[c-nsp] Cisco ASA 5510 DMZ Zone mail server not access Internet

Md. Jahangir Hossain jrjahangir at yahoo.com
Thu Nov 22 14:24:32 EST 2012


Dear Honorable Friend:

I hope all is well.

I am facing some difficulties with a Cisco ASA firewall. The problem details are:
 
I configured a DMZ zone on my ASA 5510 and put my mail server in this zone. I configured a NAT rule with a public address that I received from my ISP, as well as an ACL rule.
 
My mail server cannot access the Internet. My ISP has registered a DNS zone A record for my public IP 119.x.x.86, plus MX and TXT records, but I cannot access the Internet from my mail server.
 
My mail server's IP address is 192.168.100.10, which is static NATed to 119.x.x.85. But I can access the Internet from a workstation whose IP is 192.168.100.50, which is static NATed to 119.x.x.83. I need your suggestions for resolving this issue.

 


My configuration of the ASA 5510 is:
 

hostname ciscoasa
domain-name cisco.com
dns-guard
!
interface Ethernet0/0
 description Server_Zone
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/1
 description Local_Lan
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.248.0
!
interface Ethernet0/2
 description ISP_Connectivity
 nameif outside
 security-level 0
 ip address 119.x.x.82 255.255.255.240

interface Ethernet0/3
 description Connection between Firewall to Router
 nameif Firewall2Router
 security-level 100
 ip address 172.x.x.1 255.255.255.252
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone MAWT 6
dns server-group DefaultDNS
 domain-name cisco.com
same-security-traffic permit inter-interface
access-list outside_access_in extended permit ip any any
access-list dmz_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list Firewall2Router_access_in extended permit ip any any
access-list Firewall2Router_access_out extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list dmz_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
pager lines 24
logging enable
mtu dmz 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound

static (dmz,outside) 119.x.x.83 192.168.100.100 netmask 255.255.255.255
static (dmz,outside) 119.x.x.85 192.168.100.50 netmask 255.255.255.255
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group Firewall2Router_access_in in interface Firewall2Router
access-group Firewall2Router_access_out out interface Firewall2Router
route outside 0.0.0.0 0.0.0.0 119.x.x.81 1

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect sip
  inspect xdmcp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome at cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
 
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.3(2)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 100
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
Security Contexts              : 2
GTP/GPRS                       : Disabled
SSL VPN Peers                  : 2
Total VPN Peers                : 250
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5510 Security Plus license.





Thanks
Jahangir
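Editor's added example (not part of the original post, and not Cisco code): the prose above says the mail server 192.168.100.10 should be static NATed to 119.x.x.85 and the workstation 192.168.100.50 to 119.x.x.83, but the posted `static (dmz,outside)` lines bind 119.x.x.83 to 192.168.100.100 and 119.x.x.85 to 192.168.100.50, and there is no `nat (dmz) 1 ...` dynamic pool at all. The script below parses an excerpt of the posted 8.2-style configuration (constructed inline, line wraps rejoined) and compares the statics with the mapping the poster describes, so the discrepancy is found mechanically rather than by eyeballing the config. The `INTENDED` map, the helper names and the one-to-one static assumption are the editor's.

```python
"""Audit ASA 8.2-style static NAT against an intended host-to-public mapping.

Added example for the cisco-nsp thread above; not code from the original post.
Assumes pre-8.3 syntax: `static (real_if,mapped_if) mapped real netmask ...`
and `nat (if) id net mask`. Port-redirect statics (`static ... tcp ...`) are
ignored, since the posted config has none.
"""
import re
from collections import defaultdict

# Constructed excerpt of the configuration in the post (extraction wraps rejoined).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.248.0
nat (inside) 0 access-list inside_nat0_outbound
static (dmz,outside) 119.x.x.83 192.168.100.100 netmask 255.255.255.255
static (dmz,outside) 119.x.x.85 192.168.100.50 netmask 255.255.255.255
"""

# Mapping the poster describes in prose: real (DMZ) address -> public address.
# This is the editor's reading of the post, not something in the config.
INTENDED = {
    "192.168.100.10": "119.x.x.85",  # mail server (cannot reach the Internet)
    "192.168.100.50": "119.x.x.83",  # workstation (works)
}

STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)"
)
NAT_RE = re.compile(r"^nat\s+\((?P<iface>[\w-]+)\)\s+(?P<nat_id>\d+)\s+")


def parse_statics(config):
    """One dict per one-to-one `static (real_if,mapped_if) mapped real` line, in order."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group("mapped") not in ("tcp", "udp"):  # skip port redirects
            statics.append(m.groupdict())
    return statics


def dynamic_nat_interfaces(config):
    """Interfaces that have a dynamic NAT pool (`nat (if) N ...` with N != 0; 0 is exempt)."""
    ifaces = set()
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m.group("nat_id") != "0":
            ifaces.add(m.group("iface"))
    return ifaces


def audit_nat(config, intended, real_if="dmz", mapped_if="outside"):
    """Compare statics between real_if and mapped_if with the intended mapping.

    Returns findings: hosts with no translation at all (no static and no
    dynamic pool on their interface), hosts whose static points at a public
    address other than the intended one, public addresses claimed by more
    than one static, and intended public addresses already bound to a
    different real host (which is why simply adding the missing static
    would be rejected as overlapping).
    """
    statics = [s for s in parse_statics(config)
               if s["real_if"] == real_if and s["mapped_if"] == mapped_if]
    by_real = {s["real"]: s["mapped"] for s in statics}
    by_mapped = defaultdict(list)
    for s in statics:
        by_mapped[s["mapped"]].append(s["real"])
    has_dynamic = real_if in dynamic_nat_interfaces(config)

    untranslated = sorted(r for r in intended if r not in by_real and not has_dynamic)
    mismatched = {r: (by_real[r], want) for r, want in intended.items()
                  if r in by_real and by_real[r] != want}
    shared_public = {m: sorted(rs) for m, rs in by_mapped.items() if len(rs) > 1}
    taken = {want: sorted(by_mapped[want]) for r, want in intended.items()
             if want in by_mapped and r not in by_mapped[want]}
    return {
        "untranslated": untranslated,
        "mismatched": mismatched,
        "shared_public": shared_public,
        "public_taken_by_other_host": taken,
    }


if __name__ == "__main__":
    for key, value in audit_nat(ASA_CONFIG, INTENDED).items():
        print(f"{key}: {value}")
```

Against the posted excerpt the audit reports 192.168.100.10 as untranslated (no static, and no `nat (dmz) 1` pool, so its packets leave `outside` with a private source the ISP will not route back), 192.168.100.50 as mismatched (119.x.x.85 rather than the stated 119.x.x.83), and both intended public addresses as already taken by other statics. On the box itself the same conclusion can be confirmed with `show xlate` and `packet-tracer input dmz tcp 192.168.100.10 1025 <any public address> 80`, which will show no translation for the mail server. Separately, `outside_access_in extended permit ip any any` applied inbound on `outside` exposes every static-mapped DMZ host on every port; tightening it to tcp/25 (and whatever else the mail server must serve) is worth doing at the same time.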

