Cisco Support Community

Email Port Open for ASA5505

Hi all,

I just posted a question: when I want to let email come through the ASA5505 from outside to the DMZ and inside networks, are the command lines below correct and good enough?

access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq imap4

access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq pop3

access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq smtp

access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq imap4

access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq pop3

access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq smtp

access-group outside_DMZ in interface outside

access-group outside_inside in interface outside

Are there any other TCP ports that need to be allowed, and other command lines that need to be added?

Thanks!

Regards,

tangsuan

1 ACCEPTED SOLUTION

Accepted Solutions

Email Port Open for ASA5505

Hello Tang,

It depends on your email server.

Just in case:

  • Email Ports

  • For networks, a port means an endpoint to a logical connection. The port number identifies what type of port it is. Here are the default email ports for:

      POP3 - port 110
      IMAP - port 143
      SMTP - port 25
      HTTP - port 80
      Secure SMTP (SSMTP) - port 465
      Secure IMAP (IMAP4-SSL) - port 585
      IMAP4 over SSL (IMAPS) - port 993
      Secure POP3 (SSL-POP) - port 995

    Rate helpful posts

    Julio

    Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
    5 REPLIES

    Email Port Open for ASA5505

    Hello Tang,

    You will need to do a static one to one from the inside host to the outside and from the dmz host to the outside, or you could use port-forwarding (only for inbound connections).

    Regarding the ACLs, you only need one access-group, so on the same ACL create the statements to access both servers (inside and dmz) from the outside. Remember you can only have one access-group per direction on each interface.

    Rate helpful posts

    Regards,

    Julio
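
The rule in the reply above (one access-group per direction on each interface), as an added check that is not part of the original thread: this Python sketch scans ASA-style configuration text for an interface and direction with more than one access-group binding and lists the ACLs that end up not enforced. It assumes a later access-group command replaces an earlier one for the same interface and direction; the function name and both sample configurations are constructed for illustration.

```python
import re

ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s+extended\s", re.M)
GROUP_RE = re.compile(
    r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.M)

# Constructed sample: the layout from the question (two ACLs, both bound
# inbound on "outside"), using the thread's placeholder addresses.
QUESTION_CONFIG = """\
access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq smtp
access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq smtp
access-group outside_DMZ in interface outside
access-group outside_inside in interface outside
"""

# Constructed sample: the single-ACL layout from the follow-up post, with
# an access-group line added here (the thread does not show one).
MERGED_CONFIG = """\
access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq smtp
access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq pop3
access-group Email_in in interface outside
"""

def audit_access_groups(config):
    """Report conflicting access-group bindings and ACLs left unenforced."""
    defined = []
    for name in ACL_RE.findall(config):
        if name not in defined:
            defined.append(name)
    bindings = {}  # (interface, direction) -> ACL names in config order
    for acl, direction, iface in GROUP_RE.findall(config):
        bindings.setdefault((iface, direction), []).append(acl)
    conflicts = {slot: acls for slot, acls in bindings.items() if len(acls) > 1}
    # Assumption: the last binding for a slot is the one left in force.
    effective = {slot: acls[-1] for slot, acls in bindings.items()}
    in_force = set(effective.values())
    return {
        "conflicts": conflicts,
        "effective": effective,
        "unenforced": [n for n in defined if n not in in_force],
        "undefined": sorted(in_force - set(defined)),
    }

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("merged", MERGED_CONFIG)):
        print(label, audit_access_groups(cfg))
```
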


    Email Port Open for ASA5505

    Hi Jcarvaja,

    Thanks for your reply!

    1. For inside to outside, I have used a dynamic nat as below:

    nat (inside) 20 192.168.100.0 255.255.255.0

    global (outside) 20 192.168.50.171-192.168.50.180

    As such, it should not be necessary to do a static one to one from inside to outside, right?

    2. For dmz to outside, I use the static nat, and so each individual mapped IP needs to be created. For example:

    static (dmz,outside) 192.168.20.x 192.168.50.x netmask 255.255.255.255

    whereby 192.168.20.x is the host on the outside network and 192.168.50.x is on the dmz network. This will be OK, right?

    3. As for the ACL, I can group all the hosts (servers or stations) at dmz and inside and apply one ACL as below:

    access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq smtp

    access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq pop3

    access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq imap4

    Let me know if there is any problem, thanks!

    regards,

    tangsuan

    Email Port Open for ASA5505

    Hello Tang,

    That's it! That is what I meant before.

    Glad I could help!

    You can test it and let me know, I will be more than glad to help.

    Regards,

    Julio


    Re: Email Port Open for ASA5505

    Hi Jcarvaja and all,

    Are the three ports (smtp, imap4 and pop3) enough for the email traffic?

    Are there any other ports or services that I should also add in?

    thanks and regards,

    tangsuan

    Hi Jcarvaja,

    Many thanks for the other ports reference for the Email access.

    You already helped a lot on this question.

    regards,

    tangsuan
