setting up dmz => private access for smtp

[leprikon]

setup :


outside :xxx.xxx.xxx.xxx
private 192.168.1.100 exchange
dmz 10.0.1.100 iis smtp

currently i can get from private to dmz
(telnet 10.0.1.100:25 from 192.168.1.100)

when trying to telnet from 10.0.1.100 to 192.168.1.100 the syslog display that its just denied (no acl defined in error - i can't tell which interface has the problem)

what should the setup be to allow this ? I tried setting up a static (inside,dmz) but it wouldn't take because of the levels.

I need the iis smtp service on dmz to relay to exchange and vice versa.

 

[yizhar]

HI.

You can do it like this:
static (inside,dmz) 10.0.1.101 192.168.1.100
access-list fromdmz permit tcp host 10.0.1.100 host 10.0.1.101 eq smtp
access-list fromdmz deny ip any host 10.0.1.101
access-list fromdmz deny ip any 192.168.1.0 255.255.255.0

(if you need Internet access from the DMZ network):
access-list fromdmz permit ip any any
(It can be better practice to refine this and only permit specific ports from DMZ to the Internet).

access-group fromdmz in interface dmz

Using the above example, the IIS SMTP server will need to be configured to use 10.0.1.101 as the destination for incoming mail.
An alternate option is to use:
static (inside,dmz) 192.168.1.100 192.168.1.100
access-list fromdmz permit tcp host 10.0.1.100 host 192.168.1.100 eq smtp
...

Then the dmz will access Exchange using 192.168.1.100


A more secure solution is to pull mail from inside (connection initiated from Exchange to mail relay), instead of push from dmz to inside. This is common when using linux mail relay servers and using a 3rd party utility like PopBeamer on the Exchange server to collect mail from mail relay.


Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar