DMZ to inside access ISSUE !! ...assistance appreciated

Hari_gedda
Beginner

I want to allow the web server (193.170.4.2) in the DMZ to communicate with our Exchange server (10.77.51.87) internally via SMTP. For this I used "access-list acl-dmz permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp", but it did not work. Is it because of the deny ip line in acl-outbound, or the NAT? Please clarify. FYI, here is the configuration.

PIX_6.3(5)_515#
access-group acl-inbound in interface outside
access-group acl-outbound in interface inside
access-group acl-dmz in interface dmz1

PIX_6.3(5)_515# sh access-list acl-outbound | in deny
access-list acl-outbound line 86 deny ip 10.0.0.0 255.0.0.0 193.170.4.0 255.255.255.0 (hitcnt=1209)
access-list acl-outbound line 90 deny ip any any (hitcnt=1014022)

PIX_6.3(5)_515# sh access-list acl-dmz
access-list acl-dmz; 2 elements
access-list acl-dmz line 1 permit udp host 193.170.4.2 host 198.6.1.4 eq domain (hitcnt=5625)
access-list acl-dmz line 2 permit ip host 193.170.4.2 any (hitcnt=1089)

PIX_6.3(5)_515# sh nat
nat (inside) 0 access-list nonat
nat (inside) 1 10.77.51.80 255.255.255.255 0 0
nat (inside) 1 10.77.51.81 255.255.255.255 0 0
nat (inside) 1 10.77.51.87 255.255.255.255 0 0
nat (inside) 2 10.76.0.0 255.255.0.0 0 0

PIX_6.3(5)_515# sh run | in static
static (inside,outside) tcp 195.99.136.85 smtp 10.77.51.87 smtp netmask 255.255.255.255 0 0
static (inside,outside) 195.99.136.81 10.77.51.58 netmask 255.255.255.255 0 0
static (inside,outside) 195.99.136.84 10.77.51.38 netmask 255.255.255.255 0 0
static (dmz1,outside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0
static (dmz1,inside) 212.140.175.173 193.170.4.2 netmask 255.255.255.255 0 0
static (inside,dmz1) 10.76.0.0 10.76.0.0 netmask 255.255.0.0 0 0

PIX_6.3(5)_515# sh run | in global
global (outside) 1 195.99.136.85
global (outside) 2 interface
PIX_6.3(5)_515#
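Editor's added example, not part of the thread and not an answer any participant gave. The posted configuration already contains the pattern PIX 6.3 requires for a connection from a lower-security interface (dmz1) to a higher-security one (inside): a translation for the inside destination that is visible from dmz1, plus a permit on the ACL applied to dmz1. The only such translation shown is "static (inside,dmz1) 10.76.0.0 10.76.0.0", which covers 10.76.0.0/16 and not the Exchange server 10.77.51.87; nat (inside) 1 for 10.77.51.87 has a global on outside only, so nothing maps it toward dmz1. On the ACL side, acl-dmz line 2 (permit ip host 193.170.4.2 any) already matches the SMTP connection, so the extra SMTP permit could not have been what failed, and acl-outbound on the inside interface only filters connections initiated from inside (return packets of an established connection are not re-checked). The fragment below adds the missing static, tightens acl-dmz, and lists the checks. It assumes the nonat access-list, whose contents are not on the page, does not already cover 10.77.51.87.

```cisco
! Added example for PIX 6.3(5); editor's addition, not from the thread.
! Assumption: the "nonat" access-list (not shown on the page) does not
! already cover 10.77.51.87; if it does, the static in step 1 is redundant.

! 1. Translation: dmz1-initiated traffic to an inside host is dropped unless
!    that host has a translation visible from dmz1. The posted config only
!    has this for 10.76.0.0/16; add the same identity static for Exchange.
static (inside,dmz1) 10.77.51.87 10.77.51.87 netmask 255.255.255.255 0 0

! 2. Access list on dmz1. acl-dmz line 2 (permit ip host 193.170.4.2 any)
!    already matches the SMTP connection, so the ACL was not the blocker.
!    Hardening suggestion: explicit SMTP permit, then deny the DMZ host the
!    rest of the 10/8 inside space, then keep the broad permit for Internet
!    traffic. "line N" inserts before the current line N in 6.3, so the
!    existing "permit ip host 193.170.4.2 any" ends up as line 4.
access-list acl-dmz line 2 permit tcp host 193.170.4.2 host 10.77.51.87 eq smtp
access-list acl-dmz line 3 deny ip host 193.170.4.2 10.0.0.0 255.0.0.0

! 3. A new static only governs translations built after it is entered;
!    clear the xlate table so it takes effect. This drops existing
!    translations and their connections, so do it in a change window.
clear xlate

! 4. Checks. After the fix the SMTP session shows up in the xlate and conn
!    tables; before it, the PIX logs %PIX-3-305005 "No translation group
!    found for tcp src dmz1:193.170.4.2/<port> dst inside:10.77.51.87/25".
show xlate | include 10.77.51.87
show conn | include 10.77.51.87
show access-list acl-dmz

! 5. Exchange side: "static (dmz1,inside) 212.140.175.173 193.170.4.2" means
!    Exchange sees the web server's source address as 212.140.175.173, so any
!    relay or receive-connector restriction must reference that address.
```

The order of steps matters in practice: entering the static without clear xlate is the classic reason a correct-looking PIX 6.x change "does nothing", and the syslog 305005 text is the quickest way to distinguish a translation failure from an ACL denial (which logs a 106023 deny instead).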

11 Replies

Tarik Admani
Advocate

hari,

Your best bet is to post this article in the Firewall section.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik... I have moved it to the Firewall space.

Hi Hari,

Can you please share the complete configuration? It would be easier to correlate things with it.

Thanks,
Varun Rao
Security Team,
Cisco TAC

Can I ask you for your email ID? I will share the config with you.

You can p.m. me here...

Thanks,
Varun Rao
Security Team,
Cisco TAC