06-14-2013 10:06 AM - edited 03-11-2019 06:58 PM
OK, I know the first part of the situation is solved and I'm grateful to Jouni who explained it to me. But I have yet another pending situation that I could use some help with here, and I really wouldn't mind being told this is where I got it all wrong.
So finally I could reach the server on the DMZ from outside via the static NAT. Yay!!! But I have some services that need to be reached on the mail server on the DMZ side of the network.
Services like:
dns 53, 193
smtp 25
My question is, do I place the access list to permit these services from outside to DMZ like this below?
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
OR THIS
access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
Which direction would be more appropriate to go via? I have done both ways but no result.
Also, from the front-end mail server, if I try to ping the Internet, say a domain name like www.yahoo.com, it only resolves the name but the pings are not going through.
Thanks for your advice in advance.
I say this not to undermine anybody's help, Jouni please if you see this I would also appreciate your contribution too!
Cheers!
Teddy
06-14-2013 10:23 AM
Hi,
If you are allowing traffic from the Internet then you will be using the ACL that is attached to the "outside" interface in the direction "in".
So I would presume in your case the ACL to use would be this:
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
To confirm we could use "show run access-group" command and check its output to make sure we are using the correct ACL.
I would imagine you have at least the following in the output:
access-group outside_access_in in interface outside
If you can't ICMP from the DMZ server to the Internet then I would suggest testing it with the "packet-tracer" command:
packet-tracer input dmz icmp 172.16.1.2 8 0 8.8.8.8
Also the very basic configurations to add if not yet added would be
policy-map global_policy
class inspection_default
inspect icmp error
inspect icmp
Enabling ICMP inspection allows the ICMP Echo reply to get back from the Internet through the ASA to the host that originally sent the ICMP Echo message.
If we can't solve the problem with the above or get enough information with the "packet-tracer" command, we might need to have a look at the configurations.
- Jouni
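As an added illustration, not part of the thread or of any Cisco code, the following Python script models how an ASA picks the ACL bound to an interface in the "in" direction and then evaluates it first-match with the implicit deny at the end. It runs both candidate ACLs from the question against a constructed inbound SMTP connection. The assumptions are: the object DMZ_MAILEDGE_SERVER resolves to 172.16.1.2 (the address used in the packet-tracer line above), the client 203.0.113.10 and its source port 51515 are made-up test values, and the port keywords follow the ASA's own table (domain 53, smtp 25, dnsix 195). The second ACL denies the connection because its entries also require the client's source port to equal the service port, while real clients connect from ephemeral ports; only the destination port should be constrained, which is what the outside_access_in version does.

```python
"""Toy model of ASA inbound ACL selection and evaluation (added example, not from the thread)."""

PORT_NAMES = {"domain": 53, "smtp": 25, "dnsix": 195}   # ASA keyword -> port number
OBJECTS = {"DMZ_MAILEDGE_SERVER": "172.16.1.2"}          # assumed object definition

# Candidate ACLs exactly as written in the question.
OUTSIDE_ACCESS_IN = [
    "access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix",
    "access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain",
    "access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp",
]
OUTSIDE_ACCESS_DMZ = [
    "access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix",
    "access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain",
    "access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp",
]
ACCESS_GROUPS = ["access-group outside_access_in in interface outside"]  # binding from the answer


def _addr(tokens, i):
    """Parse an address spec (any | host IP | object NAME) at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        return (lambda ip, t=tokens[i + 1]: ip == t), i + 2
    if tokens[i] == "object":
        return (lambda ip, t=OBJECTS[tokens[i + 1]]: ip == t), i + 2
    raise ValueError("unsupported address spec: " + tokens[i])


def _port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("unsupported ACE: " + line)
    src, i = _addr(t, 5)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return {"name": t[1], "action": t[3], "proto": t[4],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation; anything that matches no entry hits the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != proto:
            continue
        if not ace["src"](src_ip) or not ace["dst"](dst_ip):
            continue
        if ace["sport"] is not None and ace["sport"] != src_port:
            continue
        if ace["dport"] is not None and ace["dport"] != dst_port:
            continue
        return ace["action"]
    return "deny"


def acl_for(interface, direction, access_group_lines=ACCESS_GROUPS):
    """Return the ACL name bound to (interface, direction) by 'access-group NAME in|out interface IFACE'."""
    for line in access_group_lines:
        t = line.split()
        if t[0] == "access-group" and t[2] == direction and t[4] == interface:
            return t[1]
    return None


if __name__ == "__main__":
    # Constructed inbound SMTP connection: Internet client on an ephemeral port -> DMZ mail server:25.
    flow = ("tcp", "203.0.113.10", 51515, "172.16.1.2", 25)
    print("ACL applied to traffic entering 'outside':", acl_for("outside", "in"))
    print("outside_access_in  ->", evaluate(OUTSIDE_ACCESS_IN, *flow))
    print("outside_access_dmz ->", evaluate(OUTSIDE_ACCESS_DMZ, *flow))
```

The "show run access-group" check in the answer corresponds to acl_for() here: whatever ACL that binding names is the only one consulted for packets arriving on the outside interface, so entries added to an ACL that is not bound in that direction never take effect.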
06-14-2013 11:26 AM
Hi Jouni,
Thanks once more for your explanation. It was super helpful to me. I actually just wanted a senior person to go through my configs and vet them for me. I'm so glad you did.
After doing just as directed, everything came to life! The messaging folks were able to send the test mail they needed to, and "inspect icmp error" helped with the DMZ server getting responses back. My earlier thought was that the global ICMP inspection would have sufficed for everything since it was globally applied. But I've learned a great deal today!
Thanks a million Jouni! You rock!
Teddy