allowing incoming messages to SMTP Server

16 years 2 months ago #27466 by sys-halt
hello everyone, I have the following design:

DSL Modem
Router2801
ASA 5505 ---- FrontEnd Exchange 2007 (SMTP Server)

could you please guide me on the procedures that I need to make in order to allow the incoming messages from our ISP to pass through the router and the ASA to our SMTP Server.

our ISP will simply forward (relay) the SMTP traffic to us, so the incoming mails will not be stored on our ISP server; they will just simply forward any incoming messages to us to be received and stored on our SMTP Server.

I want to know what is the way I should think of to make this happen. What should I allow to pass from outside to inside to my SMTP server?

do I only have to create an ACL on the router and ASA to pass traffic coming on port 25 to our SMTP server?
16 years 2 months ago #27482 by Patiot
Hello Sys-halt,

Regarding your network design, if the firewall is doing the NAT then you would have to create a NAT or a PAT translation (depending on your requirements).

Consider a scenario like this:

ASA 5505 (Translations) ---- FrontEnd Exchange 2007 (SMTP Server)

i.e. the translations are done by the firewall and not by the router.

i. Say your internal email server's IP is 192.168.10.10.
ii. Say you have a public IP x.x.x.x.
iii. Say you need to direct traffic on port z (POP or IMAP). And assume that you have an outside ACL already configured as outside_acl.


According to this scenario, in which the firewall is doing the NAT translations, you will need the following statements on the firewall.

1. static (inside,outside) tcp x.x.x.x z 192.168.10.10 z netmask 255.255.255.255
(this statement redirects all traffic that hits the public IP x.x.x.x on port z to 192.168.10.10 (email server) port z.)
2. You need an appropriate access list on the outside interface to permit traffic:
access-list outside_acl permit tcp any host x.x.x.x eq z



These two statements are sufficient considering the firewall.

If you have any questions please let me know.

Thanks
Patiot
16 years 2 months ago #27494 by sys-halt
hello patiot, thanks for your reply, really appreciated. I will work on it today once I get to work.

yes, my firewall is doing NAT for the inside and dmz1 interfaces to the outside interface.

my outside interface has an IP of 172.17.1.1 connected to my router's inside interface of 172.17.1.2, and then NATting from my router to the Internet.


I did kind of try what you have suggested.

I was trying also to allow remote desktop connection from out to in:

access-list 110 extended permit tcp any host 172.17.1.1 eq 3389
static (dmz1,outside) 172.17.1.1 192.168.1.3 netmask 255.255.255.255
access-group 110 in interface outside

my SMTP server IP is: 192.168.1.3
my external ASA interface IP is: 172.17.1.1

so I was trying to allow RDP from the outside interface to my SMTP server through the ASA.

I thought that if this worked fine, I would do the same access-list to allow SMTP traffic on port 25.
16 years 2 months ago #27495 by sys-halt
I have read that since I am doing NAT on the firewall, I have to create a mapped IP address and not use my firewall's outside IP.

like, if my outside IP is 172.17.1.1, I would have to create a mapped IP in the same subnet, such as 172.17.1.5, and map this IP to my internal server.

but I don't know what that is supposed to mean, or how to create a mapped IP on my firewall's external interface.

Is this idea true?
16 years 2 months ago #27496 by sys-halt
okay, I just found an article on the Cisco website talking about PIX/ASA NAT and PAT, Document ID: 64758. I found that the mapped IP is nothing other than one of the global pool range I made during NAT creation. I did a NAT pool range from 172.17.1.100-172.17.1.150 on my outside interface of the ASA, so a mapped IP address is one of the IPs in the range I specified, like 172.17.1.110.

so it sounds like I have to map this IP and not use my ASA's real interface IP, 172.17.1.1 :-)

I should try this soon. Thanks all for your help. I will get back to you soon.
16 years 2 months ago #27497 by Patiot
Creating a pool on the outside is also correct, but it is not mandatory to create a pool.

You can just perform a static without even defining a pool.

Say you have an IP on the outside, 172.17.1.149.

you can just forget about the pool and define a static:

static (inside,outside) 172.17.1.149 inside-ip netmask 255.255.255.255

access-list 110 extended permit tcp any host 172.17.1.149 eq port-that-you-want

In your situation it seems that you have multiple outside IPs, so you can create a static NAT instead of a PAT.

Thanks
Patiot
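A small sanity check for the two pitfalls this thread turns on (a static that reuses the ASA's own outside address, and a host static written with a subnet mask), plus an ACL-to-static match. This is an added example in Python, not code from the thread or from Cisco; it parses the pre-8.3 `static`/`access-list` syntax quoted above, and the sample config and the outside interface address 172.17.1.1 are constructed from the posts.

```python
import ipaddress

# Added example, not from the thread or from Cisco: a consistency check for the
# pre-8.3 ASA "static" + "access-list" pairs discussed above.

def parse_static(line):
    """Parse 'static (real,mapped) [tcp|udp] mIP [mPort] rIP [rPort] netmask M'."""
    toks = line.split()
    real_if, mapped_if = toks[1].strip("()").split(",")
    body = toks[2:]
    proto = body.pop(0) if body[0] in ("tcp", "udp") else None
    n = body.index("netmask")
    mask, body = body[n + 1], body[:n]
    if proto:
        mapped_ip, mapped_port, real_ip, real_port = body
    else:
        (mapped_ip, real_ip), mapped_port, real_port = body, None, None
    return {"real_if": real_if, "mapped_if": mapped_if, "proto": proto, "mask": mask,
            "mapped_ip": mapped_ip, "mapped_port": mapped_port,
            "real_ip": real_ip, "real_port": real_port}

def audit(config, outside_if_ip):
    """Return a list of findings for the statics and ACL permits in config."""
    statics, acls, findings = [], [], []
    for line in (l.strip() for l in config.strip().splitlines()):
        if line.startswith("static "):
            statics.append(parse_static(line))
        elif line.startswith("access-list ") and " permit " in line:
            t = line.split()
            acls.append((t[t.index("host") + 1], t[t.index("eq") + 1]))
    for s in statics:
        if s["mapped_ip"] == outside_if_ip:
            findings.append(f"static uses the outside interface address {outside_if_ip} as mapped IP; use a separate mapped IP")
        if s["mask"] != "255.255.255.255":
            net = ipaddress.ip_network(f"{s['mapped_ip']}/{s['mask']}", strict=False)
            findings.append(f"netmask {s['mask']} makes a net static covering {net}; a single server needs 255.255.255.255")
    for ip, port in acls:
        if not any(s["mapped_ip"] == ip and s["mapped_port"] in (None, port) for s in statics):
            findings.append(f"ACL permits {ip}:{port} but no static translates that mapped IP/port")
    return findings

# Constructed sample, modelled on the first attempt posted in the thread.
SYSHALT_CFG = """static (dmz1,outside) 172.17.1.1 192.168.1.3 netmask 255.255.255.255
access-list 110 extended permit tcp any host 172.17.1.1 eq 3389"""

if __name__ == "__main__":
    for f in audit(SYSHALT_CFG, "172.17.1.1"):
        print("FINDING:", f)
```

Running it on the constructed sample reports the interface-address problem; the same check run on the later suggestion with a separate mapped IP, a /32 mask and a matching ACL returns no findings.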