ASA configuration for on-prem DNS and Microsoft exchange server

Junaid1661
Level 1

Hello experts,

We have an ASA 5525 and want to send and receive emails from the internet, and to use an on-prem DNS server and an on-prem Microsoft Exchange server behind the ASA, with the addressing below:

Exchange server internal IP: 192.160.10.5

Domain controller internal IP: 192.168.10.20 (this is our DNS manager)

Public static IP (e.g.): 110.20.4.43/29

Public IP gateway (e.g.): 110.20.4.41/29

The inside range for internet access is also 192.168.10.0 255.255.255.0, and the ASA inside interface IP is 174.20.20.1 255.255.255.0.

Currently the ASA is configured only for internet access.

Current ASA configuration:

 

ASA Version 9.2(2)4
!
hostname Gate197
enable password xxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 110.20.4.43 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 174.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj-192.168.190
subnet 192.168.190.0 255.255.255.0

access-list INT extended permit ip any any
access-list inside-acl extended permit ip 192.168.190.0 255.255.255.0 interface outside
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

!
object network obj-192.168.190
nat (inside,outside) dynamic interface
access-group INT in interface outside
route outside 0.0.0.0 0.0.0.0 110.20.4.43 1
route inside 192.168.10.0 255.255.255.0 174.20.20.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy

console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile CiscoTAC-1

---------------------------

The domain is already registered and both servers are configured properly.

Now, how do I configure the ASA to be able to send and receive emails from the internet, resolve DNS, open all required ports and do port forwarding for the Exchange server? Please provide it step by step.

 

Thanks in advance for helping and providing detailed information.

4 Replies

As it stands right now your Exchange server will be able to send to the internet, so you will only need traffic from the internet to be forwarded to your Exchange server.

To do that you could do something like the following, using the ASA outside interface as the public IP; if you have a spare public IP you could use that instead:

object network EXCHANGE_SERVER
 host 192.160.10.5

object service SMTP
 service tcp destination eq smtp

nat (outside,inside) source static any any destination static interface EXCHANGE_SERVER service SMTP SMTP

access-list access-in extended permit tcp any host 192.160.10.5 eq 25
access-group access-in in interface outside

For any further ports you require, you can refer to the following Microsoft document and then repeat the above configuration for the other ports.

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/deployment-ref/network-ports?view=exchserver-2019

 

--
Please remember to select a correct answer and rate helpful posts
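A small consistency check for the NAT-plus-ACL pattern in this reply, added here as an illustration and not part of the original thread or any Cisco tool: it parses the snippet above (a constructed sample, with the `service` clause written with both service objects the twice-NAT syntax requires) and confirms that each inbound (outside,inside) translation is matched by a permit in the ACL bound inbound on the outside interface. The `PORT_NAMES` table and the regexes are this example's own simplifications of the ASA syntax, so `eq smtp` and `eq 25` compare equal.

```python
import re

# Constructed sample input modelled on the reply above; it is not a real device dump.
SAMPLE_CONFIG = """\
object network EXCHANGE_SERVER
 host 192.160.10.5
object service SMTP
 service tcp destination eq smtp
nat (outside,inside) source static any any destination static interface EXCHANGE_SERVER service SMTP SMTP
access-list access-in extended permit tcp any host 192.160.10.5 eq 25
access-group access-in in interface outside
"""

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}  # a few names the ASA accepts

def port(tok):
    """Normalise 'eq smtp' and 'eq 25' to the same integer so they compare equal."""
    return int(PORT_NAMES.get(tok, tok))

def audit(config):
    """For each inbound (outside,inside) twice-NAT rule, resolve the real server and port it
    exposes and check that the ACL bound inbound on the real interface permits that flow."""
    hosts, svcs, nats, permits, bound, cur = {}, {}, [], set(), {}, None
    for line in config.splitlines():
        if m := re.match(r"object (network|service) (\S+)", line):
            cur = m.groups()                       # object block we are inside
        elif m := re.match(r"\s+host (\S+)", line):
            hosts[cur[1]] = m.group(1)
        elif m := re.match(r"\s+service (tcp|udp) destination eq (\S+)", line):
            svcs[cur[1]] = (m.group(1), port(m.group(2)))
        elif m := re.match(r"nat \((\w+),(\w+)\) source static \S+ \S+ destination static "
                           r"(\S+) (\S+) service (\S+) (\S+)", line):
            nats.append(m.groups())
        elif m := re.match(r"access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)", line):
            acl, proto, host, p = m.groups()
            permits.add((acl, proto, host, port(p)))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(2)] = m.group(1)
    report = {}
    for real_if, _, _mapped_dst, real_dst, _svc_mapped, svc_real in nats:
        ip, (proto, p) = hosts[real_dst], svcs[svc_real]   # ACLs on 8.3+ match the real address
        acl = bound.get(real_if)
        if acl is None:
            report[(ip, proto, p)] = f"no ACL bound inbound on {real_if}"
        elif (acl, proto, ip, p) not in permits:
            report[(ip, proto, p)] = f"ACL {acl} has no permit for this flow"
        else:
            report[(ip, proto, p)] = f"exposed to any via {real_if}, permitted by ACL {acl}"
    return report
```

Run `audit()` over the text of `show running-config` to list every internal host and port the inbound NAT rules publish, which is also the list to compare against the Exchange ports document before adding more rules.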

Thanks, Marius Gunnerud.

I tried all available options, but still no results.

It would be good if you provided more info on what you have tried and how you tried it (i.e. did you configure all the ports mentioned in the document at the same time, or did you try one at a time). Also, some info on how you are testing would be good.

Screenshots of any error messages or timeouts would be good as well, along with the configuration that you implemented.

Some suggestions for troubleshooting. Do a packet-tracer on the firewall and post the output here.

packet-tracer input outside tcp 8.8.8.8 12345 192.160.10.5 25 detail

Also, you could set up a capture to see if the traffic is exiting and returning on the inside interface.

capture capin interface inside match ip any host 192.160.10.5

show capture capin

 

--
Please remember to select a correct answer and rate helpful posts