01-24-2006 06:52 AM - edited 02-20-2020 09:35 PM
I have my front end email server on a DMZ that needs to query my back end mail server.
If you look at the Visio drawing I have here you can see my network.
I'm not sure where to put the access list. Do I create the access list and then apply it to out the inside interface?
01-24-2006 10:14 AM
Hello,
So you're going to create a couple of access-lists if you're trying to allow mail in from outside to the DMZ mail server and then have it relay mail to your inside e-mail server. I've created three basic access-lists below: one allowing only mail to the DMZ server, one allowing the DMZ server to only send mail to the inside mail server, and one to allow everything inside out.
access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp
access-list IN_DMZ deny ip any any
access-list IN_OUTSIDE permit tcp any host 172.16.1.10 eq smtp
access-list IN_OUTSIDE deny ip any any
access-list IN_INSIDE permit ip any any
access-group IN_DMZ in interface dmz
access-group IN_OUTSIDE in interface outside
access-group IN_INSIDE in interface inside
Hope this helps.
Patrick
01-24-2006 10:57 AM
Patrick
People from outside are only connecting to the FE mail server via HTTPS. I already have that configured on the outside ACL. My concern is the FE server requesting information from the BE server. The FE server needs SMTP access to the BE server.
01-24-2006 01:45 PM
So set it up like this so that you're only using the dmz access-list in my example.
! identity translation so the DMZ host keeps its own address toward the inside (PIX uses "static", not "nat", for this)
static (dmz,inside) 172.16.1.10 172.16.1.10 netmask 255.255.255.255
access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp
access-list IN_DMZ deny ip any any
access-group IN_DMZ in interface dmz
This will allow your server to only initiate connections via smtp to your mail server.
Please rate any posts that are helpful.
Patrick
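To see why the DMZ ACL above only lets the front-end reach the back-end on SMTP, here is a small first-match evaluator for the PIX access-list syntax used in this thread. It is an added example, not code from the thread or from Cisco; it handles only the "host"/"any" address forms and "eq port" seen here, and the sample ACL text and test flows are constructed from the addresses in the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# port names used in PIX ACL lines; extend as needed
PORTS = {"smtp": 25, "https": 443, "http": 80, "domain": 53}

# constructed sample: the IN_DMZ list posted above
SAMPLE_ACL = """
access-list IN_DMZ permit tcp host 172.16.1.10 host 192.168.1.23 eq smtp
access-list IN_DMZ deny ip any any
"""

@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

def _addr(tokens):
    """Consume 'any' or 'host X' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines in order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORTS.get(rest[1]) or int(rest[1])
        aces.append(Ace(name, action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto not in (proto, "ip"):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "deny"
```

Running the back-end host on any port other than 25, or any other inside host, or UDP DNS from the DMZ, all fall through to the deny line, which is the point the later reply makes about needing DNS resolution.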
01-24-2006 01:53 PM
It depends totally on who makes your mail servers and what services you are running. If your front-end is Exchange and you're running OWA, POP etc., you need a bunch of ports open. If you are only routing SMTP with the front end then you should only need SMTP open. You also need to make sure you have good DNS resolution. Let me know and I can try to help.
01-24-2006 05:42 PM
It is an MS Exchange email server. I was trying to keep the post as simple as possible by just saying SMTP. I am aware of the other ports that need to be open on the ACL. I'm just trying to grasp the concept of the DMZ to inside ACL. I will take a better look at it now. TY