06-06-2008 06:59 AM - edited 03-11-2019 05:56 AM
Hi, I want to give SMTP access to one of the machines in the DMZ zone. I am going to allow port 25 in the DMZ access-list IN. Do I need to allow the return traffic in the ASA, or will editing the access-list IN on the DMZ and PATing allow me to access SMTP on the internet?
Please explain. Thanks.
06-06-2008 07:31 AM
Ajay, you just need to permit it in the outside >> dmz direction. The remaining (dmz>>outside) return traffic will automatically be permitted due to the 'stateful' nature of the firewall.
As long as your DMZ server has higher security level than outside, it will also be able to 'send' outbound email (provided proper NAT rules are there).
Have a look at:
Regards
Farrukh
06-06-2008 07:37 AM
Hi Farrukh,
Thanks for your reply, but the mail server is not sitting in the DMZ zone. This is an application server sitting in the DMZ on which I just need to configure sending mail to the outside.
This will not be static NATing; I will PAT it with the same IP as I do for the inside hosts.
In this case, traffic from DMZ >>> Outside on port 25 will be allowed, but what about the return traffic?
Will it be allowed by default, or do I need to add any inspect rule?
Please explain.
06-06-2008 07:41 AM
Yes 'return' traffic will be allowed.
No need to worry.
Regards
Farrukh
06-06-2008 07:42 AM
Hi Ajay,
If you don't have an ACL applied to the DMZ atm, you don't need to specifically permit traffic originated from a higher security level interface destined to a lower security level interface.
The firewall is a stateful device and will permit return traffic by default. You don't need extra ACLs.
If you have an ACL applied to the dmz for other (filtering) purposes, you should specifically enter a permit for SMTP outbound, since the ACL has an implicit deny.
Regards
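As an added worked example (not from the thread and not Cisco's own documentation), the configuration the two answers describe: a DMZ application server that is PATed behind the outside interface address together with the inside hosts, an inbound ACL on the dmz interface that permits only SMTP (and DNS, so the server can resolve MX records) and logs everything else hitting the implicit deny, and the commands to verify it. The syntax is pre-8.3 ASA NAT to match the date of the thread; the interface names and numbers, the security levels, the server address 10.10.10.5 and the DNS server 10.1.1.53 are assumed values.

```text
! Security levels (assumed): dmz is higher than outside, so dmz -> outside
! is allowed by default; the stateful connection table admits the replies.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0

! PAT: pool id 1 is the outside interface address; both inside and the
! single dmz host use it, so the app server leaves with the same IP as
! inside hosts (no static NAT needed for outbound-only SMTP).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.5 255.255.255.255

! Once an ACL is bound to the dmz interface the implicit deny replaces the
! security-level default, so SMTP must be permitted explicitly. No reverse
! (outside -> dmz) entry is needed for the TCP replies.
access-list DMZ_IN extended permit tcp host 10.10.10.5 any eq smtp
access-list DMZ_IN extended permit udp host 10.10.10.5 host 10.1.1.53 eq domain
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Verification: simulate the app server opening a connection to a remote
! mail server (203.0.113.25 is a constructed address) and then watch the
! live connection entries on port 25.
packet-tracer input dmz tcp 10.10.10.5 40000 203.0.113.25 25
show conn port 25
show access-list DMZ_IN
```

On ASA 8.3 and later the three NAT lines are written as object NAT instead (a `network object` containing the host with `nat (dmz,outside) dynamic interface`); the ACL and `access-group` lines are unchanged. No extra `inspect` rule is required for the return traffic: the replies are matched by the connection table, and the default `global_policy` already applies `inspect esmtp` to port 25, which is what would need adjusting if the application sends mail on a non-standard port.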