Community Member

Mail server at DMZ

If I have an access-list like this:

access-list mail permit tcp any any eq smtp

access-list mail permit tcp any any eq pop3

Do I need to have another access-list to permit smtp and pop3 to and from my mail server located at the DMZ?

3 REPLIES
Community Member

Re: Mail server at DMZ

In a normal situation, it will not be necessary.

Community Member

Re: Mail server at DMZ

Under what situation do I need it? I do have an access-list that is applied to the DMZ interface to allow smtp and pop3 in.

Silver

Re: Mail server at DMZ

If you have that access-list on your outside interface and NAT is working correctly, you will not need to specifically allow the traffic in your DMZ interface. The ASA (adaptive security algorithm) will know to let the traffic back in the DMZ interface regardless of what the access-list there says. In fact, even an explicit Deny statement would not stop the traffic.
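The behaviour described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a simplified model of stateful filtering in which reply packets of a tracked connection bypass the interface ACL, while new connections are checked against it. Interface names, addresses and ACL entries are constructed, NAT is left out, and the third case goes slightly beyond the thread by showing a connection the mail server itself initiates.

```python
# Simplified model of stateful filtering; not Cisco's implementation.
# Interface names, addresses and ACL contents are constructed samples.

def acl_permits(acl, proto, dport):
    """First matching entry wins; no match means implicit deny."""
    for action, a_proto, a_port in acl:
        if a_proto == proto and a_port in (dport, "any"):
            return action == "permit"
    return False


class StatefulFirewall:
    def __init__(self, ingress_acls):
        self.ingress_acls = ingress_acls   # interface name -> inbound ACL
        self.conns = set()                 # flows: (proto, src, sport, dst, dport)

    def handle(self, iface, proto, src, sport, dst, dport):
        # 1. Packets of a tracked flow, in either direction, skip the ACL.
        if (proto, src, sport, dst, dport) in self.conns:
            return "permit (existing connection)"
        if (proto, dst, dport, src, sport) in self.conns:
            return "permit (existing connection)"
        # 2. Anything else is a new connection and is checked against the
        #    ACL of the interface it arrived on.
        if acl_permits(self.ingress_acls.get(iface, []), proto, dport):
            self.conns.add((proto, src, sport, dst, dport))
            return "permit (new connection)"
        return "deny"


def demo():
    fw = StatefulFirewall({
        "outside": [("permit", "tcp", 25), ("permit", "tcp", 110)],
        "dmz": [("deny", "tcp", "any")],   # explicit deny on the DMZ interface
    })
    client, server = "198.51.100.7", "192.0.2.25"   # constructed addresses
    return [
        # Internet client opens SMTP to the DMZ mail server.
        fw.handle("outside", "tcp", client, 40000, server, 25),
        # Server's reply arrives on the DMZ interface: the deny is never consulted.
        fw.handle("dmz", "tcp", server, 25, client, 40000),
        # Server starts its own outbound SMTP session: the DMZ ACL applies.
        fw.handle("dmz", "tcp", server, 41000, "203.0.113.9", 25),
        # Port not listed in the outside ACL: implicit deny.
        fw.handle("outside", "tcp", client, 40001, server, 80),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```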
