007, Static NAT from Private IP to Public IP rdns, mx reocrds etc setup. Send email ok everywhere apart from Inside exchange server.
INSIDE with an Exchange Server 2010, different domain no relationship to dmz mailserver,, Static NAT from private IP to Public IP, same Public IP address range as DMZ and Oustide Interface. Send email ok everywhere apart from DMZ exchange server.
Cannot send email either way, from Inside Exchange Server to DMZ Exchange Server, or DMZ to Inside.
I believe it is the issue Public IP DNS and going in and out of the same interface with the same public ip range?
Looking at the issue so much that am probably missing the solution now.
Any help would be much appreciated.
So is the issue that your DMZ server isnt visible to the LAN server with its public IP address and the LAN server isnt visible to the DMZ server with its public IP address?
I guess on solution in this case could be doing Static NAT for both servers towards eachother.
The problem is that this would mean that all traffic between these servers would have to use public IP address in the future. So if you had something else between these servers that were currently using the local IP addresses then this might become a problem.
It would be possible to configure this so that the public IP address translation between DMZ and LAN for both servers would only apply to SMTP traffic though.
What is the ASA software level your are using?
thanks for the reply
I have got the Inside Exchange Server sending mail to the DMZ exchange server using internal private ip internal dns and, higher to lower security
The main problem I cannot get my head round is on the DMZ server. I guess that because the DMZ server has its own DNS server, I could open SMTP between the DMZ and INSIDE for the ip's of the servers, and get dns for the sending receiving domains in question to be resolved using the private ip's, but never like opening up ports.
Again it gets a bit confusing when public IPs and MX records and Same interface routing, Inside and DMZ Rules and Static NAT, etc
The age old saying "dont overcomplicate things" think I have been looking/reading so much got myself in a mix as to what to do.
I can't really comment on anything related to the actual Exchange Servers, their operation or requirements.
If the requirement is to enable the Servers on the LAN and DMZ to communicate with the public IP addresses and also show up to eachother with public IP addresses then the only option is to use NAT between the LAN and DMZ interfaces of the ASA. They wont be able to communicate through any other interface than directly between the LAN and DMZ interface.
The NAT configuration format depends on the software level running on your ASA.
If the problem is the IP addresses with which the hosts are visible to eachother (which to my understanding is the biggest problem usually related to the Mail servers) then it should be correctable with NAT configurations.
We need the configuration and we need to know how that server on the DMZ is intending to get to the mail server on the inside (how does it resolve through DNS the IP address of the internal mail server).
Get that information for us and run a packet tracer from the DMZ server trying to get to the internal mail server via the public and private IP address, something like this:
packet-tracer input dmz tcp dmz_mail_server 1025 inside_private_mail_server 25 detail
packet-tracer input dmz tcp dmz_mail_server 1026 inside_public_mail_server 25 detail
Please send the requested information and we can help you out.
Value our effort and rate the assistance!
For the moment I have configured private dmz IP to private lan IP, by using DNS on the DMZ server directing smtp for the inside mail domain, via Static dmz,inside and smtp port.
access-list DMZ_access_in permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list DMZ_access_in extended deny ip any xxx.xxx.xxx.xxx 255.255.255.0
access-list DMZ_access_in extended permit ip any any
access-group DMZ_access_in in interface DMZ
static (INSIDE,DMZ) xxx.xxx.xxx.6 xxx.xxx.xxx.6 netmask 255.255.255.255
All working fine, but the big question is, is it possible to get the dmz mail server to send SMTP via the Static NAT Public IP address out thru the Outside Interface of the Firewall to the Internal Mail Server to the public Static NAT IP address which also resides on the Outside Interface of the Firewall.?
Also another interesting point for those with Exchange Servers 2007, 2010 and 2013, and loss of mail, intermittant receipt of mail from exchange servers, error 451 4.4.0 dns query failed, check out this; I also had this problem, which is now resolved by the articles below.
So if I understood you correctly, you have done Static NAT for the INSIDE server towards the DMZ. You are translating the private INSIDE IP address to a public IP address towards the DMZ.
Your servers wont be able to communicate through the OUTSIDE interface with their public IP addresses. The communication has to be through the actual INSIDE and DMZ interface
My original suggestion for this (without seeing your configurations) was to translate both the servers to the public IP address when crossing DMZ -> INSIDE and INSIDE -> DMZ.
This would also mean that all communication between these servers should use the public IP address of the other server after this configuration. That was my biggest doubt as I didn't know what other traffic might be between these servers that might be using the private IP address (which would stop working with the suggested configuration)
So the idea was to configure
If you wanted this to apply on to a certain service then we would need to configure Static PAT or Static Policy PAT
access-list mail_private permit tcp host
access-list mail_public permit tcp host
Static policy NAT configuration:
static (inside, DMZ)
static (inside, DMZ)
FYI: Depending if your internal server is expecting a specific address of the mail server (public or private) you need to place one line before the other, static NAT is read from top to bottom.
Also add the "inspect ICMP" to the policy-map to the default-class so if you try to ping to the private IP it forces the reply to come back from the private address.
Value our effort and rate the assistance!