I would allow access to an Exchange server in Trusted network to DMZ
Nico Rosberg
Hello,
ASA 5510
Trusted network = 10.1.1.0
DMZ network = 10.2.2.0
IP address of Exchange Server = 10.1.1.11
IP address of Webserver = 10.2.2.2
Unused address in DMZ = 10.2.2.30
Current config entries related to DMZ:
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.2.2.1 255.255.255.0
access-list dmz extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz extended permit ip any any
static (dmz,outside) xx.xx.xx.83 10.2.2.2 netmask 255.255.255.255
global (dmz) 10 interface
nat (dmz) 10 0.0.0.0 0.0.0.0
access-group dmz in interface dmz
I would like to add the following entries to enable the web server in the DMZ to access the Exchange server using SMTP:
static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-list DMZ extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
Will this work? There should not be any violation related to "one ACL to one interface in one direction", is that correct?
Thanks!