topic Re: Accessing Exchange Server from DMZ in Network Security

Accessing Exchange Server from DMZ

sholiday666 — Mon, 11 Mar 2019 21:13:09 GMT

Good morning,

We have a ASA5510 with a webserver in the DMZ network 10.2.2.0/24. We now want this web server to be able to access the Exchange server in the Inside network 10.1.1.0/24. I researched this and it seemed straight forward according the the Cisco document below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

I'm looking to do this with smtp so I added these lines to the config:

static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp

The configuration line:

access-group DMZ in interface DMZ

Already existed in the configuration so didn't need to be re-entered.

ASA Version 8.0(4)

hostname xxxx

domain-name xxxx.com

enable password xxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxxx encrypted

names

dns-guard

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.141.85 255.255.255.224

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.1.255.254 255.255.255.248

interface Ethernet0/2

nameif dmz

security-level 50

ip address 10.2.2.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

boot system disk0:/asa804-k8.bin

ftp mode passive

clock timezone MDT -7

clock summer-time MDT recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.2.2.1

domain-name mjfirm.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inbound extended permit tcp any host xxx.xxx.141.83 eq www

access-list inbound extended permit tcp any host xxx.xxx.141.83 eq https

access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ftp

access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ftp-data

access-list inbound extended permit tcp any host xxx.xxx.141.83 eq ssh

access-list inbound extended permit tcp any host xxx.xxx.141.84 eq imap4

access-list inbound extended permit tcp any host xxx.xxx.141.84 eq pop3

access-list inbound extended permit tcp any host xxx.xxx.141.84 eq www

access-list inbound extended permit tcp any host xxx.xxx.141.84 eq https

access-list inbound extended permit tcp any host xxx.xxx.141.84 eq smtp

access-list inbound extended permit icmp any any

access-list dmz extended deny ip any 10.1.0.0 255.255.0.0

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp

access-list dmz extended permit ip any any

access-list nonat extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0

access-list nonat extended permit ip 10.1.0.0 255.255.0.0 10.1.0.0 255.255.0.0

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list vpnsplit extended permit ip 10.1.0.0 255.255.0.0 172.16.22.0 255.255.255.0

access-list encrypt_acl extended permit ip 10.1.10.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list encrypt_acl extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu management 1500

ip local pool vpnpool 172.16.22.1-172.16.22.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-61551.bin

no asdm history enable

arp timeout 14400

global (outside) 10 xxx.xxx.141.82 netmask 255.255.255.0

global (dmz) 10 interface

nat (inside) 0 access-list nonat

nat (inside) 10 0.0.0.0 0.0.0.0

nat (dmz) 10 0.0.0.0 0.0.0.0

static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255

static (inside,outside) xxx.xxx.141.84 10.1.1.11 netmask 255.255.255.255

static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255

access-group inbound in interface outside

access-group dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 xxx.xxx.141.81 1

route inside 10.1.0.0 255.255.0.0 10.1.255.249 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa-server vpn protocol radius

aaa-server vpn (inside) host 10.1.1.12

key -->

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa local authentication attempts max-fail 16

http server enable

http 172.16.22.0 255.255.255.0 inside

http 10.1.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

sysopt noproxyarp inside

sysopt noproxyarp dmz

sysopt noproxyarp management

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set HQset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800

crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 20 match address encrypt_acl

crypto map outside_map 20 set peer 207.202.195.198

crypto map outside_map 20 set transform-set HQset

crypto map outside_map 20 set security-association lifetime seconds 28800

crypto map outside_map 20 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 50

telnet 10.1.0.0 255.255.0.0 inside

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh 10.1.0.0 255.255.0.0 inside

