Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4601
Views
0
Helpful
5
Replies

Email Port Open for ASA5505

Go to solution
Tang-Suan Tan
Level 1
Level 1

‎01-17-2012 06:50 PM - edited ‎03-11-2019 03:15 PM

Hi all ;

Just posted a question that when I want to let email to come through the ASA5505 from outside to DMZ and Inside network, are the below command lines correct and good enough?

access-list  outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq imap4

access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq pop3

access-list outside_DMZ extended permit tcp outside-network-ip dmz-network-ip eq smtp

access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq imap4

access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq pop3

access-list outside_inside extended permit tcp outside-network-ip inside-network-ip eq smtp

access-group outside_DMZ in interface outside

access-group outside _inside interface outside

Are there any other TCP ports want to be allowed and other command lines need to be added?

Thanks!

Regards,

tangsuan

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Tang-Suan Tan

‎01-18-2012 08:38 PM

Hello Tang,

Depend of your email server,

Just in case:

  • Email Ports


    • For networks, a port means an endpoint to a logical connection. The port number identifies what type of port it is. Here are the default email ports for:

      POP3 - port 110
      IMAP - port 143
      SMTP - port 25
      HTTP - port 80
      Secure SMTP (SSMTP) - port 465
      Secure IMAP (IMAP4-SSL) - port 585
      IMAP4 over SSL (IMAPS) - port 993
      Secure POP3 (SSL-POP) - port 995

    Rate helpful posts

    Julio

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC

    View solution in original post

    0 Helpful
    5 Replies 5

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni

    ‎01-17-2012 08:34 PM

    Hello Tang,

    You will need to do a static one to one from the inside host to the outside and from the dmz host to the outside or you could use port-forwarding ( only for inbound connections)

    Regarding the ACLs you only need one access-group so on the same ACL create the statements to access both servers (inside and dmz) from the outside.Remember you can only have one access-group per direction on each interface.

    Rate helpful posts

    Regards,

    Julio

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC
    0 Helpful

    Go to solution
    Tang-Suan Tan
    Level 1
    Level 1
    In response to Julio Carvajal

    ‎01-18-2012 12:28 AM

    Hi Jcarvaja :

    Thanks for your reply!

    1. For inside to outside, I have used a dynamic nat as below :

    nat (inside) 20 192.168.100.0 255.255.255.0

    global (outside) 20 192.168.50.171-192.168.50.180

    As such, it should be not necessary for static one to one from inside to outside, right?

    2. For dmz to outside, I use the static nat and so each individual mapped IP is need to create. For example :

    static (dmz,outside) 192.168.20.x 192.168.50.x netmask 255.255.255.255

    whereby 192.168.20.x is host at outside network and 192.168.50.x is at dmz network. This will be ok, right?

    3. As for the ACL, I can group all the hosts (servers or stations) at dmz and inside and applied one ALC as below :

    access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq smtp

    access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq pop3

    access-list Email_in extended permit tcp object-group Outside_Network object-group hosts_dmz_inside eq imap4

    Let me know is it any problem, thanks!

    regards,

    tangsuan

    0 Helpful

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni
    In response to Tang-Suan Tan

    ‎01-18-2012 11:01 AM

    Hello Tang,

    That's it! That is what I meant before.

    Glad I could help!

    You can test it and let me know, I will be more than glad to help.

    Regards,

    Julio

    Rate all posts that helps!!

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC
    0 Helpful

    Go to solution
    Tang-Suan Tan
    Level 1
    Level 1
    In response to Julio Carvajal

    ‎01-18-2012 07:30 PM

    Hi Jcarvaja and all :

    Are the three ports : smtp, imap4 and pop3 enough for the email traffic?

    Any other ports or services that I should also added in?

    thanks and regards,

    tangsuan

    Hi Jcarvaja :

    Many tahnks for the other ports reference for the Email access.

    You already helped a lot on this question.

    regards,

    tangsuan

    0 Helpful

    Go to solution
    Julio Carvajal
    VIP Alumni
    VIP Alumni
    In response to Tang-Suan Tan

    ‎01-18-2012 08:38 PM

    Hello Tang,

    Depend of your email server,

    Just in case:

  • Email Ports


    • For networks, a port means an endpoint to a logical connection. The port number identifies what type of port it is. Here are the default email ports for:

      POP3 - port 110
      IMAP - port 143
      SMTP - port 25
      HTTP - port 80
      Secure SMTP (SSMTP) - port 465
      Secure IMAP (IMAP4-SSL) - port 585
      IMAP4 over SSL (IMAPS) - port 993
      Secure POP3 (SSL-POP) - port 995

    Rate helpful posts

    Julio

    Julio Carvajal
    Senior Network Security and Core Specialist
    CCIE #42930, 2xCCNP, JNCIP-SEC
    0 Helpful
    Customers Also Viewed These Support Documents
    Review Cisco Networking for a $25 gift card