
2 Cisco ASA 5510's, an Exchange Edge Server, a DMZ, and a minefield.

P: 15


Disclaimer
Before you ask why I don't just put everything on the 192.168.1.0/24 network, let me just say I do this at another person's will.

Info:
For purposes of this question I will refer to "Internal Network" as the 192.168.0.0/24 located on the inside interface of the internal ASA
Domain names and public IPs changed for protection of the client.
Domain names changed to domain, public IPs represented by xxx.xxx.xxx.###


Objective:
To set up Edge/Web Services that can communicate through 2 ASA 5510's to the Internal network, allowing me to use the Edge server on the perimeter
To be able to hit the internet from all network points.
To be able to ping internally from any location to any location but not outside_in
To be able to maintain remote access to the internal servers
To not be laughed at for not putting the servers on the inside of the external ASA (hehe)

From the DMZ to the "Internal Network" (the main challenge, not working)
DNS
ICMP
tcp/50389
udp/50636
SMTP (to the internal exchange server)

From the Internal Network to the DMZ (everything currently is working, but as other changes might cause this to close I will need the following)
ICMP
tcp/50389
udp/50636
HTTP
HTTPS
SMTP (from the internal exchange server)

All networks should have outbound access "outside" to the world

From the Outside in to the "internal network"
3389 (Working but if you have me change something elsewhere to break it, please fix it :))

From the outside to the DMZ
SMTP
http
https
(perhaps more later but for now this is it)

Current Status:
Currently I can ping into the DMZ from the Internal Network
From the DMZ I can ping to 192.168.1.2
I can see http from the internal network on the DMZ
All networks currently can browse the internet.
RDP all the way in to the Internal network, works.

I would like to point out that I will make it a point to post working configs once this is finished.
I also appreciate any help offered.


The External ASA
ASA Version 8.0(2)
!
hostname external
domain-name domain.local
enable password sg5gh5uh45g6 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.82 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 49
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif dmz
 security-level 40
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd iG0FMG.8O3nPFSqf encrypted
boot system disk0:/asa802-k8.bin
boot config disk0:/flash
ftp mode passive
clock timezone CST -5
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns server-group Internal
 name-server 192.168.0.11
 name-server 192.168.0.13
 domain-name domain.local
dns-group Internal
same-security-traffic permit inter-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service rdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 50000
 port-object eq 50001
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 50000
 port-object eq 50001
access-list dmz-in extended permit tcp any host 10.10.10.10 eq smtp
access-list dmz-in extended permit tcp any host 10.10.10.10 eq www
access-list dmz-in extended permit tcp any host 10.10.10.10 eq https
access-list dmz-in extended permit icmp any any
access-list dmz-in extended permit ip 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any dmz
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
global (dmz) 3 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 74.117.105.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 dmz
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet xxx.xxx.xxx.0 255.255.255.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
username admin password sfdgfgs45g5gh45h== nt-encrypted privilege 15
prompt hostname context

The Internal ASA
ASA Version 8.0(2)
!
hostname internal
domain-name domain.local
enable password f443fg5sg45g encrypted
names
name 10.10.10.10 nlf-srv-004 description Front End Server
name 192.168.0.11 nlf-srv-001 description DC1
name 192.168.0.12 nlf-srv-002 description Exchange
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd sg45g5g45g45 encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name domain.local
dns server-group Internal
 name-server nlf-srv-001
 name-server 192.168.0.13
 domain-name domain.local
dns-group Internal
same-security-traffic permit inter-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any any eq smtp
access-list out-in extended permit tcp any any eq 3389
access-list out-in extended permit ip any any
access-list inside extended permit tcp any host nlf-srv-002 eq smtp
access-list inside extended permit ip xxx.xxx.xxx.80 255.255.255.248 192.168.0.0 255.255.255.0
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 nlf-srv-001 3389 netmask 255.255.255.255
access-group out-in in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.0.50-192.168.0.150 inside
dhcpd dns nlf-srv-001 192.168.0.13 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
policy-map gloabl_policy
 class inspection_default
!
service-policy global_policy global
ntp server 192.43.244.18 source outside prefer
prompt hostname context
May 12 '10 #1
10 Replies


sicarie
Expert Mod 2.5K+
P: 4,677
Just out of curiosity, why do you want to allow ICMP inbound? That's a security issue that you'll probably want to avoid... it's generally not a good idea unless there's something specific you're doing that for
May 17 '10 #2

P: 15
I don't, it's only internal. Not from the outside in.
May 17 '10 #3

sicarie
Expert Mod 2.5K+
P: 4,677
Hmm, maybe I'm not reading this right - what do you still need help with? What's not working?
May 18 '10 #4

P: 15
Mainly this
From the DMZ to the "Internal Network" (the main challenge, not working)
DNS
ICMP
tcp/50389
udp/50636
SMTP (to the internal exchange server)

From the Internal Network to the DMZ (everything currently is working, but as other changes might cause this to close I will need the following)
ICMP
tcp/50389
udp/50636
HTTP
HTTPS
SMTP (from the internal exchange server)
May 18 '10 #5

sicarie
Expert Mod 2.5K+
P: 4,677
Hmmm, well ping uses ICMP, so allowing ICMP both ways will allow ping which is probably not the best idea - what are you trying to do with ICMP? Is there another way (such as reporting purposes, what about syslog, or AD reporting?)

The first two will be easiest - this link might help build the rules - what have you tried so far?

(Please also take a look at page 7 section 3 concerning the ICMP issue)
May 19 '10 #6

P: 15
There is no ICMP going to the outside world, only from the inside of the internal ASA to the DMZ behind the external ASA.

The ultimate problem is communication from the DMZ to the inside of the internal ASA.
May 20 '10 #7

sicarie
Expert Mod 2.5K+
P: 4,677
Did that link make sense? Were you able to create the two tcp/udp rules?
May 20 '10 #8

P: 15
Rules were never a problem, I finally resolved the issue.

I was missing a static route from the DMZ to the Gateway of the "Internal" network.
I will post a final "cleaned up" config of both routers next week highlighting examples of key elements.
May 22 '10 #9

sicarie
Expert Mod 2.5K+
P: 4,677
Glad you were able to figure that out - sorry I wasn't able to understand your question!
May 24 '10 #10

P: 15
No worries sicarie, as promised here is what was ultimately missing and how one can do it themselves.

We must follow basic routing rules for internal networks. So if you had multiple routes and paths they must be defined, but if we are restricting traffic on any of those interfaces we must make exceptions.

This is the external config (modified for usable data)
ASA Version 8.0(2)
!
hostname external
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.82 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 49
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif dmz
 security-level 40
 ip address 10.10.10.1 255.255.255.0
!

dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
 name-server 192.168.0.11
 name-server 192.168.0.13
 domain-name domain.local
dns-group Internal
same-security-traffic permit inter-interface

access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.12 eq 135
access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.12 eq smtp
access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.12 eq 50389
access-list dmz-in extended permit udp host 10.10.10.10 host 192.168.0.12 eq 50636
access-list dmz-in extended permit object-group TCPUDP host 10.10.10.10 host 192.168.0.11 eq domain
access-list dmz-in extended permit object-group TCPUDP host 10.10.10.10 host 192.168.0.13 eq domain
access-list dmz-in extended permit ip host 10.10.10.10 host 192.168.0.12
access-list dmz-in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz-in extended permit ip 10.10.10.0 255.255.255.0 any

access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq https

access-list inside_access_in extended permit tcp host 10.10.10.10 host 192.168.1.2 eq smtp
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 host 10.10.10.10 eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any

access-list nat0 extended permit ip host 192.168.0.11 host 10.10.10.10
access-list nat0 extended permit ip host 192.168.0.12 host 10.10.10.10
access-list nat0 extended permit ip host 192.168.0.13 host 10.10.10.10

global (outside) 1 interface
global (inside) 2 interface
global (dmz) 3 interface

nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface smtp 10.10.10.10 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface www 10.10.10.10 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (dmz,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz-in in interface dmz

route outside 0.0.0.0 0.0.0.0 74.117.105.81 1
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
And this is the internal config (also modified for usage)
ASA Version 8.0(2)
!
hostname internal
names
name 10.10.10.10 srv-4 description Front End Server
name 192.168.0.11 srv-1 description DC1
name 192.168.0.12 srv-2 description Exchange
name 192.168.0.13 srv-3 description DC2

dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!

dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name domain.local
dns server-group External
 name-server xxx.xxx.xxx.xxx
 name-server xxx.xxx.xxx.xxx
dns server-group Internal
 name-server srv-1
 name-server srv-3
 domain-name domain.local
dns-group Internal
same-security-traffic permit inter-interface

access-list out-in extended permit tcp any any eq 3389
access-list out-in extended permit tcp any any eq smtp
access-list out-in extended permit ip any any

access-list inside extended permit tcp host srv-2 host srv-4 eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended permit ip any any

access-list nat0 extended permit ip host srv-1 host srv-4
access-list nat0 extended permit ip host srv-2 host srv-4
access-list nat0 extended permit ip host srv-3 host srv-4

global (outside) 1 interface
global (inside) 2 interface

nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 srv-1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https srv-2 https netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.0 domain 192.168.0.0 domain netmask 255.255.255.0
static (outside,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

access-group out-in in interface outside
access-group inside in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
You will notice a couple of major points.
First,
route inside 192.168.0.0 255.255.255.0 192.168.1.2 1
A route to the network through another security appliance must be established, otherwise our traffic won't know where to go.

Next we need to create some exceptions so it will allow that traffic to pass correctly.
access-list nat0 extended permit ip host 192.168.0.11 host 10.10.10.10
access-list nat0 extended permit ip host 192.168.0.12 host 10.10.10.10
access-list nat0 extended permit ip host 192.168.0.13 host 10.10.10.10
This allows traffic to come from these 3 servers and talk to our DMZ server

Next we need to assign that access list to an interface.
nat (inside) 0 access-list nat0
This is where our servers are in relation to THIS ASA.

We repeat the exceptions on the internal ASA but it does not require a route, as we have already established one by ending at the "inside interface" of the "external ASA"

access-list nat0 extended permit ip host srv-1 host srv-4
access-list nat0 extended permit ip host srv-2 host srv-4
access-list nat0 extended permit ip host srv-3 host srv-4
And as before, we must associate that with an interface
nat (inside) 0 access-list nat0
Allowing our traffic to reach the servers.

This is secure as we have limited that connection to only occur between hosts and not entire networks.

Remember that order of precedence on access-lists determines flow.

For example
access-list inside extended permit tcp host srv-2 host srv-4 eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended permit ip any any
Starting at the top, the first line says that SMTP traffic can go from srv-2 to srv-4. The 2nd line says to deny all SMTP traffic. Since the first line takes place first, that is allowed.

Lastly, you can reach the "Internal" network from all the way outside by defining static paths and restricting them by access-lists.

So now, I can RDP to my internal servers. My servers can communicate via restricted paths to the DMZ/Edge Server, and vice versa all of the mail flow that is required.

All networks can hit the internet.
This is a recommended setup, by the way, to prevent infected machines from sending out email from inside your network.

I removed the ICMP as I was finished with its uses, but simply adding in the correct access-lists enables ICMP traffic from location to location again.

Hopefully this will help someone.
May 27 '10 #11
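As an added example that is not part of the thread, the following Python script models the ASA's first-match access-list evaluation over a constructed excerpt of the final `inside` and `dmz-in` lists posted above (srv-N names are resolved the way the internal ASA's `name` statements define them, and the page's object-group TCPUDP is treated as tcp-or-udp). It shows why the srv-2 to srv-4 SMTP permit has to sit above the SMTP deny, that a workstation's SMTP attempt is stopped by that deny, and that a flow no line matches falls to the implicit deny at the end of every ASA access-list.

```python
import ipaddress
from collections import namedtuple

# Constructed excerpt of the final ACLs posted above; srv-N resolve as in the
# internal ASA's `name` statements, and object-group TCPUDP means tcp or udp.
NAMES = {"srv-1": "192.168.0.11", "srv-2": "192.168.0.12",
         "srv-3": "192.168.0.13", "srv-4": "10.10.10.10"}
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "https": 443}

INSIDE_ACL = """
access-list inside extended permit tcp host srv-2 host srv-4 eq smtp
access-list inside extended deny tcp any any eq smtp
access-list inside extended permit ip any any
"""
DMZ_IN_ACL = """
access-list dmz-in extended permit tcp host 10.10.10.10 host 192.168.0.12 eq smtp
access-list dmz-in extended permit object-group TCPUDP host 10.10.10.10 host 192.168.0.11 eq domain
access-list dmz-in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz-in extended permit ip 10.10.10.0 255.255.255.0 any
"""

# One access-control entry; protos {"ip"} matches every protocol and
# dport is None when the ACE carries no "eq PORT".
Ace = namedtuple("Ace", "action protos src dst dport")

def _addr(tokens):
    """Consume one address spec: 'any', 'host X' or 'NET MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        h = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(h, h) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[3], tok[4], tok[5:]
        if proto == "object-group":    # only the page's TCPUDP group is modelled
            protos, rest = {"tcp", "udp"}, rest[1:]
        else:
            protos = {proto}
        src, dst = _addr(rest), _addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, protos, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins: returns (action, index), or ('deny', None)
    for the implicit deny that ends every ASA access-list."""
    s = ipaddress.ip_address(NAMES.get(src, src))
    d = ipaddress.ip_address(NAMES.get(dst, dst))
    for i, ace in enumerate(aces):
        if "ip" not in ace.protos and proto not in ace.protos:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i
    return "deny", None
```

Calling `evaluate(parse_acl(INSIDE_ACL), "tcp", "192.168.0.50", "srv-4", 25)` returns `("deny", 1)`: a workstation's SMTP attempt is caught by the second line even though the third line permits everything else.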
