Cisco Support Community

Need to allow SMTP on ASA

Hi, I want to give SMTP access to one of the machines in the DMZ zone. I am going to allow DMZ access-list IN for port 25. Do I need to allow return traffic in the ASA, or will editing access-list IN in the DMZ and PATting allow me to access SMTP on the internet?

Please explain, thanks.

4 REPLIES

Re: Need to allow SMTP on ASA

Ajay, you just need to permit it in the outside >> dmz direction. The remaining (dmz>>outside) return traffic will automatically be permitted due to the 'stateful' nature of the firewall.

As long as your DMZ server has higher security level than outside, it will also be able to 'send' outbound email (provided proper NAT rules are there).

Have a look at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Regards

Farrukh

Re: Need to allow SMTP on ASA

Hi Farrukh,

Thanks for your reply, but the mail server is not sitting in the DMZ zone. This is an application server sitting in the DMZ on which I just need to configure sending mail to outside.

This will not be static NATting; I will PAT it with the same IP as I do for inside hosts.

In this case traffic from DMZ >>> Outside on port 25 will be allowed, but what about return traffic?

Will it be allowed by default, or do I need to add any inspect rule?

Please explain.

Re: Need to allow SMTP on ASA

Yes 'return' traffic will be allowed.

No need to worry.

Regards

Farrukh

Re: Need to allow SMTP on ASA

Hi Ajay,

If you don't have an ACL applied to the DMZ atm, you don't need to specifically permit traffic originating from a higher security level interface destined to a lower security level interface.

The firewall is a stateful device and will permit return traffic by default. You don't need extra ACLs.

If you have an ACL applied to the DMZ for other (filtering) purposes, you should specifically enter a permit for SMTP outbound, since the ACL has an implicit deny.

Regards
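As an added illustration of what the replies above describe (this is not configuration from the thread or from Cisco), assuming ASA 8.3+ syntax, interface names dmz and outside, and the placeholder address 192.0.2.10 for the application server:

```cisco
! Constructed example, not from the thread. Assumes ASA 8.3+ syntax,
! interfaces named "dmz" and "outside", and 192.0.2.10 as a placeholder
! for the application server in the DMZ.

! PAT the application server behind the outside interface address
object network APP_SERVER
 host 192.0.2.10
 nat (dmz,outside) dynamic interface

! Once an ACL is applied to the dmz interface only what it permits gets
! through (implicit deny), so permit outbound SMTP explicitly and only
! from the single host that needs it. Add any other permits the server
! requires (e.g. DNS) above the final deny.
access-list DMZ_IN extended permit tcp host 192.0.2.10 any eq smtp
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Nothing is needed on outside for the replies: the ASA tracks the TCP
! connection and passes return packets that match it. Verify while the
! server is sending mail:
show conn protocol tcp port 25
```

`show access-list DMZ_IN` shows hit counts, which confirms the permit line is actually being matched rather than the deny.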
