Static NAT for mail server

hendraeffendi
Level 1

I have a problem when publishing my mail server in the DMZ. I've already tested by using telnet [public ip of spam filter] 25 and 110 from outside. It is done successfully. But when I check the spam filter message log, no message is received from outside. My spam filter acts as a mail relay agent and is located in the DMZ. When I failed with the ASA, I switched back to the Linux firewall and had no problem. Please help me to solve this.

9 Replies

Fernando_Meza
Level 7

Hi ..

It could be an SMTP application inspection issue. Please post your configs without sensitive information.

Hi,

Here is our configuration using NAT and access lists.

---------------------------
access-list INTERNET extended permit ip any any
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 eq smtp
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 eq pop3
access-list INCOMING_MAIL extended permit icmp any host 202.153.30.110
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 range ftp ftp-data
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.100 eq https
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 eq www
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp permit any INSIDE
icmp permit any OUTSIDE
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.32.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp 202.153.30.101 smtp 192.168.32.27 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 202.153.30.101 pop3 192.168.32.27 pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 202.153.30.100 https 192.168.32.22 https netmask 255.255.255.255
access-group INTERNET in interface INSIDE
access-group INCOMING_MAIL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 202.153.30.97 1
------------------------

Ignore the HTTPS static NAT; it is additional functionality that is not urgent.

Thanks a lot :)

Hi .. that part of the config seems OK. Can you post the whole config?

Hi,

I sent you the full configuration.

Please advise

Regards

That is not the full configuration. From the command line, type in pager 0 and then show run.

Remove any sensitive information and post the config again.

Hi

Sorry, I sent you the wrong file; here is the right one.

Thanks

Hi

Can anybody help me? :)

Hi,

The configuration seems correct. You have to enable logging and check why the PIX drops the packets.

I don't think that the PIX drops the packets, because I've done telnet to public_ip 25 and 110, but it was not completely successful. Usually, if we telnet to 25 or 110, a welcome message appears from the POP3 or SMTP service, but in my case there is just a blank screen. Is this the correct situation? For your information, I've done telnet to 25 and 110 without passing through the ASA (directly, without static NAT) and the welcome screen appeared.
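A small banner probe, added here as an example and not part of the thread or of any Cisco tooling, that repeats the telnet test described above but reports whether the SMTP/POP3 greeting actually arrives within a timeout, so "connects but stays blank" can be told apart from a healthy service. The "masked" verdict assumes the PIX/ASA SMTP fixup behaviour of replacing server banner text with asterisks; host names and sample banners below are constructed.

```python
"""Banner probe for the symptom in this thread: TCP connect succeeds
on 25/110 but no greeting appears.  Classifies what the server (or the
firewall's inspection engine) sends back right after the handshake."""
import socket

# Greeting prefixes: RFC 5321 for SMTP (220), RFC 1939 for POP3 (+OK).
GREETING_PREFIX = {25: b"220", 110: b"+OK"}


def classify_banner(port, data):
    """Classify the first bytes received after connecting to `port`.

    Returns "ok" (proper greeting), "no-banner" (connection completed but
    nothing was sent before the timeout, the blank screen in the thread),
    "masked" (greeting code present but text replaced by asterisks, which
    is what the PIX/ASA SMTP fixup does; assumption, not from the thread)
    or "unexpected" (data that is not this protocol's greeting)."""
    if not data:
        return "no-banner"
    expected = GREETING_PREFIX.get(port)
    first_line = data.split(b"\r\n", 1)[0]
    if expected is None or not first_line.startswith(expected):
        return "unexpected"
    body = first_line[len(expected):].replace(b" ", b"")
    if body and set(body) <= {ord("*")}:
        return "masked"
    return "ok"


def probe_banner(host, port, timeout=5.0):
    """Connect to host:port, wait up to `timeout` for the greeting and
    return (verdict, raw_bytes_or_error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""  # handshake done, server silent: "no-banner"
    except OSError as exc:
        return "connect-failed", str(exc)
    return classify_banner(port, data), data


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <public ip of the mail relay>
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.test"
    for p in (25, 110):
        verdict, detail = probe_banner(target, p)
        print(f"{target}:{p} -> {verdict} {detail!r}")
```

Run it once against the public address through the ASA and once directly against the relay; a "no-banner" through the firewall next to "ok" directly points at the path through the ASA (inspection or return routing) rather than at the mail service.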