Can't send mail from server in DMZ

fieryhail — Mon, 11 Mar 2019 17:27:22 GMT

Hello Everyone,

I'm in the process of getting a PIX 525 (OS 8.04) setup. It has 6 ethernet interfaces. I have a DMZ (DMZ-IBM) that hosts our Lotus Domino Servers. I am using PAT for this scenario. Inbound mail is working fine, but I am unable to send any outgoing mail. For that matter, I am also unable to access the internet from any server in that DMZ which while not needed all the time, is useful for updating the OS on those servers.

DMZ-IBM are all using 192.168.10.0/28. I have 2 public IPs that those servers share using PAT. I tried running a packet-tracer and it says that traffic is dropped by an Access-List, an implicit rule. I'm not sure what kind of an ACL to create to enable web and mail traffic to go out the outside interface from a host in DMZ-IBM. Any suggestions are welcome. Thank you very much!

Re: Can't send mail from server in DMZ

Collin Clark — Tue, 30 Mar 2010 18:30:53 GMT

Can you post your config?

Re: Can't send mail from server in DMZ

fieryhail — Tue, 30 Mar 2010 18:49:46 GMT

I apologize for the fact that it is probably very messy. I am very very new to this. Please forgive me (and point out) any ametuerish mistakes I have made. I also omitted the VPN entries as I do not believe they are relevant to this situation in order to make the config a little easier to read. Thanks again for any assistance in tis matter. Is very much appreciated.

PIX Version 8.0(4)
!
hostname pix
domain-name rcserveny.com

names
!
interface Ethernet0
nameif outside
security-level 0
ip address 96.xx.xx.174 255.255.255.248
!
interface Ethernet1
nameif DMZ1
security-level 50
ip address 192.168.30.1 255.255.255.248
!
interface Ethernet2
speed 100
duplex full
nameif DMZ-ESX
security-level 80
ip address 192.168.50.1 255.255.255.248
!
interface Ethernet3
speed 100
duplex full
nameif DMZ-IBM
security-level 60
ip address 192.168.10.1 255.255.255.240
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name rcserveny.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonnat_inside_DMZ1 extended permit ip 10.0.0.0 255.0.0.0 192.168.30.0 255.255.255.0
access-list nonnat_inside_DMZ1 extended permit ip any 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ1 extended permit ip host 10.1.1.1 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ1 extended permit ip 10.0.0.0 255.0.0.0 192.168.112.0 255.255.248.0
access-list nonnat_inside_DMZ1 extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list DMZ1_IN extended permit ip interface inside interface DMZ1
access-list DMZ1_IN extended permit tcp host 192.168.30.2 any eq www
access-list DMZ1_IN extended permit icmp host 192.168.30.2 any
access-list DMZ1_IN extended permit ip host 192.168.30.2 any
access-list DMZ1_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.248
access-list DMZ1_IN extended permit icmp any any
access-list DMZ1_IN extended permit ip 10.0.0.0 255.0.0.0 192.168.30.0 255.255.255.248
access-list INSIDE_IN extended permit ip 10.0.0.0 255.0.0.0 any
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended deny ip 224.0.0.0 224.0.0.0 any
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq www
access-list OUTSIDE_IN extended permit icmp any host 96.xx.xx.171
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq 420
access-list OUTSIDE_IN extended permit tcp 10.0.0.0 255.0.0.0 host 192.168.30.2 eq www
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq pop3
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq imap4
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq ldap
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 580
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 581
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq lotusnotes
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 1433
access-list OUTSIDE_IN extended permit udp any host 96.xx.xx.172 eq 1433
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 1516
access-list OUTSIDE_IN extended permit udp any host 96.xx.xx.172 eq 1516
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 2080
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 3891
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 3903
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7080
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7090
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7092
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7443
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 7444
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 8642
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 11099
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 11100
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 18180
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.172 eq 18443
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq ldap
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq https
access-list OUTSIDE_IN extended permit tcp any host 96.xx.xx.171 eq lotusnotes

