Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DMZ to INSIDE Communication

From: Victor Williams <vbwilliams () neb rr com>
Date: Thu, 11 Oct 2007 18:30:22 -0500
You need to apply an access list on your DMZ that allows it to talk to 
servers on the inside...in this case specifically an SMTP server.  That 
means another access-group line as well as an accompanying access-list.

chris mr wrote:

Hello,

I have an ASA5505 and I'm stumped.  

I have a IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE smtp servers on port 25.  I want it to 
be able to communicate with INSIDE smtp servers, however the packets get dropped.  
WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25

Here is the setup:

Interfaces/Vlans:
-Outside 
        security=0
        IP 75.xx.yy.233
-Outside1 
        security=0 ( backup ISP )
        IP 12.xx.yy.154
-Inside 
        security=100
        IP 200.xx.yy.158
-DMZ 
        security=50
        IP 192.168.2.1



Here is my relevant setup:
name 192.168.2.2 WEBSERVER_nat  >> on DMZ interface
name 192.168.2.3 WEBSERVER_nat1 >> on DMZ interfce
name 75.xx.yy.234 WEBSERVER_real >> public IP of web server
name 12.xx.yy.155 WEBSERVER_real1 >> public IP of web server (round-robin DNS setup)
name 200.xx.yy.10 GATEWAY >> MS ISA server on Inside interface
name 200.xx.yy.11 EXCHANGE >> MS Exchange on Inside interface

global (outside1) 2 interface
global (DMZ) 2 interface
global (outside) 2 interface

nat (inside) 2 GATEWAY 255.255.255.255
nat (inside) 2 EXCHANGE 255.255.255.255

static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (DMZ,outside1) WEBSERVER_real1 WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
static (DMZ,outside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255

access-group ACLIN in interface outside1
access-group ACLIN in interface outside

access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside1 log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended permit tcp any host 75.xx.yy.233 object-group INSIDE_services (smtp)
access-list ACLIN extended permit tcp any host 12.xx.yy.154 object-group INSIDE_services (smtp)
access-list ACLIN extended permit icmp any object-group DMZ (WEBSERVER_real and _real1) object-group DMZ_icmp log
access-list ACLIN extended permit icmp any interface outside object-group OUTSIDE_icmp (echo/reply)
access-list ACLIN extended permit icmp any interface outside1 object-group OUTSIDE_icmp
access-list ACLIN extended permit tcp any object-group DMZ object-group DMZ_services (http/https/ftp)
access-list ACLIN extended permit tcp any eq domain object-group DMZ log
access-list ACLIN extended permit udp any eq domain object-group DMZ log
access-list ACLIN extended deny ip any any log


       
____________________________________________________________________________________
Be a better Globetrotter. Get better travel answers from someone who knows. Yahoo! Answers - Check it out.
http://answers.yahoo.com/dir/?link=list&sid=396545469
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

  


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: