Re: PIX w/dmz smtp gateway

jmartina · ‎11-09-2004

please help...

ok..i have a gateway smtp server on my dmz..well trying to anyways, but i need to see what im missing here is my statics...121.161.99.70 is what my MX record is pointing to so this needs to be my DMZ, also 1.153 is my exchange which i need to ,allow DMZ to that Ip im missing something in my static mappings...can someone help

and here is the ACL im using..i need to change the ACL to but what part...

access-list dmz-temp permit ip any any

access-list outside permit tcp any host 121.161.99.70 eq smtp

access-group outside in interface outside

access-group dmz-temp in interface dmz

static (inside,dmz) 10.34.1.0 10.34.1.0 netmask 255.255.255.0 0 0

static (inside,dmz) 192.168.200.0 192.168.200.0 netmask 255.255.255.0 0 0

static (inside,outside) 121.161.99.71 10.34.1.74 netmask 255.255.255.255 0 0

static (inside,outside) 121.161.99.70 10.34.1.153 netmask 255.255.255.255 0 0 <---smtp right now

mpalardy · ‎11-09-2004

I see you've replaced the typo from preceeding mail.

Advertise your dmz SMTP server by coding the following static:

static (dmz,outside) 121.161.99.70 10.34.1.153 netmask 255.255.255.255 0 0

Are you sure you want to advertise 10.34.1.0 255.255.255.0 in the dmz?. According to your mail this subnet appears to be already on your dmz, and should not be present on your inside network.

I wonder if you should do the same thing w/ ip 121.161.99.71 witch is in the same subnet of your dmz. But I do not see any ACL

Also remove the old statics (inside, outside) w/ ip's 121.161.99.xx you've replaced, and do a clear xlate.

Here a link that may help:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/s.htm#wp1026694

HTH

Mike