General discussion

ASA Firewall/DMZ issue

By Computer Geek ·
Our network has a DMZ outside of an ASA Firewall. Our mail server sits on the DMZ but we have another mail server internally that was just added. The problem is the external DMZ email server cannot communicate to the internal email server. Anyone know how to configure the ASA to allow mail going from the DMZ email server to the internal server?

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)

by BFilmFan In reply to ASA Firewall/DMZ issue

Most likely the SMTP port 25 is closed.

You can follow the steps here to query it http://www.cni.org/pub/inetroom/SMTP.html

by Computer Geek In reply to

The internal mail server is able to receive mail for all other sources (external as well as from others using the same server). It is only from the mail server outside the firewall in our DMZ that is not reaching the internal mail server.

by BFilmFan In reply to ASA Firewall/DMZ issue

Is there a connector to the external email server?

And what mail program are you using?

by Computer Geek In reply to

The internal mail server is Exchange (2000), the external (DMZ) server is Postfix.

I'm not sure what you mean by connector. It only goes to the DMZ. There's no route into the network itself.

by mshavrov In reply to ASA Firewall/DMZ issue

Since you didn't put the Firewall Vendor, I assume it's Cisco.

Standard scenario for the firewall installation includes the "outside" interface with a security level 1, "inside" interface with a security level 100, and "dmz" with a security level between 1 and 100. You automatically permit any traffic from the higher security level to lower (with appropriate NAT translations configured).

To allow traffic from the lower security level to higher security level you have to create rules for specific traffic. So, if your DMZ-Mail server has to communicate with the LAN-MAIL server, you have to either create a Static NAT Translation (or configure no-NAT), and add rules to permit required traffic.

Good luck,

Mike
----
CCSP, CCNP, CCDP, Security+, MCSE W2K, MCSE+I, etc.
http://www.ciscoheadsetadapter.com
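The two steps Mike describes (a static/no-NAT translation for the inside server, then an explicit permit for the low-to-high flow), written out as an added example that is not from anyone in this thread. Addresses, interface names and the ACL name are assumed: LAN mail server 10.1.1.25 on "inside", DMZ mail server 192.168.100.25 on "dmz", pre-8.3 ASA syntax.

```cisco
! Added example, not from the thread. Constructed addresses:
!   LAN mail server (inside) = 10.1.1.25, DMZ mail server = 192.168.100.25
! Interface names "inside" and "dmz" as in the post; ASA 7.x / 8.0-8.2 syntax.
!
! 1. Identity static (the "no-NAT" option): present the inside server to the
!    dmz interface under its real address so the DMZ host can reach it as 10.1.1.25.
static (inside,dmz) 10.1.1.25 10.1.1.25 netmask 255.255.255.255
!
! 2. Traffic from a lower to a higher security level needs an explicit permit.
!    Allow only SMTP from the DMZ mail host to the LAN mail host; log anything
!    else the DMZ tries to send inward (the implicit deny would drop it silently).
access-list dmz_in extended permit tcp host 192.168.100.25 host 10.1.1.25 eq smtp
access-list dmz_in extended deny ip any any log
access-group dmz_in in interface dmz
!
! 3. Verification (exec commands, not configuration): simulate a DMZ-to-inside
!    SMTP connection through NAT and the ACL, then confirm the permit line's
!    hit counter increases when the Postfix box actually delivers mail.
packet-tracer input dmz tcp 192.168.100.25 1025 10.1.1.25 25
show access-list dmz_in
```

On ASA 8.3 and later the `static` line is replaced by object NAT (`object network` plus `nat (inside,dmz) static`) and access lists reference real, untranslated addresses; the permit line itself stays the same.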

by Computer Geek In reply to

Actually we finally found the correct rule to enter. It did involve creating a static route. Thank you for your help.

by Computer Geek In reply to ASA Firewall/DMZ issue

This question was closed by the author
