11-05-2007 06:22 PM - edited 03-09-2019 07:14 PM
I have a problem when publishing my mail server in the DMZ. I've already tested by using telnet [public ip of spam filter] 25 and 110 from outside, and it succeeds. But when I check the message log on my spam filter, no message is received from outside. My spam filter acts as a mail relay agent and is located in the DMZ. When I failed with the ASA, I switched back to the Linux firewall and had no problem. Please help me to solve this.
11-05-2007 07:43 PM
Hi ..
It could be an SMTP application inspection issue. Please post your configs without sensitive information.
11-07-2007 06:20 PM
Hi,
Here is our configuration using nat and access list.
---------------------------
access-list INTERNET extended permit ip any any
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 eq smtp
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 eq pop3
access-list INCOMING_MAIL extended permit icmp any host 202.153.30.110
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 range ftp ftp-data
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.100 eq https
access-list INCOMING_MAIL extended permit tcp any host 202.153.30.101 eq www
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp permit any INSIDE
icmp permit any OUTSIDE
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.32.0 255.255.255.0
static (INSIDE,OUTSIDE) tcp 202.153.30.101 smtp 192.168.32.27 smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 202.153.30.101 pop3 192.168.32.27 pop3 netmask 255.255.255.255
static (INSIDE,OUTSIDE) tcp 202.153.30.100 https 192.168.32.22 https netmask 255.255.255.255
access-group INTERNET in interface INSIDE
access-group INCOMING_MAIL in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 202.153.30.97 1
------------------------
Ignore the https static NAT; it is additional functionality that is not urgent.
Thanks a lot :)
11-07-2007 07:17 PM
Hi .. that part of the config seems OK. Can you post the whole config?
11-07-2007 11:39 PM
11-08-2007 11:55 AM
That is not the full configuration. From the command line type in pager 0 and then show run,
remove any sensitive information and post the config again.
11-08-2007 06:07 PM
11-11-2007 08:45 PM
Hi
Can anybody help me? :)
11-11-2007 11:59 PM
Hi,
The configuration seems correct. You have to enable logging and check why the PIX drops the packets.
11-12-2007 02:16 AM
I don't think that the PIX drops the packet, because I've done telnet to public_ip 25 and 110, but it is not completely successful. Usually, if we telnet to 25 or 110, a welcome message appears from the POP3 or SMTP service, but in my case there is just a blank screen. Is this the correct situation? For your information, I've done telnet to 25 and 110 without passing through the ASA (directly, without static NAT) and the welcome screen appeared.
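A small check that separates the "blank screen" described above from a banner that a firewall's ESMTP inspection has masked with asterisks; this is added example code, not from the thread or from Cisco, and the default target address is a placeholder (pass the real public IP on the command line):

```python
import socket
import sys

# Added diagnostic (not from the thread): connect to TCP/25, wait for the
# greeting, and classify what arrives so a silent connection, a masked banner
# and a normal greeting can be told apart.


def classify_banner(data):
    """Classify the first bytes read after connecting to port 25.

    'no-banner' - nothing arrived before the read timeout (the thread's symptom)
    'masked'    - a 220 reply whose text is only asterisks (banner obfuscation
                  by an inspecting firewall)
    'greeting'  - a normal 220 greeting carrying a hostname
    'other'     - any other reply code or unexpected data
    """
    if not data.strip():
        return "no-banner"
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace").strip()
    if not line.startswith("220"):
        return "other"
    text = line[3:].lstrip(" -")           # drop the code and a 220- continuation dash
    if text and set(text.replace(" ", "")) <= {"*"}:
        return "masked"
    return "greeting"


def probe_banner(host, port=25, timeout=10.0):
    """Connect, wait up to `timeout` seconds for the greeting and classify it.
    Connect failures are reported separately so they are not confused with a
    connection that completes but then stays silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                data = b""
            return classify_banner(data), data
    except ConnectionRefusedError:
        return "refused", b""
    except socket.timeout:
        return "timeout", b""


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder address
    verdict, raw = probe_banner(target, 25)
    print(f"{target}:25 -> {verdict} {raw!r}")
```

Run it once against the public (static NAT) address and once from the DMZ directly against the relay; a "greeting" direct but "no-banner" or "masked" through the ASA points at the inspection path rather than the ACL or NAT.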