ASA5510 - making progress but no mail

jdory99 (Level 1)

ASA V. 7.0(4)12

I have a basic small business setup: internet, firewall with inside, outside, dmz interfaces, and intranet including a router for subnets. I've attached the config file that I was helped with by members of the forum a few months back. (I'm not an expert). I've changed the ip addresses.

So I've finally got people on inside seeing internet and internet seeing our web server on dmz, but no mail is getting to our email server on dmz.

The static (inside,dmz) statements are so I will know who on the inside is accessing our server - maybe there is a better way but I think that is working.

Our email/web server is 10.10.2.21. We have a DNS server on the inside intranet 10.10.1.21. Our ISP DNS servers are 209.165.131.12 and .13.

In the logs, I've not found errors for smtp or pop3 specifically, but have seen the following errors:


jdory99 (Level 1)

Do I add an additional nat statement such as:

nat (dmz) 1 0.0.0.0 0.0.0.0

Or could there be a problem with inspect esmtp

or any ideas? Help muchly appreciated!

Please try.

nat (dmz) 2 0.0.0.0 0.0.0.0

static (dmz,outside) Public_IP Private_IP netmask. (IP of your mail server)

Create a ACL for your DMZ.

Many thanks for your help!

Your static statement: I don't have a public_IP for the server - just the outside interface. I will assume you did mean the public_ip for the outside interface. Also, people outside can connect to the webserver which is the same box as the email server. Not sure if I made this clear - but I will try your static statement.

For an ACL, I will try this:

access-list dmz_int extended permit tcp host 10.10.2.21 any eq smtp

access-group dmz_int in interface dmz

Thanks again!! Jim
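Putting the reply's three suggestions together for the setup described in this thread, as an added example that is not from the original posts or from Cisco. It assumes ASA 7.0 syntax, that the outside interface address is the only public IP (so mail ports are forwarded with port static PAT rather than a one-to-one static), that the running config already has `global (outside) 1 interface` for NAT pool 1, that the outside ACL is the `inbound` one named in the log line, and that the inside networks fall within 10.10.0.0/16.

```cisco
! Let the DMZ host reach the Internet (outbound mail, DNS) through the
! existing PAT pool 1 (assumes "global (outside) 1 interface" is present)
nat (dmz) 1 0.0.0.0 0.0.0.0

! No spare public IP: map only the mail ports of the outside interface
! address to the DMZ server. The web ports for the same box are assumed
! to be forwarded already, since outside users already reach the website.
static (dmz,outside) tcp interface smtp 10.10.2.21 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 10.10.2.21 pop3 netmask 255.255.255.255

! Open only those two ports from the Internet toward the interface address.
! "inbound" is the ACL name the log line in this thread shows on outside.
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq pop3
access-group inbound in interface outside

! DMZ-facing ACL. Once an ACL is bound to the dmz interface it replaces the
! default "lower security may not start sessions to higher security" rule,
! so list what the mail server may initiate: SMTP to anyone, DNS to the
! ISP resolvers, nothing toward the inside (10.10.0.0/16 assumed), and
! everything else to the Internet. Inbound mail never hits this ACL; it is
! permitted by the "inbound" ACL on outside plus the static above.
access-list dmz_int extended permit tcp host 10.10.2.21 any eq smtp
access-list dmz_int extended permit udp host 10.10.2.21 host 209.165.131.12 eq domain
access-list dmz_int extended permit udp host 10.10.2.21 host 209.165.131.13 eq domain
access-list dmz_int extended deny ip host 10.10.2.21 10.10.0.0 255.255.0.0
access-list dmz_int extended permit ip host 10.10.2.21 any
access-group dmz_int in interface dmz
```

After applying it, `show xlate` should list the two port translations and the hit counts in `show access-list inbound` should climb when a remote mail server connects. The default `global_policy` in 7.x includes `inspect esmtp`; `show service-policy` confirms whether it is active before it gets blamed for mail problems.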

I think it may be working now - there could be some issues still. I do see this in the logs:

Deny tcp src outside:216.239.63.83/443 dst dmz:65.xxx.xxx.20/1359 by access-group "inbound"

The 65.xxx.xxx.20 being our public outside ip_addr.

Several of these from different outside ip addresses. For our website, I think the only https we have is webmail - so perhaps these are just probes/errors/other?

cheers, Jim

[edit]- no problem - just popping up password prompts in the email clients when it (the old firewall) didn't before. wonder if there is a fix for that?