Allow smtp traffic from DMZ to Inside, without DMZ loosing Internet connection?

Hi.

I have a Edge Transport Server (192.168.2.10) in my DMZ zone (192.168.2.0) that need access Exchange 2007 Hub server (192.168.1.10) which sits on the inside network (192.168.1.0) on port 25 (smtp). I have tried to add the following two rules:

static (inside,DMZ) tcp 192.168.1.10 smtp 192.168.1.10 smtp netmask

255.255.255.255 access-list dmz-access-in permit tcp host 192.168.2.10 host 192.168.1.10 eq 25

The result is that the Edge Transport Server can now telnet to

192.168.1.10 on port 25 - SUCCESS. The only downside is, that the Edge Transport Server no longer have access to the internet (outside interface) and thereby can't send mails outside the organisation. What am I doing wrong - it must be said that I am not an Cisco expert :)

Regards Morten.

------------------------------------------------------------------------------------------------------------------ ASA Version 7.2(3) ! hostname pix1 domain-name ************** names dns-guard ! interface Ethernet0/0 nameif outside security-level 0 ip address **************** ! interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet0/2 nameif DMZ security-level 50 ip address 192.168.2.1 255.255.255.0 ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown nameif management security-level 100 ip address 172.16.1.1 255.255.255.0 management-only !

access-list ikke-nat extended permit ip 192.168.1.0 255.255.255.0

192.168.128.0 255.255.255.0 access-list fra-remote extended permit icmp any any echo-reply access-list fra-remote extended permit icmp any any time-exceeded access-list fra-remote extended permit icmp any any unreachable access-list fra-remote extended permit ip 192.168.128.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list fra-remote extended permit tcp any interface outside eq smtp access-list fra-remote extended permit tcp any interface outside eq pop3 access-list fra-remote extended permit tcp any interface outside eq https access-list fra-remote extended permit tcp any interface outside eq www

mtu outside 1500 mtu inside 1500 mtu DMZ 1500 mtu management 1500

ip local pool vpn-scope 192.168.128.2-192.168.128.20 icmp unreachable rate-limit 1 burst-size 1 icmp permit any echo-reply outside icmp permit any unreachable outside asdm image disk0:/asdm-522.bin no asdm history enable arp timeout 14400 nat-control

global (outside) 1 interface global (DMZ) 1 interface

nat (inside) 0 access-list ikke-nat nat (inside) 1 192.168.1.0 255.255.255.0 static (inside,outside) tcp interface https 192.168.1.8 https netmask

255.255.255.255 static (inside,outside) tcp interface pop3 192.168.1.8 pop3 netmask 255.255.255.255 static (inside,outside) tcp interface smtp 192.168.1.8 smtp netmask 255.255.255.255 access-group fra-remote in interface outside

route outside 0.0.0.0 0.0.0.0 89.233.4.153 1 route inside 192.168.1.7 255.255.255.255 192.168.1.1 1

----------------------------------------------------------------------------------------------------