Mail server not accessible through domain name from Inside network
12-02-2007 05:54 AM - edited 03-11-2019 04:37 AM
Hi,
I have the following problem:
I have installed an ASA firewall on my Internet perimeter which protects our users and mail server.
The mail server is now not accessible through the web browser (mail.ourdomain.com). I have allowed all the necessary ports (25, 110, 80) and static PAT to the ports.
The mail server has the same public IP address as the Firewall outside interface.
I have also tried DNS doctoring to no avail.
What am I missing?
access-list IF_OUTSIDE_IN extended permit tcp any host x.x.x.x object-group MAIL_SERVICES log
access-list IF_OUTSIDE_IN extended permit tcp any host x.x.x.x eq www
access-list IF_OUTSIDE_IN extended permit icmp any any object-group ICMP_SERVICES
MAIL_SERVICES = 25, 110
interface Ethernet0/0
 nameif IF_OUTSIDE
 security-level 0
 ip address x.x.x.x 255.255.255.248
mail.ourdomain.com = x.x.x.x
global (IF_OUTSIDE) 1 interface
nat (IF_INSIDE) 1 0.0.0.0 0.0.0.0
static (IF_INSIDE,IF_OUTSIDE) tcp interface pop3 y.y.y.y pop3 netmask 255.255.255.255
static (IF_INSIDE,IF_OUTSIDE) tcp interface smtp y.y.y.y smtp netmask 255.255.255.255
static (IF_INSIDE,IF_OUTSIDE) tcp interface www y.y.y.y www netmask 255.255.255.255 dns
y.y.y.y = Mail server Private
Labels: NGFW Firewalls
12-02-2007 05:57 AM
Forgot to mention, Mail server can't send or receive mail to the world.
Users can browse the Internet using:
nat-control
global (IF_OUTSIDE) 1 interface
nat (IF_INSIDE) 1 0.0.0.0 0.0.0.0
12-02-2007 07:39 AM
I would start from the beginning: check whether the MX record really points to x.x.x.x by pinging mail.yourdomain.com. You permitted ICMP, so you should get replies.
A sanitized config of the ASA would be really helpful.