access-list DMZ1_nat0_outbound extended permit ip 192.168.30.0 255.255.255.248 10.1.1.0 255.255.255.192
access-list DMZ-ESX_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.248
access-list DMZ-ESX_IN extended permit ip interface inside interface DMZ-ESX
access-list nonnat_inside_DMZ-ESX extended permit ip 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.248
access-list nonnat_inside_DMZ-ESX extended permit ip any 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ-ESX extended permit ip host 10.1.1.1 10.1.1.0 255.255.255.192
access-list nonnat_inside_DMZ-ESX extended permit ip 10.0.0.0 255.0.0.0 192.168.112.0 255.255.248.0
access-list nonnat_inside_DMZ-ESX extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.192
access-list DMZ-IBM_IN extended permit ip interface inside interface DMZ-IBM
access-list DMZ-IBM_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list DMZ-IBM_IN extended permit tcp host 192.168.10.2 any eq smtp
pager lines 24
logging enable
logging monitor emergencies
logging asdm informational
logging host inside 10.1.1.101

mtu inside 1500
mtu outside 1500
mtu DMZ1 1500
mtu DMZ-ESX 1500
mtu DMZ-IBM 1500
ip local pool internal 10.1.1.31-10.1.1.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonnat_inside_DMZ1
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
static (DMZ1,outside) tcp 96.56.78.171 420 192.168.30.2 www netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 smtp 192.168.10.2 smtp netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 pop3 192.168.10.2 pop3 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 imap4 192.168.10.2 imap4 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 ldap 192.168.10.2 ldap netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 580 192.168.10.6 www netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 581 192.168.10.6 https netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 lotusnotes 192.168.10.2 lotusnotes netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 1433 192.168.10.2 1433 netmask 255.255.255.255
static (DMZ-IBM,outside) udp 96.56.78.172 1433 192.168.10.2 1433 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 1516 192.168.10.2 1516 netmask 255.255.255.255
static (DMZ-IBM,outside) udp 96.56.78.172 1516 192.168.10.2 1516 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 2080 192.168.10.2 www netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 2443 192.168.10.2 https netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 3891 192.168.10.2 3891 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 3903 192.168.10.2 3903 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7080 192.168.10.6 7080 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7090 192.168.10.6 7090 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7092 192.168.10.6 7092 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 7443 192.168.10.6 7443 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 8642 192.168.10.6 8642 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 11099 192.168.10.6 11099 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 11100 192.168.10.6 11100 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 18180 192.168.10.6 18180 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.172 18443 192.168.10.6 18443 netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 www 192.168.10.4 www netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 ldap 192.168.10.4 ldap netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 https 192.168.10.4 https netmask 255.255.255.255
static (DMZ-IBM,outside) tcp 96.56.78.171 lotusnotes 192.168.10.4 lotusnotes netmask 255.255.255.255
static (inside,DMZ-ESX) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,DMZ-IBM) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
access-group DMZ1_IN in interface DMZ1
access-group DMZ-ESX_IN in interface DMZ-ESX
access-group DMZ-IBM_IN in interface DMZ-IBM
route outside 0.0.0.0 0.0.0.0 96.xx.xx.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.101-10.1.1.200 inside
dhcpd dns xx.xx.xx.138 xx.xx.xx.4 interface inside
dhcpd domain rcserveny.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect esmtp
!
service-policy global_policy global
prompt hostname context
: end

Re: Can't send mail from server in DMZ

fieryhail — Tue, 30 Mar 2010 19:32:42 GMT

I seem to have solved the issue, but I'm not sure if in doing so I am creating more potential problems. My gut says that I may be. I see that I was missing a NAT statement

nat (DMZ-IBM) 101 192.168.10.0 255.255.255.248

and then i added: (and this is the part that concerns me)

access-list DMZ-IBM_IN extended permit ip any any

I think this may be opening the server up too much, is there a way to tighten it up some, or am I wrong to be concerned? Thanks in advance.

Re: Can't send mail from server in DMZ

Collin Clark — Tue, 30 Mar 2010 19:40:04 GMT

A missing NAT was I thought it would be. Your permit ip any any is wide open (but only outbound from the DMZ). You can tighten it down with something like this-

access-list DMZ-IBM_IN extended permit udp host 192.168.10.x host [dns server] eq 53

access-list DMZ-IBM_IN extended permit tcp host 192.168.10.x any eq 80

access-list DMZ-IBM_IN extended permit tcp host 192.168.10.x any eq 443

access-list DMZ-IBM_IN extended deny ip any any log

This would allow DNS lookups and web browsing. You don't need to permit traffic that comes into the interface as the ASA is stateful and will keep track of the sessions coming from other interfaces.

Hope it helps.

topic Can't send mail from server in DMZ in Network Security

Can't send mail from server in DMZ

Re: Can't send mail from server in DMZ

Re: Can't send mail from server in DMZ

Re: Can't send mail from server in DMZ

Re: Can't send mail from server in DMZ