11-06-2012 06:39 AM - edited 03-11-2019 05:19 PM
I configured a DMZ zone on my ASA 5510 and put my mail server in this zone. I configured a NAT rule with the public address I received from my ISP, and I configured an ACL rule. My configuration of the ASA 5510 is:
[quote]
Result of the command: "show runn"
: Saved
:
ASA Version 8.4(2)
!
hostname asa5510
domain-name domen.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.178 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface Ethernet0/2
description Mreza za virtualne masine- mail server, wsus....
nameif DMZ
security-level 50
ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name dri.local
object network VPN-POOL
subnet 192.168.50.0 255.255.255.0
description VPN Client pool
object network LAN-NETWORK
subnet 192.168.0.0 255.255.255.0
description LAN Network
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network 192.168.0.10
host 192.168.0.10
object service ssl
service tcp destination eq 465
object service tls
service tcp destination eq 995
object network mail_server
host 172.16.20.200
object service StartTLS
service tcp destination eq 587
object service admin_port
service tcp destination eq 1000
object service ODMR
service tcp destination eq 366
object service SSL-IMAP
service tcp destination eq 993
object network remote
host 172.16.20.200
object network test
host 192.168.0.22
object network mail
host 172.16.20.200
object-group network PAT-SOURCE-NETWORKS
description Source networks for PAT
network-object 192.168.0.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object tcp
service-object tcp destination eq pop3
service-object tcp destination eq smtp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp
service-object icmp echo-reply
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list Split_Tunnel_List extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22
access-list outside_dmz extended permit tcp any host 178.254.133.179 eq smtp
access-list outside_dmz extended permit tcp any host 178.254.133.179 eq pop3
ip local pool vpnadrese 192.168.50.1-192.168.50.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static LAN-NETWORK LAN-NETWORK destination static VPN-POOL VPN-POOL
!
object network mail_server
nat (DMZ,outside) static x.x.x.179
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.177 1
timeout xlate 3:00:00
[/quote]
But my client cannot access my mail server. Which rules do I need to put in so that my mail server works?
11-09-2012 03:44 AM
When I ping the mail server on address x.x.x.179 from my PC, which is in the inside LAN (192.168.0.54), the ping works. Traffic on ports 25, 110, 443, 444, 995, 3389 doesn't work. Also, when I disable the default ICMP inspection in Global Policy > Inspection, my ping doesn't work either.
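One quick check a reviewer would run on a config like the one posted above, as an added example that is not part of the thread: on ASA 8.3 and later, an interface access-list matches the real (untranslated) address of a host, so an inbound entry written against the static-NAT mapped public address never matches, and an access-list that is never bound with `access-group` does nothing at all. The script below parses the `object network`, object NAT, `access-list` and `access-group` lines from a config dump and reports both conditions. The config excerpt is constructed from the posted `show run`; the thread masks the public address as `x.x.x.179` in the NAT line but not in the `outside_dmz` entries, so the sample uses the masked form throughout to let the checker correlate them.

```python
"""Lint an ASA 8.3+ running-config excerpt for ACL/NAT consistency.

Reports (1) access-lists that are defined but never bound to an interface
and (2) access-list entries whose 'host' operand is a static-NAT mapped
address rather than the real host (on ASA 8.3+ ACLs see real addresses).
"""
import re

# Constructed excerpt of the thread's "show run"; x.x.x.179 is the masked
# public address, used here in both the NAT line and the outside_dmz ACL.
SAMPLE_CONFIG = """\
object network mail_server
 host 172.16.20.200
object service ssl
 service tcp destination eq 465
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object mail_server
access-list outside_dmz extended permit tcp any host x.x.x.179 eq smtp
access-list outside_dmz extended permit tcp any host x.x.x.179 eq pop3
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 192.168.0.22
object network mail_server
 nat (DMZ,outside) static x.x.x.179
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
"""


def parse_config(text):
    """Return (objects, nat_mapped, acls, bound) from a config dump.

    Indentation is ignored so that a dump pasted into a forum post (which
    usually loses its leading spaces) parses the same as real CLI output.
    """
    objects = {}     # object network name -> real host or subnet
    nat_mapped = {}  # object network name -> mapped address (object NAT static)
    acls = {}        # access-list name -> list of ACE strings
    bound = {}       # access-list name -> (direction, interface)
    current = None   # object network whose sub-commands are being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        if line.startswith(("object ", "object-group ", "access-")):
            current = None  # any other top-level command ends the object
        m = re.match(r"host (\S+)$", line)
        if m and current:
            objects[current] = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = f"{m.group(1)}/{m.group(2)}"
            continue
        m = re.match(r"nat \((\S+),(\S+)\) static (\S+)", line)
        if m and current:
            nat_mapped[current] = m.group(3)
            continue
        m = re.match(r"access-list (\S+) extended (.*)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m:
            bound[m.group(1)] = (m.group(2), m.group(3))
    return objects, nat_mapped, acls, bound


def unbound_acls(acls, bound):
    """Access-lists that exist but are not applied with access-group."""
    return sorted(name for name in acls if name not in bound)


def aces_using_mapped_address(acls, nat_mapped):
    """ACEs whose 'host' operand is a mapped (post-NAT) address.

    Returns (acl_name, ace, object_name) triples; on ASA 8.3+ these entries
    should name the real host (here: the object) instead.
    """
    mapped_to_object = {addr: name for name, addr in nat_mapped.items()}
    findings = []
    for name, aces in acls.items():
        for ace in aces:
            m = re.search(r"\bhost (\S+)", ace)
            if m and m.group(1) in mapped_to_object:
                findings.append((name, ace, mapped_to_object[m.group(1)]))
    return findings


if __name__ == "__main__":
    objs, nat, acls, bound = parse_config(SAMPLE_CONFIG)
    for name in unbound_acls(acls, bound):
        print(f"unbound access-list: {name}")
    for acl, ace, obj in aces_using_mapped_address(acls, nat):
        print(f"{acl}: '{ace}' names mapped address of object {obj} "
              f"(real host {objs.get(obj)})")
```

Run against the sample it reports `outside_dmz` as unbound and flags both of its entries as written against the mapped address; the bound `outside_access_in` entry, which uses `object mail_server`, passes both checks.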