DMZ Mail Server to Internal rule help needed

getRdone (Level 1)

Beginner question - We are provisioning a mail server in our ASA 5506 DMZ. This mail server uses our internal DNS servers, then forwards to external DNS forwarders anything it can't resolve, per the mail consultant's recommendation. He prefers to use our internal DNS servers.

I have a rule I am having great difficulty with in the DMZ firewall rules that would allow any traffic to our internal resources from the mail server (example below). In the event the mail server gets compromised, the attacker would have access to all assets in the internal network.

DMZ Example Rule:

(DMZ IP) to (ANY) - Allowed (I need to allow all outbound traffic to the internet but restrict access to internal assets unless initiated by the internal client)

This rule has to be there or internal mail clients cannot connect to the mail server in the DMZ. I feel like I need to split this up somehow and only allow traffic initiated by an internal asset to flow to the mail server in the DMZ and back; then all outbound traffic to other mail servers and internet assets should go through as expected. This almost seems like a split-tunnel VPN, but I am stumped here.

Any thoughts on best practices on what I should do here?

Thanks in advance


(DMZ IP) to (ANY) - Allowed <<- no need for this, because the security level of DMZ is higher than OUT.
You only need to allow the port or IP in OUT to access DMZ.
Note: the port represents the service needed from the server inside the DMZ to handle it.

getRdone (Level 1)

Beginner - I completely understand OUT and have that limited so only specific incoming ports are open to/from the internet. I feel safe, have scanned it, and that is working as expected.

The problem is from the server in the DMZ. DMZ-Incoming has to have the rule below to get out to the internet and also have access to our internal network clients. If I don't turn on this rule, internal clients cannot access the mail server or resolve anything on the internet from the mail server.

No need for an ACL; what you need is email inspection.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/inspect-basic.html#ID-2092-00000dab

Check this guide on how to configure inspection.

Are you by chance using DNS rewrite for the internal servers? Does DNS resolve the internal servers to the public IP addresses?  Might be that you need to allow access from DMZ to the internal IP addresses of the servers.

--
Please remember to select a correct answer and rate helpful posts

I am not sure it is using rewrite. I think only 1/2 the traffic is working. I am trying hard to understand this and ask the right question here in the forum. When I ping yahoo or google I get an IP address immediately, so I think it knows where to go, but there is no reply, so it seems like only 1/2 the traffic is getting out and it cannot fully resolve.

I get out to google.com and yahoo.com (I get an IP for them) but only 1/2 way; then I am getting this error on the reply, so my mail server can never fully resolve the DNS request. The error points to an implicit rule I am very uncomfortable messing with.

4|Sep 03 2022|18:16:26|106023|192.168.252.12||98.137.11.164||Deny icmp src dmz:192.168.252.12 dst outside:98.137.11.164 (type 8, code 0) by access-group "dmz2in" [0x0, 0x0]

I think the traffic is moving in this way:

DMZ (dns request) to (Internal DNS server) to (external Forwarders) then I think the reply is trying to directly connect to our mail server in the DMZ.
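As an added example (not from any of the posts above), here is one way to write the dmz2in ACL so that the DMZ mail host can reach only the internal DNS servers, is denied to the rest of the internal address space, and is otherwise allowed out to the Internet; connections that internal clients initiate toward the mail server need no entry here, because the ASA's state table admits their replies. The mail host address and the ACL and interface names come from the denied-ICMP log line in the thread; the DNS server addresses and the internal summary range are assumptions.

```cisco
! Added example, not part of the thread. Assumed values: internal DNS servers
! 192.168.1.10 and 192.168.1.11, internal networks summarised as
! 192.168.0.0/16. Mail host, ACL name "dmz2in" and interface "dmz" are taken
! from the log entry "Deny icmp src dmz:192.168.252.12 ... by access-group dmz2in".
object network MAIL_DMZ
 host 192.168.252.12
object-group network INTERNAL_DNS
 network-object host 192.168.1.10
 network-object host 192.168.1.11
object-group network INTERNAL_NETS
 network-object 192.168.0.0 255.255.0.0
!
! 1. DNS to the internal resolvers only (UDP and TCP 53).
access-list dmz2in extended permit udp object MAIL_DMZ object-group INTERNAL_DNS eq domain
access-list dmz2in extended permit tcp object MAIL_DMZ object-group INTERNAL_DNS eq domain
! 2. Everything else from the mail host toward internal space is dropped and
!    logged, so a compromised mail server cannot pivot to other internal assets.
access-list dmz2in extended deny ip object MAIL_DMZ object-group INTERNAL_NETS log
! 3. Outbound to the Internet: SMTP to other mail servers, ping for testing,
!    and whatever else the server needs. Order matters: the deny above must
!    precede this final permit, or it is never reached.
access-list dmz2in extended permit tcp object MAIL_DMZ any eq smtp
access-list dmz2in extended permit icmp object MAIL_DMZ any echo
access-list dmz2in extended permit ip object MAIL_DMZ any
!
access-group dmz2in in interface dmz
!
! Echo replies from the Internet only come back through the ASA if ICMP is
! inspected (stateful ICMP); without this, outbound pings permit but time out.
policy-map global_policy
 class inspection_default
  inspect icmp
```

The internal DNS servers forward unresolved queries out through the inside interface on their own connections, so the external forwarders' replies return to the DNS servers, not to the DMZ host, and need no DMZ rule.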