ssh timeout 30

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.43.244.18

webvpn

enable outside

svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy vpnclients internal

group-policy vpnclients attributes

wins-server value 10.1.1.12

dns-server value 10.1.1.12

vpn-tunnel-protocol IPSec

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpnsplit

default-domain value mjfirm.local

split-dns value mjfirm.local

address-pools value vpnpool

group-policy clientgroup internal

group-policy clientgroup attributes

wins-server value 10.1.1.12

dns-server value 10.1.1.12

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelall

webvpn

svc keep-installer installed

svc rekey time 30

svc rekey method ssl

svc ask none default svc

tunnel-group M&J type remote-access

tunnel-group M&J general-attributes

address-pool vpnpool

authentication-server-group vpn

default-group-policy vpnclients

tunnel-group M&J ipsec-attributes

pre-shared-key *

tunnel-group sslgroup type remote-access

tunnel-group sslgroup general-attributes

address-pool vpnpool

authentication-server-group vpn

default-group-policy clientgroup

tunnel-group sslgroup webvpn-attributes

group-alias sslgroup_users enable

tunnel-group xxx.xxx.195.198 type ipsec-l2l

tunnel-group xxx.xxx.195.198 ipsec-attributes

pre-shared-key *

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 768

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx

: end

It's not working. Below is the output form Packet-Tracer using smtp

Phase: 6

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255

match ip inside host 10.1.1.11 dmz any

static translation to 10.2.2.30

translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

out id=0xd5786190, priority=5, domain=nat-reverse, deny=false

hits=9, user_data=0xd627c598, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0

Result:

input-interface: dmz

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Any assistance would be appreciated!

Accessing Exchange Server from DMZ

varrao — Wed, 17 Aug 2011 16:14:10 GMT

Hi Scott,

Can you provide the complete output of the packet-tracer, that will be helpful.

Thanks,

Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Wed, 17 Aug 2011 17:15:48 GMT

Thanks Varun, here it is:

ASA# packet-tracer input dmz tcp 10.2.2.2 smtp 10.1.1.11 smtp detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.0.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56cdc20, priority=12, domain=permit, deny=false
        hits=18, user_data=0xd5785640, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56f8458, priority=0, domain=permit-ip-option, deny=true
        hits=905436, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
match ip dmz host 10.2.2.2 outside any
    static translation to xxx.xxx.141.83
    translate_hits = 29659, untranslate_hits = 1026673
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd576e668, priority=5, domain=host, deny=false
        hits=899340, user_data=0xd5786790, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
match ip inside host 10.1.1.11 dmz any
    static translation to 10.2.2.30
    translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd967f210, priority=5, domain=nat-reverse, deny=false
        hits=0, user_data=0xd96d12a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Accessing Exchange Server from DMZ

varrao — Wed, 17 Aug 2011 17:49:11 GMT

Hi Scott,

Something doesn't seem right to me, if you see on the tracer, on phase 5, the packets are falling into the wrong nat statement, because the tracer command used is not correct, it should be:

packet-tracer input dmz tcp 10.2.2.2 2345 10.2.2.30 smtp detailed

Remember, you are trying to access the server on inside on IP 10.2.2.30, so it should be this.

i would also take captures on the firewall;

access-list cap permit ip host 10.2.2.2 host 10.2.2.30

access-list cap permit ip host 10.2.2.30 host 10.2.2.2

access-list cap permit ip host 10.1.1.11 host 10.2.2.2

access-list cap permit ip host 10.2.2.2 host 10.1.1.11

cap capin access-list cap interface inside

cap capo access-list cap interface outside

Generate some traffic and then collect the captures and logs for it.

show cap capin

show cap capo

Also, as a test, can you add:

global (inside) 10 interface

Let me know the results.

Thanks,

Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Wed, 17 Aug 2011 19:07:03 GMT

Thanks Varun. That did the trick as far as packet-tracer. Below is the output. But why did you ahve me use port 2345?

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
match ip inside host 10.1.1.11 dmz any
static translation to 10.2.2.30
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface inside
Untranslate 10.2.2.30/0 to 10.1.1.11/0 using netmask 255.255.255.255

