ASA is blocking e-mail between internal networks

Posted on 2013-10-16
Medium Priority
Last Modified: 2013-10-29
Hello Everyone.

First thanks for the help which is really appreciated.

I currently have a device within a network that I would like to send e-mails through one of our e-mail servers on the DMZ; however, I can't make it happen. The diagram is the following:

Net  A  >>>>>> GATEWAY>>>>>>>FIREWALL>>>>>>>DMZ

Net A can successfully reach the firewall IP on the link between the gateway and the firewall itself. However, when I try to send the e-mail or ping the e-mail server, it fails.

The interface on which the packet from Net A is coming in (NET) has a security level of 60, whereas the interface for the DMZ (DMZ) has a security level of 10. I thought the communication should just happen, but I am afraid that the NAT rule for the e-mail server is interfering.

The e-mail server is being translated towards Net A with a public address, which I think is my issue, but I am not sure. I can't change this rule, as I have other networks using the translation.

static (DMZ,NET) PUBLIC-IP netmask

I can't change this rule, and I want to keep Net A as a private network that will just have access to the e-mail server.

I applied a packet-tracer sourcing from the NET interface with the Net A addressing, and it works if I use the public IP in the command, but not if I use the private one. It shows the message Action: DROP, and it seems to be due to the translation.

Is there any way I can give this network access to the private address of the e-mail server, so the network can send e-mail without having any internet access?

Question by:kumo_chan
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39580918
You should add a NAT rule from the inside to the DMZ network that translates the destination IP (external) to the DMZ IP.

Author Comment

ID: 39581210
Hello Henkva!

Thanks for the help. I just have a question regarding this. Wouldn't this affect the users that are using the current translation?

Thanks again!

LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39582115
Can you post your full (sanitized) config? It makes it somewhat easier to understand.

And from what network would you like to get to the internal IP, from Net A or ...?

LVL 62

Expert Comment

ID: 39584441
The command is something like:
conf t
no inspect smtp
no inspect pop3
no inspect imap
copy running-config startup-config

Author Comment

ID: 39586596
Thanks both for the answers.

Please, Henkva, find attached the current configuration in place:
// Gateway for some internal networks to the internet
interface GigabitEthernet0/2.51
 description TRANSIT
 vlan 51
 security-level 60
 ip address

// DMZ network interface
interface GigabitEthernet0/1.51
 description DMZ NETWORK
 vlan 51
 nameif DMZ
 security-level 10
 ip address

// New network that needs to send e-mail but shouldn't have public access
object-group network NEW-NETWORK

// Current translations
static (DMZ,INTERNALCLIENTS) mailserver_public netmask
static (DMZ,OUTSIDE) mailserver_public netmask

The first translation is also used by other customers; therefore I would like to check whether there is a chance that the new network can send e-mail directly to the internal IP of the server. If this is not possible, I think the next step will be making an interface just for the new network on the ASA and putting a new translation in place???

And Gheist, wouldn't removing those commands make my network a bit vulnerable?

LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39598048
What version do you run on your ASA? This is important for the NAT options we have.

To be clear, you want clients from the network to be able to connect to port 25? Correct?

And it is routed via an IP in INTERNALCLIENTS?

Author Comment

ID: 39599747
Hello henkva,

The ASA is version 8.2, not on the 9s yet.

Yes, I want the network to be able to send e-mail through, but without having access to outside.

I have some other networks arriving at that interface....

Yes, it is routed via an IP in INTERNALCLIENTS...

Do you think the easiest way could be to create a subinterface on the ASA just for the new network, so I don't affect all the other networks?


LVL 12

Accepted Solution

Henk van Achterberg earned 1500 total points
ID: 39609624
It would be easier to make a subinterface so you can make different NAT statements for that network. It also makes it easier with access lists.
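
Worked example of the accepted approach in ASA 8.2 syntax, added here by the editor; it is not part of the thread and not the poster's configuration. It does what Henk's first comment asked for (get Net A to the server's real DMZ address without touching the `static (DMZ,INTERNALCLIENTS)` translation) by giving the new network its own subinterface and NAT scope, and finishes with the packet-tracer check from the question so you can see the difference. Every VLAN number, address, interface name and ACL name below is an assumption chosen for illustration; the only names taken from the thread are DMZ, NEW-NETWORK and mailserver_public.

```cisco
! === Added example (not from the thread). All values below are placeholders. ===
!
! 1. A subinterface used only by the new network (assumed VLAN 52).
!    Security level 60 matches the existing TRANSIT interface.
interface GigabitEthernet0/2.52
 description NEW-NETWORK TRANSIT
 vlan 52
 nameif NEWNET
 security-level 60
 ip address 10.52.0.1 255.255.255.0
!
! 2. Net A sits behind the gateway on that link; assumed 10.20.0.0/24 via 10.52.0.2.
route NEWNET 10.20.0.0 255.255.255.0 10.52.0.2
!
object-group network NEW-NETWORK
 network-object 10.20.0.0 255.255.255.0
!
! 3. NAT exemption between NEWNET and DMZ (8.2 "nat 0 access-list").
!    Source and destination stay untranslated, so Net A talks to the mail
!    server's real DMZ address (assumed 172.16.10.25). The existing
!    static (DMZ,INTERNALCLIENTS) mailserver_public ... is bound to that
!    interface pair and is not evaluated for packets entering on NEWNET,
!    so the other customers keep using the public address unchanged.
access-list NEWNET_nat0 extended permit ip object-group NEW-NETWORK host 172.16.10.25
nat (NEWNET) 0 access-list NEWNET_nat0
!
! 4. Inbound ACL on NEWNET: SMTP to the mail server only. Applying an ACL
!    replaces the security-level permit, and the explicit deny at the end
!    leaves Net A with no path to OUTSIDE or to any other DMZ host.
access-list NEWNET_in extended permit tcp object-group NEW-NETWORK host 172.16.10.25 eq smtp
access-list NEWNET_in extended deny ip any any log
access-group NEWNET_in in interface NEWNET
!
! 5. Verification (exec mode). The first trace should end in "Action: allow"
!    with the NAT phase showing no translation; the second should end in
!    "Action: drop" in the ACCESS-LIST phase (assumed outside address 198.51.100.5).
packet-tracer input NEWNET tcp 10.20.0.10 1025 172.16.10.25 25
packet-tracer input NEWNET tcp 10.20.0.10 1025 198.51.100.5 80
```

Two things to confirm on the real box before relying on this: the gateway in front of Net A must route the mail server's private address towards the new subinterface (otherwise Net A keeps arriving on the old TRANSIT interface, where the public-address static still applies), and if `nat-control` is enabled the `nat (NEWNET) 0` exemption is what lets the untranslated flow through, so do not skip it. Check the resulting translations with `show xlate` after the first SMTP session; there should be none for the 10.20.0.0/24 to 172.16.10.25 flow.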

Author Closing Comment

ID: 39610544
Hello henkva!

Thanks for the help I will do that!

