Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco ASA5505 NAT internal access to local mail server

Status
Not open for further replies.

tokyogwb

IS-IT--Management
Mar 5, 2011
1
JP
I have setup an ASA 5505 firewall with DMZ which hosts a mail server.
From outside there is full access to the mail server and it is recieving emails.
However, I am not able to access this server from inside although I have full access to internet and other outside resources.

Here is the config.
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name domain-name.com
enable password dqNVmGv0M1aiohVM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.250 255.255.255.248
ospf cost 10
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.123.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 5
!
interface Ethernet0/7
switchport access vlan 5
!
ftp mode passive
clock timezone JST 9
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq pop3
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq smtp
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq 32000
access-list Mail extended permit tcp any 192.168.123.0 255.255.255.0 eq 587
access-list RemoteDT extended permit tcp any 192.168.123.0 255.255.255.0 object-group RemoteDT
access-list RemoteDT extended permit tcp any xxx.xxx.xxx.248 255.255.255.248 object-group RemoteDT
access-list Radmin extended permit tcp any 192.168.123.0 255.255.255.0 object-group Radmin
access-list Radmin extended permit tcp any 192.168.1.0 255.255.255.0 object-group Radmin
access-list dmz_access_in extended permit ip xxx.xxx.xxx.248 255.255.255.248 any

access-list dmz_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any xxx.xxx.xxx.248 255.255.255.248
access-list inside_access_in extended permit ip any 192.168.123.0 255.255.255.0

access-list outside_access_in extended permit ip any host xxx.xxx.xxx.251
access-list outside_access_in extended permit ip any host xxx.xxx.xxx.252
access-list outside_access_in extended permit ip any host xxx.xxx.xxx.253
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) xxx.xxx.xxx.252 192.168.123.3 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.xxx.253 192.168.123.4 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.251 192.168.1.2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.150 inside
dhcpd dns 192.168.1.2 211.129.14.139 interface inside
dhcpd lease 40000 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e0c4edf41a0d239705fd7a8d30e3e3b7
: end
ciscoasa#

Can anyone help me with this?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top