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group dmz in interface dmz
access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd9dc16d8, priority=12, domain=permit, deny=false
        hits=0, user_data=0xd56ae608, cs_id=0x0, flags=0x0, protocol=6
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=10.2.2.30, mask=255.255.255.255, port=25, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd56f8458, priority=0, domain=permit-ip-option, deny=true
        hits=906425, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) xxx.xxx.141.83 10.2.2.2 netmask 255.255.255.255
match ip dmz host 10.2.2.2 outside any
    static translation to xxx.xxx.141.83
    translate_hits = 29663, untranslate_hits = 1026933
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd576e668, priority=5, domain=host, deny=false
        hits=900329, user_data=0xd5786790, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.2.2.2, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,dmz) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
match ip inside host 10.1.1.11 dmz any
    static translation to 10.2.2.30
    translate_hits = 0, untranslate_hits = 1
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd967f210, priority=5, domain=nat-reverse, deny=false
        hits=1, user_data=0xd96d12a0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=10.1.1.11, mask=255.255.255.255, port=0, dscp=0x0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) xxx.xxx.141.84 10.1.1.11 netmask 255.255.255.255
match ip inside host 10.1.1.11 outside any
    static translation to xxx.xxx.141.84
    translate_hits = 19832486, untranslate_hits = 5484763
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd56093b0, priority=5, domain=host, deny=false
        hits=23010699, user_data=0xd5915db8, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.1.1.11, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd56a5470, priority=0, domain=permit-ip-option, deny=true
        hits=145735197, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 149903633, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.255.249 using egress ifc inside
adjacency Active
next-hop mac address 0017.0e3b.82bf hits 3981329

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 02:25:49 GMT

Hi Scott,

Did you take the captures and logs as well???

-Varun

Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 04:25:15 GMT

Varuna,

Yes set up the captures but i didn't get anything. I generated telnet, icmp, and smtp from 10.2.2.2 to 10.2.2.30 then added captures for the dmz interface and again no captures.

-Scott

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 04:34:03 GMT

Hi Scott,

what we would need to identify is, apply both the captures on the inside and dmz together and then generate traffic. Reason 1 - This would identify whether tnhe traffic is reaching the ASA dmthz interface, if not then routing on the etwork needs to be checked.

Reason 2- If the packets are seen on the dmz, do those packets reach the inside interface?? If not, its ASA dropping them.

Collect logs as well, it would help greatly.

Thanks,

Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 15:28:54 GMT

ASA# sh capture capin

1 packet captured

1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

1 packet shown

ASA# sh capture capo

1 packet captured

1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

1 packet shown

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 15:42:56 GMT

Hi Scott,

The captures shows me that the request is going to the server but no replies coming back, which means the server is not responding back.

But before jumpimg to conclusions, I think after applying the captures, you ran a packet tracer and collected the cap tures, because the source port is also 25, in actual traffic, the source port would always be a higherseries port number. Also packet-tracer is just a helping tool and never always the clear picture. We now need to depend on the real traffic, and it would be good to take logs and captures when you actually initiate traffic from the dmz host.

For collecting logs you would need:

logging buffered 7

after generating traffic:

show logg | in 10.2.2.2

show logg | in 10.2.2.30

I guess we would nail the problem this way, and also could you please test with:

global (inside) 10 interface

Thanks,

Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 16:51:40 GMT

Varun,

I added the entry

global (inside) 10 interface

and enabled logging and initiated traffic from the web server using the form that will contact the Exchange server, but nothing is showing up in the logs for 10.2.2.2 or 10.2.2.30.

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 17:00:56 GMT

Hi Scott,

If you do not see anything in the logs and the captures, then it might be posible that the packets are not even reaching the firewall.

-Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 17:10:40 GMT

Varun,

If you look at my configuration you probably noticed that I attempted to enable telnet and ICMP to test. Telnet and ping are not working either. Is there something you can see in the config that is not right? these were the entries I created for telnet and ICMP:

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq telnet

access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo

access-list dmz extended permit icmp host 10.2.2.2 host 10.2.2.30 echo-reply

Shouldn't these work. If I could get telnet going i could try the old "telnet 10.2.2.30 25" command from the 10.2.2.2 host.

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 17:25:17 GMT

Varun,

Here is the output from sh xlate detail:

MJASA# sh xlate detail

NAT from inside:10.1.1.11 to dmz:10.2.2.30 flags s

NAT from dmz:10.2.2.2 to inside:10.2.2.2 flags s

NAT from dmz:10.2.2.2 to outside:xxx.xxx.141.83 flags s

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 17:30:07 GMT

Hi Scott,

What you have is correct.

