This is my first post so please forgive me if this has already been answered in the forum.
I have a standard ASA 5505 with inside, dmz and outside with the default security levels, 100/50/0. we have an email server inside which has been NATed and is working fine. However users accessing the wireless on the dmz are unable to access their emails on https (443). How do I allow SSL access ONLY to users on the dmz using ASA 8.4 commands or ADSM 6.4?
Many thanks for any help.
you will need to allow that traffic into the DMZ access-list
access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 192.168.2.2 (inside email server) eq 443
access-list dmz permit tcp x.x.x.x 255.255.255.0 (dmz subnet) host 192.168.2.2 (inside email server) eq 25
access-group dmz in interface dmz
DO rate all the helpful posts
Thanks for your reply. I will try this later but I'm not sure that I can achieve this with an access-list only. I'll post details later.
As you asked just for an ACL, I thought you already had the NAT.
Lets say the ip address of the Inside server is 10.10.10.2 and the DMZ subnet is 192.168.12.0
You want to nat the Inside server on the DMZ to 192.168.12.3
Here is what you need
object network Inside_server
object network DMZ_Server_global
nat (inside,dmz) source static Inside_server DMZ_Server_global
Do rate all the helpful posts!!
My pleasure, I will be more than glad to help.
Do rate all the helpful posts
Thanks again but your suggested solution does not appear to work.
Just to clarify:
1. We do not have any servers on the dmz network. All we use that for is allow connections from smart phones through a wireless access point out to the internet.
2. The smartphones are able to access the internet but cannot access the public address of the Exchange server. We need to be able to allow ssl access only (from all mobile devices on the dmz) to the exchange public interface.
Found the following link which highlights a similar scenario but I'm not sure if the commands will work for ASA 8.4
.. appreciate any further help.
First thing u may need to have an acl created for dmz zone to permit https from dmz zone subnet to email server.
Also you need to check on the routing if any infra present in the inside zone.
Check if there is any hits when you try to access web mail through mobiles. If hits present for that... then you may need to check on the routing and other stuffs related to dmz.
Please let me know if this helps...
Did a search on Google for a problem that sounds much like this one and found this thread. Did the above fix the problem? I'm not quite clear where the ACL was applied if the public addresses are not on an interface. I have the same situation; public IPs are defined in the NAT rules, but not associated with an interface. Thanks.