06-01-2009 09:56 AM - edited 03-11-2019 08:38 AM
I'm trying to set up an SMTP relay server in a DMZ and am having trouble figuring out what I need to do to allow it to relay mail to the inside. The mail relay will be 10.0.0.2 and the Exchange server on the inside is 192.168.100.3. I've got traffic getting to the relay server, but can't get my head around what I need to do to get the traffic inside. I've read that I need to NAT the traffic, but I'm not sure why I would need to, other than to hide the internal IP. If I just use an inbound ACL on the DMZ that says:
permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp
Would that work, or am I missing something else?
06-01-2009 10:09 AM
Brian
You don't have to hide the internal IP, but unless you have no nat-control turned on, you will need either a static or a NAT exemption in addition to your ACL on the DMZ, e.g.:
static (inside,dmz) 192.168.100.3 192.168.100.3
One other thing: bear in mind that if you add that ACL to your DMZ, i.e.
permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp
then there is an implicit deny at the end of the ACL, so if that is all there is in the ACL then you would stop your DMZ servers initiating connections to the Internet. Generally speaking your DMZ ACL would look like:
permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp
deny ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
permit ip 10.0.0.0 255.255.255.0 any
where 192.168.100.0/24 is the internal network and 10.0.0.0/24 is the DMZ network.
Jon
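The configuration Jon describes, written out in full ASA (pre-8.3) syntax as an added example that is not part of the original thread. The interface names inside and dmz, the ACL names DMZ_IN and NO_NAT_INSIDE, and the interface security levels are assumptions; only the two host addresses and the two networks come from the thread. Either the identity static or the nat 0 exemption is needed (not both); both are shown so the two choices can be compared.

```cisco
! Assumed interface layout (not from the thread): inside = security 100, dmz = security 50.
! ACL names DMZ_IN and NO_NAT_INSIDE are also assumptions.
!
! Option 1: identity static. Exchange keeps its real address when seen from the DMZ,
! which satisfies nat-control without hiding anything.
static (inside,dmz) 192.168.100.3 192.168.100.3 netmask 255.255.255.255
!
! Option 2 (use instead of the static): NAT exemption. The ACL is written from the
! inside interface's point of view; nat 0 exemption allows connections in both
! directions, so the relay can open sessions to Exchange without translation.
access-list NO_NAT_INSIDE extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_INSIDE
!
! Inbound ACL on the DMZ interface. First match wins and there is an implicit deny
! at the end, so the order is: allow the relay to reach Exchange on 25/tcp only,
! block everything else from the DMZ into the internal network, then let the DMZ
! servers initiate connections to the Internet.
access-list DMZ_IN extended permit tcp host 10.0.0.2 host 192.168.100.3 eq smtp
access-list DMZ_IN extended deny ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list DMZ_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
```

To confirm the path before testing with real mail, trace a synthetic SYN from the relay to Exchange on port 25 with packet-tracer input dmz tcp 10.0.0.2 1025 192.168.100.3 25 and check that both the ACCESS-LIST and NAT phases show ALLOW; a DROP in the NAT phase means the static or exemption is missing or misordered. Note that the static and nat 0 syntax above applies to ASA 8.2 and earlier; ASA 8.3 and later replaced it with object and twice NAT, although the ACL and access-group lines are unchanged.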
06-01-2009 10:22 AM
Thanks Jon,
That's exactly what I needed.
Brian
06-01-2009 10:34 AM
Glad to have helped.