Lets try one thing, use the following config:

static (inside,dmz) 10.1.1.11 10.1.1.11

nat (dmz) 10 0.0.0.0 0.0.0.0

global (inside) 10 interface

access-list dmz extended permit tcp host 10.2.2.2 host 10.1.1.11 eq telnet

access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11 echo

access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11 echo-reply

access-list dmz extended permit icmp host 10.2.2.2 host 10.1.1.11 eq 25

once you have this, apply fresh captures:

access-list test permit ip host 10.1.1.11 host 10.2.2.2

access-list test permit ip host 10.2.2.2 host 10.1.1.11

cap capi access-list test interface inside

cap capdmz access-list test interface dmz

Once you have everything setup, try initiating telnet or ping traffic, and collect captures. If we atleast have this info, we woudl be able to identify the issue.

Hope everything goes well.

Thanks,

Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 17:37:54 GMT

Do I need to erase the other configuration entries related to telnet and ICMP using 10.2.2.30 first? Also do i need to erase the "access-list dmz extended permit ip any any" and then add it back at the end so it shows up last?

I appreciate your help.

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 17:40:01 GMT

If you have ip any any in dmz interface, let it be for testing purpose, just remove the previous static and add the new statement, along with the global.

-Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 18:19:39 GMT

Varun,

Ping and telnet are working and I was able to connect to Exchange. Here is a small sample of the capture. There are hundreds of lines:

MJASA(config)# sh capture capin

1917 packets captured

1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

2: 09:33:52.110010 10.2.2.2.25 > 10.2.2.30.25: S 1614045430:1614045430(0) win 8192

3: 11:59:13.552141 10.2.2.2 > 10.1.1.11: icmp: echo request

4: 11:59:13.552309 10.2.2.2 > 10.1.1.11: icmp: echo request

5: 11:59:13.552736 10.1.1.11 > 10.2.2.2: icmp: echo reply

6: 11:59:13.552873 10.1.1.11 > 10.2.2.2: icmp: echo reply

7: 11:59:14.544207 10.2.2.2 > 10.1.1.11: icmp: echo request

8: 11:59:14.544237 10.2.2.2 > 10.1.1.11: icmp: echo request

9: 11:59:14.544649 10.1.1.11 > 10.2.2.2: icmp: echo reply

10: 11:59:14.544664 10.1.1.11 > 10.2.2.2: icmp: echo reply

11: 11:59:15.544191 10.2.2.2 > 10.1.1.11: icmp: echo request

12: 11:59:15.544222 10.2.2.2 > 10.1.1.11: icmp: echo request

13: 11:59:15.544573 10.1.1.11 > 10.2.2.2: icmp: echo reply

14: 11:59:15.544588 10.1.1.11 > 10.2.2.2: icmp: echo reply

15: 11:59:16.544252 10.2.2.2 > 10.1.1.11: icmp: echo request

16: 11:59:16.544268 10.2.2.2 > 10.1.1.11: icmp: echo request

17: 11:59:16.544619 10.1.1.11 > 10.2.2.2: icmp: echo reply

18: 11:59:16.544634 10.1.1.11 > 10.2.2.2: icmp: echo reply

19: 11:59:24.607527 10.2.2.2.2408 > 10.1.1.11.25: S 3220685032:3220685032(0) win 65535

op,nop,sackOK>

20: 11:59:24.607726 10.2.2.2.2408 > 10.1.1.11.25: S 3606219141:3606219141(0) win 65535

op,nop,sackOK>

21: 11:59:24.608229 10.1.1.11.25 > 10.2.2.2.2408: S 735101338:735101338(0) ack 3606219142 win 8192

22: 11:59:24.608290 10.1.1.11.25 > 10.2.2.2.2408: S 1680224940:1680224940(0) ack 3220685033 win 81

23: 11:59:24.608382 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680224941 win 65535

24: 11:59:24.608412 10.2.2.2.2408 > 10.1.1.11.25: . ack 735101339 win 65535

25: 11:59:24.609862 10.1.1.11.25 > 10.2.2.2.2408: P 735101339:735101438(99) ack 3606219142 win 648

26: 11:59:24.609877 10.1.1.11.25 > 10.2.2.2.2408: P 1680224941:1680225040(99) ack 3220685033 win 6

