Solved

ASA 5520 configuration for Exchange server

Posted on 2011-02-16
18
585 Views
Last Modified: 2012-06-21
I have currently set up an Exchange Server 2003 on the INSIDE interface of my ASA 5520. I have an SMTP connector for all my external email to an Email Gate on a different interface called MAIL, and then from this second interface I connect to the internet through the OUTSIDE interface to WEBSENSE, a hosting provider.

I want to remove the intermediate step, and connect the Exchange server with the SMTP connector right to the hosting provider.

I know I have to set up the SMTP connector to the smart host of my hosting, WEBSENSE (the same I had in the email gate).

These are the ACLs I have currently running:

INSIDE interface:
access-list acl_inside extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp     //to MAIL interface, internal NIC


MAIL interface
access-list mail_access_in extended permit tcp host 192.168.100.99 any eq smtp                    // external NIC in the mail Gate server

access-list mail_access_in extended permit tcp host xx.xx.100.199 host xx.xx.16.202 eq smtp // connection from Exchange server in INSIDE

access-list mail_access_out extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp         // connection to Exchange server in INSIDE

access-list tfs_access_out extended permit tcp object-group Websense_Servers_ref host xx.xx.100.99 eq smtp        //connection to my web hosting from mail gate server external NIC

OUTSIDE interface

access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp             // connection for web hosting WEBSENSE from the internet to send emails to my email gate server in the MAIL interface, to its public IP address


I'd like to have all incoming email addressed directly to my Exchange server, and all outgoing email sent to the WEBSENSE servers, with no mail gate server in the middle.

I tried changing NAT, so the public address now translates to my Exchange server, and created ACLs to permit SMTP traffic INSIDE-OUTSIDE, but I couldn't make it work.

What am I doing wrong?
0
Comment
Question by:japinrem
18 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34906101
Could you post a more complete (sanitized) configuration?
We could have a look at that then.
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34907145
I would guess that the static NAT may not be set up correctly. But as Ernie said, please post the sanitized config.
0
 

Author Comment

by:japinrem
ID: 34907189

This is my complete config from the ASA; I hope this is enough to give a better picture of my configuration.

access-list acl_outside extended permit tcp any host xx.xx.245.146 eq www
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp
access-list acl_outside extended deny ip any any

access-list acl_inside extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp   //connection to mail gate server
access-list acl_inside extended permit tcp xx.xx.16.0 255.255.255.0 object-group Websense_Servers object-group websense
access-list acl_inside extended permit udp object-group Inside_Domain_Servers object-group Dns_Servers eq domain

access-list mail_access_in extended permit tcp host xx.xx.100.99 any eq smtp
access-list mail_access_in extended permit tcp host xx.xx.100.99 object-group Websense_Servers eq smtp
access-list mail_access_in extended permit tcp host xx.xx.100.199 host 25.101.16.202 eq smtp
access-list tfs_access_in extended permit udp host xx.xx.100.99 object-group Dns_Servers eq domain
access-list mail_access_in extended permit tcp host xx.xx.100.99 object-group Websense_Servers

access-list outside_access_out extended permit udp host xx.xx.245.141 object-group Dns_Servers eq domain
access-list outside_access_out extended permit tcp host xx.xx.245.143 object-group Websense_Servers object-group websense
access-list outside_access_out extended permit udp host xx.xx.245.143 object-group Dns_Servers eq domain
access-list outside_access_out extended permit tcp host xx.xx.245.141 object-group Websense_Servers
access-list tfs_access_out extended permit tcp object-group Websense_Servers_ref host xx.xx.100.99 eq smtp

NAT

static (mail,outside) xx.xx.245.141 xx.xx.100.99 netmask 255.255.255.255
static (mail,inside) xx.xx.100.199 xx.xx.100.199 netmask 255.255.255.255
static (inside,mail) xx.xx.16.202 xx.xx.16.202 netmask 255.255.255.255



What I want to do is avoid the intermediate step with the MAIL interface and connect my Exchange server directly to OUTSIDE and the internet.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34907255
OK,

First remove:
static (mail,outside) xx.xx.245.141 xx.xx.100.99 netmask 255.255.255.255
static (mail,inside) xx.xx.100.199 xx.xx.100.199 netmask 255.255.255.255
static (inside,mail) xx.xx.16.202 xx.xx.16.202 netmask 255.255.255.255


And replace that with:
static (inside,outside) xx.xx.245.141 xx.xx.16.202 netmask 255.255.255.255

assuming here that xx.xx.245.141 is the public and xx.xx.16.202 is the private address of your mail server.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34907261
Oops, too fast.
So wait, there is more :)
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 34907337
There has to be more to the config than just this....
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34907429
There was (the submit button was stuck ;)

For the access lists:

access-list acl_outside extended permit tcp any host xx.xx.245.146 eq www
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp

Those should be ok.

access-list acl_outside extended deny ip any any

You could remove this; there always is an implicit 'deny all' at the end of an access list.

Remove this one:
access-list acl_inside extended permit tcp host xx.xx.16.202 host xx.xx.100.199 eq smtp   //connection to mail gate server

These can stay:
access-list acl_inside extended permit tcp xx.xx.16.0 255.255.255.0 object-group Websense_Servers object-group websense
access-list acl_inside extended permit udp object-group Inside_Domain_Servers object-group Dns_Servers eq domain


And add:

access-list acl_inside extended permit tcp host xx.xx.16.202 host 25.101.16.202 eq smtp  


Oh, and looking at those access lists... Do you have only access lists going IN to the interfaces (I hope so)?
0
 

Author Comment

by:japinrem
ID: 34907559
MikeKane

I wanted to keep the comment not so long, so I pasted only the relevant information from the running configuration. At least that was my intention; that's why I didn't post some other ACLs such as the ones for my WSUS server and antivirus server.

erniebeek:

I didn't configure the ASA in the beginning, so I want to improve what I found, although of course I'm not an expert at all. If you have any advice about the access lists I posted, just let me know.

I think I understand almost everything you said except the one I have to add.

The address starting with 25.101., which I forgot to change to xxx, is the internal address of my Exchange server, and xx.xx.245.141 is the public one, currently assigned to my mail gate.

So if I add that ACL, what would I get?
0
 

Author Comment

by:japinrem
ID: 34907607
erniebeek:

Sorry, I just realized you gave me the NAT change in your previous comment.

Thanks, I'll try this after working hours and let you know the results.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34907719
Just to make sure, can you give me an overview of which IP address belongs to which server?
0
 

Author Comment

by:japinrem
ID: 34907797
INSIDE INTERFACE

EXCHANGESERVER:  25.101.16.202

MAIL INTERFACE

Mail Gate Server:
  internal IP: xx.xx.100.199 ----- connected to EXCHANGE
  internal IP: xx.xx.100.99 ------ connected to OUTSIDE interface
  public IP: xx.xx.245.141

0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 34913988
Ok.

So you want to get rid of the xx.xx.100.99 and xx.xx.100.199 and get everything to the 25.101.16.202.

Then it should be like this.

Remove the other statics and replace them with:
static (inside,outside) xx.xx.245.141 xx.xx.16.202 netmask 255.255.255.255

Your inside and outside access lists should look like this:
access-list acl_outside extended permit tcp any host xx.xx.245.146 eq www
access-list acl_outside extended permit tcp object-group Websense_Servers host xx.xx.245.141 eq smtp

access-list acl_inside extended permit tcp host 25.101.16.202 any eq smtp
access-list acl_inside extended permit udp object-group Inside_Domain_Servers object-group Dns_Servers eq domain
access-list acl_inside extended permit tcp xx.xx.16.0 255.255.255.0 object-group Websense_Servers object-group websense  


0
 

Author Comment

by:japinrem
ID: 34914105
I'll try this this evening when nobody is at work.

I have a question about this ACL you posted:

access-list acl_inside extended permit tcp host 25.101.16.202 any eq smtp

This will permit any connection from my Exchange server to the internet for email, as I understand it,
but I'll have an SMTP connector that sends only to certain servers at Websense. Could I restrict this to only a group of servers? I see this line in my current configuration:

access-list mail_access_in extended permit tcp host xx.xx.100.99 any eq smtp

Would this be the equivalent of the new ACL you're suggesting?

Thank you
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34914114
Yes, I made the equivalent of the setup you had.

But you can restrict it. If object-group Websense_Servers defines the public addresses of those servers, you could also set it up as:
access-list acl_inside extended permit tcp host 25.101.16.202 object-group Websense_Servers eq smtp
0
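To make the effect of the accepted solution and of the restricted variant above concrete, here is an added Python model (not from the thread, and not Cisco's code) of how the ASA evaluates these lines: the static NAT maps the public address to the Exchange server, and the interface ACLs are walked top-down with the first matching entry deciding and an implicit deny at the end. The object-group contents and the public addresses are constructed stand-ins, since the thread masks them as xx.xx.*; only the SMTP-relevant lines are modeled, and the outside ACL is matched against the mapped (public) address as on the pre-8.3 `static` syntax the thread uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins (RFC 5737 documentation ranges) for the masked xx.xx.* values.
EXCHANGE_PRIVATE = "25.101.16.202"      # internal Exchange address, as given in the thread
EXCHANGE_PUBLIC = "198.51.100.141"      # placeholder for the masked public xx.xx.245.141
WEB_PUBLIC = "198.51.100.146"           # placeholder for the masked public xx.xx.245.146
WEBSENSE_SMTP = ["203.0.113.10", "203.0.113.11"]  # placeholder smart-host addresses

# Assumed content of the thread's object-group; the real membership is not on the page.
OBJECT_GROUPS = {"Websense_Servers": [a + "/32" for a in WEBSENSE_SMTP]}
SERVICES = {"smtp": 25, "www": 80, "domain": 53}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]


def _parse_addr(t, i):
    """Parse one address term starting at t[i]; returns (networks, next index)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1] + "/32")], i + 2
    if t[i] == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[t[i + 1]]], i + 2
    # NETWORK MASK form, e.g. 'xx.xx.16.0 255.255.255.0'
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended"
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = SERVICES.get(t[i + 1]) or int(t[i + 1])
    return Ace(t[1], t[3], t[4], src, dst, dport)


def evaluate(aces, proto, src, dst, dport):
    """First matching entry decides; no match at all is the ASA's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if not any(s in n for n in ace.src) or not any(d in n for n in ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def parse_static(line):
    """Parse 'static (inside,outside) MAPPED REAL netmask 255.255.255.255'."""
    t = line.split()
    return {"mapped": t[2], "real": t[3]}


def mapped_to_real(statics, public_ip):
    """Inbound translation: which real host does a connection to public_ip reach?"""
    for s in statics:
        if s["mapped"] == public_ip:
            return s["real"]
    return None


# The accepted solution, with placeholders substituted for the masked addresses.
STATICS = [parse_static(
    f"static (inside,outside) {EXCHANGE_PUBLIC} {EXCHANGE_PRIVATE} netmask 255.255.255.255")]
ACL_OUTSIDE = [parse_ace(l) for l in [
    f"access-list acl_outside extended permit tcp any host {WEB_PUBLIC} eq www",
    f"access-list acl_outside extended permit tcp object-group Websense_Servers host {EXCHANGE_PUBLIC} eq smtp",
]]
ACL_INSIDE_BROAD = [parse_ace(
    f"access-list acl_inside extended permit tcp host {EXCHANGE_PRIVATE} any eq smtp")]
ACL_INSIDE_RESTRICTED = [parse_ace(
    f"access-list acl_inside extended permit tcp host {EXCHANGE_PRIVATE} object-group Websense_Servers eq smtp")]


def inbound_smtp_reaches(src_ip):
    """Real host an inbound SMTP session from src_ip is delivered to, or None if dropped."""
    if not evaluate(ACL_OUTSIDE, "tcp", src_ip, EXCHANGE_PUBLIC, 25):
        return None
    return mapped_to_real(STATICS, EXCHANGE_PUBLIC)


def outbound_smtp_allowed(acl, dst_ip):
    """Whether Exchange may open an SMTP session to dst_ip under the given inside ACL."""
    return evaluate(acl, "tcp", EXCHANGE_PRIVATE, dst_ip, 25)


if __name__ == "__main__":
    print("inbound from smart host ->", inbound_smtp_reaches(WEBSENSE_SMTP[0]))
    print("inbound from other host ->", inbound_smtp_reaches("192.0.2.50"))
    print("broad ACL, any dest     ->", outbound_smtp_allowed(ACL_INSIDE_BROAD, "192.0.2.50"))
    print("restricted, other dest  ->", outbound_smtp_allowed(ACL_INSIDE_RESTRICTED, "192.0.2.50"))
```

The difference between the two inside ACLs is what the asker was getting at: with `any eq smtp`, a compromised or misconfigured Exchange host could deliver mail to arbitrary internet hosts, while the object-group form limits outbound port 25 to the smart hosts the SMTP connector is supposed to use, and the implicit deny handles everything else.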
 

Author Comment

by:japinrem
ID: 34914124
OK, thank you. I'll try the most restrictive one first, and if that doesn't work I'll go with the first one.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34914128
Good, let me know how this works out.
0
 

Author Comment

by:japinrem
ID: 34941132
Hi,
I tried last Friday and it worked OK; I was able to send and receive external emails.
Thank you so much for your help.
I'll close the question.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34941203
Good job! Glad I could help and thx for the points :)
0
