Hello,

I have an ASA5505 and I'm stumped.

I have an IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE smtp servers on port 25. I want it to be able to communicate with INSIDE smtp servers, however the packets get dropped.
WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25

Here is the setup:

Interfaces/Vlans:
-Outside
security=0
IP 75.xx.yy.233
-Outside1
security=0 ( backup ISP )
IP 12.xx.yy.154
-Inside
security=100
IP 200.xx.yy.158
-DMZ
security=50
IP 192.168.2.1



Here is my relevant setup:
name 192.168.2.2 WEBSERVER_nat >> on DMZ interface
name 192.168.2.3 WEBSERVER_nat1 >> on DMZ interface
name 75.xx.yy.234 WEBSERVER_real >> public IP of web server
name 12.xx.yy.155 WEBSERVER_real1 >> public IP of web server (round-robin DNS setup)
name 200.xx.yy.10 GATEWAY >> MS ISA server on Inside interface
name 200.xx.yy.11 EXCHANGE >> MS Exchange on Inside interface

global (outside1) 2 interface
global (DMZ) 2 interface
global (outside) 2 interface

nat (inside) 2 GATEWAY 255.255.255.255
nat (inside) 2 EXCHANGE 255.255.255.255

static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (DMZ,outside1) WEBSERVER_real1 WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
static (DMZ,outside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255

access-group ACLIN in interface outside1
access-group ACLIN in interface outside

access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside1 log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended permit tcp any host 75.xx.yy.233 object-group INSIDE_services (smtp)
access-list ACLIN extended permit tcp any host 12.xx.yy.154 object-group INSIDE_services (smtp)
access-list ACLIN extended permit icmp any object-group DMZ (WEBSERVER_real and _real1) object-group DMZ_icmp log
access-list ACLIN extended permit icmp any interface outside object-group OUTSIDE_icmp (echo/reply)
access-list ACLIN extended permit icmp any interface outside1 object-group OUTSIDE_icmp
access-list ACLIN extended permit tcp any object-group DMZ object-group DMZ_services (http/https/ftp)
access-list ACLIN extended permit tcp any eq domain object-group DMZ log
access-list ACLIN extended permit udp any eq domain object-group DMZ log
access-list ACLIN extended deny ip any any log



_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailma...rewall-wizards
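As an added example that is not part of the original post: a small Python checker over a constructed excerpt of the configuration above. It applies two ASA rules that decide a flow before any ACL line is read: a connection from a lower-security to a higher-security interface needs an access-group applied inbound on the ingress interface, and in the pre-8.3 syntax used here a host on interface X gets a fixed address towards interface Y only through a `static (X,Y)` entry (without one, the flow depends on nat-control being disabled). The security levels are the ones listed in the post; the nat-control state is not given and is left as a caveat in the output.

```python
import re

# Security levels as given in the post.
SECURITY = {"outside": 0, "outside1": 0, "inside": 100, "DMZ": 50}

# Constructed excerpt of the posted (pre-8.3 syntax) configuration.
CONFIG = """\
access-group ACLIN in interface outside1
access-group ACLIN in interface outside
static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255
"""


def inbound_acls(config):
    """Map ingress interface -> ACL name from 'access-group NAME in interface IF'."""
    return {m.group(2): m.group(1) for m in
            re.finditer(r"^access-group (\S+) in interface (\S+)", config, re.M)}


def static_pairs(config):
    """Set of (real_if, mapped_if) pairs: pre-8.3 'static (real,mapped)' publishes
    hosts of the real interface on the mapped interface."""
    return set(re.findall(r"^static \((\S+),(\S+)\)", config, re.M))


def check_flow(config, src_if, dst_if):
    """Reasons a connection initiated on src_if towards a host on dst_if is
    refused (or depends on nat-control) before any ACL line is evaluated."""
    findings = []
    if SECURITY[src_if] < SECURITY[dst_if] and src_if not in inbound_acls(config):
        findings.append(
            f"{src_if} ({SECURITY[src_if]}) -> {dst_if} ({SECURITY[dst_if]}) is "
            f"lower-to-higher and no access-group is applied inbound on {src_if}: "
            "the default policy denies it")
    if (dst_if, src_if) not in static_pairs(config):
        findings.append(
            f"no 'static ({dst_if},{src_if})': hosts on {dst_if} have no fixed "
            f"translation towards {src_if}, so the flow needs nat-control disabled")
    return findings


if __name__ == "__main__":
    # The DMZ -> inside flow from the post, plus two flows that already work.
    for flow in (("DMZ", "inside"), ("inside", "DMZ"), ("outside", "inside")):
        print(flow, check_flow(CONFIG, *flow) or ["ok"])
```

For the posted configuration the checker reports the DMZ to inside flow twice (no access-group on DMZ, no `static (inside,DMZ)`), while the inside to DMZ and outside to inside flows, which the post says work, come back clean.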