01-23-2011 08:16 AM - edited 03-11-2019 12:38 PM
Hi all, I have a problem with my mail server in the DMZ. After the help provided by this forum, I was able to receive mail on my mail server located in the DMZ, but I can't send any email. Also, when I tried to use the dig utility to look up an external domain, I got the message that it can't locate the external domain.
How do I allow all hosts located in the DMZ to access the internet?
What I did so far:
access-list outsidein permit tcp any host 209.160.170.220 eq smtp
access-list outsidein permit tcp any host 209.160.170.220 eq imap
access-list outsidein permit tcp any host 209.160.170.220 eq pop3
access-group outsidein in interface outside
Then I created the static address translation to the outside users:
static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255
01-23-2011 10:01 AM
Hi,
If you have these commands:
static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255
It means that inbound SMTP, IMAP and POP3 traffic destined to 209.160.170.220 will be redirected to 192.180.1.20 on the same ports.
But if 192.180.1.20 wants to get out to the Internet (on any other port), it is not going to be able to use the above commands.
Try this:
nat (dmz) 1 192.180.1.0 255.255.255.0
global (outside) 1 interface
In this way, any host residing on the DMZ (assuming you have a mask of /24), will be able to initiate an outgoing connection to the Internet.
Also check whether there's an ACL applied to the DMZ (''sh access-group'') and that it allows the outbound traffic.
Hope it helps.
Federico.
01-23-2011 11:39 AM
Hello,
While what Federico provided will allow all DMZ hosts to access the internet,
209.160.170.22 is, I believe, the MX record.
In which case, most of the time the requirement is for the mail server, whether on the inside or on the DMZ, to send e-mail out looking like 209.160.170.22.
If this is the case, then if the mail server that will send out e-mail is in the DMZ they would need:
nat (dmz) 100 192.180.1.20 255.255.255.255
global (outside) 100 209.160.170.22
or if the mail server is on the inside they would need:
nat (inside) 110 x.x.x.x 255.255.255.255
global (outside) 110 209.160.170.22
I have addressed this in my webcast that you can watch here: http://www.youtube.com/watch?v=kRY8DuaRp5U
-KS
01-24-2011 08:16 AM
Hi, thank you both for answering my post. I just applied the following instructions to the PIX, but I still can't access the outside from the DMZ interface. I can ping the inside interface from the DMZ but can't ping the outside interface; it's strange.
nat (dmz) 100 192.180.1.20 255.255.255.255
global (outside) 100 interface
01-24-2011 11:35 AM
We need to look at the logs.
conf t
logging on
logging buffered 7
exit
sh logg | i 192.180.1.20
and see what the syslogs say.
-KS
01-25-2011 05:46 AM
Hi Poonguzhali Sankar,
First, thank you for the help you are providing. I just checked the log file; I send you the result.
3 Jan 25 2011 11:14:47 305006 193.126.240.131 portmap translation creation failed for icmp src DMZ:192.180.1.20 dst outside:193.126.240.131 (type 8, code 0)
3 Jan 25 2011 11:14:50 305006 193.126.240.131 portmap translation creation failed for icmp src DMZ:192.180.1.20 dst outside:193.126.240.131 (type 8, code 0)
3 Jan 25 2011 11:14:50 305006 192.228.79.201 portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.228.79.201/53
3 Jan 25 2011 11:21:34 305006 192.33.4.12 portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.33.4.12/53
3 Jan 25 2011 11:21:34 305006 192.33.4.12 portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:192.33.4.12/53
3 Jan 25 2011 11:25:06 305006 198.6.1.181 portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:198.6.1.181/53
3 Jan 25 2011 11:25:06 305006 198.6.1.181 portmap translation creation failed for udp src DMZ:192.180.1.20/53 dst outside:198.6.1.181/53
Regards
Nuno Martins
01-25-2011 05:56 AM
Are you sure you have these two lines? The one in red in particular. The logs say that line is missing.
nat (dmz) 100 192.180.1.20 255.255.255.255
global (outside) 100 interface
If you want all the dmz hosts to go out then you need to change the nat line to this
nat (dmz) 100 192.180.1.0 255.255.255.0
Pls post the output of
sh run nat
sh run global
Also clear the xlate for 192.180.1.20; the command is "clear local 192.180.1.20".
-KS
01-25-2011 06:32 AM
Yes, I do have the two lines. Also, I already cleared the xlate to the server (clear local 192.180.1.20).
pixfirewall(config)# sh run nat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 192.80.1.20 255.255.255.255
pixfirewall(config)# sh run global
global (outside) 101 interface
01-25-2011 01:24 PM
Hmm...I am really surprised.
This should work and not give you those syslogs about translation creation failed messages.
Have you tried to change the /32 address to a subnet address and try from a different pc or laptop on the DMZ?
conf t
no nat (DMZ) 101 192.80.1.20 255.255.255.255
nat (DMZ) 101 192.180.1.20 255.255.255.255
I think you typed the second octet incorrectly.
-KS
01-26-2011 05:26 AM
Hello Sankar and federico,
static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255
The above statement is bidirectional if I'm not wrong. When the server transmits, it will be translated to the public IP 209.160.170.220, and when it receives, it will receive on the same public IP.
Why did you all suggest such a configuration in your first mail? Please clarify.
Please correct me if I'm wrong; up until now I was thinking it is bidirectional.
Thanks
01-26-2011 06:10 AM
Pls. read my very first response.
How can this static PAT be bi-directional for outbound connections sourced from a high port (>1024) by this e-mail server? If it sources all connections from port 25 or port 110, then yes. If you have a 1-1 static, "static (dmz,outside) 209.160.170.220 192.180.1.20 netmask 255.255.255.255", then what you say is correct; not when you have static PAT for certain ports.
So you need the nat/global that I provided in my very first response. Pls. refer to that.
Hope you fixed the typo and the dmz host is able to go out to the internet?
Pls. mark this thread resolved if it is.
-KS
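The disagreement above (Federico's point that the static PAT lines only cover their configured ports, KS's reply on why they are not bidirectional for a high source port, and the 305006 syslogs that turned out to be the 192.80.1.20 typo) can be checked against a small model. The Python below is an added illustration written for this page, not code from the thread or from Cisco. It assumes 203.0.113.1 as a placeholder for the outside interface address, uses the original poster's 209.160.170.220 as the mapped address, picks a made-up high source port (40001), applies a simplified lookup order (statics first, then nat/global matched by id), and ignores nat 0 access-list exemptions.

```python
"""Model of the PIX translation rules argued about in this thread (an
illustration written for this page, not PIX code): it parses static /
nat / global lines in the syntax the posts use and answers which
translation, if any, an outbound flow from the DMZ host would get.  No
match is the condition behind the %PIX-3-305006 "portmap translation
creation failed" syslogs Nuno posted.  nat 0 / access-list exemptions and
rule-ordering corner cases are deliberately left out."""
import ipaddress
from collections import namedtuple

Static = namedtuple("Static", "real_if mapped_if proto mapped mapped_port real real_port")
Nat = namedtuple("Nat", "iface nat_id network")
Global = namedtuple("Global", "iface nat_id pool")   # pool: 'interface' or one address

PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143}   # names used in the posts


def port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_config(text):
    """Collect static, nat and global statements; everything else is ignored.
    Interface names are lower-cased because the posts mix (dmz) and (DMZ)."""
    cfg = {"static": [], "nat": [], "global": []}
    for raw in text.splitlines():
        toks = raw.strip().lower().split()
        if not toks:
            continue
        if toks[0] == "static":
            real_if, mapped_if = toks[1].strip("()").split(",")
            rest = toks[2:]
            if rest[0] in ("tcp", "udp"):     # static PAT: a single port
                cfg["static"].append(Static(real_if, mapped_if, rest[0], rest[1],
                                            port(rest[2]), rest[3], port(rest[4])))
            else:                             # one-to-one static: all ports
                cfg["static"].append(Static(real_if, mapped_if, None, rest[0],
                                            None, rest[1], None))
        elif toks[0] == "nat" and toks[3] != "access-list":
            net = ipaddress.ip_network(f"{toks[3]}/{toks[4]}", strict=False)
            cfg["nat"].append(Nat(toks[1].strip("()"), int(toks[2]), net))
        elif toks[0] == "global":
            cfg["global"].append(Global(toks[1].strip("()"), int(toks[2]), toks[3]))
    return cfg


def translate(cfg, src_if, dst_if, proto, src_ip, src_port, if_addr="203.0.113.1"):
    """Return (mapped_ip, mapped_port, rule) for an outbound flow, or None when
    no translation exists.  if_addr is a placeholder for the outside interface
    address that 'global (outside) N interface' would use."""
    for s in cfg["static"]:
        if (s.real_if, s.mapped_if, s.real) != (src_if, dst_if, src_ip):
            continue
        if s.proto is None:                   # 1:1 static carries every port
            return (s.mapped, src_port, "static 1:1")
        if s.proto == proto and s.real_port == src_port:
            return (s.mapped, s.mapped_port, "static PAT")
    addr = ipaddress.ip_address(src_ip)
    for n in sorted(cfg["nat"], key=lambda r: r.nat_id):
        if n.iface != src_if or addr not in n.network:
            continue
        for g in cfg["global"]:               # nat needs a global with the same id
            if g.iface == dst_if and g.nat_id == n.nat_id:
                return (if_addr if g.pool == "interface" else g.pool,
                        "dynamic", f"nat/global {n.nat_id}")
    return None


# Configurations quoted in the thread (mail server 192.180.1.20, MX 209.160.170.220).
STATIC_PAT = """
static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255
"""
AS_POSTED = STATIC_PAT + """
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (DMZ) 101 192.80.1.20 255.255.255.255
global (outside) 101 interface
"""
FIXED = AS_POSTED.replace("192.80.1.20", "192.180.1.20")      # the typo corrected
MX_SOURCE = STATIC_PAT + "nat (dmz) 100 192.180.1.20 255.255.255.255\nglobal (outside) 100 209.160.170.220\n"
ONE_TO_ONE = "static (dmz,outside) 209.160.170.220 192.180.1.20 netmask 255.255.255.255\n"
HOST = "192.180.1.20"


def scenarios():
    """Outcomes for the flows the replies disagree about."""
    run = lambda cfg, proto, sport: translate(parse_config(cfg), "dmz", "outside", proto, HOST, sport)
    return {
        "dns_as_posted": run(AS_POSTED, "udp", 53),            # Nuno's 305006 lines
        "dns_fixed": run(FIXED, "udp", 53),                    # after KS's correction
        "smtp_from_25": run(STATIC_PAT, "tcp", 25),            # static PAT port works
        "smtp_from_high_port": run(STATIC_PAT, "tcp", 40001),  # KS: no translation
        "high_port_1to1": run(ONE_TO_ONE, "tcp", 40001),       # 1:1 static is bidirectional
        "smtp_mx_source": run(MX_SOURCE, "tcp", 40001),        # outbound mail from the MX address
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result if result else 'no translation (305006)'}")
```

With the config exactly as posted, the DNS query from 192.180.1.20 gets no translation, which is the condition behind the 305006 lines; with the second octet corrected it goes out through the interface address. The static PAT lines translate an outbound connection only when it is sourced from the configured port, whereas the one-to-one static and the nat/global pair cover any source port, and a global with a single address makes outbound mail appear from the MX address.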
01-26-2011 06:38 AM
Hi Poonguzhali Sankar,
I just found out that the problem wasn't related to the PIX. I did what you suggested in the previous post: I tested another machine in the DMZ and I was able to dig an outside domain. I also sent an email and received a response from "
Just one more question, if you please: I can access the IP address of the mail server in the DMZ from the inside, but I can't access the URL of the server, zimbra.mydomain.com. If I try to access it from another network I can access the URL without any problem.
Thank you very much for your help
Nuno Martins
01-26-2011 06:57 AM
Glad to hear. This thread is resolved.
Would you mind spinning up a new thread for this new question and provide additional details?
zimbra.mydomain.com resolves to (216.34.94.184):
Who is unable to access this IP address? The mail server can't or the inside users can't?
Need more detail. Who owns this IP address? What logs do you see on the firewall when you try to access this ip address?
-KS