
Allowing incoming messages to SMTP server

16 years 2 months ago #27507 by sys-halt
Hi Patiot,

While I was working yesterday I did what you suggested to me before, but it didn't work on mine. I guess I probably did something wrong that is blocking what you suggested.

I tried to inspect the packet sent by the Packet Tracer of the ASDM software. I did a simulation and it always gives me a NAT problem that is dropping the packet.

One was saying: nat (dmz1) 0 0.0.0.0 0.0.0.0
and when I put a nat: nat (dmz1) 1 0.0.0.0 0.0.0.0
it always stops on it and says the packet is dropped because of this nat.

I forgot to get a copy of the configuration and post it back for inspection. I should do it today, hope so, and get back to you with it.

I still think when I try to use ASDM instead of doing it manually it is messing things up. It throws in a lot of deny rules and things specific to it that I don't know about.

Anyway, thanks for your help. I will try what you told me today and copy the config for inspection.
16 years 1 month ago #27515 by Patiot
Please let me know the source interface and destination interface. A sh run would really help.

Mask sensitive info in the sh run.
16 years 1 month ago #27521 by sys-halt
Hi Patiot, it works finally :-) Thanks for your help, it worked fine after I paid attention during the configuration. I was applying your suggestion in the wrong way; then I realized my mistake and the static with access-list you posted worked like magic.

I first did a write erase of everything on both the ASA and the router. I was trying to use the SDM and ASDM and they really messed things up for me, so I built them both from the CLI carefully.

Here is the final design with the working configuration; hope it might be helpful to others.

DSL Modem - Perimeter Router - ASA 5500 Internal Firewall - Our Server
Real IP x.x.x.x - [:Fa0/0 Perimeter Router Fa0/1:] 172.17.1.1
172.17.1.2 [E0/0: ASA E0/2:] 192.168.1.1
192.168.1.3 [Server]

I was trying to get from outside my perimeter router, passing through my internal ASA firewall, to reach my deep inside server with IP 192.168.1.3.

Perimeter Router Basic Configuration:
1. I have put the public IP on FastEthernet 0/0
2. I have put an internal non-routable IP on FastEthernet 0/1

Here I am allowing Remote Desktop, telnet, and SMTP to our mail server from outside and mapping them internally to an internal IP of 172.17.1.3. Once the router receives one of these 3 requests it will redirect them to the internal network, to the ASA firewall; then the ASA firewall will handle port forwarding to another internal IP address, that of the real server.
!
hostname perimeter-router
!
ip name-server Your-DNS-1
ip name-server Your-DNS-2
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address Your-Public-IP Netmask-for-the-IP
ip access-group 100 in
ip nat outside
!
interface FastEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address 172.17.1.1 255.255.255.0
ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Your-Public-Gateway permanent
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.17.1.3 23 Your-Public-IP 23 extendable
ip nat inside source static tcp 172.17.1.3 25 Your-Public-IP 25 extendable
ip nat inside source static tcp 172.17.1.3 3389 Your-Public-IP 3389 extendable
!
access-list 1 permit 172.17.1.0 0.0.0.255
access-list 100 permit tcp any eq 3389 host Your-Public-IP eq 3389
access-list 100 permit tcp any eq telnet host Your-Public-IP eq telnet
access-list 100 permit tcp any eq smtp host Your-Public-IP eq smtp
access-list 100 permit icmp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit ip any any
!


When the perimeter router receives incoming packets on its outside interface it will redirect them to the internal network; the ASA firewall will pick up the packets destined to the IP 172.17.1.3 and forward them to the internal server 192.168.1.3 on its dmz interface.
hostname ciscoasa
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
nameif dmz
security-level 20
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 172.17.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 3
!
access-list 101 extended permit tcp any host 172.17.1.3 eq 3389
access-list 101 extended permit tcp any host 172.17.1.3 eq smtp
access-list 101 extended permit tcp any host 172.17.1.3 eq telnet
global (outside) 1 172.17.1.3 netmask 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.17.1.1 1
Note: watch out for the access-list rule definition on the Cisco ASA firewall. Here I defined a global pool of one IP address, 172.17.1.3, not a range of IP addresses. Since I have defined only one IP in the global outside address, that means my ASA firewall will do PAT. Watch this carefully, because your access-list will not work properly and it could be a major problem. Let me give you an example of what wasted my time so you can benefit from it in the future:
What will not work is if you do the following:
global (outside) 1 172.17.1.3 netmask 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-list 101 extended permit tcp any 3389 host 172.17.1.3 eq 3389
static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
access-group 101 in interface outside
Look at this simple access list: what is different is that I added the source port. But since you are already doing PAT by defining a single IP address of 172.17.1.3 in the global, it will not let you pass from outside to inside. This is what was killing my time for the past 3 days. Only add the source port if you defined a global pool with a range of addresses, as in:
global (outside) 1 172.17.1.3-172.17.1.20 netmask 255.255.255.0
In such a case you have to add the source port for your ASA to function correctly.

Thanks again Patiot, you were a great helper. Hope things now will work fine, otherwise I will get back to you soon, hehehe :-)
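As an added illustration (not code from the thread), the following models the packet path described in the post above: the perimeter router's static NAT, then the ASA's outside interface ACL (evaluated against the mapped address 172.17.1.3 under the pre-8.3 NAT syntax used in the post), then the ASA static to 192.168.1.3. It shows why the ACL entry that also matches a source port of 3389 never permits a normal client, whose TCP source port is ephemeral. The public IP and the client address are constructed placeholders.

```python
# Added example: a small model of the thread's router -> ASA port-forwarding path.
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"          # constructed stand-in for "Your-Public-IP"
# ip nat inside source static tcp 172.17.1.3 <port> Your-Public-IP <port>
ROUTER_STATICS = {(PUBLIC_IP, 23): ("172.17.1.3", 23),
                  (PUBLIC_IP, 25): ("172.17.1.3", 25),
                  (PUBLIC_IP, 3389): ("172.17.1.3", 3389)}
# static (dmz,outside) 172.17.1.3 192.168.1.3 netmask 255.255.255.255
ASA_STATIC = {"172.17.1.3": "192.168.1.3"}

@dataclass
class Ace:
    dst: str
    dport: int
    sport: Optional[int] = None     # "any eq N" source-port clause; None means any source port

# The working access-list 101 from the post, and the variant with a source port added.
WORKING_ACL = [Ace("172.17.1.3", 3389), Ace("172.17.1.3", 25), Ace("172.17.1.3", 23)]
BROKEN_ACL = [Ace("172.17.1.3", 3389, sport=3389)]

def acl_permits(acl, dst, dport, sport):
    """First-match evaluation with an implicit deny, like an ASA interface ACL."""
    for ace in acl:
        if ace.dst == dst and ace.dport == dport and (ace.sport is None or ace.sport == sport):
            return True
    return False

def forward(acl, src, sport, dst, dport):
    """Return (server IP, port) the packet reaches, or None if it is dropped on the way."""
    # 1. Perimeter router: static PAT rewrites Your-Public-IP:port to 172.17.1.3:port.
    inside = ROUTER_STATICS.get((dst, dport))
    if inside is None:
        return None
    dst, dport = inside
    # 2. ASA: access-group 101 in interface outside, checked against the mapped 172.17.1.3.
    if not acl_permits(acl, dst, dport, sport):
        return None
    # 3. ASA: static (dmz,outside) delivers the packet to the real server on the dmz.
    return ASA_STATIC[dst], dport

if __name__ == "__main__":
    client = ("198.51.100.7", 51234)    # constructed client using an ephemeral source port
    print(forward(WORKING_ACL, *client, PUBLIC_IP, 3389))   # ('192.168.1.3', 3389)
    print(forward(BROKEN_ACL, *client, PUBLIC_IP, 3389))    # None: source port 51234 != 3389
```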
16 years 1 month ago #27524 by Patiot
Great news, my friend!!!

Thanks
Patiot
15 years 2 months ago #32145 by saintpi
Thanks Sys-Halt.
I applied your config to my situation and it worked like magic. I have been having a nightmare trying to get SMTP traffic to my new Exchange server, which happens to be on the inside LAN behind a PIX firewall just like yours. One change I made was removing the word "extended" from the access-list statement on the PIX; my PIX 515E 6.3 refused to accept it. Also, I had to work without a DMZ, using a different public IP from my network's public IP in the same subnet.
Thanks a million.