DMZ static nat Pt II

Azubuike Obiora
Level 1

OK, I know the first part of the situation is solved and I'm grateful to Jouni, who explained it to me. But I have yet another pending situation that I could use some help with, and I really wouldn't mind being told this is where I got it all wrong.

So finally I could reach the server on the DMZ from outside via the static NAT. Yay!!! But I have some services that need to be reached on the mail server on the DMZ side of the network.

Services like:

  dns 53, 193

  smtp 25

My question is, do I place the access list to permit these services from outside to DMZ like this below?

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain

access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp

OR THIS

access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix

access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain

access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp

Which direction would be more appropriate to go with? I have tried both ways but with no result.

Also, from the front-end mail server, if I try to ping the Internet, say a domain name like www.yahoo.com, it only resolves the name but the pings are not going through.

Thanks for your advice in advance.

I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!

Cheers!

Teddy

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

If you are allowing traffic from the Internet then you will be using the ACL that is attached to the "outside" interface in the direction "in".

So I would presume in your case the ACL to use would be this:

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix

access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain

access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp

To confirm we could use the "show run access-group" command and check its output to make sure we are using the correct ACL.

I would imagine you have at least the following in the output:

access-group outside_access_in in interface outside

If you can't ICMP from the DMZ server to the Internet then I would suggest testing it with the "packet-tracer" command:

packet-tracer input dmz icmp 172.16.1.2 8 0 8.8.8.8

Also, the very basic configurations to add if not yet added would be:

policy-map global_policy

class inspection_default

  inspect icmp error

  inspect icmp

Enabling the ICMP Inspection allows the ASA to allow the ICMP Echo reply to get back from the Internet through the ASA to the host that originally sent the ICMP Echo message.

If we can't solve the problem with the above or get enough information with the "packet-tracer" command, we might need to have a look at the configurations.

- Jouni
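An added example, not code from the thread or from Cisco: a small Python check that applies the "show run access-group" advice above offline. It parses access-list and access-group lines, finds which ACL is actually bound inbound on an interface, and reports why a permit such as the ones in the question would not take effect (defined in an unbound ACL, or constrained by a source port). The configuration fragment is constructed from the lines quoted in the thread; the parser only understands the simple ACE forms shown there.

```python
import re

# Constructed sample modelled on the fragments quoted in the thread; not a real device config.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
access-group outside_access_in in interface outside
"""

# Only the simple "extended permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]" form from the thread.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|object \S+|host \S+)(?: eq (?P<sport>\S+))? "
    r"(?P<dst>any|object \S+|host \S+)(?: eq (?P<dport>\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) (?P<dir>in|out) interface (?P<intf>\S+)$")

def parse(config):
    """Split a config fragment into ACEs and (interface, direction) -> ACL bindings."""
    aces, bindings = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces.append(m.groupdict())
        elif m := GROUP_RE.match(line):
            bindings[(m["intf"], m["dir"])] = m["acl"]
    return aces, bindings

def check_inbound_permit(config, intf, proto, dst_obj, dport):
    """Return (effective, findings) for traffic entering `intf` to object dst_obj on proto/dport."""
    aces, bindings = parse(config)
    bound = bindings.get((intf, "in"))
    if bound is None:
        return False, [f"no ACL bound inbound on interface {intf}"]
    findings, effective = [], False
    for a in aces:
        if (a["action"], a["proto"], a["dst"], a["dport"]) != ("permit", proto, f"object {dst_obj}", dport):
            continue
        if a["acl"] != bound:
            findings.append(f"permit for {proto}/{dport} is in ACL {a['acl']}, which is not applied to {intf} in")
        elif a["sport"]:
            # Clients connect from ephemeral source ports, so a source-port match almost never hits.
            findings.append(f"permit for {proto}/{dport} also requires source port {a['sport']}; it will not match")
        else:
            effective = True
    if not effective and not findings:
        findings.append(f"no permit for {proto}/{dport} to {dst_obj} in ACL {bound}")
    return effective, findings
```

Run it against the output of "show run access-list" and "show run access-group" pasted into SAMPLE_CONFIG; a permit that lives in an unbound ACL, like the outside_access_dmz lines in the question, is reported rather than silently ignored.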


Hi Jouni,

Thanks once again for your explanation. It was super helpful to me. I actually just wanted a senior person to go through my configs and vet them for me. I'm so glad you did.

After doing just as directed, everything came to life! The messaging folks were able to send the mail they needed to as test mail, and "inspect icmp error" helped with the DMZ server getting responses back. My earlier thought was that the global ICMP inspection would have sufficed for everything since it was globally applied. But I've learned a great deal today!

Thanks a million Jouni! You rock!

Teddy
