https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008910#M918795 <HTML><HEAD></HEAD><BODY><P>Ajay, you just need to permit it in the outside &gt;&gt; dmz direction. The remaining (dmz&gt;&gt;outside) return traffic will automatically be permitted due to the 'stateful' nature of the firewall.</P><P></P><P>As long as your DMZ server has higher security level than outside, it will also be able to 'send' outbound email (provided proper NAT rules are there).</P><P></P><P>Have a look at:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml</A></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 06 Jun 2008 14:31:08 GMT Farrukh Haroon 2008-06-06T14:31:08Z https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008909#M918793 <P>Hi I want to give SMTP acccess to one of the machine in DMZ zone .I am going to allow DMZ access-list IN for port 25 .do i need to allow return traffic in ASA .or editing access list IN in DMZ and patting will allow me to access SMTP on internet.</P><P></P><P>please explain thanks</P> Mon, 11 Mar 2019 12:56:13 GMT https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008909#M918793 ajay chauhan 2019-03-11T12:56:13Z https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008910#M918795 <HTML><HEAD></HEAD><BODY><P>Ajay, you just need to permit it in the outside &gt;&gt; dmz direction. The remaining (dmz&gt;&gt;outside) return traffic will automatically be permitted due to the 'stateful' nature of the firewall.</P><P></P><P>As long as your DMZ server has higher security level than outside, it will also be able to 'send' outbound email (provided proper NAT rules are there).</P><P></P><P>Have a look at:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml</A></P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 06 Jun 2008 14:31:08 GMT https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008910#M918795 Farrukh Haroon 2008-06-06T14:31:08Z https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008911#M918797 <HTML><HEAD></HEAD><BODY><P>Hi Farrukh,</P><P></P><P></P><P>Thanks for your reply but mail server is not sitting in DMZ zone .....this is application server sitting in DMZ on which i need to just configure sending mail to outside .</P><P></P><P>This will not be a static natting I will pat it with same IP as i do for Inside hosts .</P><P></P><P>In this case traffic from DMZ &gt;&gt;&gt;Outside on port 25 will be allowed but what about return traffic .</P><P></P><P>will it allow by default or i need to add any inspect rule.</P><P></P><P>Please explain </P></BODY></HTML> Fri, 06 Jun 2008 14:37:32 GMT https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008911#M918797 ajay chauhan 2008-06-06T14:37:32Z https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008912#M918799 <HTML><HEAD></HEAD><BODY><P>Yes 'return' traffic will be allowed.</P><P></P><P>No need to worry.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 06 Jun 2008 14:41:47 GMT https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008912#M918799 Farrukh Haroon 2008-06-06T14:41:47Z https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008913#M918801 <HTML><HEAD></HEAD><BODY><P>Hi Ajay,</P><P> If you dont have an ACL applied to DMZ atm, you dont need to specifically permit a traffic originated from a higher security level interface destined to a lower security interface. </P><P> Firewall is a statefull device and will permit return traffic by default. you dont need extra ACLs.</P><P> If you have an ACL applied to dmz for other(filtering purpoeses) you should specifically enter permit for smtp outbound, since the ACL has an implicit deny</P><P></P><P>Regards</P></BODY></HTML> Fri, 06 Jun 2008 14:42:37 GMT https://community.cisco.com/t5/network-security/need-to-allow-smtp-on-asa/m-p/1008913#M918801 Alan Huseyin Kayahan 2008-06-06T14:42:37Z