  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1367

SMTP Access from 'Inside' to 'DMZ' - Cisco ASA 5510

Hello all,

Over the weekend, I configured our new Cisco ASA 5510 to sit in front of our network.  I followed the Cisco white paper at http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/dmz.html#wp1046205, and so far everything works, with one exception.  The one thing I seem to have a problem with is SMTP access from devices on 'Inside' trying to make an SMTP connection to devices that are on the 'DMZ'.  These are devices like our phone system and other internal servers that need to send mail.

On our ASDM box, I'm seeing the following when a connection attempt is made:
106001: Inbound TCP connection denied from 192.168.1.153/25 to 192.168.1.1/xxxx flags RST on interface dmz

I've played around with different access list entries, but all they did was clear the severity of the message on the ASDM to:
106015: Deny TCP (no connection) from 192.168.1.153/25 to 192.168.1.1/xxx flags RST on interface dmz

Any ideas?

Thanks,
Vincent
: Saved
:
ASA Version 7.0(8) 
!
hostname shasa1
domain-name ourdomain.org
enable password wpnRqZP70FYqBT2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address x.x.145.146 255.255.255.240 
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.107.2.1 255.255.0.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup management
dns name-server 167.206.7.4
same-security-traffic permit inter-interface
access-list internet extended permit tcp any host x.x.145.157 eq www 
access-list internet extended permit tcp any host x.x.145.156 eq www 
access-list internet extended permit tcp any host x.x.145.155 eq www 
access-list internet extended permit tcp any host x.x.145.153 eq www 
access-list internet extended permit tcp any host x.x.145.153 eq https 
access-list internet extended permit tcp any host x.x.145.153 eq smtp 
access-list internet extended permit tcp any host x.x.145.158 eq ssh 
access-list internet extended permit tcp any host x.x.145.153 eq 3389 
access-list internet extended permit tcp any host x.x.145.155 eq 3389 
access-list internet extended permit icmp any any echo 
access-list internet extended permit ip any host x.x.145.147 
access-list internet extended permit icmp any any echo-reply 
access-list internet extended permit icmp any any source-quench 
access-list internet extended permit icmp any any unreachable 
access-list internet extended permit icmp any any time-exceeded 
access-list internet extended permit tcp any host x.x.145.156 eq ssh 
access-list dmz_in extended permit tcp any host 0.0.0.0 eq 3389 
access-list ping_out extended permit icmp any any echo-reply 
access-list ping_out extended permit icmp any any source-quench 
access-list ping_out extended permit icmp any any unreachable 
access-list ping_out extended permit icmp any any time-exceeded 
access-list ping_in extended permit icmp any any echo 
access-list ping_in extended permit icmp any any echo-reply 
access-list ping_in extended permit icmp any any time-exceeded 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu dmz 1500
mtu outside 1500
mtu inside 1500
no failover
icmp permit any management
icmp permit any dmz
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (dmz) 10 interface
global (outside) 10 interface
nat (inside) 10 10.107.0.0 255.255.0.0
static (dmz,outside) x.x.145.158 192.168.1.158 netmask 255.255.255.255 
static (dmz,outside) x.x.145.157 192.168.1.157 netmask 255.255.255.255 
static (dmz,outside) x.x.145.156 192.168.1.156 netmask 255.255.255.255 
static (dmz,outside) x.x.145.155 192.168.1.155 netmask 255.255.255.255 
static (dmz,outside) x.x.145.154 192.168.1.154 netmask 255.255.255.255 
static (dmz,outside) x.x.145.153 192.168.1.153 netmask 255.255.255.255 
static (inside,dmz) 10.107.0.0 10.107.0.0 netmask 255.255.255.255 
static (dmz,inside) x.x.145.157 192.168.1.157 netmask 255.255.255.255 
static (dmz,inside) x.x.145.156 192.168.1.156 netmask 255.255.255.255 
static (dmz,inside) x.x.145.155 192.168.1.155 netmask 255.255.255.255 
static (dmz,inside) x.x.145.154 192.168.1.154 netmask 255.255.255.255 
static (dmz,inside) x.x.145.153 192.168.1.153 netmask 255.255.255.255 
static (dmz,dmz) x.x.145.157 x.x.145.157 netmask 255.255.255.255 
static (dmz,dmz) x.x.145.156 x.x.145.156 netmask 255.255.255.255 
static (dmz,dmz) x.x.145.155 x.x.145.155 netmask 255.255.255.255 
static (dmz,dmz) x.x.145.154 x.x.145.154 netmask 255.255.255.255 
static (dmz,dmz) x.x.145.153 x.x.145.153 netmask 255.255.255.255 
access-group internet in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.145.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 192.168.100.0 255.255.255.0 management
snmp-server location School NOC
no snmp-server contact
snmp-server community ourcommunity
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 dmz
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
ntp server 198.123.30.132 source outside prefer
smtp-server x.x.145.153
Cryptochecksum:2fa628f70d844446f26e40b29b0838c3
: end

Asked by: vraicovi
1 Solution

debuggerau commented:
Just for a first point, I'd rather see you use 'show tech', so all the passwords are not included.

Secondly, you could be a bit more specific with the access list:
access-list dmz_in extended permit tcp any host 192.168.1.1 eq 25

Thirdly, I can't see a route:
route dmz 192.168.1.0 255.255.255.0 192.168.1.1

JFrederick29 commented:
Does your SMTP server have an allowed list of IP addresses/subnets that can send mail through it?  If so, make sure you are allowing 192.168.1.1 as you are PAT'ing inside traffic to the DMZ interface IP address as it hits the SMTP server.
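As an added example (not part of this thread, and not Cisco's code), the following Python script parses the two deny messages from the question and models the source-address translation JFrederick29 describes, using the nat, global and static lines transcribed from the posted config. The ephemeral port 4433 stands in for the masked "xxxx", and the rule that static translations are consulted before the dynamic nat/global pool is an assumption about ASA 7.x behaviour. The translation function takes the static's netmask as a parameter so you can see how wide a range a static exempts from the interface PAT.

```python
"""Model of the NAT behaviour behind the 106001/106015 messages in this thread.

Added example, not from the original post: it parses the two log lines the
asker saw and models how the posted nat/global/static lines decide which
source address the DMZ SMTP server sees for a given inside host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed copies of the two messages from the question. ASDM shows them
# without the %ASA-<sev>-<id> prefix; the asker masked the ephemeral port as
# "xxxx", so 4433 here is a placeholder value.
SAMPLE_LOGS = [
    "106001: Inbound TCP connection denied from 192.168.1.153/25 to 192.168.1.1/4433 flags RST on interface dmz",
    "106015: Deny TCP (no connection) from 192.168.1.153/25 to 192.168.1.1/4433 flags RST on interface dmz",
]

DENY_RE = re.compile(
    r"^(?P<msg_id>\d{6}): (?P<text>.*?) from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+)"
    r" on interface (?P<iface>\S+)$"
)


def parse_asa_deny(line: str) -> dict:
    """Split a 106001/106015 style deny line into its fields (ports as ints)."""
    m = DENY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 106001/106015 style message: {line!r}")
    fields = m.groupdict()
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


@dataclass(frozen=True)
class Static:
    """One 'static (real_if,mapped_if) mapped_ip real_ip netmask mask' line."""
    real_if: str
    mapped_if: str
    mapped: str
    real: str
    netmask: str


# Translation rules transcribed from the posted config.
STATICS = [
    Static("inside", "dmz", "10.107.0.0", "10.107.0.0", "255.255.255.255"),
]
# nat (inside) 10 10.107.0.0 255.255.0.0  +  global (dmz) 10 interface
DYNAMIC_NAT = {("inside", "dmz"): ("10.107.0.0/255.255.0.0", "192.168.1.1")}


def translate(src_ip: str, real_if: str, mapped_if: str,
              statics=STATICS, dynamic=DYNAMIC_NAT) -> tuple[str, str]:
    """Return (address seen on mapped_if, rule kind) for a packet from src_ip.

    Assumption (ASA 7.x behaviour): static translations for the interface
    pair are consulted before the dynamic nat/global pool.
    """
    ip = ipaddress.ip_address(src_ip)
    for s in statics:
        if (s.real_if, s.mapped_if) != (real_if, mapped_if):
            continue
        real_net = ipaddress.ip_network(f"{s.real}/{s.netmask}", strict=False)
        if ip in real_net:
            # one-to-one mapping: keep the host's offset within the block
            offset = int(ip) - int(real_net.network_address)
            mapped_net = ipaddress.ip_network(f"{s.mapped}/{s.netmask}", strict=False)
            return str(mapped_net.network_address + offset), "static"
    rule = dynamic.get((real_if, mapped_if))
    if rule:
        pool_net, pat_addr = rule
        if ip in ipaddress.ip_network(pool_net, strict=False):
            return pat_addr, "pat"  # 'global ... interface' = interface PAT
    return src_ip, "none"  # no rule matched; nat-control decides, not modelled


def address_seen_by_dmz_server(inside_host: str) -> str:
    """Source address the DMZ SMTP server sees for an inside host."""
    return translate(inside_host, "inside", "dmz")[0]


def explain_deny(line: str, dmz_pat_addr: str = "192.168.1.1") -> str:
    """Describe the denied packet from the defender's side of the log."""
    f = parse_asa_deny(line)
    who = f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['flags']}) on {f['iface']}"
    if f["sport"] == 25 and f["dst"] == dmz_pat_addr:
        return (f"{f['msg_id']}: SMTP server {f['src']} is answering the DMZ interface "
                f"address {dmz_pat_addr}, the PAT address inside hosts are "
                f"translated to [{who}]")
    return f"{f['msg_id']}: denied {who}"


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(explain_deny(entry))
    print("10.107.2.50 appears to the DMZ as", address_seen_by_dmz_server("10.107.2.50"))
```

With the posted static netmask of 255.255.255.255 only the single address 10.107.0.0 matches the static, so every other inside host falls through to the interface PAT and reaches the SMTP server as 192.168.1.1, which is exactly the "to" address in both log lines and the address JFrederick29 says the server's relay list must include.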
debuggerau commented:
Yes, you may need to set a relay address for specific IP addresses that cannot authenticate themselves.