Nat to Web/Mail Server in DMZ - How to access servers Externally

brian.linton
Level 1

I have a web and mail server in the DMZ (two separate IP addresses).

I have a single External IP from my ISP, so I use Port Forwarding to direct traffic to each server depending on the port.

I can access the web server by typing www.domainname.com.

However, I'm unsure how to access the mail server (mail.domainname.com); when I type this, I reach the web server.

2 Replies

How are you testing the mail-server? You have to access it with the port that you forward to your mail-server (most likely tcp/25). That can be done with telnet or nc:

nc mail.domainname.com 25
telnet mail.domainname.com 25

Hi,

I can SSH to the mail server.

nc isn't giving me a response on port 25.

See the configuration below; 000.123.456.789 represents the external IP, while 192.168.70.1 is the mail server, sitting in a DMZ.

: Saved
:
ASA Version 8.4(4)1
!
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 000.123.456.789 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.60.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz2
security-level 50
ip address 192.168.70.1 255.255.255.0
!

object network inside-subnet
subnet 192.168.50.0 255.255.255.0
object network dmz-net
subnet 192.168.60.0 255.255.255.0
object network http_server
host 192.168.60.2
object network EmailServ
host 192.168.70.2
object network dmz2-subnet

object network Emailssh
host 192.168.70.2

object network http_serverhttps
host 192.168.60.2

access-list Outside_Access_In extended permit tcp any object http_server eq www
access-list Outside_Access_In extended permit tcp any object EmailServ eq smtp
access-list Outside_Access_In extended permit tcp any object http_serverhttps eq
access-list Outside_Access_In extended permit tcp any object Emailssh eq 1

pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu dmz2 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network dmz-net
nat (dmz,outside) dynamic interface
object network http_server
nat (dmz,outside) static interface service tcp www www
object network EmailServ
nat (dmz2,outside) static interface service tcp smtp smtp
object network Emailssh
nat (dmz2,outside) static interface service tcp ssh ssh
object network dmz2-subnet
nat (dmz2,outside) dynamic interface
object network http_serverhttps
nat (dmz,outside) static interface service tcp https https
access-group Outside_Access_In in interface outside
route outside 0.0.0.0 0.0.0.0 000.123.456.788 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.50.20-192.168.50.50 inside
dhcpd enable inside
!
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9643e1e2f43a8454958e36188bbe0931
: end
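Added example (not from the thread or Cisco): a small checker that parses the object, NAT and access-list lines of an ASA 8.3+ configuration and reports, for every static PAT rule, whether the ACL bound to the outside interface permits the forwarded port. The excerpt it runs on is copied from the configuration posted above (http_server left out for brevity); the PORT_NAMES table is an assumption covering only the port names that appear there.

```python
import re

# The ASA prints well-known ports by name; only the names that occur in the posted config are needed.
PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "ssh": 22}

# Lines copied from the configuration posted above (http_server omitted to stay short): one ACL
# entry matches its NAT rule, one has its port cut off, one names a port its NAT rule does not use.
ASA_CONFIG = """\
access-list Outside_Access_In extended permit tcp any object EmailServ eq smtp
access-list Outside_Access_In extended permit tcp any object http_serverhttps eq
access-list Outside_Access_In extended permit tcp any object Emailssh eq 1
object network EmailServ
nat (dmz2,outside) static interface service tcp smtp smtp
object network Emailssh
nat (dmz2,outside) static interface service tcp ssh ssh
object network http_serverhttps
nat (dmz,outside) static interface service tcp https https
access-group Outside_Access_In in interface outside
"""

def port_number(token):
    """Resolve an ASA port token (name or number) to an int; None if missing or unknown."""
    if token and token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)

def audit_port_forwards(config):
    """Return, per static PAT object, its real and mapped ports and the port the outside ACL permits."""
    forwards, acls, current, outside_acl = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"object network (\S+)$", line):
            current = m[1]
        elif m := re.match(r"nat \(\S+,outside\) static interface service tcp (\S+) (\S+)$", line):
            forwards[current] = (m[1], m[2])  # (real port, mapped port on the outside interface)
        elif m := re.match(r"access-list (\S+) extended permit tcp any object (\S+) eq ?(\S*)$", line):
            acls.setdefault(m[1], {})[m[2]] = m[3] or None  # empty group: the port argument is missing
        elif m := re.match(r"access-group (\S+) in interface outside$", line):
            outside_acl = m[1]
    report = {}
    for name, (real_port, mapped_port) in forwards.items():
        real, acl_port = port_number(real_port), port_number(acls.get(outside_acl, {}).get(name))
        # Since ASA 8.3 the interface ACL is matched against the real (untranslated) destination port.
        report[name] = {"real_port": real, "mapped_port": port_number(mapped_port),
                        "acl_port": acl_port, "ok": acl_port is not None and acl_port == real}
    return report

if __name__ == "__main__":
    for name, r in audit_port_forwards(ASA_CONFIG).items():
        print(f"{name:18} outside:{r['mapped_port']} -> {r['real_port']}  acl={r['acl_port']}  {'OK' if r['ok'] else 'CHECK ACL'}")
```

Run against a full `show running-config` the same way; any forward reported as CHECK ACL is either unreachable from outside or permitted on a port the NAT rule never translates.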
