
Mail forwarding through Cisco ASA 5540

NiiKristall0915
Level 1

I am not a specialist in Cisco. How do I enable access from the Internet to a mail server in the local network through a Cisco ASA 5540?

Please help me.


marce1000
VIP

 

 - You will at least need to familiarize yourself with how to configure policies on your ASA and then allow access to your SMTP server, preferably on a DMZ, which for instance can forward email to the Intranet mail server.

 M.




Cristian Matei
VIP Alumni

Hi,

 

1. If the SMTP server has a public IP address assigned, you just need to allow traffic from the Internet to the SMTP server IP address of x.x.x.x on TCP port 25; you do this via your inbound ACL applied on the outside interface, or via the global ACL (depends on your current implementation).

2. If the SMTP server has a private IP address, in addition to the firewall policy required above, you also need to configure static NAT, ideally static PAT (so only for TCP port 25); it is recommended to use object NAT for this, here's an example to use as a reference.

 

Regards,

Cristian Matei.
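
A static PAT with object NAT plus the matching inbound ACL, as described in point 2 above. This is an added example, not part of the original reply and not Cisco's own sample. The object name MAIL_SRV, the address 10.0.0.25, the interface names inside/outside, the ACL name OUTSIDE_IN and the test addresses are assumptions; the syntax is for ASA software 8.3 and later.

```cisco
! Added example; all names and addresses below are assumptions,
! not values taken from the thread.
!
! Real (private) address of the mail server, with static PAT so that
! only TCP/25 arriving on the outside interface address is translated to it.
object network MAIL_SRV
 host 10.0.0.25
 nat (inside,outside) static interface service tcp smtp smtp
!
! Inbound policy: on 8.3+ the ACL matches the real (untranslated) address,
! so the destination is the object, not the public address.
access-list OUTSIDE_IN extended permit tcp any object MAIL_SRV eq smtp
access-group OUTSIDE_IN in interface outside
!
! Verification: simulate an inbound SMTP connection to the outside
! interface address. 198.51.100.7 (client) and 203.0.113.10 (outside
! interface) are documentation placeholders.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 25
show nat detail
show access-list OUTSIDE_IN
```

If an ACL is already bound inbound on the outside interface, add the permit line to that ACL instead of binding a new one, since `access-group` accepts one ACL per interface and direction.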

I need access to the local server from mail clients outside of the local network.

Hi,

 

   My previous reply still applies, the same things need to be done.

 

Regards,

Cristian Matei.

@Cristian Matei has provided the right information for what you are looking to deploy. Have a look, make the necessary changes and test it, and give input if it is not working.

BB


NiiKristall0915
Level 1
access-list ACL_GLOBAL extended permit ip any any log
access-list ACL_GLOBAL extended permit icmp any any
access-list LIMIT_Office_Net extended permit ip object router.domain.ru any
access-list LIMIT_Office_Net extended permit ip any object router.domain.ru
access-list LIMIT_Office_Net extended permit ip any host 192.168.150.8 inactive
access-list LIMIT_Office_Net extended permit ip host 192.168.151.182 any inactive
access-list LIMIT_Office_Net extended permit ip any host 192.168.151.182 inactive
access-list LIMIT_Office_Net extended permit ip host 192.168.148.136 any inactive
access-list LIMIT_Office_Net extended permit ip any host 192.168.148.136 inactive
access-list LIMIT_Office_Net extended permit ip host 192.168.148.2 any inactive
access-list LIMIT_Office_Net extended permit ip any host 192.168.148.2 inactive
access-list ACL_AnyConnect-VPN-SPLIT standard permit 192.168.144.0 255.255.248.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list LIMIT_Office_Conn extended deny ip object router.domain.ru any
access-list LIMIT_Office_Conn extended permit ip any any
access-list INSIDE_access_in extended permit ip any object mail.domain.ru
access-list INSIDE_access_in extended permit tcp object mail.domain.ru any eq smtp
access-list INSIDE_access_in extended permit tcp any object mail.domain.ru eq smtp
access-list INSIDE_access_in extended permit tcp any object post.r52.ru eq smtp
access-list INSIDE_access_in extended deny tcp 192.168.144.0 255.255.248.0 any eq smtp
access-list ACL_INSIDE extended permit udp host 192.168.144.0 any eq 55777
access-list ACL_OUTSIDE extended permit udp any host 192.168.144.0 eq 55777
nat (INSIDE-5,INET-5) source static mail.domain.ru interface service any smtp
nat (INSIDE-5,INET-5) source static any any destination static NETWORK_OBJ_172.16.55.0_24 NETWORK_OBJ_172.16.55.0_24 no-proxy-arp route-lookup
nat (INSIDE-5,INET-5) source dynamic any interface
access-group INSIDE_access_in in interface INSIDE-5
access-group ACL_GLOBAL global

What do I have to add?

 

Try allowing port 25 on the ASA. Make sure you have internet connectivity.
