Cisco Support Community

New Member

ASA5510 - making progress but no mail

ASA V. 7.0(4)12

I have a basic small business setup: internet, firewall with inside, outside, dmz interfaces, and intranet including a router for subnets. I've attached the config file that I was helped with by members of the forum a few months back. (I'm not an expert). I've changed the ip addresses.

So I've finally got people on inside seeing internet and internet seeing our web server on dmz, but no mail is getting to our email server on dmz.

The static (inside,dmz) statements are so I will know who on the inside is accessing our server - maybe there is a better way but I think that is working.

Our email/web server is 10.10.2.21. We have a DNS server on the inside intranet 10.10.1.21. Our ISP DNS servers are 209.165.131.12 and .13.

In the logs, I've not found errors for smtp or pop3 specifically, but have seen the following errors:

5 REPLIES
New Member

Re: ASA5510 - making progress but no mail

Do I add an additional nat statement such as:

nat (dmz) 1 0.0.0.0 0.0.0.0

Or could there be a problem with inspect esmtp

or any ideas? Help muchly appreciated!

New Member

Re: ASA5510 - making progress but no mail

Please try.

nat (dmz) 2 0.0.0.0 0.0.0.0

static (dmz,outside) Public_IP Private_IP netmask. (IP of your mail server)

Create a ACL for your DMZ.
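The three pieces of that reply pulled together for the original poster's addressing, as an added example (not the reply author's or the poster's actual config). It assumes ASA 7.0 syntax, that the inside already uses `global (outside) 1 interface` so NAT id 1 can be reused, that the mail ports are published on the outside interface's own public IP with the `interface` keyword since there is no separate public address, that the outside ACL is named `inbound` (the name quoted in a later log line), and that the DMZ host only ever needs to start SMTP sessions and DNS lookups to the two ISP resolvers named above.

```cisco
! Added example, not the thread's own config: DMZ mail/web server 10.10.2.21
! reachable on the outside interface's single public IP (ASA 7.0 syntax assumed).
!
! 1. Let the DMZ subnet reach the internet through the outside interface address
!    (assumes global (outside) 1 interface already exists for the inside network).
nat (dmz) 1 10.10.2.0 255.255.255.0
!
! 2. Port-forward only the mail ports from the outside IP to the server
!    (the web server's existing static is assumed to be done the same way).
static (dmz,outside) tcp interface smtp 10.10.2.21 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 10.10.2.21 pop3 netmask 255.255.255.255
!
! 3. Permit just those ports inbound; the ACL's implicit deny drops everything else.
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq pop3
access-group inbound in interface outside
!
! 4. Restrict what the DMZ host itself may start: outbound SMTP anywhere, DNS only
!    to the ISP resolvers, and nothing toward the inside network, so a compromised
!    mail server cannot open connections inward. Inside-initiated sessions to the
!    server (via the static (inside,dmz) entries) are unaffected, since only their
!    return traffic crosses this interface and that is allowed by connection state.
access-list dmz_int extended permit tcp host 10.10.2.21 any eq smtp
access-list dmz_int extended permit udp host 10.10.2.21 host 209.165.131.12 eq domain
access-list dmz_int extended permit udp host 10.10.2.21 host 209.165.131.13 eq domain
access-group dmz_int in interface dmz
```

Substitute whatever ACL name is actually bound to the outside interface for `inbound`, and check with `show xlate` after a test connection that the static is producing a translation for 10.10.2.21.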

New Member

Re: ASA5510 - making progress but no mail

Many thanks for your help!

Your static statement: I don't have a public_IP for the server - just the outside interface. I will assume you did mean the public_ip for the outside interface. Also, people outside can connect to the webserver which is the same box as the email server. Not sure if I made this clear - but I will try your static statement.

For an ACL, I will try this:

access-list dmz_int extended permit tcp host 10.10.2.21 any eq smtp

access-group dmz_int in interface dmz

Thanks again!! Jim

New Member

Re: ASA5510 - making progress but no mail

I think it may be working now - there could be some issues still. I do see this in the logs:

Deny tcp src outside:216.239.63.83/443 dst dmz:65.xxx.xxx.20/1359 by access-group "inbound"

The 65.xxx.xxx.20 being our public outside ip_addr.

Several of these from different outside ip addresses. For our website, I think the only https we have is webmail - so perhaps these are just probes/errors/other?

cheers, Jim

New Member

Re: ASA5510 - making progress but no mail

[edit] - no problem - it's just popping up password prompts in the email clients when it (the old firewall) didn't before. Wonder if there is a fix for that?
