topic Pix DMZ to Inside access in Network Security

Pix DMZ to Inside access

exigent — Fri, 21 Feb 2020 06:12:18 GMT

I have a smtp bastion host on a DMZ in a PIX 515. The DMZ needs to be able to send mail to a host on the inside network. Assume the following scenario:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 175.0.0.1 255.255.255.224

ip address inside 100.0.0.1 255.255.255.0

ip address dmz 192.168.1.1 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

global (dmz) 1 interface

DMZ server IP= 192.168.1.2

INSIDE server IP=100.0.0.2

Inside hosts can access DMZ server but I need the DMZ server to be able to send e-mail on port 25 back to an inside server.

Thanks in advance!

Re: Pix DMZ to Inside access

albadger — Tue, 13 Aug 2002 22:34:53 GMT

For access from an interface of lower security to one of higher security, you will need to configure a static translation and appropriate access-lists.

In your example above, you would need something like:

static (inside,dmz) 100.0.0.2 100.0.0.2 netmask 255.255.255.255 -> so that the DMZ users can recognise the server on the inside using the 100.0.0.2 address

and then:

access-list 101 permit tcp host 192.168.1.2 host 100.0.0.2 eq 25

you would then need to apply the access-list to the interface using:

access-group 101 in interface dmz

Note: the access-list will block all other traffic from going through the DMZ interface so you will need to make sure you permit any other necessary traffic, regardless of the destination (inside or outside).

Please see the following sample configuration: http://www.cisco.com/warp/customer/110/mailserver_in.html - it is for outside access to an inside SMTP server, but the same theory applies because it is still lower security level to higher security level.

Re: Pix DMZ to Inside access

exigent — Wed, 14 Aug 2002 01:58:47 GMT

Thanks! That worked!!

Re: Pix DMZ to Inside access

mjones — Tue, 20 Aug 2002 06:13:07 GMT

you need a static and a conduit to the inside from the dmz. If you are using ACL's the same rules apply

static (dmz,inside) etc.

access-list inside permit tcp (dmz) to (Inside) eq 25

conduit permit tcp (dmz) to (Inside) eq 25