topic Re: SMTP in Network Security

SMTP

mulugojjam abebe — Mon, 11 Mar 2019 19:14:12 GMT

Hi,

I have Edge server on the the DMZ network which needs to access the Exchange server on the inside network. i configured Static map and access list. I can access the mail server from outside through SMTP, but not from the DMZ. Any help please and documentation

Thank you in advance

Mulu

Re: SMTP

Federico Coto Fajardo — Wed, 24 Nov 2010 18:42:12 GMT

Hi,

If you can access it from the outside is because you have static/ACL.

To access it from DMZ you need static/ACL as well but applied to DMZ interface.

i.e.

static (in,out)

access-list outside...

From DMZ:

static(in,dmz)

access-list dmz...

Do you have this configuration?

Federico.

Re: SMTP

mulugojjam abebe — Wed, 24 Nov 2010 19:12:45 GMT

Thank you Federico

and here is the conf

static (inside,outside) tcp 78.227.41.x smtp 10.2.10.10 smtp netmask 255.255.255.255

access-list outside-access-in permit tcp any host
78.227.41.x eq 25

172.16.1.3- is Edge server at DMZ
static (inside,DMZ) tcp 10.2.10.10 smtp 172.16.1.23 smtp netmask
255.255.255.25

access-list dmz-access-in permit tcp host 172.16.1.3 host
172.16.1.23 eq 25

I can ping 172.16.1.23 from 172.16.1.3

thank you

Re: SMTP

Federico Coto Fajardo — Wed, 24 Nov 2010 19:16:32 GMT

But assuming that 10.2.10.10 is the real IP of the SMTP server...
That's why from the outside you can reach it with IP 78.227.41.x

But.. from DMZ...
The static should be the other way around..
static (inside,DMZ) tcp 172.16.1.23 smtp 10.2.10.10 smtp

In this way you can reach the server 10.2.10.10 from the DMZ using IP 172.16.1.23??

Or how do you want to access the SMTP server from DMZ?

Federico.

Re: SMTP

mulugojjam abebe — Wed, 24 Nov 2010 19:27:20 GMT

Sorry Fredico, u right its on the other round

static (inside,DMZ) tcp 172.16.1.23 smtp 10.2.10.10 smtp

but i can't access it through SMTP and that is weird for me, and sometimes the ASA stucks, its version 8.3 and new.

thank u

Re: SMTP

Federico Coto Fajardo — Wed, 24 Nov 2010 19:35:07 GMT

But ASA 8.3 does not even recognize the static command:

Check the migration guide (NAT migration) for the new equivalent commands in 8.3:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp83968

Federico.

Re: SMTP

mulugojjam abebe — Thu, 25 Nov 2010 15:26:37 GMT

Hi Federico

i have cleaned the whole configuration and did it again then works fine, but i want to use port maping on the outside interface

static (inside,outside) tcp interface www 10.2.10.10 www netmask 255.255.255.255

static (inside,outside) tcp interface https 10.2.10.10 https netmask 255.255.255.255

static (DMZ,outside) tcp interface smtp 172.16.1.3 smtp netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 78.227.x.x eq www

access-list outside_access_in extended permit tcp any host 78.227.x.x eq https

access-list outside_access_in extended permit tcp any host 78.227.x.x.59 eq smtp

i can access 10.2.10.10 from outside with http and https but not 172.16.1.3 with smtp

telnet 78.227.x.x 25 - failed

any help as usual

thanx

by the way the version is 8.0(3) not 8.3 sorry for that

Re: SMTP

Federico Coto Fajardo — Thu, 25 Nov 2010 16:00:35 GMT

You're trying to reach 172.16.1.3 from the outside via SMTP?

You have:

static (DMZ,outside) tcp interface smtp 172.16.1.3 smtp netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 78.227.x.x.59 eq smtp

This means that from outside you will send SMTP packets to the outside IP of the ASA and it will redirect that traffic to 172.16.1.3.

Do you get hitcounts incrementing in the above ACL when sending SMTP packets? sh access-list outside_access_in

Federico.

Re: SMTP

mulugojjam abebe — Thu, 25 Nov 2010 17:31:21 GMT

Thank you Federico,

Yes it gets hits increamenting. But how can i be sure that it reaches to the server?

thanx

Re: SMTP

Federico Coto Fajardo — Thu, 25 Nov 2010 17:46:53 GMT

We know the ASA is receiving the SMTP packets... we can check if the ASA is sending those SMTP packets to the server....

access-list testdmz permit tcp any host 172.16.1.3 eq 25
access-list testdmz permit ip any any
access-group testdmz out interface dmz

The above is applied outbound to the DMZ, so if the hitcounts of the first line increments, you will know the ASA is sending SMTP packets to 172.16.1.3

If the hitcounts increment, I will think the ASA is doing the job and will look into the server itself to see if it's receiving the packets (netstat or equivalent).

Federico.

Re: SMTP

mulugojjam abebe — Thu, 25 Nov 2010 18:20:14 GMT

thank you again Federico

I configured it with

access-list dmz_in permit ip any any

but with inbound direction

access-group dmz_in in interface dmz

so i will check with outbound direction and i will let u know the result, i thought if i configure the nat and outside accesslist it will work

thank u very much

Mulu

Re: SMTP

Federico Coto Fajardo — Thu, 25 Nov 2010 18:26:50 GMT

Hi,

Can I ask why I was rated with a not-helpful at all score of 1?

Federico.

Re: SMTP

mulugojjam abebe — Fri, 26 Nov 2010 08:59:09 GMT

Sorry Federico,

You are extremely helpful. And the problem was on the server not on the config. Thank you very very much!!

Mulu