- Posts: 3
- Thank you received: 0
Help allowing SMTP/IMAP through Cisco 5510
We are using the ASDM gui to access the router/firewall hardware via management port. Please be aware that nobody here has any significant experience working with it, either the gui or the command line.
My company has asked us to setup an internal email sever for one domain of the 2 it owns. Inside the network, any mail client can connect to the email server, and it can even send traffic out to other mail servers.
But, as you can imagine, port 25 is closed to anyone outside the network. From the research we have done both on this site and elsewhere, we have come to understand that 1) there must be a rule to allow smtp traffic through the firewall and 2) that traffic must be properly routed to the private internal email server address.
What I don't understand is how the Cisco hardware interfaces with our internal DNS servers. We setup a access rule to allow any external host using smtp port 25 to see our public external IP address, and thought that the Cisco hardware would be able to see our internal DNS records and properly forward this traffic to our email server.
Other people say that we must create some sort of NAT rule, to map our external IP address directly to the private internal IP address of the mail server, but we are hesitant to do this because 1) we are afraid ALL traffic to our external IP will end up mapped to the email server and/or 2) even if we specify only smtp/imap services to use the NAT as configured, ALL smtp traffic will go to the email server, which we do not want bc we have smtp traffic for a different 3rd part email provider on our network as well.
If anyone could offer some tips or link, we'd be very grateful. Essentially: we want email traffic for ONE domain of a few, to be properly allowed to pass and route to the corresponding Internal email server we've setup, and to do so using the gui.
Cheers,
jay
I think I know what you want to do but let me confirm a few things ok ?
and thought that the Cisco hardware would be able to see our internal DNS records and properly forward this traffic to our email server.
Do you mean you want to use your MX record (like mail.company.com) on your internal network to send mail ? If this is the case you will need to use DNS doctoring. Because mail.company.com points to the outside IP adres of the ASA you cant use it from the inside network. The ASA will see this as an IP spoofing attack and block it unless you use the dns keyword at the end of your static NAT translation.
Other people say that we must create some sort of NAT rule, to map our external IP address directly to the private internal IP address of the mail server
Yes this is true. In order to use DNS doctoring on the ASA you will need to make a so called 1 on 1 translation. This means 1 external IP address for 1 internal IP address.
we are afraid ALL traffic to our external IP will end up mapped to the email server
No worries here you will still need to allow traffic with an access-list. By default there is a security level of 0 on the outside interface and a security level of 100 on the inside. Traffic can always go from high to low but never from low to high unless configured otherwise.
even if we specify only smtp/imap services to use the NAT as configured, ALL smtp traffic will go to the email server, which we do not want bc we have smtp traffic for a different 3rd part email provider on our network as well.
If you have a range of public IP addresses you can just pick a different one for yourself or the 3rd party mail server. Just keep in mind that you have to change the MX records if you switch IP addresses.
we want email traffic for ONE domain of a few, to be properly allowed to pass and route to the corresponding Internal email server we've setup,
Again this is possible with the use of access-lists.
and to do so using the gui.
Well umm...yea there's this nice thing in the gui under the tools section... It's called command line interface
If you can confirm this is what you want then I can help you.
Regards,
Ron
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
The website and domain in question is hosted by hostmonster.com at the moment. I have successfully setup the DNS's MX record there to point to our network's public IP address. I've used checkdns.com to verify it attempts to connect to it, and port 25 times out.
We will only be hosting the email for this particular domain. Inside our network, I've setup our DNS server (a windows 2003 server machine) with a zone for mail.thedomain.com: an A record mail.thedomain.com for the internal static IP address; and MX record to mail.thedomain.com pointing toward that A record. I also setup the DNS on the server machine that will host the mail (Mac OS X Snow leopard) to accept responsibility for the domain's mail). Inside our network, it works like a charm - we can send mail to each other, and it can also send mail out to the world.
Do you mean you want to use your MX record (like mail.company.com) on your internal network to send mail ? If this is the case you will need to use DNS doctoring. Because mail.company.com points to the outside IP adres of the ASA you cant use it from the inside network. The ASA will see this as an IP spoofing attack and block it unless you use the dns keyword at the end of your static NAT translation.
I follow what you mean about ip spoofing, but am a bit confused because the mail server does in fact work inside the network, and sends mail out (higher to lower security is always allowed implicitly if I've read correctly). Do you mean that because the mail.thedomain.com DNS records I setup exist inside our network, that it interprets the mail.thedomain.com traffic from hostmonster's DNS as an ip spoof?