4860

27: 11:59:24.856782 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225040 win 65436

28: 11:59:24.856812 10.2.2.2.2408 > 10.1.1.11.25: . ack 735101438 win 65436

29: 11:59:30.971827 10.2.2.2.2408 > 10.1.1.11.25: P 3220685033:3220685034(1) ack 1680225040 win 65

436

30: 11:59:30.971843 10.2.2.2.2408 > 10.1.1.11.25: P 3606219142:3606219143(1) ack 735101438 win 654

31: 11:59:31.174734 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219143 win 64859

32: 11:59:31.174749 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685034 win 64859

33: 11:59:31.306960 10.2.2.2.2408 > 10.1.1.11.25: P 3220685034:3220685035(1) ack 1680225040 win 65

436

34: 11:59:31.306975 10.2.2.2.2408 > 10.1.1.11.25: P 3606219143:3606219144(1) ack 735101438 win 654

35: 11:59:31.502278 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219144 win 64858

36: 11:59:31.502293 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685035 win 64858

37: 11:59:31.546846 10.2.2.2.2408 > 10.1.1.11.25: P 3220685035:3220685036(1) ack 1680225040 win 65

436

38: 11:59:31.546861 10.2.2.2.2408 > 10.1.1.11.25: P 3606219144:3606219145(1) ack 735101438 win 654

39: 11:59:31.751868 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219145 win 64857

40: 11:59:31.751898 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685036 win 64857

41: 11:59:31.754782 10.2.2.2.2408 > 10.1.1.11.25: P 3220685036:3220685037(1) ack 1680225040 win 65

436

42: 11:59:31.754813 10.2.2.2.2408 > 10.1.1.11.25: P 3606219145:3606219146(1) ack 735101438 win 654

43: 11:59:31.954738 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219146 win 64856

44: 11:59:31.954769 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685037 win 64856

45: 11:59:32.522617 10.2.2.2.2408 > 10.1.1.11.25: P 3220685037:3220685039(2) ack 1680225040 win 65

436

46: 11:59:32.522647 10.2.2.2.2408 > 10.1.1.11.25: P 3606219146:3606219148(2) ack 735101438 win 654

47: 11:59:32.523212 10.1.1.11.25 > 10.2.2.2.2408: P 735101438:735101484(46) ack 3606219148 win 648

48: 11:59:32.523227 10.1.1.11.25 > 10.2.2.2.2408: P 1680225040:1680225086(46) ack 3220685039 win 6

MJASA(config)# sh capture capo

965 packets captured

1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

2: 09:33:52.110010 10.2.2.2.25 > 10.2.2.30.25: S 1614045430:1614045430(0) win 8192

3: 11:59:13.552141 10.2.2.2 > 10.1.1.11: icmp: echo request

4: 11:59:13.552873 10.1.1.11 > 10.2.2.2: icmp: echo reply

5: 11:59:14.544207 10.2.2.2 > 10.1.1.11: icmp: echo request

6: 11:59:14.544664 10.1.1.11 > 10.2.2.2: icmp: echo reply

7: 11:59:15.544207 10.2.2.2 > 10.1.1.11: icmp: echo request

8: 11:59:15.544588 10.1.1.11 > 10.2.2.2: icmp: echo reply

9: 11:59:16.544252 10.2.2.2 > 10.1.1.11: icmp: echo request

10: 11:59:16.544634 10.1.1.11 > 10.2.2.2: icmp: echo reply

11: 11:59:24.607527 10.2.2.2.2408 > 10.1.1.11.25: S 3220685032:3220685032(0) win 65535

op,nop,sackOK>

12: 11:59:24.608290 10.1.1.11.25 > 10.2.2.2.2408: S 1680224940:1680224940(0) ack 3220685033 win 81

13: 11:59:24.608382 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680224941 win 65535

14: 11:59:24.609877 10.1.1.11.25 > 10.2.2.2.2408: P 1680224941:1680225040(99) ack 3220685033 win 6

4860

15: 11:59:24.856782 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225040 win 65436

16: 11:59:30.971827 10.2.2.2.2408 > 10.1.1.11.25: P 3220685033:3220685034(1) ack 1680225040 win 65

