Firewall Wizards mailing list archives
Re: DMZ to INSIDE Communication
From: Victor Williams <vbwilliams () neb rr com>
Date: Thu, 11 Oct 2007 18:30:22 -0500
You need to apply an access list on your DMZ that allows it to talk to servers on the inside...in this case specifically an SMTP server. That means another access-group line as well as an accompanying access-list.

chris mr wrote:
Hello, I have an ASA5505 and I'm stumped. I have an IIS SMTP server on the DMZ and it is able to communicate with OUTSIDE smtp servers on port 25. I want it to be able to communicate with INSIDE smtp servers, however the packets get dropped.

WEBSERVER:gt1023---------->DMZ>>>INSIDE---xx--->EXCHANGE:25

Here is the setup:

Interfaces/Vlans:
-Outside security=0 IP 75.xx.yy.233
-Outside1 security=0 ( backup ISP ) IP 12.xx.yy.154
-Inside security=100 IP 200.xx.yy.158
-DMZ security=50 IP 192.168.2.1

Here is my relevant setup:

name 192.168.2.2 WEBSERVER_nat >> on DMZ interface
name 192.168.2.3 WEBSERVER_nat1 >> on DMZ interface
name 75.xx.yy.234 WEBSERVER_real >> public IP of web server
name 12.xx.yy.155 WEBSERVER_real1 >> public IP of web server (round-robin DNS setup)
name 200.xx.yy.10 GATEWAY >> MS ISA server on Inside interface
name 200.xx.yy.11 EXCHANGE >> MS Exchange on Inside interface

global (outside1) 2 interface
global (DMZ) 2 interface
global (outside) 2 interface
nat (inside) 2 GATEWAY 255.255.255.255
nat (inside) 2 EXCHANGE 255.255.255.255

static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (inside,outside1) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
static (DMZ,outside1) WEBSERVER_real1 WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real1 WEBSERVER_nat1 netmask 255.255.255.255
static (DMZ,outside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255 tcp 0 25
static (DMZ,inside) WEBSERVER_real WEBSERVER_nat netmask 255.255.255.255

access-group ACLIN in interface outside1
access-group ACLIN in interface outside

access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside log
access-list ACLIN extended deny ip 10.0.0.0 255.0.0.0 interface outside1 log
access-list ACLIN extended deny ip 192.168.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended deny ip 172.16.0.0 255.255.0.0 interface outside1 log
access-list ACLIN extended permit tcp any host 75.xx.yy.233 object-group INSIDE_services (smtp)
access-list ACLIN extended permit tcp any host 12.xx.yy.154 object-group INSIDE_services (smtp)
access-list ACLIN extended permit icmp any object-group DMZ (WEBSERVER_real and _real1) object-group DMZ_icmp log
access-list ACLIN extended permit icmp any interface outside object-group OUTSIDE_icmp (echo/reply)
access-list ACLIN extended permit icmp any interface outside1 object-group OUTSIDE_icmp
access-list ACLIN extended permit tcp any object-group DMZ object-group DMZ_services (http/https/ftp)
access-list ACLIN extended permit tcp any eq domain object-group DMZ log
access-list ACLIN extended permit udp any eq domain object-group DMZ log
access-list ACLIN extended deny ip any any log

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
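What Victor's reply amounts to, written out as an added example ASA configuration (editor's illustration, not text from either poster). The host names WEBSERVER_nat, WEBSERVER_nat1 and EXCHANGE are the ones defined in chris's config; the ACL name DMZ_IN, the inside subnet placeholder, and the choice to deny everything else on the inside are assumptions. The point it makes beyond the thread: on an ASA, traffic from a lower-security interface (DMZ, 50) to a higher-security one (inside, 100) is dropped unless an inbound ACL on the lower interface permits it, and the moment such an ACL is applied the implicit "DMZ may talk to anything less secure" rule disappears too, so the ACL has to restate what the DMZ is still allowed to reach on the outside.

```cisco
! Added example, not part of the original thread.
! Assumed ACL name: DMZ_IN. Assumed placeholder for the inside network: INSIDE_NET / INSIDE_MASK.

! Only the two DMZ web servers, and only SMTP, and only to the Exchange server.
access-list DMZ_IN extended permit tcp host WEBSERVER_nat host EXCHANGE eq smtp
access-list DMZ_IN extended permit tcp host WEBSERVER_nat1 host EXCHANGE eq smtp

! Nothing else from the DMZ may reach the inside network. Logged so a compromised
! DMZ host probing inward shows up in syslog.
access-list DMZ_IN extended deny ip any INSIDE_NET INSIDE_MASK log

! Restore what the DMZ could already do before an ACL was bound to it:
! outbound to the (lower-security) outside interfaces, e.g. SMTP to external MTAs.
access-list DMZ_IN extended permit ip any any

! Bind the list inbound on the DMZ interface; this is the second access-group
! line Victor refers to (ACLIN already covers outside and outside1).
access-group DMZ_IN in interface DMZ
```

Two checks worth running after applying it. First, `packet-tracer input DMZ tcp 192.168.2.2 1025 <EXCHANGE-IP> 25` walks the packet through ACL, NAT and routing and names the phase that drops it, which is far quicker than staring at hit counts; `show access-list DMZ_IN` then confirms the permit line is the one being matched. Second, because of the `static (DMZ,inside)` entries already in the config, the Exchange server will see the connection arriving from WEBSERVER_real (the public address), not from 192.168.2.x, so any IP-based relay or connector restriction on Exchange, or a rule on the ISA box, must list that address rather than the DMZ-side one.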
Current thread:
- DMZ to INSIDE Communication chris mr (Oct 11)
- Re: DMZ to INSIDE Communication Darden, Patrick S. (Oct 12)
- Re: DMZ to INSIDE Communication Victor Williams (Oct 12)
- <Possible follow-ups>
- Re: DMZ to INSIDE Communication chris mr (Oct 15)
- Re: DMZ to INSIDE Communication Anthony (Oct 19)