08-08-2006 09:15 AM - edited 03-09-2019 03:50 PM
ASA V. 7.0(4)12
I have a basic small business setup: internet, firewall with inside, outside, dmz interfaces, and intranet including a router for subnets. I've attached the config file that I was helped with by members of the forum a few months back. (I'm not an expert). I've changed the ip addresses.
So I've finally got people on inside seeing internet and internet seeing our web server on dmz, but no mail is getting to our email server on dmz.
The static (inside,dmz) statements are so I will know who on the inside is accessing our server - maybe there is a better way but I think that is working.
Our email/web server is 10.10.2.21. We have a DNS server on the inside intranet 10.10.1.21. Our ISP DNS servers are 209.165.131.12 and .13.
In the logs, I've not found errors for smtp or pop3 specifically, but have seen the following errors:
08-09-2006 11:01 AM
Do I add an additional nat statement such as:
nat (dmz) 1 0.0.0.0 0.0.0.0
Or could there be a problem with inspect esmtp
or any ideas? Help muchly appreciated!
08-11-2006 05:16 AM
Please try.
nat (dmz) 2 0.0.0.0 0.0.0.0
static (dmz,outside) Public_IP Private_IP netmask 255.255.255.255 (Private_IP = IP of your mail server)
Create an ACL for your DMZ.
08-11-2006 08:19 AM
Many thanks for your help!
Your static statement: I don't have a public_IP for the server - just the outside interface. I will assume you did mean the public_ip for the outside interface. Also, people outside can connect to the webserver which is the same box as the email server. Not sure if I made this clear - but I will try your static statement.
For an ACL, I will try this:
access-list dmz_int extended permit tcp host 10.10.2.21 any eq smtp
access-group dmz_int in interface dmz
Thanks again!! Jim
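The following is an added worked example, not configuration from the thread or from Cisco, that pulls the advice above (nat (dmz) 2, a static for the mail server, a DMZ ACL) and Jim's own dmz_int ACL into one consistent ASA 7.0 fragment. It assumes the situation Jim describes: the mail/web server is 10.10.2.21, there is no spare public address, so the server is published by static PAT on the outside interface address, the inside ACL is called "inbound" (the name seen in Jim's log line), and the server resolves names through the ISP resolvers 209.165.131.12 and .13. The interface keyword in the static and access-list commands stands in for the public IP so nothing has to be hard-coded; "host <public-ip>" works the same way. Comment lines (starting with !) are for the reader and should be dropped when pasting.

```cisco
! 1. Outbound from the DMZ (mail delivery, DNS) through PAT on the outside address.
!    NAT ID 2 needs its own global; if the config already pairs nat (inside) 1 with
!    global (outside) 1 interface, using ID 1 instead reuses that global line.
nat (dmz) 2 0.0.0.0 0.0.0.0
global (outside) 2 interface

! 2. Static PAT: only the published ports on the outside address are redirected
!    to the server (assumed ports: smtp, pop3 and the existing web/webmail ports).
static (dmz,outside) tcp interface smtp 10.10.2.21 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 10.10.2.21 pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface www 10.10.2.21 www netmask 255.255.255.255
static (dmz,outside) tcp interface https 10.10.2.21 https netmask 255.255.255.255

! 3. Inbound ACL on outside: permit exactly the published ports, log everything
!    else that is dropped (this is where "Deny tcp ... by access-group inbound" comes from).
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq pop3
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended deny ip any any log
access-group inbound in interface outside

! 4. DMZ ACL: the server may start outbound SMTP and DNS to the ISP resolvers,
!    but may not start anything towards the inside network (10.10.1.0/24 is the
!    only inside subnet named in the thread; add the other router subnets here).
!    Replies to connections the inside opened are still allowed by the state table.
access-list dmz_int extended deny ip any 10.10.1.0 255.255.255.0
access-list dmz_int extended permit tcp host 10.10.2.21 any eq smtp
access-list dmz_int extended permit udp host 10.10.2.21 host 209.165.131.12 eq domain
access-list dmz_int extended permit udp host 10.10.2.21 host 209.165.131.13 eq domain
access-list dmz_int extended deny ip any any log
access-group dmz_int in interface dmz
```

Two things worth checking once this is in place. First, "show xlate" and "show conn" confirm that inbound SMTP is being translated to 10.10.2.21 and that a connection is actually built; if the translation is there but mail still stalls, "show service-policy" shows whether the default "inspect esmtp" in the global policy is dropping commands, which is the quickest way to answer the earlier question about that inspection. Second, a log line such as the one Jim saw (source port 443 at an external address, destination an ephemeral port on the outside IP) is a packet with no matching connection in the state table, typically a late or reset packet from a finished HTTPS (webmail) session; the inbound ACL dropping and logging it is the intended behaviour and is unrelated to the mail delivery problem.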
08-11-2006 03:43 PM
I think it may be working now - there could be some issues still. I do see this in the logs:
Deny tcp src outside:216.239.63.83/443 dst dmz:65.xxx.xxx.20/1359 by access-group "inbound"
The 65.xxx.xxx.20 being our public outside ip_addr.
Several of these from different outside ip addresses. For our website, I think the only https we have is webmail - so perhaps these are just probes/errors/other?
cheers, Jim
08-14-2006 09:45 AM
[edit] - no problem - just popping up password prompts in the email clients when it (the old firewall) didn't before. Wonder if there is a fix for that?