436

17: 11:59:31.174765 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685034 win 64859

18: 11:59:31.306960 10.2.2.2.2408 > 10.1.1.11.25: P 3220685034:3220685035(1) ack 1680225040 win 65

436

19: 11:59:31.502293 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685035 win 64858

20: 11:59:31.546846 10.2.2.2.2408 > 10.1.1.11.25: P 3220685035:3220685036(1) ack 1680225040 win 65

436

21: 11:59:31.751898 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685036 win 64857

22: 11:59:31.754782 10.2.2.2.2408 > 10.1.1.11.25: P 3220685036:3220685037(1) ack 1680225040 win 65

436

23: 11:59:31.954769 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685037 win 64856

24: 11:59:32.522617 10.2.2.2.2408 > 10.1.1.11.25: P 3220685037:3220685039(2) ack 1680225040 win 65

436

25: 11:59:32.523227 10.1.1.11.25 > 10.2.2.2.2408: P 1680225040:1680225086(46) ack 3220685039 win 6

4854

26: 11:59:32.841173 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225086 win 65390

27: 12:01:29.930829 10.2.2.2.2408 > 10.1.1.11.25: P 3220685039:3220685040(1) ack 1680225086 win 65

390

28: 12:01:30.130867 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685040 win 64853

29: 12:01:30.131005 10.2.2.2.2408 > 10.1.1.11.25: P 3220685040:3220685041(1) ack 1680225086 win 65

390

30: 12:01:30.333738 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685041 win 64852

31: 12:01:30.333860 10.2.2.2.2408 > 10.1.1.11.25: P 3220685041:3220685042(1) ack 1680225086 win 65

390

32: 12:01:30.536486 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685042 win 64851

33: 12:01:30.536593 10.2.2.2.2408 > 10.1.1.11.25: P 3220685042:3220685043(1) ack 1680225086 win 65

390

34: 12:01:30.739234 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685043 win 64850

35: 12:01:32.763052 10.2.2.2.2408 > 10.1.1.11.25: P 3220685043:3220685044(1) ack 1680225086 win 65

390

36: 12:01:32.970195 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685044 win 64849

37: 12:01:32.970866 10.2.2.2.2408 > 10.1.1.11.25: P 3220685044:3220685045(1) ack 1680225086 win 65

MJASA(config)# sh capture capin

1917 packets captured

1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192

2: 09:33:52.110010 10.2.2.2.25 > 10.2.2.30.25: S 1614045430:1614045430(0) win 8192

3: 11:59:13.552141 10.2.2.2 > 10.1.1.11: icmp: echo request

4: 11:59:13.552309 10.2.2.2 > 10.1.1.11: icmp: echo request

5: 11:59:13.552736 10.1.1.11 > 10.2.2.2: icmp: echo reply

6: 11:59:13.552873 10.1.1.11 > 10.2.2.2: icmp: echo reply

7: 11:59:14.544207 10.2.2.2 > 10.1.1.11: icmp: echo request

8: 11:59:14.544237 10.2.2.2 > 10.1.1.11: icmp: echo request

9: 11:59:14.544649 10.1.1.11 > 10.2.2.2: icmp: echo reply

10: 11:59:14.544664 10.1.1.11 > 10.2.2.2: icmp: echo reply

11: 11:59:15.544191 10.2.2.2 > 10.1.1.11: icmp: echo request

12: 11:59:15.544222 10.2.2.2 > 10.1.1.11: icmp: echo request

13: 11:59:15.544573 10.1.1.11 > 10.2.2.2: icmp: echo reply

14: 11:59:15.544588 10.1.1.11 > 10.2.2.2: icmp: echo reply

15: 11:59:16.544252 10.2.2.2 > 10.1.1.11: icmp: echo request

16: 11:59:16.544268 10.2.2.2 > 10.1.1.11: icmp: echo request

17: 11:59:16.544619 10.1.1.11 > 10.2.2.2: icmp: echo reply

18: 11:59:16.544634 10.1.1.11 > 10.2.2.2: icmp: echo reply

19: 11:59:24.607527 10.2.2.2.2408 > 10.1.1.11.25: S 3220685032:3220685032(0) win 65535

op,nop,sackOK>

20: 11:59:24.607726 10.2.2.2.2408 > 10.1.1.11.25: S 3606219141:3606219141(0) win 65535

op,nop,sackOK>

21: 11:59:24.608229 10.1.1.11.25 > 10.2.2.2.2408: S 735101338:735101338(0) ack 3606219142 win 8192

