cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
589
Views
0
Helpful
5
Replies

ACL for front end and back end mail server

sboivin
Level 1
Level 1

I have my front end email server on a dmz that needs to query my back end mail server.

If you look at the VISIO drawing i have here you can see my network.

http://66.162.19.153/

Im not sure where to put the access list. Do i create the access list and then apply it to out the inside interface?

5 Replies 5

Patrick Laidlaw
Level 4
Level 4

Hello,

So your going to create a couple of access-lists if your trying to allow mail in from outside to the DMZ mail server and then have it relay mail to your inside e-mail server. I've created three basic access-lists below one allowing only mail to the DMZ server one allowing the DMZ server to only send mail to the inside mail server and one to allow everything inside out.

access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp

access-list IN_DMZ deny ip any any

access-list IN_OUTSIDE permit tcp any host 172.16.1.10 eq smtp

access-list IN_OUTSIDE deny ip any any

access-list IN_INSIDE permit ip any any

access-group IN_DMZ in interface dmz

access-group IN_OUTSIDE in interface outside

access-group IN_INSIDE in interface inside

Hope this helps.

Patrick

Patrick

People from outside are only connecting to the FE mail server via HTTPS. I already have that configured on the outside acl. My concern is the FE server requestion information fron the BE server. The FE server needs SMTP access to the BE server.

So set it up like this so that your only using the dmz access-list in my example.

nat (dmz, inside) 172.16.1.10 172.16.1.10

access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp

access-list IN_DMZ deny ip any any

access-group IN_DMZ in interface dmz

This will allow your server to only initiate connections via smtp to your mail server.

Please rate any posts that are helpful.

Patrick

flaggmd
Level 1
Level 1

It depend totally on who makes your mail servers and what services you are running. If your front-end is Exchange and you running OWA, POP etc.. you need a bunch of ports open. If you are only routing SMTP with the front end then you should only need SMTP open. You also need to make sure you have good DNS resolution. Let me know and I can try to help.

It is a MS Exchange email server. I was trying to keep the post as simple as possible by just saying smtp. I am aware of the other ports that need to be open on the acl. Im just trying to grasp the concept of the dmz to inside acl. I will take a better look at it now. TY