ASA 5510 cross interface issue

jonathanbruck (Level 1)

We have a 5510 (8.2) with the following 4 interfaces (security-levels) inside (95), outside(0), dmz(25), and test (95).  The dmz network is 10.10.10.0/24 and the outside interface is 40.133.84.69.

We have run into a situation where a dmz hosted iRedMail server running postfix (10.10.10.51) is relaying mail which in some cases points back to us at 40.133.84.69 and into our Exchange server.  In these cases in the dmz server's mail logs we see postfix timeout trying to connect to smtp at 40.133.84.69.  When I try to telnet from 10.10.10.51 to the outside interface on port 25 it times out.

We've tried different ways to allow the outside adapter to permit smtp (or any service!) from 10.10.10.51 but we're left scratching our heads.

Any help is much appreciated!

Jon

1 Reply

Jennifer Halim (Cisco Employee)

Yes, it won't be able to connect to the public/outside interface ip from dmz host.

From the dmz host, you would need to connect to the private/dmz host IP address (in your case, 10.10.10.51).

The Exchange server would either need to resolve the mail relay server to its private IP, or use the IP address to connect instead of the DNS name if it can only resolve to the public IP.

Are you using an internal or external dns server?

If you are using an external dns server, then you could configure the "dns" keyword on the static PAT/NAT statement that you configure for the mail relay.

eg:

static (dmz,outside) tcp interface 25 10.10.10.51 25 netmask 255.255.255.255 dns

Or, alternatively, if you can't resolve DNS to its private IP, you can configure a hosts file entry on your Exchange server to resolve the mail relay domain name to its private IP.

Hope that helps.
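What the `dns` keyword on that static actually does, shown as an added example that is not part of the original thread: the ASA inspects DNS replies that cross the translation and rewrites an A record carrying the mapped address (40.133.84.69 in the static above) to the real address (10.10.10.51), so a host resolving the relay's public name through the firewall receives the private IP and never tries to reach the outside interface IP. The Python below builds a constructed DNS reply for an assumed hostname mail.example.com, rewrites it the same way the ASA would, and shows that a reply carrying an unrelated address is left alone. The hostname, the function names and the STATIC_DNS_MAP table are assumptions made for this illustration; the two IP addresses come from the thread.

```python
import socket
import struct

# Mapped (public) -> real (private) addresses, taken from the static in the
# reply above: static (dmz,outside) tcp interface 25 10.10.10.51 25 ... dns
STATIC_DNS_MAP = {"40.133.84.69": "10.10.10.51"}


def build_dns_reply(name, addrs, txid=0x1234):
    """Construct a minimal DNS response: one A question, one A answer per address.

    This is constructed sample input for the example, not a captured packet."""
    def encode_name(n):
        return b"".join(bytes([len(label)]) + label.encode() for label in n.split(".")) + b"\x00"
    # flags 0x8180: response, recursion desired and available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer back to the name in the question (offset 12)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + question + answers


def _skip_name(pkt, off):
    """Return the offset just past the DNS name starting at off (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def _records(pkt):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every resource record after the question section."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(pkt):
    """List the IPv4 addresses carried in the IN A records of a reply."""
    return [socket.inet_ntoa(bytes(pkt[off:off + 4]))
            for off, rtype, rclass, rdlen in _records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def doctor_dns_reply(pkt, mapping=STATIC_DNS_MAP):
    """Rewrite A records whose address is a mapped IP to the corresponding real IP.

    Mirrors what the ASA does to a reply crossing a static carrying the `dns`
    keyword. Returns (rewritten_packet, [(old, new), ...])."""
    buf = bytearray(pkt)
    rewrites = []
    for off, rtype, rclass, rdlen in _records(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue  # only IN A records are doctored
        old = socket.inet_ntoa(bytes(buf[off:off + 4]))
        new = mapping.get(old)
        if new is not None:
            buf[off:off + 4] = socket.inet_aton(new)  # same length, so later offsets stay valid
            rewrites.append((old, new))
    return bytes(buf), rewrites


if __name__ == "__main__":
    reply = build_dns_reply("mail.example.com", ["40.133.84.69"])  # assumed hostname
    doctored, changed = doctor_dns_reply(reply)
    print("before:", a_records(reply), "after:", a_records(doctored), changed)
```

On the ASA itself the rewrite only happens to DNS replies that actually pass through the firewall and are handled by DNS inspection (`inspect dns` in the default global policy). A reply from an internal DNS server that never crosses the ASA is not doctored, which is why the hosts file entry on the Exchange server is the fallback when the name cannot be made to resolve to the private IP any other way.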
