New Member

SMTP

Hi,

I have an Edge server on the DMZ network which needs to access the Exchange server on the inside network. I configured a static map and access list. I can access the mail server from outside through SMTP, but not from the DMZ. Any help and documentation, please.

Thank you in advance

Mulu

12 REPLIES

Re: SMTP

Hi,

If you can access it from the outside, it is because you have static/ACL.

To access it from DMZ you need static/ACL as well but applied to DMZ interface.

i.e.

static (in,out)

access-list outside...

From DMZ:

static(in,dmz)

access-list dmz...

Do you have this configuration?

Federico.

New Member

Re: SMTP

Thank you Federico

and here is the conf

static (inside,outside) tcp 78.227.41.x smtp 10.2.10.10 smtp netmask 255.255.255.255

access-list outside-access-in permit tcp any host 78.227.41.x eq 25

172.16.1.3 is the Edge server in the DMZ
static (inside,DMZ) tcp 10.2.10.10 smtp 172.16.1.23 smtp netmask 255.255.255.25

access-list dmz-access-in permit tcp host 172.16.1.3 host 172.16.1.23 eq 25

I can ping 172.16.1.23 from 172.16.1.3

thank you

Re: SMTP

But assuming that 10.2.10.10 is the real IP of the SMTP server...
That's why from the outside you can reach it with IP 78.227.41.x

But.. from DMZ...
The static should be the other way around..
static (inside,DMZ) tcp 172.16.1.23 smtp 10.2.10.10 smtp

In this way you can reach the server 10.2.10.10 from the DMZ using IP 172.16.1.23??

Or how do you want to access the SMTP server from DMZ?

Federico.

New Member

Re: SMTP

Sorry Federico, you're right, it's the other way round

static (inside,DMZ) tcp 172.16.1.23 smtp 10.2.10.10 smtp

but I can't access it through SMTP and that is weird to me, and sometimes the ASA gets stuck; it's version 8.3 and new.

Thank you

Re: SMTP

But ASA 8.3 does not even recognize the static command:

Check the migration guide (NAT migration) for the new equivalent commands in 8.3:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Federico.

New Member

Re: SMTP

Hi Federico

I cleaned the whole configuration and did it again, and then it works fine, but I want to use port mapping on the outside interface

static (inside,outside) tcp interface www 10.2.10.10 www netmask 255.255.255.255

static (inside,outside) tcp interface https 10.2.10.10 https netmask 255.255.255.255

static (DMZ,outside) tcp interface smtp 172.16.1.3 smtp netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 78.227.x.x eq www

access-list outside_access_in extended permit tcp any host 78.227.x.x eq https

access-list outside_access_in extended permit tcp any host 78.227.x.x.59 eq smtp

I can access 10.2.10.10 from outside with http and https but not 172.16.1.3 with smtp

telnet 78.227.x.x 25 - failed

Any help, as usual

Thanks

By the way, the version is 8.0(3), not 8.3. Sorry for that.

Re: SMTP

You're trying to reach 172.16.1.3 from the outside via SMTP?

You have:

static (DMZ,outside) tcp interface smtp 172.16.1.3 smtp netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 78.227.x.x.59 eq smtp

This means that from outside you will send SMTP packets to the outside IP of the ASA and it will redirect that traffic to 172.16.1.3.

Do you get hitcounts incrementing in the above ACL when sending SMTP packets? sh access-list outside_access_in

Federico.

New Member

Re: SMTP

Thank you Federico,

Yes, it gets hits incrementing. But how can I be sure that it reaches the server?

Thanks

Re: SMTP

We know the ASA is receiving the SMTP packets... we can check if the ASA is sending those SMTP packets to the server....

access-list testdmz permit tcp any host 172.16.1.3 eq 25
access-list testdmz permit ip any any
access-group testdmz out interface dmz

The above is applied outbound to the DMZ, so if the hitcounts of the first line increments, you will know the ASA is sending SMTP packets to 172.16.1.3

If the hitcounts increment, I will think the ASA is doing the job and will look into the server itself to see if it's receiving the packets (netstat or equivalent).

Federico.
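The hit-count check from the two replies above can be scripted by taking `show access-list` before and after a test connection and comparing the counters. This is an added example, not part of the thread; the snapshots are constructed, the output format (`line N ... (hitcnt=N) 0x...`) is assumed, and the function names are hypothetical.

```python
import re

# One ACE line of ASA `show access-list` output, for example:
# access-list testdmz line 1 extended permit tcp any host 172.16.1.3 eq smtp (hitcnt=2) 0x...
ACE_RE = re.compile(r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
                    r"(?:extended\s+)?(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)")
SMTP_RE = re.compile(r"\beq\s+(?:smtp|25)\b")  # the ASA prints port 25 as "smtp"

def parse_hitcounts(show_output):
    """Return {(acl, line, rule): hitcnt} for every ACE in the output."""
    counts = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # "...; 2 elements" headers and blank lines do not match
            counts[(m["acl"], int(m["line"]), m["rule"])] = int(m["hits"])
    return counts

def hit_deltas(before, after):
    """Per-ACE increase between two snapshots; an ACE missing before counts from 0."""
    old, new = parse_hitcounts(before), parse_hitcounts(after)
    return {key: new[key] - old.get(key, 0) for key in new}

def locate_drop(deltas, ingress_acl, egress_acl):
    """Report how far the SMTP test got, judged by which ACLs counted it."""
    def counted(acl):
        return any(delta > 0 for (name, _, rule), delta in deltas.items()
                   if name == acl and SMTP_RE.search(rule))
    if not counted(ingress_acl):
        return "no inbound hits: check the outside ACL and the path to the ASA"
    if not counted(egress_acl):
        return "inbound hits only: check the static translation on the ASA"
    return "forwarded by the ASA: check the listener on the server"

# Constructed snapshots (not from the thread); 192.0.2.10 stands in for the
# masked outside address and the trailing hashes are made up.
BEFORE = """\
access-list outside_access_in; 1 elements
access-list outside_access_in line 1 extended permit tcp any host 192.0.2.10 eq smtp (hitcnt=7) 0x11111111
access-list testdmz; 2 elements
access-list testdmz line 1 extended permit tcp any host 172.16.1.3 eq smtp (hitcnt=0) 0x22222222
access-list testdmz line 2 extended permit ip any any (hitcnt=40) 0x33333333
"""
AFTER = BEFORE.replace("(hitcnt=7)", "(hitcnt=9)").replace("(hitcnt=0)", "(hitcnt=2)")

if __name__ == "__main__":
    print(locate_drop(hit_deltas(BEFORE, AFTER), "outside_access_in", "testdmz"))
```

The catch-all `permit ip any any` entry is ignored on purpose: only the SMTP-specific line shows whether the test traffic left the DMZ interface.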

New Member

Re: SMTP

Thank you again, Federico

I configured it with

access-list dmz_in permit ip any any

but with inbound direction

access-group dmz_in in interface dmz

So I will check with the outbound direction and I will let you know the result. I thought if I configure the NAT and outside access list it will work.

Thank you very much

Mulu

Re: SMTP

Hi,

Can I ask why I was rated with a not-helpful at all score of 1?

Federico.

New Member

Re: SMTP

Sorry Federico,

You are extremely helpful. And the problem was on the server not on the config. Thank you very very much!!

Mulu
