Wednesday, February 22, 2012

ASA 8.3+ / Exchange Edge in DMZ Example

confronted with a totally redesign of the NAT commands, and a fuzzy understanding of how ACLs work on non-outside interfaces, I spent a good 6-8 hours on this task.  something tells me there's a more elegant way to do this w/o the ACL dmz_access_in.  The beauty of the CLI is that it will on ly take about 15 minutes to execute from here on out for future projects!  cheers-

ASA Version 8.4(2)

!disable ESMTP fixup or you will get comm errors between the exchange servers

policy-map global_policy
class inspection_default
no inspect esmtp

interface Vlan1
 nameif inside
 security-level 100
 ip address %InsideInterfaceIP%
interface Vlan2
 nameif outside
 security-level 0
 ip address %OutsideInterfaceIP%
interface Vlan90
 nameif DMZ
 security-level 50
 ip address %DmzInterfaceIP%

object network obj_any
object network %obj-InsideSubnet%
 subnet %InsideSubnet%
object network %obj-DmzSubnet%
 subnet %DmzSubnet%
object network Exch-Edge
 host %ExchangeEdgeServerIP%
object network Exch-Hub
 host %ExchangeHubServerIP%

access-list dmz_allow_in extended permit tcp object Exch-Edge object Exch-Hub eq smtp
access-list dmz_allow_in extended permit tcp object Exch-Edge object Exch-Hub eq 50389
access-list dmz_allow_in extended deny ip object %obj-DmzSubnet% object %obj-InsideSubnet%

access-list dmz_allow_in extended permit ip object %obj-DmzSubnet% any
access-list outside_access_in extended permit tcp any object Exch-Edge eq smtp

object network %obj-InsideSubnet%
 nat (inside,outside) dynamic interface
object network obj-
 nat (inside,outside) dynamic interface
object network %obj-DmzSubnet%
 nat (DMZ,outside) dynamic interface
object network Exch-Edge
 nat (DMZ,outside) static %AvailablePublicIPAddress%
object network Exch-Hub
 nat (inside,DMZ) static Exch-Hub service tcp smtp smtp

access-group outside_access_in in interface outside
access-group dmz_allow_in in interface DMZ
route outside %DefaultGateway% 1


On the Hub server, execute the following in powershell:

you should get something like: 
RunspaceId                  : 37d7fde9-8ed4-48d6-a90c-f0c9255b1d13
SyncStatus                  : Normal
UtcNow                      : 2/23/2012 7:05:39 PM
Name                        : EdgeServerName
LeaseHolder                 : CN=,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrati
                              ve Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 2/23/2012 7:34:29 PM
LastSynchronizedUtc         : 2/23/2012 7:04:29 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2