ACL for front end and back end mail server

sboivin
Level 1

I have my front end email server on a dmz that needs to query my back end mail server.

If you look at the VISIO drawing i have here you can see my network.

http://66.162.19.153/

Im not sure where to put the access list. Do i create the access list and then apply it to out the inside interface?

5 Replies

Patrick Laidlaw
Level 4

Hello,

So you're going to create a couple of access-lists if you're trying to allow mail in from outside to the DMZ mail server and then have it relay mail to your inside e-mail server. I've created three basic access-lists below: one allowing only mail to the DMZ server, one allowing the DMZ server to only send mail to the inside mail server, and one to allow everything inside out.

! Inbound on the dmz interface: the DMZ relay may only open SMTP to the inside mail server
access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp
access-list IN_DMZ deny ip any any
! Inbound on the outside interface: the Internet may only reach the DMZ server on SMTP
access-list IN_OUTSIDE permit tcp any host 172.16.1.10 eq smtp
access-list IN_OUTSIDE deny ip any any
! Inbound on the inside interface: everything from inside is allowed out
access-list IN_INSIDE permit ip any any
! Bind each list to the interface it filters
access-group IN_DMZ in interface dmz
access-group IN_OUTSIDE in interface outside
access-group IN_INSIDE in interface inside

Hope this helps.

Patrick

Patrick

People from outside are only connecting to the FE mail server via HTTPS. I already have that configured on the outside ACL. My concern is the FE server requesting information from the BE server. The FE server needs SMTP access to the BE server.

So set it up like this, so that you're only using the dmz access-list in my example.

nat (dmz, inside) 172.16.1.10 172.16.1.10
access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp
access-list IN_DMZ deny ip any any
access-group IN_DMZ in interface dmz

This will allow your server to only initiate connections via smtp to your mail server.

Please rate any posts that are helpful.

Patrick
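As an added illustration that is not part of the thread, a small Python model of the first-match evaluation the firewall applies to the access-lists Patrick posted, so the DMZ-to-inside question can be checked against sample flows before the config goes on a box; the 203.0.113.5 client address is constructed. It also shows that, as posted, IN_OUTSIDE admits only SMTP, so the HTTPS the original poster already allows from outside would be denied by that list.

```python
import re

# Access-list and access-group lines quoted from Patrick's first reply.
CONFIG = """
access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp
access-list IN_DMZ deny ip any any
access-list IN_OUTSIDE permit tcp any host 172.16.1.10 eq smtp
access-list IN_OUTSIDE deny ip any any
access-list IN_INSIDE permit ip any any
access-group IN_DMZ in interface dmz
access-group IN_OUTSIDE in interface outside
access-group IN_INSIDE in interface inside
"""

PORT_NAMES = {"smtp": 25, "https": 443, "www": 80}  # subset of the named ports the CLI accepts
ACE_RE = re.compile(r"access-list (\S+) (permit|deny) (\S+) (?:host (\S+)|any) (?:host (\S+)|any)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)$")

def parse(config):
    """Return ({acl_name: [(action, proto, src, dst, dport)]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in config.strip().splitlines():
        if (m := ACE_RE.match(line)):
            name, action, proto, src, dst, port = m.groups()
            if port is not None:
                port = PORT_NAMES.get(port) or int(port)
            acls.setdefault(name, []).append((action, proto, src or "any", dst or "any", port))
        elif (g := GROUP_RE.match(line)):
            bindings[g.group(2)] = g.group(1)
    return acls, bindings

def evaluate(acls, bindings, ingress, proto, src, dst, dport=None):
    """First matching entry wins, as on the firewall; no binding or no match is an implicit deny."""
    for action, aproto, asrc, adst, aport in acls.get(bindings.get(ingress), []):
        if aproto not in ("ip", proto):
            continue
        if asrc != "any" and asrc != src:
            continue
        if adst != "any" and adst != dst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

ACLS, BINDINGS = parse(CONFIG)

def check(ingress, proto, src, dst, dport=None):
    """Verdict for a flow entering the named interface (tcp/udp flows carry the destination port)."""
    return evaluate(ACLS, BINDINGS, ingress, proto, src, dst, dport)
```

Call check("dmz", "tcp", "172.16.1.10", "192.168.1.23", 25) for the relay's SMTP connection, and change the port or destination to see the implicit deny take over.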

flaggmd
Level 1

It depends totally on who makes your mail servers and what services you are running. If your front-end is Exchange and you're running OWA, POP, etc., you need a bunch of ports open. If you are only routing SMTP with the front end, then you should only need SMTP open. You also need to make sure you have good DNS resolution. Let me know and I can try to help.

It is an MS Exchange email server. I was trying to keep the post as simple as possible by just saying SMTP. I am aware of the other ports that need to be open on the ACL. I'm just trying to grasp the concept of the dmz to inside ACL. I will take a better look at it now. TY