22: 11:59:24.608290 10.1.1.11.25 > 10.2.2.2.2408: S 1680224940:1680224940(0) ack 3220685033 win 81

23: 11:59:24.608382 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680224941 win 65535

24: 11:59:24.608412 10.2.2.2.2408 > 10.1.1.11.25: . ack 735101339 win 65535

25: 11:59:24.609862 10.1.1.11.25 > 10.2.2.2.2408: P 735101339:735101438(99) ack 3606219142 win 648

26: 11:59:24.609877 10.1.1.11.25 > 10.2.2.2.2408: P 1680224941:1680225040(99) ack 3220685033 win 6

4860

27: 11:59:24.856782 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225040 win 65436

28: 11:59:24.856812 10.2.2.2.2408 > 10.1.1.11.25: . ack 735101438 win 65436

29: 11:59:30.971827 10.2.2.2.2408 > 10.1.1.11.25: P 3220685033:3220685034(1) ack 1680225040 win 65

436

30: 11:59:30.971843 10.2.2.2.2408 > 10.1.1.11.25: P 3606219142:3606219143(1) ack 735101438 win 654

31: 11:59:31.174734 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219143 win 64859

32: 11:59:31.174749 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685034 win 64859

33: 11:59:31.306960 10.2.2.2.2408 > 10.1.1.11.25: P 3220685034:3220685035(1) ack 1680225040 win 65

436

34: 11:59:31.306975 10.2.2.2.2408 > 10.1.1.11.25: P 3606219143:3606219144(1) ack 735101438 win 654

35: 11:59:31.502278 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219144 win 64858

36: 11:59:31.502293 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685035 win 64858

37: 11:59:31.546846 10.2.2.2.2408 > 10.1.1.11.25: P 3220685035:3220685036(1) ack 1680225040 win 65

436

38: 11:59:31.546861 10.2.2.2.2408 > 10.1.1.11.25: P 3606219144:3606219145(1) ack 735101438 win 654

39: 11:59:31.751868 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219145 win 64857

40: 11:59:31.751898 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685036 win 64857

41: 11:59:31.754782 10.2.2.2.2408 > 10.1.1.11.25: P 3220685036:3220685037(1) ack 1680225040 win 65

436

42: 11:59:31.754813 10.2.2.2.2408 > 10.1.1.11.25: P 3606219145:3606219146(1) ack 735101438 win 654

43: 11:59:31.954738 10.1.1.11.25 > 10.2.2.2.2408: . ack 3606219146 win 64856

44: 11:59:31.954769 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685037 win 64856

45: 11:59:32.522617 10.2.2.2.2408 > 10.1.1.11.25: P 3220685037:3220685039(2) ack 1680225040 win 65

436

46: 11:59:32.522647 10.2.2.2.2408 > 10.1.1.11.25: P 3606219146:3606219148(2) ack 735101438 win 654

47: 11:59:32.523212 10.1.1.11.25 > 10.2.2.2.2408: P 735101438:735101484(46) ack 3606219148 win 648

48: 11:59:32.523227 10.1.1.11.25 > 10.2.2.2.2408: P 1680225040:1680225086(46) ack 3220685039 win 6

And here is capo:

