
PIX DMZ to DMZ Communication Issue (Correction)

neiljohnson
Level 1

We have been trying to use a PIX with two DMZs in addition to inside and outside connections.

One is a DMZ containing customer test equipment; the second contains a mail server and a DNS server.

We wanted to keep them in separate DMZs because we plan to use the mail server for other things and wanted to control the customer's access to the mail server.

Our customer wants to be able to send and receive e-mail from the Internet to a machine in the test equipment DMZ.

We were trying to relay the messages from their system in the test equipment DMZ to the mail server in the mail DMZ and to the Internet. We were also trying to receive mail to the mail server and relay them to the customer's machine.

We were able to get the mail server to send and receive mail to machines on the Internet (outside).

However, we have been unable to get the customer's machine to connect to the mail server and vice-versa.

We set the security levels as follows:

Inside -> 100

SMTP DMZ -> 60

Customer Test DMZ -> 40

Outside ->

We added specific rules to allow SMTP between the customer's machine and the mail server.

However the PIX continues to deny connection requests.

Error Message:

Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25

We are in the process of moving the SMTP server and the DNS server back to the customer's equipment DMZ. (Customer requirements trump ours.)

Any assistance would be greatly appreciated.

Thanks.

-Neil

2 Replies

saluko
Level 1

Without seeing your config it's hard to diagnose the problem; however, some fundamental things to check:

Is there a nat statement from the SMTP DMZ to the lower security level interface, i.e.

nat (smtp) 1 0 0 - This will permit smtp dmz to access cust test dmz

static (smtp, customertest) ip_address ip_address - This will create a path from the customer test dmz to the smtp dmz.

conduit permit tcp ipaddress ipaddress netmask - This will permit customer test dmz to access smtp dmz.

That was it. I didn't have any NATs for the mail server in the customer DMZ.

That took care of the problem. Thanks.

-neil
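As an added illustration (not code from this thread), the following Python applies the two rules in the reply above to the %PIX-3-106010 deny message from the original post: a flow from a higher to a lower security level needs a nat/global pair, and a flow from a lower to a higher level needs a static for the destination plus a conduit permitting the port to the translated address. Interface names and security levels are taken from the post; outside is assumed to be level 0, and the two config fragments are constructed with placeholder addresses.

```python
import re

LEVELS = {"inside": 100, "DMZ-SMTP": 60, "DMZ-164": 40, "outside": 0}  # from the post; outside assumed 0
PORT_NAMES = {25: "smtp", 53: "domain"}  # names PIX accepts in place of port numbers
DENY_RE = re.compile(r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
                     r"src (?P<sif>[\w-]+):[\w.-]+/\d+ dst (?P<dif>[\w-]+):[\w.-]+/(?P<dport>\d+)")

# Deny line from the post, plus constructed config fragments (placeholder addresses, not the
# poster's); CONFIG_AFTER adds the global and the static/conduit pair the reply describes.
DENY_LINE = ("Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp "
             "src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25")
CONFIG_BEFORE = [
    "nat (DMZ-SMTP) 1 0 0",
    "global (outside) 1 203.0.113.10",
    "static (DMZ-SMTP,outside) 203.0.113.25 192.168.60.25 netmask 255.255.255.255",
    "conduit permit tcp host 203.0.113.25 eq smtp any",
]
CONFIG_AFTER = CONFIG_BEFORE + [
    "global (DMZ-164) 1 192.168.40.100",
    "static (DMZ-SMTP, DMZ-164) 192.168.40.25 192.168.60.25 netmask 255.255.255.255",
    "conduit permit tcp host 192.168.40.25 eq smtp host 192.168.40.2",
]

def parse_deny(line):
    """Protocol, source/destination interface and destination port of a 106010 message."""
    m = DENY_RE.search(line)
    return None if m is None else dict(m.groupdict(), dport=int(m.group("dport")))

def ids(cfg, keyword, ifname):
    """nat/global ids configured on ifname, e.g. {'1'} for 'nat (DMZ-SMTP) 1 0 0'."""
    pat = re.compile(r"%s \(%s\) (\d+)\b" % (keyword, re.escape(ifname)))
    return {m.group(1) for m in map(pat.match, cfg) if m}

def missing_statements(sif, dif, proto, dport, config, levels=LEVELS):
    """PIX statements the flow sif -> dif:dport still needs, given the config lines."""
    cfg = [re.sub(r",\s+", ",", c) for c in config]  # "static (a, b)" -> "static (a,b)"
    if levels[sif] > levels[dif]:
        # Higher -> lower security: a nat on the source whose id a global on the destination shares.
        if ids(cfg, "nat", sif) & ids(cfg, "global", dif):
            return []
        return ["nat (%s) N ... / global (%s) N ..." % (sif, dif)]
    # Lower -> higher: a static publishing the destination on the source interface, then a
    # conduit permitting the port to that translated (global) address.
    st = re.compile(r"static \(%s,%s\) (\S+)" % (re.escape(dif), re.escape(sif)))
    gip = next((m.group(1) for m in map(st.match, cfg) if m), None)
    if gip is None:
        return ["static (%s,%s) global_ip local_ip netmask" % (dif, sif)]
    port = "(?:%d|%s)" % (dport, PORT_NAMES.get(dport, dport))
    cond = re.compile(r"conduit permit %s host %s eq %s\b" % (proto, re.escape(gip), port))
    return [] if any(map(cond.match, cfg)) else ["conduit permit %s host %s eq %d ..." % (proto, gip, dport)]
```

Running `missing_statements` on the parsed deny line against CONFIG_BEFORE names exactly the static the poster was missing, and the reverse direction (DMZ-SMTP to DMZ-164) shows why a global on the customer DMZ is needed for the mail server's outbound relay.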