Yes this is true. In order to use DNS doctoring on the ASA you will need to make a so called 1 on 1 translation. This means 1 external IP address for 1 internal IP address.
Ok, is DNS Doctoring a program native to the Cisco software, or is it something that needs to be installed like a plugin on top; or is it simply a term for creating a certain policy/rule? I haven't seen it in the ASDM gui.
As far as making the 1-1 translation, I think this means a NAT rule for the external ip to the machine's internal ip. If I do this, will it not direct all traffic for the public address to the mail machine? I cannot take complete ownership of the external ip address's ports because other services are configured to use it. It looks like my company owns a block of IP address - would you suggest taking ownership of one ip from the block and creating a permanent 1 to 1 NAT translation? I don't know if I am authorized to do this at my company, lol.
In addition, my boss said that the Cisco hardware interacts with the DNS server on our network, and our DNS entries should automatically tell it what to do with the traffic and NATing wouldn't be necessary.
No worries here you will still need to allow traffic with an access-list. By default there is a security level of 0 on the outside interface and a security level of 100 on the inside. Traffic can always go from high to low but never from low to high unless configured otherwise.
Ah ok I think I see what you mean. Even if we map port 25 SMTP traffic for the external ip to our internal machine for mail.thedomain.com, the email traffic for a second domain we have here won't have issues contacting ITS external email server (rackspace is the host). But, what if we setup a second email server on our network to takeover that second domain? Wouldn't this static NAT connection be a problem?
If you have a range of public IP addresses you can just pick a different one for yourself or the 3rd party mail server. Just keep in mind that you have to change the MX records if you switch IP addresses.
Going back to what I mentioned above, we will eventually want to internalize the email for BOTH domains we own, on 2 different machines. It seems you are suggesting the best way to prepare for that is, as mentioned above, to specifically grab 1 ip from the range/block we own, and dedicate it for the traffic for each domain. Sounds correct?
Again this is possible with the use of access-lists.
That's the part I think we got right. We created a rule to allow only SMTP traffic for the external ip address to reach the internal mail server; yet the port still times out. Again, the boss says the firewall/router checks out DNS server and should know to route the traffic to it. Inside our network, I can telnet a smtp session to mail.thedomain.com, so the internal DNS seems setup correctly. In the end, it seems like I will have to tell him he's wrong and that we must create a NAT rule of some kind... ?
Or maybe, The internal DNS records are completely off. I'd think the way we set it up as mentioned wayabove would be correct.
Well umm...yea there's this nice thing in the gui under the tools section... It's called command line interface
Yeh see, the reason we want to use the gui is so we can immediately undo any wrong changes we make. I don't have enough knowledge of the ASA command line to be able to do it. To highlight what Cisco newbs we are and give you a chuckle, here's an example: we accidentally created a rule in our testing that subverted the implicit rule to allow higher>lower security traffic, thereby taking down the internet company wide. With the gui we immediately undid it - at the command line we may have been screwed.
Cheers Ron and thanks for your input, I know I write walls of text but I'm trying to be thorough.
If you can send email to each other and to others but cant receive it its probally a configuration error in the ASA. Could you please post the configuration of the ASA (go to tools -> command line -> show run). Don't forget to mask out the important stuff like passwords and external IP addresses.
To answer your question about DNS doctoring. It's just a term that we (as in people working at the company here) use alot. It not something that you have to install. All you need to do is add the "dns" keyword at the end of your static NAT configuration in the CLI.
Regards,
ron
*edit*
That's the part I think we got right. We created a rule to allow only SMTP traffic for the external ip address to reach the internal mail server; yet the port still times out.
There's your problem. You need to make the access list like this:
[code:1]access-list outside_smtp_in permit tcp any host "external ip" eq 25[/code:1]
This way you allow anyone on the internet to send mail to the external ip address you configure in the access list. And because you made a static NAT translation the ASA will forward the traffic to the correct inside host.
You could also change the any command to specific IP addressses but theres a whole lot of SMTP servers out there....
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
I will also get a copy of the ASA config posted as you requested with private data masked. I am also thinking of posting a masked screenshot of GUI areas we're dealing with so everyone who prefers (to learn) this interface might be able to find some answers.
Stay tuned...