Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
934
Views
0
Helpful
3
Replies

Pix DMZ to Inside access

exigent
Level 1
Level 1

‎08-13-2002 11:33 AM - edited ‎02-20-2020 10:12 PM

I have a smtp bastion host on a DMZ in a PIX 515. The DMZ needs to be able to send mail to a host on the inside network. Assume the following scenario:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 175.0.0.1 255.255.255.224

ip address inside 100.0.0.1 255.255.255.0

ip address dmz 192.168.1.1 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

global (outside) 1 interface

global (dmz) 1 interface

DMZ server IP= 192.168.1.2

INSIDE server IP=100.0.0.2

Inside hosts can access DMZ server but I need the DMZ server to be able to send e-mail on port 25 back to an inside server.

Thanks in advance!

0 Helpful
3 Replies 3

albadger
Level 1
Level 1

‎08-13-2002 03:34 PM

For access from an interface of lower security to one of higher security, you will need to configure a static translation and appropriate access-lists.

In your example above, you would need something like:

static (inside,dmz) 100.0.0.2 100.0.0.2 netmask 255.255.255.255 -> so that the DMZ users can recognise the server on the inside using the 100.0.0.2 address

and then:

access-list 101 permit tcp host 192.168.1.2 host 100.0.0.2 eq 25

you would then need to apply the access-list to the interface using:

access-group 101 in interface dmz

Note: the access-list will block all other traffic from going through the DMZ interface so you will need to make sure you permit any other necessary traffic, regardless of the destination (inside or outside).

Please see the following sample configuration: http://www.cisco.com/warp/customer/110/mailserver_in.html - it is for outside access to an inside SMTP server, but the same theory applies because it is still lower security level to higher security level.

0 Helpful

exigent
Level 1
Level 1
In response to albadger

‎08-13-2002 06:58 PM

Thanks! That worked!!

0 Helpful

mjones
Level 1
Level 1

‎08-19-2002 11:13 PM

you need a static and a conduit to the inside from the dmz. If you are using ACL's the same rules apply

static (dmz,inside) etc.

access-list inside permit tcp (dmz) to (Inside) eq 25

conduit permit tcp (dmz) to (Inside) eq 25

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card