11-16-2010 01:25 PM - edited 03-11-2019 12:10 PM
Hi all,
I have a Cisco PIX 515 and I want to configure the PIX firewall to allow access to a mail server on the DMZ. I want all outside users (internet) to use the outside interface public IP address (209.160.170.220) to reach the mail server services (SMTP, DNS, POP3, IMAP, HTTPS, SSL, etc.). I am using Port Address Translation (PAT) on the outside interface.
I would also like all internal users to reach the mail server services (SMTP, POP3, IMAP, HTTPS, DNS, SSL, etc.) directly, without having to go out to the internet.
Using the mail diagram example (attached to this post), I would like to know how I can achieve this goal.
My problem is that my company doesn't want to buy another public IP address for the mail server, so with this option I don't need another public address, correct?
Thank you so much in advance, I will be looking forward to your help.
Nuno
Pix data:
Pix Model: 515 E
Pix version 8.0(3)
11-16-2010 01:44 PM
You need the following configured for internet users to access the mail server on different ports:
static (dmz,outside) tcp interface 80 192.180.1.20 80
static (dmz,outside) tcp interface 110 192.180.1.20 110
static (dmz,outside) tcp interface 443 192.180.1.20 443
Repeat for all the other ports that you need. Also allow all these ports on the outside ACL for the interface address.
For the inside hosts to reach the DMZ hosts you need the following:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
-KS
11-16-2010 03:24 PM
Hi Poonguzhali Sankar, thank you for your response. If I understand correctly, I have to create ACLs to allow outside users to access 209.160.170.220 (the outside IP address):
Example:
access-list outsidein permit tcp any host 209.160.170.220 eq smtp
access-list outsidein permit tcp any host 209.160.170.220 eq imap
access-list outsidein permit tcp any host 209.160.170.220 eq pop3
access-group outsidein in interface outside
Then I should create the static address translation for the outside users:
static (dmz,outside) tcp 209.160.170.220 smtp 192.180.1.20 smtp netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 imap 192.180.1.20 imap netmask 255.255.255.255
static (dmz,outside) tcp 209.160.170.220 pop3 192.180.1.20 pop3 netmask 255.255.255.255
And if I want the email server to send email (SMTP), do I just have to create an ACL to allow it?
Example:
access-list dmzteste permit tcp host 192.180.1.20 eq smtp any
access-group dmzteste in interface dmz
After that I just have to create the static address translation so inside users can access the DMZ.
And it's done?
11-16-2010 04:09 PM
if I understand correctly, I have to create acls to allow outside users to access 209.160.170.220 (outside ip address):
correct.
And If I want that the email server send email (smtp), I just have to create acl to allow?
Example:
Access-list dmzteste permit tcp host 192.180.1.20 eq smtp any
Access-group dmzteste in interface dmz
after that just have to create the static
incorrect.
If you allow the outside (internet) hosts to connect to the 209.160.170.220 ip address then the response from the server 192.180.1.20 will be automatically allowed.
No need for that access-list applied on the DMZ interface.
You only need to have the access-list on the DMZ if these hosts initiate traffic to the inside hosts.
-KS
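The following is an added example, not configuration posted by anyone in the thread, pulling together the pieces from the two replies above (static PAT on the outside interface address, the matching outside ACL, identity NAT from inside to the DMZ, and no ACL on the DMZ for return traffic) into one PIX 8.0(3) snippet. The interface names (outside, inside, dmz), the ACL name outside_in, the DMZ subnet 192.180.1.0/24 and the test source address 198.51.100.10 are assumptions; the addresses 209.160.170.220, 192.180.1.20 and 192.168.1.0/24 come from the thread.

```cisco
! Added example for PIX 8.0(3); not from the thread. Assumed names: outside/inside/dmz,
! ACL outside_in. Thread addresses: outside 209.160.170.220, mail server 192.180.1.20,
! inside LAN 192.168.1.0/24.
!
! 1. Static PAT: publish only the mail ports on the outside interface address.
!    The "interface" keyword reuses the existing PAT address, so no second public IP is needed.
static (dmz,outside) tcp interface smtp 192.180.1.20 smtp netmask 255.255.255.255
static (dmz,outside) tcp interface pop3 192.180.1.20 pop3 netmask 255.255.255.255
static (dmz,outside) tcp interface imap4 192.180.1.20 imap4 netmask 255.255.255.255
static (dmz,outside) tcp interface https 192.180.1.20 https netmask 255.255.255.255
!
! 2. Outside ACL: permit only the published ports, destined to the mapped (public) address.
!    Everything else from the internet stays blocked by the implicit deny.
access-list outside_in extended permit tcp any host 209.160.170.220 eq smtp
access-list outside_in extended permit tcp any host 209.160.170.220 eq pop3
access-list outside_in extended permit tcp any host 209.160.170.220 eq imap4
access-list outside_in extended permit tcp any host 209.160.170.220 eq https
access-group outside_in in interface outside
!
! 3. Identity NAT so inside clients reach the server by its real DMZ address.
!    inside has a higher security level than dmz, so no ACL is needed for inside->dmz.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! No ACL is applied on the dmz interface: the PIX is stateful and permits the
! server's replies to connections it already allowed in from outside or inside.
!
! Verification (198.51.100.10 is a documentation address used as a test source):
show xlate
show access-list outside_in
packet-tracer input outside tcp 198.51.100.10 1025 209.160.170.220 25
```

The packet-tracer line should end with an ALLOW result and show the translation to 192.180.1.20; repeating it with a port that is not published (for example 3389) should end with DROP at the access-list phase, which confirms the outside ACL is doing its job.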
11-17-2010 04:04 AM
Hi Poonguzhali Sankar
thank you for your help,
01-19-2011 03:54 AM
Hi all, I have a problem with my mail server in the DMZ. After the help provided by this forum, I was able to receive mail on my mail server located in the DMZ, but I can't send any email, and when I tried to use the dig utility to look up an external domain, I got a message that it can't locate the external domain.
How do I allow all hosts located in the DMZ to access the internet?
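As an added example (not an answer from the thread), this is the PIX 8.0(3) counterpart for the case the earlier reply mentions, where DMZ hosts initiate traffic themselves: dynamic PAT out of the outside interface address plus an ACL on the dmz interface that allows only what the mail server needs outbound. The nat id 1, the ACL name dmz_in, the DMZ subnet 192.180.1.0/24 and the resolver address 203.0.113.53 are assumptions; 192.180.1.20 and 192.168.1.0/24 come from the thread.

```cisco
! Added example for PIX 8.0(3); not from the thread. Assumed: nat id 1, ACL dmz_in,
! DMZ subnet 192.180.1.0/24, resolver 203.0.113.53 (documentation address).
!
! 1. Dynamic PAT for DMZ hosts going out via the outside interface address.
!    The inbound static PAT entries still take precedence for their ports.
nat (dmz) 1 192.180.1.0 255.255.255.0
global (outside) 1 interface
!
! 2. ACL on the dmz interface. Applying any ACL here replaces the default
!    "permit to lower security levels", so list exactly what is needed:
!    first refuse DMZ-initiated traffic into the inside LAN (a compromised
!    DMZ host must not reach internal hosts), then allow outbound SMTP and DNS
!    from the mail server only.
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0
access-list dmz_in extended permit tcp host 192.180.1.20 any eq smtp
access-list dmz_in extended permit udp host 192.180.1.20 any eq domain
access-list dmz_in extended permit tcp host 192.180.1.20 any eq domain
access-group dmz_in in interface dmz
!
! Verification: a DNS lookup from the mail server should be ALLOWED and translated;
! a connection attempt from the DMZ to the inside LAN should be DROPPED.
packet-tracer input dmz udp 192.180.1.20 1025 203.0.113.53 53
packet-tracer input dmz tcp 192.180.1.20 1025 192.168.1.10 445
```

The deny line comes first because the PIX evaluates an ACL top-down and stops at the first match; the stateful inspection still lets the mail server answer inside clients that connected to it, since those replies belong to sessions the inside initiated.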