kumo_chan
asked on
ASA is blocking e-mail between internal networks
Hello Everyone.
First thanks for the help which is really appreciated.
I currently have a device within a network that I would like to send e-mails through one of our e-mail servers on the DMZ; however, I can't make it happen. The diagram is the following:
Net A >>> GATEWAY >>> FIREWALL >>> DMZ
Net A can successfully reach the firewall IP on the link between the gateway and the firewall itself. However, when I try to send the e-mail or ping the e-mail server, it fails.
The interface on which the packets from Net A arrive (NET) has a security level of 60, whereas the DMZ interface (DMZ) has a security level of 10. I thought the communication should just happen, but I am afraid that the NAT rule for the e-mail server is interfering.
The e-mail server is being translated towards Net A with a public address, which I think is my issue, but I am not sure. I can't change this rule, as I have other networks using the translation.
static (DMZ,NET) PUBLIC-IP 10.8.1.5 netmask 255.255.255.255
I can't change this rule, and I want to keep Net A as a private network that will just have access to the e-mail server.
I ran packet-tracer sourcing from the NET interface with the Net A addressing, and it works if I use the public IP in the command, but not if I use the private one. It shows Action: DROP, and it seems to be due to the translation.
Is there any way I can give this network access to the private address of the e-mail server, so the network can send e-mail without having any internet access?
Cheers!
You should add a NAT rule from the inside to the DMZ network that translates the destination IP (the external one) to the DMZ IP.
ASKER
Hello Henkva!
Thanks for the help. I just have a question regarding this: wouldn't this affect the users that are using the current translation?
Thanks again!
Cheers
Can you post your full (sanitized) config? It makes it somewhat easier to understand.
And from what network would you like to get to the internal IP, from Net A or ...?
The command is something like (ASA has no pop3/imap inspection; e-mail inspection on the ASA is the esmtp inspect, which lives under the default inspection class of the global policy):
enable
configure terminal
policy-map global_policy
 class inspection_default
  no inspect esmtp
end
copy running-config startup-config
ASKER
Hello
Thanks both for the answer.
Henkva, please find below the current configuration in place:
//Gateway for some internal networks to the internet
interface GigabitEthernet0/2.51
description TRANSIT
vlan 51
nameif INTERNALCLIENTS
security-level 60
ip address 192.168.70.7 255.255.255.248
!
// DMZ Network interface
interface GigabitEthernet0/1.51
description DMZ NETWORK
vlan 51
nameif DMZ
security-level 10
ip address 10.8.2.1 255.255.255.0
!
// New network that needs to send e-mail but it shouldn't have public access
object-group network NEW-NETWORK
network-object 192.168.75.0 255.255.255.0
// Current translations
static (DMZ,INTERNALCLIENTS) mailserver_public 10.8.2.6 netmask 255.255.255.255
static (DMZ,OUTSIDE) mailserver_public 10.8.2.6 netmask 255.255.255.255
The first translation is also used by other customers, therefore I would like to check whether there is a chance that the new network can send e-mail directly to the internal IP of the server. If this is not possible, I think the next step will be making an interface on the ASA just for the new network and putting a new translation in place???
And Gheist, wouldn't removing those commands make my network a bit vulnerable?
Cheers!!
What version do you run on your ASA? This is important for the NAT options we have.
To be clear, you want clients from the 192.168.75.0/24 network to be able to connect to 10.8.2.6 port 25? Correct?
And 192.168.75.0 is routed via an IP in INTERNALCLIENTS?
ASKER
Hello henkva,
The ASA is version 8.2, not on the 9s yet.
Yes, I want the network 192.168.75.0 to be able to send e-mail through 10.8.2.6, but without having access to the outside.
I have some other networks arriving on that interface....
Yes, 192.168.75.0 is routed via an IP in INTERNALCLIENTS...
Do you think the easiest way could be to create a subinterface on the ASA just for 192.168.75.0, so I don't affect all the other networks?
Thanks!!!
Cheers
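As an added example (not from the thread, and not the accepted solution, which is not visible on this page), this is one way to carry out henkva's suggestion on an 8.2 ASA using the interface names and addresses posted above. It assumes the 8.2 policy-static syntax, that no access-group is currently applied to INTERNALCLIENTS, the assumed names NEWNET-TO-MAIL and INTERNALCLIENTS-IN, and the assumed client 192.168.75.10 and destination 8.8.8.8 in the packet-tracer checks. The point it shows: a policy static that keeps 10.8.2.6 untranslated only towards 192.168.75.0/24, leaving the existing regular static, and therefore every other customer, untouched.

```cisco
! Added example, not the thread's own config. Assumes ASA 8.2 and the interfaces
! DMZ / INTERNALCLIENTS posted above. NEWNET-TO-MAIL, INTERNALCLIENTS-IN,
! 192.168.75.10 and 8.8.8.8 are assumed names/addresses for illustration.
!
! 1) Policy static (identity) NAT: when 10.8.2.6 talks to 192.168.75.0/24 it keeps
!    its real address. The ACL is written from the real (DMZ) side. Enter it before
!    the existing regular static so it is matched first; all other networks on
!    INTERNALCLIENTS still see mailserver_public through the regular static.
access-list NEWNET-TO-MAIL extended permit ip host 10.8.2.6 192.168.75.0 255.255.255.0
static (DMZ,INTERNALCLIENTS) 10.8.2.6 access-list NEWNET-TO-MAIL
!
! Existing rules stay exactly as posted:
! static (DMZ,INTERNALCLIENTS) mailserver_public 10.8.2.6 netmask 255.255.255.255
! static (DMZ,OUTSIDE) mailserver_public 10.8.2.6 netmask 255.255.255.255
!
! 2) Keep 192.168.75.0/24 off the internet: allow only SMTP to the mail server's
!    real address, drop everything else from that network, and keep the other
!    networks arriving on the interface as they were (final permit ip any any).
!    Uses the NEW-NETWORK object-group already defined in the posted config.
access-list INTERNALCLIENTS-IN extended permit tcp object-group NEW-NETWORK host 10.8.2.6 eq smtp
access-list INTERNALCLIENTS-IN extended deny ip object-group NEW-NETWORK any
access-list INTERNALCLIENTS-IN extended permit ip any any
access-group INTERNALCLIENTS-IN in interface INTERNALCLIENTS
!
! 3) Static changes apply only to new translations; clear the server's xlates
!    (this drops its current sessions, so do it in a window), then verify.
clear xlate local 10.8.2.6
! Expected: NAT phase shows the policy static, Action: allow
packet-tracer input INTERNALCLIENTS tcp 192.168.75.10 1025 10.8.2.6 25
! Expected: Action: drop on the INTERNALCLIENTS-IN deny line
packet-tracer input INTERNALCLIENTS tcp 192.168.75.10 1025 8.8.8.8 80
```

If the first packet-tracer still ends in a NAT drop, the regular static is being matched ahead of the policy static; remove and re-add the regular static after the policy one, clear the xlates again and re-run the trace. The same design on 8.3 and later is written as a twice NAT rule rather than a policy static, so this fragment applies to the 8.2 box described in the thread only.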
ASKER CERTIFIED SOLUTION
(Solution text only available to Experts Exchange members; not shown on this page.)
ASKER
Hello henkva!
Thanks for the help, I will do that!
Cheers