problem with mail server in dmz zone

goran ljubic
Level 1

I configured a DMZ zone on my ASA 5510 and put my mail server in this zone. I configured a NAT rule with the public address which I received from my ISP, and I configured an ACL rule. My configuration of the ASA 5510 is:

[quote]

Result of the command: "show runn"

: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name domen.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
 description Mreza za virtualne masine- mail server, wsus....
 nameif DMZ
 security-level 50
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name dri.local
object network VPN-POOL
 subnet 192.168.50.0 255.255.255.0
 description VPN Client pool
object network LAN-NETWORK
 subnet 192.168.0.0 255.255.255.0
 description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
 host 192.168.0.10
object service ssl
 service tcp destination eq 465
object service tls
 service tcp destination eq 995
object network mail_server
 host 172.16.20.200
object service StartTLS
 service tcp destination eq 587
object service admin_port
 service tcp destination eq 1000
object service ODMR
 service tcp destination eq 366
object service SSL-IMAP
 service tcp destination eq 993
object network remote
 host 172.16.20.200
object network test
 host 192.168.0.22
object network mail
 host 172.16.20.200
object-group network PAT-SOURCE-NETWORKS
 description Source networks for PAT
 network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
 service-object tcp
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp
 service-object icmp echo-reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22
access-list outside_dmz extended permit tcp any host 178.254.133.179 eq smtp
access-list outside_dmz extended permit tcp any host 178.254.133.179 eq pop3
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
 nat (DMZ,outside) static x.x.x.179
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00

[/quote]

But my client cannot access my mail server. Which rules do I need to put in so that my mail server works?

30 Replies

The NAT statement is in place and the ACL allows SMTP, that's fine. (In fact, you allow all TCP to the DMZ server because of "service-object tcp" in the group DM_INLINE_SERVICE_2; that should be removed.)

Can your server access the Internet?

If that works, you can try disabling the SMTP inspection with

no fixup protocol smtp 25

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
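The over-broad group entry pointed out in the reply above, as an added config-audit example that is not part of the thread: the excerpt is constructed from the posted "show run", and the parser is a minimal illustration, not a full ASA config parser. It flags protocol-only service-object entries in any group referenced by an ACL that is bound to an interface, and shows the same group with those entries dropped.

```python
import re
# Constructed excerpt modelled on the thread's "show run"; not the poster's full config.
ASA_CONFIG = """\
object-group service DM_INLINE_SERVICE_2
 service-object tcp
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp
 service-object icmp echo-reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
"""

def parse_service_groups(cfg):
    """Map each 'object-group service' name to its service-object entries."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group service (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(" service-object "):
            groups[current].append(line.split(None, 1)[1])
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the group
    return groups

def broad_entries(entries):
    """Protocol-only entries (plain tcp/udp/ip) permit every port of that protocol."""
    return [e for e in entries if e.split() in (["tcp"], ["udp"], ["ip"])]

def tightened(entries):
    """The same group with the protocol-wide entries dropped."""
    return [e for e in entries if e not in broad_entries(entries)]

def audit(cfg):
    """Flag broad entries in groups used by ACLs that are bound to an interface."""
    groups = parse_service_groups(cfg)
    bound = dict(re.findall(r"access-group (\S+) in interface (\S+)", cfg))
    acl_re = r"access-list (\S+) extended permit object-group (\S+) (\S+) (.*)"
    findings = []
    for acl, grp, _src, dst in re.findall(acl_re, cfg):
        for entry in broad_entries(groups.get(grp, [])):
            if acl in bound:
                findings.append((bound[acl], acl, grp, entry, dst.strip()))
    return findings
```

Each finding names the interface, the ACL, the group, the broad entry and the destination it opens, so the DMZ_access_in group (which also carries a plain "ip") shows up alongside the one discussed above.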

My server cannot access the internet. My ISP has registered in the DNS zone an A record for my public IP x.x.x.179, an MX record and a TXT record, but I can't access the internet from my mail server.

Must my mail server have access to the internet? I can't open a web page from the web browser.

Ok, that is a different situation. Then start troubleshooting your connection from the ASA to the server:

1) Can they ping each other?

2) Is the switchport config correct where your server is connected?

3) Is the IP config on the mail server correct?


1) Yes, they can ping each other.

3) My mail server has address 172.16.20.200, mask 255.255.255.0, gateway 172.16.20.1, DNS 172.16.20.1. The ASA has the configuration 172.16.20.1 mask 255.255.255.0.

2) Switchport config: where do I see that configuration?

When I use packet tracer I get a picture showing that my firewall is configured ok. What do you think?

The packet-tracer looks fine. How do you test if your mail server is reachable from the internet?


Configure a different DNS server on the mail server, not 172.16.20.1. The ASA doesn't work as a DNS server.

Configure the following command:

fixup protocol icmp

and try to ping an address on the internet (like 8.8.8.8). Does that work?


I receive request timed out.

Yes, you only allow traffic to an internal server; try to add the following line and ping 8.8.8.8 again:

access-list DMZ_access_in extended permit icmp any any echo


Again nothing, request timed out. I changed the DNS server. I put in the DNS server from my inside LAN, where the LAN has internet. This DNS server is integrated with Active Directory. My users have a DNS server with address 192.168.0.20 and they have internet. When I ping, for example, www.google.com I receive the address of Google, but I don't get a ping reply, request timed out. I put in this DNS server as a temporary solution. Can I enable a DHCP server and DNS server on my ASA 5510 firewall and use the DNS of the ASA?

Based on your config above, the inside clients can't connect to the internet (no NAT for the internal network). You say you can access the internet from the internal network. Are there any other devices outside of the ASA, or inside, providing access to the internet?


I checked the configuration of my Ethernet0/2, and on Ethernet0/2 no VLAN is configured and there's no switchport. Maybe this is the problem.

On your ASA the interface is configured. And you say you can ping the ASA from the server. So there shouldn't be a problem, unless you have another system with IP 172.16.20.1 that was replying when you tested it.

Please enable the ICMP debug on the ASA:

asa# deb icmp trace

asa# term mon

and ping 172.16.20.1 again from the server. If you see a log message, the connection between the server and the ASA is fine.

And please provide the output of the following command:

asa# packet-tracer input DMZ icmp 172.16.20.200 8 0 1.2.3.4
