TOPIC: allowing incoming messages to SMTP Server

allowing incoming messages to SMTP Server 10 years 4 months ago #27466

Hello everyone, I have the following design:

DSL Modem
ASA 5505 ---- FrontEnd Exchange 2007 (SMTP Server)

Could you please guide me on the procedures that I need to follow in order to allow the incoming messages from our ISP to pass through the router and the ASA to our SMTP server?

Our ISP will simply forward (relay) the SMTP traffic to us, so the incoming mails will not be stored on our ISP's server; they will just simply forward any incoming messages to us to be received and stored on our SMTP server.

I want to know how I should think about making this happen. What should I allow to pass from outside to inside to my SMTP server?

Do I only have to create an ACL on the router and ASA to pass traffic coming on port 25 to our SMTP server?

Re: allowing incoming messages to SMTP Server 10 years 4 months ago #27482

Hello Sys-halt,

Regarding your network design, if the firewall is doing the NAT then you would have to create a NAT or a PAT translation (depending on your requirements).

Consider a scenario like this:

ASA 5505(Translations) ---- FrontEnd Exchange 2007 (SMTP Server)

i.e. the translations are done by the firewall and not by the router.

i. Say your internal email server's IP is .
ii. Say you have a public IP x.x.x.x
iii. Say you need to direct traffic on port z (pop or imap). And assuming that you have an outside ACL already configured as outside_acl.

According to this scenario, in which the firewall is doing the NAT translations, you will need the following statements on the firewall.

1. static (inside,outside) tcp x.x.x.x z z netmask
( this statement redirects all traffic that hits the public ip x.x.x.x on port a to server ) port z .
2. You need an appropriate access list on the outside interface to permit traffic:
access-list outside_acl permit tcp any host x.x.x.x eq z

These two statements are sufficient considering the firewall.

If you have any questions please let me know.


Re: allowing incoming messages to SMTP Server 10 years 4 months ago #27494

Hello patiot, thanks for your reply, really appreciated. I will work on it today once I get to work.

Yes, my firewall is doing a NAT for the inside and dmz1 interfaces to the outside interface.

My outside interface has IP of connected to my router inside interface of and then natting from my router to the Internet.

I did kind of try what you have suggested.

I was also trying to allow remote desktop connection from out to in:

access-list 110 extended permit tcp any host eq 3389
static (dmz1,outside) netmask
access-group 110 in interface outside

My SMTP server IP is:
My external ASA interface IP is:

So I was trying to allow RDP from the outside interface to my SMTP server through the ASA.

I thought that if this worked fine first, I would do the same access-list to allow SMTP traffic on port 25.

Re: allowing incoming messages to SMTP Server 10 years 4 months ago #27495

I have read that since I am doing NAT on the firewall, I have to create a mapped IP address and not use my firewall outside IP.

Like if my outside IP is I would have to create a mapped IP in the same subnet as like and map this IP to my internal server.

But I don't know what that is supposed to mean, or how to create a mapped IP on my firewall external interface.

Is this idea true?

Re: allowing incoming messages to SMTP Server 10 years 4 months ago #27496

Okay, I just found an article on the Cisco website talking about PIX/ASA NAT and PAT, Document ID: 64758. I found that the mapped IP is nothing other than one of the global pool range I made during NAT creation. I did a NAT pool range from on my outside interface of the ASA, so a mapped IP address is one of the specified IPs range I made, like

So it sounds like I have to map this IP and not use my ASA real IP interface the :-)

I should try this soon. Thanks all for your help. I will get back to you soon.

Re: allowing incoming messages to SMTP Server 10 years 4 months ago #27497

Creating a pool on the outside is also correct, but it is not mandatory to create a pool.

You can just perform a static without even defining a pool.

Say you have an IP on the outside

you can just forget about the pool and define a static:

static (inside,outside) inside-ip netmask

access-list 110 extended permit tcp any host eq port-that-you-want

In your situation it seems that you have multiple outside IPs, so you can create a static NAT instead of a PAT.
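
The static translation and outside ACL discussed in this thread, written out for inbound SMTP as an added example that is not part of any post above. It assumes the pre-8.3 ASA syntax that the thread's static command implies, the ACL name outside_acl from the first reply, a mail server on the inside interface, and constructed documentation addresses; limiting the source to the ISP relay is an assumption based on the original poster's statement that the ISP forwards all incoming mail.

```cisco
! Constructed addresses (documentation ranges), not values from the thread:
!   203.0.113.10  mapped (public) address for the mail server
!   10.0.0.25     real address of the Exchange front end on the inside
!   198.51.100.5  ISP relay that forwards the mail
!
! Static PAT: only TCP/25 on the mapped address is translated to the server.
static (inside,outside) tcp 203.0.113.10 smtp 10.0.0.25 smtp netmask 255.255.255.255
!
! Broad form, as in the replies above: any Internet host may reach port 25.
! access-list outside_acl extended permit tcp any host 203.0.113.10 eq smtp
!
! Narrower form when all inbound mail arrives from the ISP relay.
! Before 8.3 the outside ACL matches the mapped address, not the real one.
access-list outside_acl extended permit tcp host 198.51.100.5 host 203.0.113.10 eq smtp
!
! The ACL has no effect until it is bound to the interface.
access-group outside_acl in interface outside
!
! Checks: translation present, ACL hit counts, simulated inbound SMTP connection.
show xlate
show access-list outside_acl
packet-tracer input outside tcp 198.51.100.5 1025 203.0.113.10 25
```

A rising hit count on the permit line and an ALLOW result from packet-tracer confirm that both the translation and the ACL match; the implicit deny at the end of outside_acl drops everything else arriving on the outside interface.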
