Need to allow SMTP on ASA

ajay chauhan
Level 7

Hi, I want to give SMTP access to one of the machines in the DMZ zone. I am going to allow DMZ access-list IN for port 25. Do I need to allow return traffic in the ASA, or will editing access-list IN in the DMZ and PATting allow me to access SMTP on the internet?

Please explain, thanks.


4 Replies

Farrukh Haroon
VIP Alumni

Ajay, you just need to permit it in the outside >> dmz direction. The remaining (dmz>>outside) return traffic will automatically be permitted due to the 'stateful' nature of the firewall.

As long as your DMZ server has higher security level than outside, it will also be able to 'send' outbound email (provided proper NAT rules are there).

Have a look at:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

Regards

Farrukh

Hi Farrukh,

Thanks for your reply, but the mail server is not sitting in the DMZ zone. This is an application server sitting in the DMZ on which I just need to configure sending mail to the outside.

This will not be static NATting; I will PAT it with the same IP as I do for inside hosts.

In this case traffic from DMZ >>> Outside on port 25 will be allowed, but what about return traffic?

Will it be allowed by default, or do I need to add any inspect rule?

Please explain.

Yes 'return' traffic will be allowed.

No need to worry.

Regards

Farrukh

Hi Ajay,

If you don't have an ACL applied to the DMZ at the moment, you don't need to specifically permit traffic originating from a higher security level interface destined to a lower security level interface.

The firewall is a stateful device and will permit return traffic by default; you don't need extra ACLs.

If you have an ACL applied to the DMZ for other (filtering) purposes, you should specifically enter a permit for SMTP outbound, since the ACL has an implicit deny.

Regards
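The configuration the replies describe, written out as an added example (it is not from any post in this thread or from the Cisco document linked above). It uses ASA 8.3+ syntax; the interface names `dmz` and `outside`, the server address 10.10.10.25 and the ACL name `DMZ_IN` are assumed placeholders. It shows the two pieces that actually matter for the question: dynamic PAT of the DMZ server behind the outside address, and an outbound ACL on the DMZ interface that permits only SMTP from that server. No ACL entry in the outside >> dmz direction is added, because the return half of the TCP session is carried by the connection table, not by an ACL.

```cisco
! Added example, not configuration from the thread. ASA 8.3+ syntax.
! Assumed placeholders: interfaces "dmz" and "outside", server
! 10.10.10.25, ACL name DMZ_IN.

! Dynamic PAT for the DMZ application server behind the outside
! interface address, the same PAT style the thread uses for inside hosts.
object network DMZ-APP-SERVER
 host 10.10.10.25
 nat (dmz,outside) dynamic interface

! Outbound ACL on the dmz interface. Only the application server may
! open SMTP sessions to the outside. The ACL ends in an implicit deny,
! so everything else from the DMZ is dropped; the explicit deny with
! "log" just makes those drops visible in the syslog.
access-list DMZ_IN extended permit tcp host 10.10.10.25 any eq smtp
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! Verification after sending a test message from the server:
! the connection table shows the stateful entry that carries the
! return traffic, and the ACL hit counts show which line matched.
show conn port 25
show access-list DMZ_IN
```

No separate inspect rule is required for the return traffic. The ASA's default global policy already applies `inspect esmtp` to port 25 sessions; that inspection filters SMTP commands inside an established session and is independent of the stateful handling that permits the server's replies back into the DMZ. Keeping the permit line scoped to a single host rather than `any` means a compromised workstation elsewhere in the DMZ cannot use the same PAT path to send mail directly, and the logged deny line is where such attempts would show up.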
