ASA 5520 configuration for Exchange server

I have currently set up an Exchange Server 2003 on the INSIDE interface of my ASA 5520. I have an SMTP connector for all my external email to an Email Gate on a different interface called MAIL, and from this second interface I connect to the internet through the OUTSIDE interface to WEBSENSE, a hosting provider.

I want to remove the intermediate step, and connect the Exchange server with the SMTP connector right to the hosting provider.

I know I have to set up the SMTP connector to the smart host of my hosting, WEBSENSE (the same one I had in the email gate).

These are the ACLs I have currently running:

INSIDE interface:
access-list acl_inside extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp    // to MAIL interface, internal NIC

MAIL interface:
access-list mail_access_in extended permit tcp host 192.168.100.99 any eq smtp    // external NIC on the mail gate server
access-list mail_access_in extended permit tcp host xx.xx.100.199 host xx.xx.16.202 eq smtp    // connection from the Exchange server on INSIDE
access-list mail_access_out extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp    // connection to the Exchange server on INSIDE
access-list tfs_access_out extended permit tcp object-group Websense_Servers_ref host xx.xx.100.99 eq smtp    // connection to my web hosting from the mail gate server's external NIC

OUTSIDE interface:
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp    // connection from the web hosting WEBSENSE on the internet to send email to my email gate server on the MAIL interface, to its public IP address


I'd like to have all incoming email addressed directly to my Exchange server, and all outgoing email sent to the WEBSENSE servers, with no mail gate server in the middle.

I tried changing the NAT, so the public address now translates to my Exchange server, and created ACLs to permit SMTP traffic INSIDE-OUTSIDE, but I couldn't make it work.

What am I doing wrong?
japinrem asked:
Ernie Beek (Expert) commented:
Ok.

So you want to get rid of the xx.xx.100.99 and xx.xx.100.199 and get everything to the 25.101.16.202.

Then it should be like this.

Remove the other statics and replace them with:
static (inside,outside) xx.xx.245.141 xx.xx.16.202 netmask 255.255.255.255

Your inside and outside accesslists should look like this:
access-list acl_outside extended permit tcp any host xx.xx.245.146 eq www
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp

access-list acl_inside extended permit tcp host 25.101.16.202 any eq smtp
access-list acl_inside extended permit udp object-group Inside_Domain_Servers object-group Dns_Servers eq domain
access-list acl_inside extended permit tcp xx.xx.16.0 255.255.255.0 object-group Websense_Servers object-group websense


Ernie Beek (Expert) commented:
Could you post a more complete (sanitized) configuration?
We could have a look at that then.
MikeKane commented:
I would guess that the static NAT may not be set up correctly. But as Ernie said, please post the sanitized config.
japinrem (Author) commented:

This is my complete config from the ASA; I hope this is enough to give a better picture of my configuration.

access-list acl_outside extended permit tcp any host xx.xx.245.146 eq www
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp
access-list acl_outside extended deny ip any any

access-list acl_inside extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp    // connection to mail gate server
access-list acl_inside extended permit tcp xx.xx.16.0 255.255.255.0 object-group Websense_Servers object-group websense
access-list acl_inside extended permit udp object-group Inside_Domain_Servers object-group Dns_Servers eq domain

access-list mail_access_in extended permit tcp host xx.xx.100.99 any eq smtp
access-list mail_access_in extended permit tcp host xx.xx.100.99 object-group Websense_Servers eq smtp
access-list mail_access_in extended permit tcp host xx.xx.100.199 host 25.101.16.202 eq smtp
access-list tfs_access_in extended permit udp host xx.xx.100.99 object-group Dns_Servers eq domain
access-list mail_access_in extended permit tcp host xx.xx.100.99 object-group Websense_Servers

access-list outside_access_out extended permit udp host xx.xx.245.141 object-group Dns_Servers eq domain
access-list outside_access_out extended permit tcp host xx.xx.245.143 object-group Websense_Servers object-group websense
access-list outside_access_out extended permit udp host xx.xx.245.143 object-group Dns_Servers eq domain
access-list outside_access_out extended permit tcp host xx.xx.245.141 object-group Websense_Servers
access-list tfs_access_out extended permit tcp object-group Websense_Servers_ref host xx.xx.100.99 eq smtp

NAT:

static (mail,outside) xx.xx.245.141 xx.xx.100.99 netmask 255.255.255.255
static (mail,inside) xx.xx.100.199 xx.xx.100.199 netmask 255.255.255.255
static (inside,mail) xx.xx.16.202 xx.xx.16.202 netmask 255.255.255.255



What I want to do is avoid the intermediate step with the MAIL interface and connect my Exchange server directly to OUTSIDE and the internet.
Ernie Beek (Expert) commented:
OK,

first remove:
static (mail,outside) xx.xx.245.141 xx.xx.100.99 netmask 255.255.255.255
static (mail,inside) xx.xx.100.199 xx.xx.100.199 netmask 255.255.255.255
static (inside,mail) xx.xx.16.202 xx.xx.16.202 netmask 255.255.255.255


And replace that with:
static (inside,outside) xx.xx.245.141 xx.xx.16.202 netmask 255.255.255.255

assuming here that xx.xx.245.141 is the public and xx.xx.16.202 is the private address of your mail server.
Ernie Beek (Expert) commented:
Oops, too fast.
So wait, there is more :)
MikeKane commented:
There has to be more to the config than just this....
Ernie Beek (Expert) commented:
There was (submit button was stuck ;)

For the access lists:

access-list acl_outside extended permit tcp any host xx.xx.245.146 eq www
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp

Those should be ok.

access-list acl_outside extended deny ip any any

You could remove this; there always is an implicit 'deny all' at the end of an access list.

Remove this one:
access-list acl_inside extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp    // connection to mail gate server

These can stay:
access-list acl_inside extended permit tcp xx.xx.16.0 255.255.255.0 object-group Websense_Servers object-group websense
access-list acl_inside extended permit udp object-group Inside_Domain_Servers object-group Dns_Servers eq domain


And add:

access-list acl_inside extended permit tcp host xx.xx.16.202 host 25.101.16.202 eq smtp


Oh, and looking at those access lists... Do you have only access lists going IN to the interfaces (I hope so)?
japinrem (Author) commented:
MikeKane:

I wanted to keep the comment not so long, so I pasted only the relevant information from the running configuration. At least that was my intention; that's why I didn't post some other ACLs, such as the ones for my WSUS server and antivirus server.

erniebeek:

I didn't configure the ASA in the beginning, so I want to improve what I found, although of course I'm not an expert at all. If you have any advice about the access lists I posted, just let me know.

I think I understand almost everything you said except the one I have to add.

The address starting with 25.101., which I forgot to change to xxx, is the internal address of my Exchange server, and xx.xx.245.141 is the public one, currently assigned to my mail gate.

So if I add that ACL, what would I get?
japinrem (Author) commented:
erniebeek:

Sorry, I just realized you gave me the NAT change in your previous comment.

Thanks, I'll try this after working hours and let you know the results.
Ernie Beek (Expert) commented:
Just to make sure, can you give me an overview of which IP address belongs to which server?
japinrem (Author) commented:
INSIDE INTERFACE

EXCHANGESERVER:  25.101.16.202

MAIL INTERFACE

Mail Gate Server: internal IP xx.xx.100.199 (connected to EXCHANGE)
                  internal IP xx.xx.100.99  (connected to OUTSIDE interface)
                  public IP   xx.xx.245.141
japinrem (Author) commented:
I'll try this this evening when nobody is at work.

I have a question about this ACL you posted:

access-list acl_inside extended permit tcp host 25.101.16.202 any eq smtp

This will permit any connection from my Exchange server to the internet for email, as I understand it, but I'll have an SMTP connector to send only to certain servers in Websense. Could I restrict this to only a group of servers? I see this line in my current configuration:

access-list mail_access_in extended permit tcp host xx.xx.100.99 any eq smtp

would this be the equivalent to the new ACL you're suggesting?

Thank you.
Ernie Beek (Expert) commented:
Yes, I made the equivalent of the setup you had.

But you can restrict it. If object-group Websense_Servers defines the public addresses of those servers you could also set it up as:
access-list acl_inside extended permit tcp host 25.101.16.202 object-group Websense_Servers eq smtp
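Added example, not code from the thread: a small Python evaluator for ASA extended access-list entries, used to compare the broad "any eq smtp" rule with the object-group-restricted one suggested above. The members of object-group Websense_Servers and the flows being checked are constructed sample addresses, since the thread does not list them.

```python
# Added example, not from the thread: a small evaluator for ASA extended ACL
# entries, to compare the broad and the object-group-restricted SMTP rules.
import ipaddress

# Constructed stand-in for object-group Websense_Servers (the thread does not
# list its members); RFC 5737 documentation addresses are used here.
OBJECT_GROUPS = {"Websense_Servers": ["198.51.100.10", "198.51.100.11"]}

def _parse_addr(tokens):
    """Consume one ASA address spec; return (networks, remaining tokens)."""
    kind = tokens[0]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if kind == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if kind == "object-group":
        nets = [ipaddress.ip_network(m) for m in OBJECT_GROUPS[tokens[1]]]
        return nets, tokens[2:]
    # "network netmask" form, e.g. "10.1.16.0 255.255.255.0"
    return [ipaddress.ip_network(f"{kind}/{tokens[1]}")], tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    src, rest = _parse_addr(t[5:])
    dst, rest = _parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:  # named or numeric destination port
        port = int({"smtp": 25, "www": 80, "domain": 53}.get(rest[1], rest[1]))
    return {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}

def permits(acl_lines, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not any(s in n for n in ace["src"]) or not any(d in n for n in ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != dst_port:
            continue
        return ace["action"] == "permit"
    return False  # implicit 'deny ip any any' at the end of every ASA ACL

# The two acl_inside variants from the answer above (spelling corrected).
BROAD = ["access-list acl_inside extended permit tcp host 25.101.16.202 any eq smtp"]
RESTRICTED = ["access-list acl_inside extended permit tcp host 25.101.16.202 "
              "object-group Websense_Servers eq smtp"]
```

With the restricted entry, SMTP from the Exchange server to any address outside the group hits the implicit deny, which is the least-privilege outcome the author is asking about.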
japinrem (Author) commented:
OK, thank you, I'll try the most restrictive first, and if that doesn't work I'll go with the first one.
Ernie Beek (Expert) commented:
Good, let me know how this works out.
japinrem (Author) commented:
Hi,
I tried last Friday and it worked OK; I was able to send and receive external emails.
Thank you so much for your help.
I'll close the question.
Ernie Beek (Expert) commented:
Good job! Glad I could help and thx for the points :)