10-04-2011 10:27 AM - edited 02-21-2020 04:28 AM
Hi dears.
My mail server is in the DMZ zone and I want static NAT.
I wrote an access list so that the DMZ zone can access the inside zone (as you know, because of the security levels), and I also configured a proxy in the DMZ zone.
I also wrote an access list for the proxy server.
Access list:
access-list 100 extended permit ip host 172.16.10.10 any   (mail server IP)
access-list 100 extended permit ip host 172.16.10.254 any  (proxy server)
I apply this access list to the DMZ interface.
The problem is the access list.
When I remove the access list from the interface, the users have internet, but I have no access from the mail server to inside, so I need the access list. But the mail server has internet.
When I put the access group on the interface (dmz), the mail server has no internet, but the mail server can access inside users.
The users go to the internet through the proxy, and the proxy's inside interface connects to the DMZ zone (IP 172.16.10.254).
The mail server does not pass through the proxy; I do static NAT, and when I remove the access list from the DMZ interface the mail server has internet.
I do not understand what is going on.
I wrote an any any access-list and then all of them are OK, but I do not want any any.
Please help me.
I want to ask: if I do this access list (any any), the mail server has internet and also the DMZ mail server can access inside users, but I do not want to use any any.
I know the problem is in the access-list.
Is it not possible to configure two servers in the DMZ zone?
Or what does this access-list do?
10-06-2011 04:26 AM
Traffic from high to low security level does not need access-list and by default it will allow all connections through.
Traffic from low to high security level requires access-list, and once you configure access-list for traffic from low to high, then you would also need to configure access-list from high to low. Because once you apply access-list to an interface, then there is an implicit deny unless you explicitly configure access-list to allow those traffic out.
Based on your description, if you configure:
access-list 100 extended permit ip host 172.16.10.10 any   (mail server IP)
access-list 100 extended permit ip host 172.16.10.254 any  (proxy server)
and apply that to your DMZ interface, this will allow the mail server to initiate connections to both inside and outside/internet, and the same goes for the proxy server.
If you can advise which access you require from DMZ host towards both inside and outside, maybe we can restrict the access-list more.
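A worked configuration for the situation in this thread, added here as an illustration and not taken from any of the posts. It assumes an inside network of 192.168.1.0/24, a public address 203.0.113.10 for the mail server, ASA software older than 8.3 (old "static"/"nat"/"global" syntax), and that the mail server only needs SMTP and DNS outbound; adjust the ports to the real services before using it.

```text
! Interfaces and security levels: inside (100) > dmz (50) > outside (0)
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
!
! Static NAT: the Internet reaches the mail server on 203.0.113.10 (assumed public IP)
static (dmz,outside) 203.0.113.10 172.16.10.10 netmask 255.255.255.255
! The proxy needs a translation of its own to reach the Internet (PAT on the outside IP)
nat (dmz) 1 172.16.10.254 255.255.255.255
global (outside) 1 interface
!
! Inbound from the Internet to the mail server: SMTP only
access-list outside_in extended permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
!
! DMZ ACL. Once applied, anything not listed is dropped (implicit deny), so the
! low-to-high flows (dmz -> inside) AND the high-to-low flows (dmz -> outside)
! both have to be permitted explicitly; "permit ip any any" is not needed.
object-group network INSIDE_NET
 network-object 192.168.1.0 255.255.255.0
! Mail server -> inside: only the mail traffic it must deliver (assumed SMTP)
access-list dmz_in extended permit tcp host 172.16.10.10 object-group INSIDE_NET eq smtp
access-list dmz_in extended deny ip host 172.16.10.10 object-group INSIDE_NET
! Mail server -> Internet: outbound SMTP and DNS, nothing else
access-list dmz_in extended permit tcp host 172.16.10.10 any eq smtp
access-list dmz_in extended permit udp host 172.16.10.10 any eq domain
! Proxy -> Internet for user web traffic; it must never initiate into inside
access-list dmz_in extended deny ip host 172.16.10.254 object-group INSIDE_NET
access-list dmz_in extended permit tcp host 172.16.10.254 any eq www
access-list dmz_in extended permit tcp host 172.16.10.254 any eq https
access-list dmz_in extended permit udp host 172.16.10.254 any eq domain
access-group dmz_in in interface dmz
!
! Checks: per-line hit counts, then simulated flows to confirm the verdict
show access-list dmz_in
packet-tracer input dmz tcp 172.16.10.10 1025 198.51.100.1 25
packet-tracer input dmz tcp 172.16.10.254 1025 192.168.1.20 445
```

Inside users reaching the proxy (high to low) need no ACL entry; the first packet-tracer should end in ALLOW and the second in DROP by the explicit deny line.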
02-20-2012 07:27 AM
Jennifer -
I'm totally confused. You begin by saying that traffic is allowed from high to low, but once you configure an ACL to permit low to high you then need to create an ACL to allow the traffic back out (high to low). But the ACL you created to permit low to high is only one direction (one ACL per interface per direction). So how does that bear any impact on the return traffic when it's governed by a separate ACL and by default should allow high to low?
Regards,
Scott