You need to apply an access list on your DMZ that allows it to talk to
servers on the inside...in this case specifically an SMTP server. That
means another access-group line as well as an accompanying access-list.

chris mr wrote:
> Hello,
>
> I have an ASA5505 and I'm stumped.
>
> I have an IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE smtp servers on port 25. I want it to be able to communicate with INSIDE smtp servers, however the packets get dropped.
> WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25
>
> Here is the setup:
>
> Interfaces/Vlans:
> -Outside
> security=0
> IP 75.xx.yy.233
> -Outside1
> security=0 ( backup ISP )
> IP 12.xx.yy.154
> -Inside
> security=100
> IP 200.xx.yy.158
> -DMZ
> security=50
> IP 192.168.2.1
>
>
>
> Here is my relevant setup:
> name 192.168.2.2 WEBSERVER_nat >> on DMZ interface
> name 192.168.2.3 WEBSERVER_nat1 >> on DMZ interface
> name 75.xx.yy.234 WEBSERVER_real >> public IP of web server
> name 12.xx.yy.155 WEBSERVER_real1 >> public IP of web server (round-robin DNS setup)
> name 200.xx.yy.10 GATEWAY >> MS ISA server on Inside interface
> name 200.xx.yy.11 EXCHANGE >> MS Exchange on Inside interface
>
> global (outside1) 2 interface
> global (DMZ) 2 interface
> global (outside) 2 interface
>
> nat (inside) 2 GATEWAY 255.255.255.255
> nat (inside) 2 EXCHANGE 255.255.255.255
>
> static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
> static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
> static (DMZ,outside1) WEBSERVER_real1 WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
> static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
> static (DMZ,outside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
> static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255
>
> access-group ACLIN in interface outside1
> access-group ACLIN in interface outside
>
> access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside log
> access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside log
> access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside log
> access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside1 log
> access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside1 log
> access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside1 log
> access-list ACLIN extended permit tcp any host 75.xx.yy.233 object-group INSIDE_services (smtp)
> access-list ACLIN extended permit tcp any host 12.xx.yy.154 object-group INSIDE_services (smtp)
> access-list ACLIN extended permit icmp any object-group DMZ (WEBSERVER_real and _real1) object-group DMZ_icmp log
> access-list ACLIN extended permit icmp any interface outside object-group OUTSIDE_icmp (echo/reply)
> access-list ACLIN extended permit icmp any interface outside1 object-group OUTSIDE_icmp
> access-list ACLIN extended permit tcp any object-group DMZ object-group DMZ_services (http/https/ftp)
> access-list ACLIN extended permit tcp any eq domain object-group DMZ log
> access-list ACLIN extended permit udp any eq domain object-group DMZ log
> access-list ACLIN extended deny ip any any log
>
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards
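The DMZ access list and access-group the reply calls for, written out as an added example (not configuration from the original thread), reusing the names defined in the post. It assumes pre-8.3 ASA NAT syntax, an ACL name of ACLDMZ, and that the inside network is 200.xx.yy.0/24; once an ACL is bound to the DMZ, the implicit permit toward lower-security interfaces disappears, so the outbound traffic the web server already depends on is permitted explicitly too.

```cisco
! Added example, not from the original post. Assumes names from the post,
! pre-8.3 NAT syntax, and inside network 200.xx.yy.0/24 (assumption).
access-list ACLDMZ remark DMZ web/SMTP hosts may relay mail to Exchange on the inside
access-list ACLDMZ extended permit tcp host WEBSERVER_nat host EXCHANGE eq smtp
access-list ACLDMZ extended permit tcp host WEBSERVER_nat1 host EXCHANGE eq smtp
access-list ACLDMZ remark Everything else on the inside stays unreachable from the DMZ
access-list ACLDMZ extended deny ip any 200.xx.yy.0 255.255.255.0 log
access-list ACLDMZ remark Outbound traffic the web server already uses (SMTP and DNS)
access-list ACLDMZ extended permit tcp host WEBSERVER_nat any eq smtp
access-list ACLDMZ extended permit tcp host WEBSERVER_nat1 any eq smtp
access-list ACLDMZ extended permit udp host WEBSERVER_nat any eq domain
access-list ACLDMZ extended permit udp host WEBSERVER_nat1 any eq domain
access-list ACLDMZ extended deny ip any any log
!
access-group ACLDMZ in interface DMZ
!
! Pre-8.3 NAT: a lower-security interface needs a translation for the
! inside host it connects to. If the ASA logs "no translation group found"
! for DMZ->EXCHANGE, an identity static makes EXCHANGE reachable at its
! real address from the DMZ (mirrors the static already present for outside).
static (inside,DMZ) EXCHANGE EXCHANGE netmask 255.255.255.255
```

Verify with `packet-tracer input DMZ tcp WEBSERVER_nat 1025 EXCHANGE 25`, which shows which ACL or NAT phase drops the flow before any mail is sent.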