ASA 8.3及更高版本:內部網路上的郵件(SMTP)伺服器訪問配置示例
簡介
此示例配置演示如何設定ASA安全裝置以訪問位於內部網路上的郵件(SMTP)伺服器。
請參閱ASA 8.3及更高版本:有關如何設定ASA安全裝置以訪問位於DMZ網路上的郵件/SMTP伺服器的詳細資訊,請參閱DMZ上的郵件(SMTP)伺服器訪問配置示例。
請參閱ASA 8.3及更高版本:外部網路上的郵件(SMTP)伺服器訪問配置示例,用於設定ASA安全裝置以訪問位於外部網路上的郵件/SMTP伺服器。
必要條件
需求
本文件沒有特定需求。
採用元件
本文中的資訊係根據以下軟體和硬體版本:
-
運行8.3及更高版本的思科自適應安全裝置(ASA)。
-
採用Cisco IOS®軟體版本12.4(20)T的Cisco 1841路由器
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
設定
本節提供用於設定本文件中所述功能的資訊。
網路圖表
本檔案會使用以下網路設定:
注意:此配置中使用的IP編址方案在Internet上不能合法路由。這些地址是在實驗室環境中使用的RFC 1918地址。
本示例中使用的網路設定包含具有內部網路(192.168.1.0/24)和外部網路(209.164.3.0/30)的ASA。 IP地址為209.64.3.5的郵件伺服器位於內部網路中。
組態
本檔案會使用以下設定:
| ASA |
|---|
ASA#show run : Saved : ASA Version 8.3(1) ! hostname ASA enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! interface Ethernet0 shutdown no nameif no security-level no ip address ! interface Ethernet1 shutdown no nameif no security-level no ip address ! interface Ethernet2 shutdown no nameif no security-level no ip address ! !--- Define the IP address for the inside interface. interface Ethernet3 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! !--- Define the IP address for the outside interface. interface Ethernet4 nameif outside security-level 0 ip address 209.164.3.1 255.255.255.252 ! interface Ethernet5 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive !--- Create an access list that permits Simple !--- Mail Transfer Protocol (SMTP) traffic from anywhere !--- to the host at 209.164.3.5 (our server). The name of this list is !--- smtp. Add additional lines to this access list as required. !--- Note: There is one and only one access list allowed per !--- interface per direction, for example, inbound on the outside interface. !--- Because of limitation, any additional lines that need placement in !--- the access list need to be specified here. If the server !--- in question is not SMTP, replace the occurrences of SMTP with !--- www, DNS, POP3, or whatever else is required. access-list smtp extended permit tcp any host 209.164.3.5 eq smtp pager lines 24 mtu inside 1500 mtu outside 1500 no failover no asdm history enable arp timeout 14400 !--- Specify that any traffic that originates inside from the !--- 192.168.2.x network NATs (PAT) to 209.164.3.129 if !--- such traffic passes through the outside interface. object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 nat (inside,outside) dynamic 209.164.3.129 !--- Define a static translation between 192.168.2.57 on the inside and !--- 209.164.3.5 on the outside. These are the addresses to be used by !--- the server located inside the ASA. object network obj-192.168.2.57 host 192.168.2.57 nat (inside,outside) static 209.164.3.5 !--- Apply the access list named smtp inbound on the outside interface. access-group smtp in interface outside !--- Instruct the ASA to hand any traffic destined for 192.168.x.x !--- to the router at 192.168.1.2. route inside 192.168.0.0 255.255.0.0 192.168.1.2 1 !--- Set the default route to 209.164.3.2. !--- The ASA assumes that this address is a router address. route outside 0.0.0.0 0.0.0.0 209.164.3.2 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart telnet timeout 5 ssh timeout 5 console timeout 0 ! class-map inspection_default match default-inspection-traffic ! ! !--- SMTP/ESMTP is inspected as "inspect esmtp" is included in the map. policy-map global_policy class inspection_default inspect dns maximum-length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! !--- SMTP/ESMTP is inspected as "inspect esmtp" is included in the map. service-policy global_policy global Cryptochecksum:f96eaf0268573bd1af005e1db9391284 : end |
| 路由器B |
|---|
Current configuration: ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname 2522-R5 ! enable secret 5 $1$N0F3$XE2aJhJlCbLWYloDwNvcV. ! ip subnet-zero ! ! ! ! ! interface Ethernet0 !--- Sets the IP address of the Ethernet interface to 209.164.3.2. ip address 209.164.3.2 255.255.255.252 ! interface Serial0 !--- Instructs the serial interface to use !--- the address of the Ethernet interface when the need arises. ip unnumbered ethernet 0 ! interface Serial1 no ip address no ip directed-broadcast ! ip classless !--- Instructs the router to send all traffic !--- destined for 209.164.3.x to 209.164.3.1. ip route 209.164.3.0 255.255.255.0 209.164.3.1 !--- Instructs the router to send !--- all other remote traffic out serial 0. ip route 0.0.0.0 0.0.0.0 serial 0 ! ! line con 0 transport input none line aux 0 autoselect during-login line vty 0 4 exec-timeout 5 0 password ww login ! end |
註:路由器A的配置未新增。您只需為介面上提供IP地址,並將預設網關設定為192.168.1.1(即ASA的內部介面)。
ESMTP TLS配置
注意:如果您對電子郵件通訊使用傳輸層安全(TLS)加密,則ASA中的ESMTP檢查功能(預設情況下啟用)會丟棄資料包。要允許啟用TLS的電子郵件,請按照此輸出所示禁用ESMTP檢查功能。如需詳細資訊,請參閱Cisco錯誤ID CSCtn08326。
ciscoasa(config)# policy-map global_policy ciscoasa(config-pmap)#class inspection_default ciscoasa(config-pmap-c)#no inspect esmtp ciscoasa(config-pmap-c)#exit ciscoasa(config-pmap)#exit
注意:在ASA 8.0.3版及更高版本中,可使用allow-tls命令來允許啟用了inspect esmtp的TLS電子郵件,如下所示:
policy-map type inspect esmtp tls-esmtp parameters allow-tls inspect esmtp tls-esmtp
驗證
目前沒有適用於此組態的驗證程序。
疑難排解
logging buffered 7命令將消息定向到ASA控制檯。如果與郵件伺服器的連線存在問題,請檢查控制檯調試消息以找到傳送站和接收站的IP地址以確定問題。
相關資訊
修訂記錄
| 修訂 | 發佈日期 | 意見 |
|---|---|---|
1.0 |
25-Nov-2019 |
初始版本 |
意見