09-03-2022 11:39 AM
Beginner Question - We are provisioning a mail server in our ASA 5506 DMZ. This mail server uses our internal DNS servers, then forwards to external DNS forwarders anything it can't resolve, per the mail consultant's recommendation. He prefers to use our internal DNS servers.
I have a rule I am having great difficulty with in the DMZ firewall rules that would allow any traffic to our internal resources from the mail server (example below). In the event the mail server gets compromised, the attacker would have access to all assets in the internal network.
DMZ Example Rule:
(DMZ IP) to (ANY) - Allowed (I need to allow all outbound traffic to internet but restrict access to internal assets unless initiated by the internal client)
This rule has to be there or internal mail clients cannot connect to the mail server in the DMZ. I feel like I need to split this up somehow and only allow traffic initiated by an internal asset to flow to the mail server DMZ and back; then all outbound traffic to other mail servers and internet assets should go through as expected. This almost seems like a split-tunnel VPN, but I am stumped here.
Any thoughts on best practices on what I should do here?
Thanks in advance
09-03-2022 11:42 AM
(DMZ IP) to (ANY) - Allowed <<- no need for this, because the security level of DMZ is higher than OUT.
You only need to allow a port or IP in OUT to access DMZ.
Note: the port represents the service that the server inside the DMZ needs to handle.
09-03-2022 12:20 PM
Beginner - I completely understand OUT and have that limited so that only specific incoming ports are open to/from the internet. I feel safe, have scanned it, and that is working as expected.
The problem is from the server in the DMZ. DMZ-Incoming has to have the rule below to get out to the internet and also have access to our internal network clients. If I don't turn on this rule, internal clients cannot access the mail server, and the mail server cannot resolve anything on the internet.
09-03-2022 12:32 PM - edited 09-03-2022 12:34 PM
No need for an ACL; what you need is email inspection.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/inspect-basic.html#ID-2092-00000dab
Check this guide on how to configure inspection.
09-03-2022 02:56 PM
Are you by chance using DNS rewrite for the internal servers? Does DNS resolve the internal servers to the public IP addresses? Might be that you need to allow access from DMZ to the internal IP addresses of the servers.
09-03-2022 05:57 PM
I am not sure it is using rewrite. I think only half the traffic is working. I am trying hard to understand this and ask the right question here in the forum. When I ping yahoo or google I get an IP address immediately, so I think it knows where to go, but there is no reply, so it seems like only half the traffic is getting out and it cannot fully resolve.
I get out to google.com and yahoo.com (I get an IP for them) but only half way; then I am getting this error on the reply, so my mail server can never fully resolve the DNS request. The error points to an implicit rule I am very uncomfortable messing with:
4|Sep 03 2022|18:16:26|106023|192.168.252.12||98.137.11.164||Deny icmp src dmz:192.168.252.12 dst outside:98.137.11.164 (type 8, code 0) by access-group "dmz2in" [0x0, 0x0]
I think the traffic is moving this way:
DMZ (DNS request) to (internal DNS server) to (external forwarders); then I think the reply is trying to connect directly to our mail server in the DMZ.
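For the rule asked about in the first post (let the DMZ mail server reach the internet, but keep it away from the internal network except for the internal DNS servers), here is an added example of an ASA ACL; it is not configuration from this thread or from Cisco's guide. The mail server address 192.168.252.12 and the ACL name dmz2in are taken from the log line above; the interface name "dmz", the internal DNS server addresses 10.0.0.10 and 10.0.0.11, and the use of the RFC 1918 ranges as "internal" are assumptions to adjust for the real network. Two points the ACL relies on: the ASA is stateful, so sessions that internal clients open to the mail server (IMAP, SMTP submission, etc.) are permitted by the inside interface policy and their return packets by the connection table, and need no entry in the DMZ ACL at all; and the logged deny is an ICMP echo request (type 8) leaving the DMZ toward the outside, so it is the outbound ping itself that the DMZ ACL drops, not a reply.

```cisco
! Added example, not from the thread. Placeholders: interface "dmz",
! internal DNS servers 10.0.0.10 / 10.0.0.11, RFC 1918 as "internal".
object network MAIL-DMZ
 host 192.168.252.12
object-group network INTERNAL-DNS
 network-object host 10.0.0.10
 network-object host 10.0.0.11
object-group network INTERNAL-NETS
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Order matters: the ACL is evaluated top-down, first match wins.
! 1. The only internal service the mail server may initiate: DNS.
access-list dmz2in extended permit udp object MAIL-DMZ object-group INTERNAL-DNS eq domain
access-list dmz2in extended permit tcp object MAIL-DMZ object-group INTERNAL-DNS eq domain
! 2. Everything else from the DMZ toward internal ranges is dropped and logged,
!    so a compromised mail server cannot pivot inward.
access-list dmz2in extended deny ip object MAIL-DMZ object-group INTERNAL-NETS log
! 3. Outbound to the internet: SMTP, ping, and anything else the server needs.
!    (The log line's deny was an outbound echo request; "echo" permits it.)
access-list dmz2in extended permit tcp object MAIL-DMZ any eq smtp
access-list dmz2in extended permit icmp object MAIL-DMZ any echo
access-list dmz2in extended permit ip object MAIL-DMZ any
! 4. Explicit final deny with logging (the implicit deny would drop it silently).
access-list dmz2in extended deny ip any any log
!
access-group dmz2in in interface dmz
!
! Let the firewall track ICMP like TCP/UDP so echo replies are allowed back in
! without an ACL entry on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The deny toward INTERNAL-NETS sits before the `permit ip ... any` line on purpose; with the order reversed the broad permit would match first and the deny would never be hit. Because the deny lines carry `log`, any attempt by the mail server to reach an internal host other than the DNS servers shows up as a 106023 syslog message like the one quoted above, which is exactly the alert you want if the server is ever compromised.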