MJASA(config)# sh capture capo
965 packets captured
   1: 09:15:58.300414 10.2.2.2.25 > 10.2.2.30.25: S 1910509976:1910509976(0) win 8192
   2: 09:33:52.110010 10.2.2.2.25 > 10.2.2.30.25: S 1614045430:1614045430(0) win 8192
   3: 11:59:13.552141 10.2.2.2 > 10.1.1.11: icmp: echo request
   4: 11:59:13.552873 10.1.1.11 > 10.2.2.2: icmp: echo reply
   5: 11:59:14.544207 10.2.2.2 > 10.1.1.11: icmp: echo request
   6: 11:59:14.544664 10.1.1.11 > 10.2.2.2: icmp: echo reply
   7: 11:59:15.544207 10.2.2.2 > 10.1.1.11: icmp: echo request
   8: 11:59:15.544588 10.1.1.11 > 10.2.2.2: icmp: echo reply
   9: 11:59:16.544252 10.2.2.2 > 10.1.1.11: icmp: echo request
10: 11:59:16.544634 10.1.1.11 > 10.2.2.2: icmp: echo reply
11: 11:59:24.607527 10.2.2.2.2408 > 10.1.1.11.25: S 3220685032:3220685032(0) win 65535 op,nop,sackOK>
12: 11:59:24.608290 10.1.1.11.25 > 10.2.2.2.2408: S 1680224940:1680224940(0) ack 3220685033 win 81
92
13: 11:59:24.608382 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680224941 win 65535
14: 11:59:24.609877 10.1.1.11.25 > 10.2.2.2.2408: P 1680224941:1680225040(99) ack 3220685033 win 6
4860
15: 11:59:24.856782 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225040 win 65436
16: 11:59:30.971827 10.2.2.2.2408 > 10.1.1.11.25: P 3220685033:3220685034(1) ack 1680225040 win 65
436
17: 11:59:31.174765 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685034 win 64859
18: 11:59:31.306960 10.2.2.2.2408 > 10.1.1.11.25: P 3220685034:3220685035(1) ack 1680225040 win 65
436
19: 11:59:31.502293 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685035 win 64858
20: 11:59:31.546846 10.2.2.2.2408 > 10.1.1.11.25: P 3220685035:3220685036(1) ack 1680225040 win 65
436
21: 11:59:31.751898 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685036 win 64857
22: 11:59:31.754782 10.2.2.2.2408 > 10.1.1.11.25: P 3220685036:3220685037(1) ack 1680225040 win 65
436
23: 11:59:31.954769 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685037 win 64856
24: 11:59:32.522617 10.2.2.2.2408 > 10.1.1.11.25: P 3220685037:3220685039(2) ack 1680225040 win 65
436
25: 11:59:32.523227 10.1.1.11.25 > 10.2.2.2.2408: P 1680225040:1680225086(46) ack 3220685039 win 6
4854
26: 11:59:32.841173 10.2.2.2.2408 > 10.1.1.11.25: . ack 1680225086 win 65390
27: 12:01:29.930829 10.2.2.2.2408 > 10.1.1.11.25: P 3220685039:3220685040(1) ack 1680225086 win 65
390
28: 12:01:30.130867 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685040 win 64853
29: 12:01:30.131005 10.2.2.2.2408 > 10.1.1.11.25: P 3220685040:3220685041(1) ack 1680225086 win 65
390
30: 12:01:30.333738 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685041 win 64852
31: 12:01:30.333860 10.2.2.2.2408 > 10.1.1.11.25: P 3220685041:3220685042(1) ack 1680225086 win 65
390
32: 12:01:30.536486 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685042 win 64851
33: 12:01:30.536593 10.2.2.2.2408 > 10.1.1.11.25: P 3220685042:3220685043(1) ack 1680225086 win 65
390
34: 12:01:30.739234 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685043 win 64850
35: 12:01:32.763052 10.2.2.2.2408 > 10.1.1.11.25: P 3220685043:3220685044(1) ack 1680225086 win 65
390
36: 12:01:32.970195 10.1.1.11.25 > 10.2.2.2.2408: . ack 3220685044 win 64849
37: 12:01:32.970866 10.2.2.2.2408 > 10.1.1.11.25: P 3220685044:3220685045(1) ack 1680225086 win 65

Accessing Exchange Server from DMZ

varrao — Thu, 18 Aug 2011 18:22:43 GMT

Hey thats great Scott, so wats the next worry for us???

-Varun

Re: Accessing Exchange Server from DMZ

sholiday666 — Thu, 18 Aug 2011 18:35:11 GMT

I was curious why there are hundreds of packets passing through now. Does that point to someone on the outside trying to get in or something? I only created two test emails.

Oh and by the way thanks for all your help.

I still have the access list:

access-list dmz extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp

in the config and not one pointing to 10.1.1.11. Do I need to add that?