
I would allow access to an Exchange server in Trusted network to DMZ

Nico Rosberg
Hello,

ASA 5510

Trusted network = 10.1.1.0
DMZ network = 10.2.2.0


IP address of Exchange Server = 10.1.1.11
IP address of Webserver = 10.2.2.2

Unused address in DMZ = 10.2.2.30

Current config entries related to DMZ:

interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.2.2.1 255.255.255.0

access-list dmz extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz extended permit ip any any

static (dmz,outside) xx.xx.xx.83 10.2.2.2 netmask 255.255.255.255

global (dmz) 10 interface

nat (dmz) 10 0.0.0.0 0.0.0.0

access-group dmz in interface dmz

I would like to add the following entries to enable the web server in the DMZ to access the Exchange server using SMTP:

static (inside,DMZ) 10.2.2.30 10.1.1.11 netmask 255.255.255.255
access-list DMZ extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp

Will this work? There should not be any violation related to "one ACL to one interface in one direction", is that correct?

Thanks!
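The following is an added example, not part of the original post: a small Python model of first-match ACL evaluation run over the access-list and access-group lines quoted in the question, showing which entry decides SMTP traffic from the web server. It assumes the pre-8.3 behaviour in which the interface ACL is matched against the mapped address 10.2.2.30, and that ACL names are compared case-sensitively, so `DMZ` and `dmz` are different lists; the function names are hypothetical.

```python
import ipaddress

# Lines copied from the post: the existing 'dmz' list, the proposed 'DMZ'
# entry exactly as written, and the existing access-group binding.
CONFIG = """\
access-list dmz extended deny ip any 10.1.0.0 255.255.0.0
access-list dmz extended permit ip any any
access-list DMZ extended permit tcp host 10.2.2.2 host 10.2.2.30 eq smtp
access-group dmz in interface dmz
"""
PORTS = {"smtp": 25}  # the only port keyword that appears on the page

def take_addr(tok):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse(config):
    """Return ({acl_name: [ace, ...]}, {interface: acl_name})."""
    acls, bound = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-group"]:
            bound[tok[4]] = tok[1]
        elif tok[:1] == ["access-list"]:
            name, action, proto = tok[1], tok[3], tok[4]
            rest = tok[5:]
            src, dst = take_addr(rest), take_addr(rest)
            port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port, line))
    return acls, bound

def evaluate(config, iface, proto, src, dst, dport):
    """First-match evaluation of the ACL bound inbound on iface."""
    # Assumption: names are case-sensitive, so only the exact bound name is read.
    acls, bound = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port, line in acls.get(bound[iface], []):
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    print(evaluate(CONFIG, "dmz", "tcp", "10.2.2.2", "10.2.2.30", 25))
    print(evaluate(CONFIG, "dmz", "tcp", "10.2.2.2", "10.1.1.11", 25))
```

Under these assumptions the SMTP connection to 10.2.2.30 is decided by the existing `permit ip any any` line, and the entry written under the name `DMZ` is never consulted because only `dmz` is bound to the interface.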