topic Re: problem with mail server in dmz zone in Network Security

problem with mail server in dmz zone

goran ljubic — Tue, 12 Mar 2019 00:19:44 GMT

i configured on my asa 5510 dmz zone and put my mail server in this zone. i configured nat rule with public address which i received from my ISP and i configured ACL rule. my configuration of asa 5510 is:

[quote]

Result of the command: "show runn"

: Saved

ASA Version 8.4(2)

hostname asa5510

domain-name domen.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.178 255.255.255.248

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.10 255.255.255.0

interface Ethernet0/2

description Mreza za virtualne masine- mail server, wsus....

nameif DMZ

security-level 50

ip address 172.16.20.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name dri.local

object network VPN-POOL

subnet 192.168.50.0 255.255.255.0

description VPN Client pool

object network LAN-NETWORK

subnet 192.168.0.0 255.255.255.0

description LAN Network

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network 192.168.0.10

host 192.168.0.10

object service ssl

service tcp destination eq 465

object service tls

service tcp destination eq 995

object network mail_server

host 172.16.20.200

object service StartTLS

service tcp destination eq 587

object service admin_port

service tcp destination eq 1000

object service ODMR

service tcp destination eq 366

object service SSL-IMAP

service tcp destination eq 993

object network remote

host 172.16.20.200

object network test

host 192.168.0.22

object network mail

host 172.16.20.200

object-group network PAT-SOURCE-NETWORKS

description Source networks for PAT

network-object 192.168.0.0 255.255.255.0

object-group service DM_INLINE_SERVICE_2

service-object tcp

service-object tcp destination eq pop3

service-object tcp destination eq smtp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object tcp

service-object icmp echo-reply

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server

access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any

access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0

access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22

access-list outside_dmz extended permit tcp any host 178.254.133.179 eq smtp

access-list outside_dmz extended permit tcp any host 178.254.133.179 eq pop3

ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL

object network mail_server

nat (DMZ,outside) static x.x.x.179

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 x.x.x.177 1

timeout xlate 3:00:00

[/quote]

But, my client cannot access my mail server. Which rules i need put that my mail server works?

Re: problem with mail server in dmz zone

Karsten Iwen — Tue, 06 Nov 2012 15:00:19 GMT

the NAT-statement is in place and the ACL allows SMTP, thats fine. (In fact, you allow all TCP to the DMZ-server because of "service object tcp" in the group DM_INLINE_SERVICE_2; that should be removed).

Can your server access the Internet?

If that works you can try disabling the SMTP-inspection with

no fixup protocol smtp 25

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Tue, 06 Nov 2012 15:10:14 GMT

my server cannot access the internet. my ISP is registered in dns zone A record on my public IP x,x,x,179, MX record and TXT record, but i can't access to internet from my mail server

Re: problem with mail server in dmz zone

goran ljubic — Tue, 06 Nov 2012 15:12:56 GMT

my mail server must have the access to the internet? i can't search web page from web browser

Re: problem with mail server in dmz zone

Karsten Iwen — Tue, 06 Nov 2012 15:14:56 GMT

ok, that is a different situation. Then start troubleshooting your connection from the ASA to the server:

1) can they ping each other?

2) Switchport-config corect where your server is connected?

3) IP-config on mail-server correct?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Tue, 06 Nov 2012 15:27:07 GMT

1)yes, i can ping each other

3)my mail server have address 172.16.20.200 mask 255.255.255.0 gateway 172.16.20.1 dns 172.16.20.1. asa have configuration 172.16.20.1 mask 255.255.255.0

2) switchportport-config, where i see that configuration?

Re: problem with mail server in dmz zone

goran ljubic — Tue, 06 Nov 2012 15:37:46 GMT

when i use packet trace i receive picture like that my firewall is configured ok. what do you think?

Re: problem with mail server in dmz zone

Karsten Iwen — Tue, 06 Nov 2012 15:39:41 GMT

configure a different DNS server on the mail-server, not the 172.16.20.1. The ASA doesn't work as a DNS-server.

configure the following command:

fixup protocol icmp

and try to ping an address on the internet (like 8.8.8.8). Does that work?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

Karsten Iwen — Tue, 06 Nov 2012 15:45:06 GMT

the packet-tracer looks fine. How do you test if you mail-server is reachable from the internet?

