ASA is blocking e-mail between internal networks

Hello Everyone.

First thanks for the help which is really appreciated.

I currently have a device within a network that I would like to send e-mails through one of our e-mail servers in the DMZ; however, I can't make it happen. The diagram is the following:

Net  A  >>>>>> GATEWAY>>>>>>>FIREWALL>>>>>>>DMZ

Net A can successfully reach the firewall IP on the link between the gateway and the firewall itself. However, when I try to send the e-mail or ping the e-mail server, it fails.

The interface on which the packet from Net A is coming in (NET) has a security level of 60, whereas the interface for the DMZ (DMZ) has a security level of 10. I thought the communication should just happen, but I am afraid that the NAT rule for the e-mail server is interfering.

The e-mail server is being translated towards Net A with a public address, which I think is my issue, but I am not sure. I can't change this rule as I have other networks using the translation.

static (DMZ,NET) PUBLIC-IP  10.8.1.5 netmask 255.255.255.255

I can't change this rule, and I want to keep Net A as a private network that will just have access to the e-mail server.

I applied a packet tracer sourcing from the NET interface with the Net A addressing, and it works if I use the public IP in the command, but not if I use the private one. It shows the message Action: DROP, and it seems to be due to the translation.

Is there any way I can give this network access to the private address of the e-mail server, so the network can send e-mail without having any internet access?

Cheers!!!!
kumo_chan asked:
Henk van Achterberg (Sr. Technical Consultant) commented:
You should add a NAT rule from the inside to the DMZ network that translates the destination IP (the external one) to the DMZ IP.
0
kumo_chan (Author) commented:
Hello Henkva!

Thanks for the help. I just have a question regarding this. Wouldn't this affect the users that are using the current translation?

Thanks again!

Cheers
0
Henk van Achterberg (Sr. Technical Consultant) commented:
Can you post your full (sanitized) config? It makes it somewhat easier to understand.

And from what network would you like to get to the internal IP, from Net A or ...?
0

gheist commented:
The command is something like:

enable
configure terminal
! on the ASA the SMTP inspection is named esmtp and lives in the global policy
policy-map global_policy
 class inspection_default
  no inspect esmtp
  no inspect pop3
  no inspect imap
end
copy running-config startup-config
0
kumo_chan (Author) commented:
Hello
Thanks both for the answers.

Henkva, please find attached the current configuration in place:
! Gateway for some internal networks to the internet
interface GigabitEthernet0/2.51
 description TRANSIT
 vlan 51
 nameif INTERNALCLIENTS
 security-level 60
 ip address 192.168.70.7 255.255.255.248
!
! DMZ network interface
interface GigabitEthernet0/1.51
 description DMZ NETWORK
 vlan 51
 nameif DMZ
 security-level 10
 ip address 10.8.2.1 255.255.255.0
!
! New network that needs to send e-mail but shouldn't have public access
object-group network NEW-NETWORK
 network-object 192.168.75.0 255.255.255.0
!
! Current translations
static (DMZ,INTERNALCLIENTS) mailserver_public 10.8.2.6 netmask 255.255.255.255
static (DMZ,OUTSIDE) mailserver_public 10.8.2.6 netmask 255.255.255.255


The first translation is also used by other customers; therefore I would like to check whether there is a chance that the new network can send e-mail directly to the internal IP of the server. If this is not possible, I think the next step will be making an interface just for the new network on the ASA and putting a new translation in place???

And gheist, wouldn't removing those commands make my network a bit vulnerable?


Cheers!!
0
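The following is an added example, not part of the thread, showing what the destination-side NAT Henk suggests above looks like on the shared INTERNALCLIENTS interface, written in the pre-8.3 syntax the posted static lines use. The idea is a policy static that keeps 10.8.2.6 untranslated only towards 192.168.75.0/24, so every other customer keeps resolving the server as mailserver_public. The ACL name MAIL-TO-NEWNET, the client host 192.168.75.10 used in the check, and the identity static for the client range are assumptions; the interface names, the object-group and the server address are the ones from the posted config.

```cisco
! Added example (not from the thread). Assumes the posted names and the
! pre-8.3 NAT syntax; MAIL-TO-NEWNET is an assumed ACL name.
!
! Real source 10.8.2.6 talking to 192.168.75.0/24 keeps its real address.
access-list MAIL-TO-NEWNET extended permit ip host 10.8.2.6 192.168.75.0 255.255.255.0
!
! Policy identity static. The ASA walks static statements in configuration
! order until the first match, so this one must sit ABOVE the existing regular
! static: remove and re-add the regular one so it ends up after this line.
static (DMZ,INTERNALCLIENTS) 10.8.2.6 access-list MAIL-TO-NEWNET
!
! Existing translation, unchanged: everyone else still sees mailserver_public.
static (DMZ,INTERNALCLIENTS) mailserver_public 10.8.2.6 netmask 255.255.255.255
!
! Identity static for the clients towards the DMZ. Required when nat-control
! is enabled, harmless otherwise.
static (INTERNALCLIENTS,DMZ) 192.168.75.0 192.168.75.0 netmask 255.255.255.0
!
! After changing NAT, clear stale translations, then re-run the trace that
! ended in "Action: DROP" in the question. It should now report ALLOW.
clear xlate
packet-tracer input INTERNALCLIENTS tcp 192.168.75.10 1025 10.8.2.6 25
```

Two caveats for this variant. First, it only fixes reachability of the real address; keeping 192.168.75.0/24 away from the internet on the shared interface still needs an inbound access list on INTERNALCLIENTS, and if none is applied today that list must also permit all the existing customers' traffic before the deny for the new network, which is exactly the per-interface coupling a dedicated subinterface avoids. Second, the packet-tracer result is the authoritative check: if it still drops in the NAT phase, the regular static is still being matched first.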
Henk van Achterberg (Sr. Technical Consultant) commented:
What version do you run on your ASA? This is important for the NAT options we have.

To be clear, you want clients from the 192.168.75.0/24 network to be able to connect to 10.8.2.6 on port 25? Correct?

And 192.168.75.0 is routed via an IP in INTERNALCLIENTS?
0
kumo_chan (Author) commented:
Hello henkva,

The ASA is version 8.2, not on the 9s yet.

Yes, I want the network 192.168.75.0 to be able to send e-mail through 10.8.2.6, but without having access to the outside.

I have some other networks arriving at that interface....

Yes, 192.168.75.0 is routed via an IP in INTERNALCLIENTS...

Do you think the easiest way could be to create a subinterface on the ASA just for 192.168.75.0, so I don't affect all the other networks?

Thanks!!!

Cheers
0
Henk van Achterberg (Sr. Technical Consultant) commented:
It would be easier to make a subinterface so you can write different NAT statements for that network. It also makes it easier with access lists.
0
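Worked out below, as an added example rather than the thread's own config, is the dedicated-subinterface approach Henk recommends, in ASA 8.2 syntax. It assumes the physical interface GigabitEthernet0/2, VLAN 75, a transit subnet 192.168.76.0/29 with the Net A gateway at 192.168.76.2, a test client 192.168.75.10, and the interface and ACL names NEWNET and NEWNET_IN; none of those appear in the thread. The object-group, the server address 10.8.2.6 and the existing statics are the ones the poster listed and stay untouched.

```cisco
! Added example (not from the thread). Interface number, VLAN, transit
! subnet and the NEWNET / NEWNET_IN names are assumptions.
interface GigabitEthernet0/2.75
 description NEW-NETWORK transit (mail only, no internet)
 vlan 75
 nameif NEWNET
 security-level 50
 ip address 192.168.76.1 255.255.255.248
!
! 192.168.75.0/24 sits behind the Net A gateway on the transit link.
route NEWNET 192.168.75.0 255.255.255.0 192.168.76.2 1
!
object-group network NEW-NETWORK
 network-object 192.168.75.0 255.255.255.0
!
! Identity NAT in both directions between NEWNET and DMZ: the clients reach
! the server by its real address, and the existing (DMZ,INTERNALCLIENTS) and
! (DMZ,OUTSIDE) statics keep serving the other customers unchanged.
static (NEWNET,DMZ) 192.168.75.0 192.168.75.0 netmask 255.255.255.0
static (DMZ,NEWNET) 10.8.2.6 10.8.2.6 netmask 255.255.255.255
!
! Only SMTP (plus ping, for the test mentioned in the question) to the mail
! server. The final logged deny covers OUTSIDE and every other interface, so
! the network cannot reach the internet even though it has a default route.
access-list NEWNET_IN extended permit tcp object-group NEW-NETWORK host 10.8.2.6 eq smtp
access-list NEWNET_IN extended permit icmp object-group NEW-NETWORK host 10.8.2.6 echo
access-list NEWNET_IN extended deny ip any any log
access-group NEWNET_IN in interface NEWNET
!
! Checks. The first trace should end in ALLOW; the second (a documentation
! address standing in for "the internet") should end in DROP at the
! access-list phase, which is the evidence that the no-internet rule holds.
packet-tracer input NEWNET tcp 192.168.75.10 1025 10.8.2.6 25
packet-tracer input NEWNET tcp 192.168.75.10 1025 203.0.113.10 443
```

Because the new network gets its own interface, the explicit deny never touches the other networks still arriving on INTERNALCLIENTS, and the trunk towards the gateway carries the new VLAN alongside VLAN 51. Any later service the network needs (DNS, NTP) is a single added permit line above the deny, reviewed on its own.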

kumo_chan (Author) commented:
Hello henkva!

Thanks for the help I will do that!

cheers
0