11-06-2012 06:39 AM - edited 03-11-2019 05:19 PM
I configured a DMZ zone on my ASA 5510 and put my mail server in this zone. I configured a NAT rule with the public address which I received from my ISP, and I configured an ACL rule. My configuration of the ASA 5510 is:
[quote]
Result of the command: "show runn"
: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name domen.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Network for virtual machines - mail server, WSUS....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.200
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 1000
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object tcp
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo-reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22
access-list outside_dmz extended permit tcp any host 178.254.133.179 eq smtp
access-list outside_dmz extended permit tcp any host 178.254.133.179 eq pop3
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
[/quote]
But my client cannot access my mail server. Which rules do I need to put in so that my mail server works?
11-06-2012 07:00 AM
The NAT statement is in place and the ACL allows SMTP; that's fine. (In fact, you allow all TCP to the DMZ server because of "service-object tcp" in the group DM_INLINE_SERVICE_2; that should be removed.)
Can your server access the Internet?
If that works, you can try disabling the SMTP inspection with
no fixup protocol smtp 25
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-06-2012 07:10 AM
My server cannot access the internet. My ISP has registered in the DNS zone an A record for my public IP x.x.x.179, an MX record and a TXT record, but I can't access the internet from my mail server.
11-06-2012 07:12 AM
Must my mail server have access to the internet? I can't browse web pages from a web browser.
11-06-2012 07:14 AM
OK, that is a different situation. Then start troubleshooting your connection from the ASA to the server:
1) Can they ping each other?
2) Is the switchport config correct where your server is connected?
3) Is the IP config on the mail server correct?
11-06-2012 07:27 AM
1) Yes, they can ping each other.
3) My mail server has address 172.16.20.200, mask 255.255.255.0, gateway 172.16.20.1, DNS 172.16.20.1. The ASA has the configuration 172.16.20.1, mask 255.255.255.0.
2) Switchport config: where do I see that configuration?
11-06-2012 07:37 AM
When I use packet tracer I get a picture showing that my firewall is configured OK. What do you think?
11-06-2012 07:45 AM
The packet-tracer looks fine. How do you test whether your mail server is reachable from the internet?
11-06-2012 07:39 AM
Configure a different DNS server on the mail server, not 172.16.20.1. The ASA doesn't work as a DNS server.
Configure the following command:
fixup protocol icmp
and try to ping an address on the internet (like 8.8.8.8). Does that work?
11-06-2012 07:45 AM
I receive "request timed out".
11-06-2012 07:49 AM
Yes, you allow only traffic to an internal server. Try to add the following line and ping 8.8.8.8 again:
access-list DMZ_access_in extended permit icmp any any echo
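Both points Karsten makes above can be checked offline against the posted config: the bare "service-object tcp" in DM_INLINE_SERVICE_2 opens every TCP port on the mail server from the outside, and DMZ_access_in permits traffic only to host 192.168.0.22, so the mail server's ping to 8.8.8.8 falls through to the implicit deny until an ICMP permit is added. The following is an added example written for this page, not code from the thread or from Cisco: a small Python parser for the subset of ASA 8.4 syntax used in the posted config. It expands the service object-groups, lists permit entries that match every port or every protocol, and evaluates a flow against an interface ACL with first-match semantics and the implicit deny. The config excerpt embedded in it is reconstructed from the post; ICMP_FIX is the line suggested in the reply above; TIGHTENED is the same config with the bare TCP entry removed, as suggested in the first reply.

```python
"""Mini ASA ACL evaluator (added example; not code from the original thread).
Parses the network objects, service object-groups and extended ACL entries of
an ASA 8.4 config (only the syntax subset the posted config uses), expands the
groups, and checks two things from the thread: permit entries that match every
TCP port or every IP protocol via a bare 'service-object tcp'/'ip', and whether
a flow passes an interface ACL (first match wins; implicit deny at the end).
CONFIG is reconstructed from the post; ICMP_FIX is the line suggested there."""
import ipaddress
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap4": 143, "www": 80, "https": 443}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
CONFIG = """\
object network mail_server
 host 172.16.20.200
object-group service DM_INLINE_SERVICE_2
 service-object tcp
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp
 service-object icmp echo-reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22
"""
ICMP_FIX = "access-list DMZ_access_in extended permit icmp any any echo\n"
TIGHTENED = CONFIG.replace(" service-object tcp\n", "", 1)  # bare tcp dropped from DM_INLINE_SERVICE_2

def parse_service(tok):
    """['tcp'], ['tcp', 'destination', 'eq', 'pop3'] or ['icmp', 'echo'] ->
    (protocol, match); match is a dest port, an ICMP type, or None for any."""
    proto = tok[0]
    if proto == "icmp":
        return (proto, ICMP_TYPES[tok[1]] if len(tok) > 1 else None)
    if "eq" in tok:
        port = tok[tok.index("eq") + 1]
        return (proto, PORT_NAMES[port] if port in PORT_NAMES else int(port))
    return (proto, None)

def parse_address(tok, i, net_objects):
    """One address spec (any | host A | object N | A MASK) at tok[i] -> (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "object":
        return net_objects[tok[i + 1]], i + 2
    net = tok[i + 1] if tok[i] == "host" else f"{tok[i]}/{tok[i + 1]}"
    return ipaddress.ip_network(net), i + 2

def parse_ace(line, net_objects, svc_groups):
    tok = line.split()[3:]          # drop 'access-list NAME extended'
    if tok[1] == "object-group":
        services, i = list(svc_groups[tok[2]]), 3
    else:
        services, i = None, 2       # inline protocol; its port/type follows the destination
    src, i = parse_address(tok, i, net_objects)
    dst, i = parse_address(tok, i, net_objects)
    if services is None:
        services = [parse_service([tok[1]] + tok[i:])]
    return {"action": tok[0], "services": services, "src": src, "dst": dst, "text": line}

def parse_config(text):
    net_objects, svc_groups, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            current = ("net", tok[2])
        elif tok[:2] == ["object-group", "service"]:
            current, svc_groups[tok[2]] = ("svc", tok[2]), []
        elif tok[0] in ("host", "subnet") and current and current[0] == "net":
            net_objects[current[1]] = ipaddress.ip_network("/".join(tok[1:]))
        elif tok[0] == "service-object" and current and current[0] == "svc":
            svc_groups[current[1]].append(parse_service(tok[1:]))
        elif tok[0] == "access-list" and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(parse_ace(raw.strip(), net_objects, svc_groups))
        else:
            current = None          # any other top-level line ends the object block
    return net_objects, svc_groups, acls

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching entry decides; no match is the ASA's implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        hit = any(p == "ip" or (p == proto and m in (None, dport)) for p, m in ace["services"])
        if hit and src in ace["src"] and dst in ace["dst"]:
            return ace["action"] == "permit"
    return False

def overbroad_permits(acls):
    """Permit entries that match every TCP/UDP port or every IP protocol."""
    return [(name, ace["text"]) for name, aces in acls.items() for ace in aces
            if ace["action"] == "permit"
            and any(p in ("tcp", "udp", "ip") and m is None for p, m in ace["services"])]

if __name__ == "__main__":
    acls, fixed = parse_config(CONFIG)[2], parse_config(CONFIG + ICMP_FIX)[2]
    ping = ("icmp", "172.16.20.200", "8.8.8.8", ICMP_TYPES["echo"])
    print("over-broad permits:", overbroad_permits(acls))
    print("DMZ ping as posted:", evaluate(acls["DMZ_access_in"], *ping),
          "| after ICMP_FIX:", evaluate(fixed["DMZ_access_in"], *ping))
```

Running the file lists both inline groups as over-broad (DM_INLINE_SERVICE_2 through its bare tcp entry, DM_INLINE_SERVICE_1 through its bare ip entry) and prints False for the DMZ ping as posted and True once the ICMP line is appended; with TIGHTENED, outside_access_in still permits TCP/25 to the mail server but no longer TCP/1000. The parser only understands the constructs that appear in this thread (host/subnet objects, service-object with destination eq, extended ACEs with any/host/object/network-mask addresses). It is not a substitute for packet-tracer on the ASA, which also applies NAT, routing and inspection.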
11-06-2012 12:42 PM
Again nothing, request timed out. I changed the DNS server. I put in a DNS server in my inside LAN, where the LAN has internet. This DNS server is integrated with Active Directory. My users have a DNS server with address 192.168.0.20 and they have internet. When I ping, for example, www.google.com, I receive the address of Google, but I don't get a ping reply: request timed out. I put in this DNS server as a temporary solution. Can I enable a DHCP server and DNS server on my ASA 5510 firewall and use the DNS of the ASA?
11-07-2012 04:46 AM
Based on your config above, the inside clients can't connect to the internet (no NAT for the internal network). You say you can access the internet from the internal network. Are there any other devices outside of the ASA or inside it providing access to the internet?
11-07-2012 12:55 AM
I checked the configuration of my Ethernet0/2, and on Ethernet0/2 no VLAN is configured and there's no switchport. Maybe this is the problem.
11-07-2012 01:33 AM
On your ASA the interface is configured. And you say you can ping the ASA from the server. So there shouldn't be a problem. Unless you have another system with IP 172.16.20.1 that was replying when you tested it.
Please enable the ICMP debug on the ASA:
asa# deb icmp trace
asa# term mon
and ping 172.16.20.1 again from the server. If you see a log message, the connection between the server and the ASA is fine.
And please provide the output of the following command:
asa# packet-tracer input DMZ icmp 172.16.20.200 8 0 1.2.3.4