cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1701
Views
0
Helpful
5
Replies

PIX 515 Mail Dmz

Hi all,

I have a cisco Pix 515 and I want to configure PIX Firewall to access Mail Server Access on the DMZ, I want that all outside users (internet), use the outside interface public ip address (209.160.170.220) to access the mail server services (SMTP, dns, pop3, imap, https, dns, ssl etc), I am using Port Address translation (PAT) in the outside interface.

I also would like that all internal users could access the mail server services (SMTP, pop3, imap, https, dns, ssl etc) directly, without having to go to the internet.

Using the mail diagram example (Attach to this post), I would like to know how I can achieve this goal.

My problem is that my company don’t want want to buy another public ip address to the mail server, so using this option I don’t need to use another public address correct?

Thank you so much in advance and I will be looking forward for help

Nuno

Pix data:

Pix Model: 515 E

Pix version 8.0(3)

1 Accepted Solution

Accepted Solutions

if I understand correctly, I have to create acls to allow outside users to access 209.160.170.220 (outside ip address):

correct.

And If I want that the email server send email (smtp), I just have to create acl to allow?

Example:

Access-list dmzteste permit tcp host 192.180.1.20 eq smtp any

Access-group dmzteste in interface dmz

after that just have to create the static

incorrect.

If you allow the outside (internet) hosts to connect to the 209.160.170.220 ip address then the response from the server 192.180.1.20 will be automatically allowed.

No need for that access-list applied on the DMZ interface.

You only need to have the access-list on the DMZ if these hosts initiate traffic to the inside hosts.

-KS

View solution in original post

5 Replies 5

Kureli Sankar
Cisco Employee
Cisco Employee

You need the following configured for internet users to access the mail server on diff. ports

static (dmz,outside) tcp interface 80 192.180.120 80

static (dmz,outside) tcp interface 110 192.180.120 100

static (dmz,outside) tcp interface 443 192.180.120 443

repeat for all the other ports that you need. Also allow all these ports on the outside acl for the interface address.

For the inside hosts to reach the dmz hosts you need the following:

static (inside,dmz) 192.168.1.0 192.168.1.0 net 255.255.255.0

-KS

Hi Poonguzhali Sankar, thank you for your response, if I understand correctly, I have to create acls to allow outside users to access 209.160.170.220 (outside ip address):

Example:

Access-list outsidein permit tcp any host 209.160.170.220 eq smtp

Access-list outsidein permit tcp any host 209.160.170.220 eq imap

Access-list outsidein permit tcp any host 209.160.170.220 eq pop3

Access-group outsidein in interface ouside

Then I should create the static address translation to the outside users:

Static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255

Static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255

Static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255

And If I want that the email server send email (smtp), I just have to create acl to allow?

Example:

Access-list dmzteste permit tcp host 192.180.1.20 eq smtp any

Access-group dmzteste in interface dmz

after that just have to create the static address translation to inside users acccess dmz

And its done ?

if I understand correctly, I have to create acls to allow outside users to access 209.160.170.220 (outside ip address):

correct.

And If I want that the email server send email (smtp), I just have to create acl to allow?

Example:

Access-list dmzteste permit tcp host 192.180.1.20 eq smtp any

Access-group dmzteste in interface dmz

after that just have to create the static

incorrect.

If you allow the outside (internet) hosts to connect to the 209.160.170.220 ip address then the response from the server 192.180.1.20 will be automatically allowed.

No need for that access-list applied on the DMZ interface.

You only need to have the access-list on the DMZ if these hosts initiate traffic to the inside hosts.

-KS

Hi Poonguzhali Sankar

thank you for your help,

Hi all, I have a problem with my mail server in the DMZ, after the help pr ovided by this forum, I was able to receive mail to my mail server locate in the DMZ, but i can't sent any email also when I tried to use dig utility to lookup an external domain, I get the message that it can't locate the external domain.

How do I allow all hosts located in the dmz to access internet ?



Review Cisco Networking for a $25 gift card