dmz mail relay configuration

bpelino · ‎06-01-2009

I'm trying to setup a smtp relay server in a DMZ and am having trouble figuring out what I need to do to allow it to relay mail to the inside. The mail relay will be 10.0.0.2 and the Exchange server on the inside is 192.168.100.3. I've got traffic getting to the relay server, but can't get my head around what I need to do to get the traffic inside. I've read that I need to NAT the traffic, but I'm not sure why I would need to other than to hide the internal IP. If I just use an inbound acl on the DMZ that says:

permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp

Would that work or am I missing something else

Jon Marshall · ‎06-01-2009

Brian

You don't have to hide the internal IP but unless you have no-nat control turned on then you will need either a static or a nat exemption in addition to your acl on the DMZ eg.

static (inside,dmz) 192.168.100.3 192.168.100.3

One other thing. Bear in mind if you add that acl to your dmz ie.

permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp

then there is an implict deny at the end of the acl so if that is all there is in the acl then you would stop your DMZ servers initiating connections to the Internet. Generally speaking your DMZ acl would look like

permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp

deny ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0

permit ip 10.0.0.0 255.255.255.0 any

where 192.168.100.0/24 is the internal network and 10.0.0.0/24 is the DMZ network.

Jon

bpelino · ‎06-01-2009

Thanks Jon,

That's exactly what I needed.

Brian

Jon Marshall · ‎06-01-2009

Glad to have helped.