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Tue, 06 Nov 2012 15:45:54 GMT

i receive request time out

Re: problem with mail server in dmz zone

Karsten Iwen — Tue, 06 Nov 2012 15:49:38 GMT

yes, you allow only traffic to an internal server, try to add the following line and ping again to 8.8.8.8:

access-list DMZ_access_in extended permit icmp any any echo

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Tue, 06 Nov 2012 20:42:01 GMT

again nothing request time out.i changed dns server. i puted dns server in my inside lan where's lan have internet. this dns server is integrated with active directory. my users have dns server with address 192.168.0.20 and they have internet. when i ping for exampe www.google.com i receive address of google but i don't have ping request time out. i put this dns sever like temporary solution. can i enable dhcp server and dns server on my asa 5510 firewall and i use dns of asa?

Re: problem with mail server in dmz zone

goran ljubic — Wed, 07 Nov 2012 08:55:41 GMT

I searched configuration of my Ethernet 0/2 and on ethernet0/2 is not configured VLAN and there's not switch port. Maybe this is problem.

Re: problem with mail server in dmz zone

Karsten Iwen — Wed, 07 Nov 2012 09:33:16 GMT

On your ASA the interface is configured. And you say you can ping the ASA from the server. So there shouldn't be a problem. Unless you have another system with IP 172.16.20.1 that was replying when you tested it.

Please enable icmp-debug on the ASA:

asa# deb icmp trace

asa# term mon

and ping the 172.16.20.1 again from the server. If you see a log-message the connection between the server and the ASA is fine.

And please provide the output of the following command:

asa# packet-tracer input DMZ icmp 172.16.20.200 8 0 1.2.3.4

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Wed, 07 Nov 2012 09:42:22 GMT

log file is:

[quote]

asa5510(config)# ICMP echo request from 172.16.20.200 to 172.16.20.1 ID=1 seq=11

0 len=32

ICMP echo reply from 172.16.20.1 to 172.16.20.200 ID=1 seq=110 len=32

ICMP echo request from 172.16.20.200 to 172.16.20.1 ID=1 seq=111 len=32

ICMP echo reply from 172.16.20.1 to 172.16.20.200 ID=1 seq=111 len=32

ICMP echo request from 172.16.20.200 to 172.16.20.1 ID=1 seq=112 len=32

ICMP echo reply from 172.16.20.1 to 172.16.20.200 ID=1 seq=112 len=32

ICMP echo request from 172.16.20.200 to 172.16.20.1 ID=1 seq=113 len=32

ICMP echo reply from 172.16.20.1 to 172.16.20.200 ID=1 seq=113 len=32

[/quote]

Re: problem with mail server in dmz zone

Karsten Iwen — Wed, 07 Nov 2012 09:48:36 GMT

please provide also the packet-tracer-output.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Wed, 07 Nov 2012 09:52:11 GMT

packet tracert from asa to mail server?

Re: problem with mail server in dmz zone

goran ljubic — Wed, 07 Nov 2012 10:01:21 GMT

i puted the picture when traffic come on outside interface)public address of mail server). i tested ping from outside interface on 8.8.8.8 it works but from dmz interface it's not works.

Re: problem with mail server in dmz zone

Karsten Iwen — Wed, 07 Nov 2012 11:10:57 GMT

asa# packet-tracer input DMZ icmp 172.16.20.200 8 0 1.2.3.4

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Re: problem with mail server in dmz zone

goran ljubic — Wed, 07 Nov 2012 11:35:28 GMT

result is:

[code]

asa5510# packet-tracer input DMZ icmp 172.16.20.200 8

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_defau

match default-inspection-

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_poli

Additional Information:

Phase: 4

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT

Subtype:

Result: ALLOW

Config:

object network mail_server

nat (DMZ,outside) static x.x.x.179

Additional Information:

Static translate 172.16.20.200/0 to x.x.x.179/0

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 27, packet dispatched to next module

Result:

input-interface: DMZ

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

[/code]