ASA5510 dmz mail server forwarding to lan mail server

Hello Everyone, I am trying to bring up a new mail server in the dmz. I would like the dmz mail server to receive mail for our domain, store messages in users' mailboxes, then forward messages inward to the inside mail server. Below is an example of my running-config. I believe I need to include this line:

static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255

However, when I do I receive:

INFO: Global address overlaps w/ NAT exempt configuration

I feel like there may be more ways than one to make this work, but I need a little help. Communication is up between internal subnets; my problem lies within the ASA configuration. I am open to any advice or suggestions and appreciate your time, David.

ASA Version 7.0(6)
!
hostname hostname
domain-name domain.org
enable password password encrypted
names
name 192.168.1.0 lan1 description lan1 network
name 192.168.2.8 inside_mail description inside_mail mail server
name 192.168.2.0 lan2 description lan2 network
name 192.168.3.0 lan3 description lan3 network
name 10.1.1.1 dmz_mail description dmz_mail mail server
dns-guard
!
interface Ethernet0/0
 speed 100
 nameif outside
 security-level 0
 ip address 200.200.200.2 255.255.255.0
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 speed 100
 duplex full
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.200.1 255.255.255.0
 management-only
!
passwd password encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list outside_access_in remark outside access in to imap server
access-list outside_access_in extended permit tcp any host 200.200.200.10 eq imap4
access-list outside_access_in remark outside access in to https server
access-list outside_access_in extended permit tcp any host 200.200.200.10 eq https
access-list outside_access_in remark outside access in to smtp server (dmz)
access-list outside_access_in extended permit tcp any host 200.200.200.11 eq smtp
access-list inside_out_smtp remark inside access out for smtp server
access-list inside_out_smtp extended permit tcp host inside_mail any eq smtp
access-list inside_out_smtp remark block all outbound smtp traffic except server
access-list inside_out_smtp extended deny tcp any any eq smtp
access-list inside_out_smtp remark allow all outbound traffic
access-list inside_out_smtp extended permit ip any any
access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0
access-list vpn_splitTunnelAcl standard permit any
access-list dmz_access_in remark allow dmz smtp server inbound traffic
access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
pager lines 24
logging from-address snipped-for-privacy@domain.org
logging recipient-address snipped-for-privacy@domain.org level errors
logging host inside 192.168.1.5
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
ip local pool vpn 192.168.1.200-192.168.1.209 mask 255.255.255.0
ip verify reverse-path interface outside
asdm image disk0:/asdm506.bin
asdm location workstation 255.255.255.255 inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) 200.200.200.10 inside_mail netmask 255.255.255.255
static (dmz,outside) 200.200.200.11 dmz_mail netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_out_smtp in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 200.200.200.1 1
route inside lan3 255.255.255.0 192.168.1.3 1
route inside lan2 255.255.255.0 192.168.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
Reply to
drhopkins

The above ACL should allow traffic inbound to your inside mail server from the DMZ; however, you may want to minimize the traffic you allow. Currently you permit any IP packet; you may want to rewrite the ACL to limit it to just SMTP:

access-list dmz_access_in permit tcp host dmz_mail host inside_mail eq 25

Try this command:

static (inside,DMZ) tcp 192.168.2.8 SMTP 192.168.2.8 SMTP netmask 255.255.255.255
Reply to
Smokey

This is the exact line I started with, but I couldn't get any traffic to go inbound from the DMZ; that's when I changed it to all IP. Once I get some kind of communication between the two, I will fine-tune it with the line you have suggested.

I feel like the problem lies somewhere in the NAT exemption rule. Thanks for your time, and I appreciate your response, Dave.

Reply to
dave

Your nat 0 access list is being applied to traffic of any IP source on the inside lan, for traffic destined to 192.168.1.* -- which is the IP address range of the inside lan. Your nat 0 access list thus appears to be redundant.

Reply to
Walter Roberson
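Pulling the three observations in this thread together, here is a small added example (not code from this thread, from Cisco, or from any of the posters): a Python script that parses the kind of flattened ASA 7.x config David pasted, resolves the `name` aliases, and reports the things the replies point at: a `static` whose mapped or real address is one of the ASA's own interface addresses (as in the `static (inside,dmz) 10.1.1.1 ...` line David tried), a `nat 0` exemption whose destination is the interface's own subnet (Walter's point), and a host-to-host ACE that permits all `ip` where only SMTP is needed (Smokey's point). It is a heuristic linter of my own, not a reimplementation of the ASA's `Global address overlaps` check, so a clean run does not mean the ASA will accept a line. `SAMPLE_CONFIG` is constructed from the posted lines plus that attempted static. Note that in the posted config `name 10.1.1.1 dmz_mail` is also the dmz interface's own address, so the script flags the existing `static (dmz,outside)` line as well.

```python
"""Heuristic sanity checks for an ASA 7.x running-config (added example, not from the
thread or from Cisco). Not the ASA's own overlap check; it resolves `name` aliases and
reports: (1) a static whose mapped or real address is an ASA interface address, (2) a
nat 0 exemption aimed at the interface's own subnet, (3) a host-to-host 'permit ip' ACE."""
import ipaddress

# Constructed sample: the relevant lines from the posted config, plus the
# `static (inside,dmz)` line the original poster said he was trying to add.
SAMPLE_CONFIG = """\
name 192.168.1.0 lan1 description lan1 network
name 192.168.2.8 inside_mail description inside_mail mail server
name 10.1.1.1 dmz_mail description dmz_mail mail server
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 ip address 10.1.1.1 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip any lan1 255.255.255.0
access-list dmz_access_in extended permit ip host dmz_mail host inside_mail
nat (inside) 0 access-list inside_outbound_nat0_acl
static (inside,outside) 200.200.200.10 inside_mail netmask 255.255.255.255
static (dmz,outside) 200.200.200.11 dmz_mail netmask 255.255.255.255
static (inside,dmz) 10.1.1.1 inside_mail netmask 255.255.255.255
"""


def parse_config(text):
    """Collect name aliases, interface addresses, extended ACLs, nat 0 and static lines."""
    names, interfaces, acls, nat0, statics = {}, {}, {}, {}, []
    current = None  # interface block being read; its sub-commands are indented
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw.startswith(" ") and current is not None:
            if tok[0] == "nameif":
                interfaces[tok[1]] = current
            elif tok[:2] == ["ip", "address"]:
                current["net"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            continue
        current = {} if tok[0] == "interface" else None
        if tok[0] == "name" and len(tok) >= 3:
            names[tok[2]] = tok[1]
        elif tok[0] == "access-list" and len(tok) > 3 and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(tok[3:])
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            off = 1 if tok[2].lower() in ("tcp", "udp") else 0  # port-static form adds proto+ports
            statics.append((real_if, mapped_if, tok[2 + off], tok[3 + 2 * off]))
    return names, interfaces, acls, nat0, statics


def _addr(tok, i, names):
    """Decode one ACE address operand at tok[i] (any | host X | X MASK) -> (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1])), i + 2
    return ipaddress.ip_network(f"{names.get(tok[i], tok[i])}/{tok[i + 1]}"), i + 2


def parse_ace(entry, names):
    """entry = tokens after 'access-list NAME extended'; returns (action, proto, src, dst)."""
    action, proto = entry[0], entry[1]
    src, i = _addr(entry, 2, names)
    dst, _ = _addr(entry, i, names)
    return action, proto, src, dst


def lint(text):
    """Return human-readable findings for the three checks described above."""
    names, interfaces, acls, nat0, statics = parse_config(text)
    if_addr = {str(i["net"].ip): n for n, i in interfaces.items() if "net" in i}
    findings = []
    for real_if, mapped_if, mapped, real in statics:          # check 1
        for role, tok in (("mapped", mapped), ("real", real)):
            ip = names.get(tok, tok)
            if ip in if_addr:
                findings.append(f"static ({real_if},{mapped_if}) {mapped} {real}: {role} address "
                                f"{ip} is the {if_addr[ip]} interface's own address")
    for ifname, acl in nat0.items():                          # check 2
        if_net = interfaces.get(ifname, {}).get("net")
        for entry in acls.get(acl, []):
            action, _, _, dst = parse_ace(entry, names)
            if if_net is not None and action == "permit" and dst.subnet_of(if_net.network):
                findings.append(f"nat ({ifname}) 0 access-list {acl}: destination {dst} lies within "
                                f"the {ifname} interface subnet {if_net.network}; exemption looks redundant")
    for acl, entries in acls.items():                         # check 3
        for entry in entries:
            action, proto, src, dst = parse_ace(entry, names)
            if action == "permit" and proto == "ip" and src.prefixlen == 32 and dst.prefixlen == 32:
                findings.append(f"access-list {acl} permit ip {src.network_address} -> "
                                f"{dst.network_address}: allows every protocol; restrict to the "
                                f"needed service (e.g. tcp eq smtp)")
    return findings
```

Calling `lint(SAMPLE_CONFIG)` returns four findings: both `static` lines that touch 10.1.1.1, the `nat (inside) 0` exemption whose destination is the inside subnet, and the `permit ip` host-to-host ACE. To run it against a real box, paste the output of `show running-config` into a file and pass its text to `lint`; the parser only understands the `name`, `interface`/`nameif`/`ip address`, extended `access-list`, `nat ... 0 access-list` and `static` lines and ignores everything else.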

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.