12-11-2006 12:38 AM - edited 03-11-2019 02:06 AM
Hi,
I have a PIX 515E with the following config:
DMZ: Exchange server and a web server.
Internal: a lot of servers and workstations. When I try to browse the network I cannot see the servers in the DMZ. People cannot connect to the Exchange server with webmail and Outlook.
I am totally lost, can somebody help me out?
12-11-2006 01:04 AM
At first sight the config looks OK (statics and ACLs are configured).
Can you turn on logging:
logging on
logging buffered informational
try to access the DMZ servers
and then check the logs with the command
show logg
M.
12-11-2006 01:34 AM
106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"
106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.3/53 by access-group "dmz"
106023: Deny udp src DMZ:192.168.11.4/1025 dst inside:192.168.10.4/53 by access-group "dmz"
106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"
30.2/51740 (192.168.10.2/51740)
302013: Built outbound TCP connection 29362 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51741 (192.168.10.2/51741)
302013: Built outbound TCP connection 29363 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51742 (192.168.10.2/51742)
302013: Built outbound TCP connection 29364 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51744 (192.168.10.2/51744)
302013: Built outbound TCP connection 29365 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51746 (192.168.10.2/51746)
302013: Built outbound TCP connection 29366 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51743 (192.168.10.2/51743
305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80
305005: No translation group found for tcp src inside:192.168.14.133/1950 dst outside:84.53.136.33/80
305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80
305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80
305005: No translation group found for tcp src inside:192.168.14.133/1950 dst outside:84.53.136.33/80
305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80
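The log excerpt above mixes three PIX message types: 106023 (packet denied by an access-group), 302013 (TCP connection built) and 305005 (no NAT translation group matched the packet). Here is an added example, not part of the original thread, of a small parser that pulls the interface, address and port fields out of lines in that format and counts which ACL, source and destination port the denies and missing translations cluster on. The sample lines are constructed in the same shape as the ones posted (including one truncated line, to show that unparseable input is counted rather than crashing the parser).

```python
import re
from collections import Counter

# Constructed sample in the shape of the posted PIX log (not the poster's full log).
# The fourth line is deliberately truncated, as extraction left one line above.
SAMPLE_LOG = """\
106023: Deny udp src DMZ:192.168.11.4/16941 dst inside:192.168.10.4/53 by access-group "dmz"
106023: Deny udp src DMZ:192.168.11.4/1025 dst inside:192.168.10.4/53 by access-group "dmz"
302013: Built outbound TCP connection 29362 for DMZ:192.168.11.4/2594 (192.168.11.4/2594) to inside:192.168.10.2/51741 (192.168.10.2/51741)
30.2/51740 (192.168.10.2/51740)
305005: No translation group found for tcp src inside:192.168.14.133/1949 dst outside:84.53.136.74/80
305005: No translation group found for tcp src inside:192.168.14.178/1048 dst outside:84.53.136.74/80
"""

# Shared fragment: "<iface>:<ip>/<port>"
_EP = r"(?P<{p}if>\w+):(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"
DENY_RE = re.compile(
    r'^106023: Deny (?P<proto>\w+) src ' + _EP.format(p="s") + r' dst ' + _EP.format(p="d")
    + r' by access-group "(?P<acl>[^"]+)"')
BUILT_RE = re.compile(
    r'^302013: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for '
    + _EP.format(p="s") + r' \([\d.]+/\d+\) to ' + _EP.format(p="d"))
NOXLATE_RE = re.compile(
    r'^305005: No translation group found for (?P<proto>\w+) src '
    + _EP.format(p="s") + r' dst ' + _EP.format(p="d"))


def parse_line(line):
    """Return a dict describing one PIX log line, or None if the line is not recognised."""
    for msg, rx in (("106023", DENY_RE), ("302013", BUILT_RE), ("305005", NOXLATE_RE)):
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            d["msg"] = msg
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            return d
    return None


def summarize(lines):
    """Count ACL denies and missing translations by (interfaces, addresses, protocol, destination port).

    The destination port is kept and the source port dropped, because client source
    ports are ephemeral; a deny that repeats with different source ports but the same
    destination port points at the ACL, not at the client.
    """
    out = {"built": 0, "unparsed": 0, "acl_denies": Counter(), "no_xlate": Counter()}
    for line in lines:
        if not line.strip():
            continue
        d = parse_line(line)
        if d is None:
            out["unparsed"] += 1
        elif d["msg"] == "302013":
            out["built"] += 1
        elif d["msg"] == "106023":
            out["acl_denies"][(d["acl"], d["sif"], d["sip"], d["dif"], d["dip"], d["proto"], d["dport"])] += 1
        else:  # 305005: packet reached the NAT stage but no nat/global or static covered it
            out["no_xlate"][(d["sif"], d["dif"], d["proto"], d["dport"])] += 1
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for key, n in s["acl_denies"].most_common():
        print(f"{n}x denied by acl {key[0]}: {key[1]}:{key[2]} -> {key[3]}:{key[4]} {key[5]}/{key[6]}")
    for key, n in s["no_xlate"].most_common():
        print(f"{n}x no translation: {key[0]} -> {key[1]} {key[2]}/{key[3]}")
    print(f"built={s['built']} unparsed={s['unparsed']}")
```

Run over the posted output this groups the four 106023 lines into a single finding (DMZ host 192.168.11.4 to the inside DNS servers on udp/53, denied by access-group "dmz") regardless of the varying source port, which is exactly the pattern the next reply fixes.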
12-11-2006 02:13 AM
Add:
static (inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
This will allow your whole inside segment to access the DMZ. If you need access control for specific access, apply an access-list on the inside interface to strictly allow inside hosts to access your DMZ's email server via the allowed ports, for example TCP 25 (smtp), and http & https (tcp 80 & 443) for webmail.
access-list inside permit tcp any host 192.168.11.4 eq smtp --> permit smtp access. Assuming 192.168.11.4 is your email server in DMZ
access-list inside permit tcp any host 192.168.11.4 eq www --> allow webmail (via port 80) to pass through
access-list inside permit tcp any host 192.168.11.4 eq https --> allow secure http (https) to pass through
access-list inside deny ip any 192.168.11.0 255.255.255.0 --> deny other inside hosts from connecting to other DMZ hosts, except for the 3 services above
access-list inside permit ip any any --> allow inside hosts to connect to other segments, i.e. internet/outside segment
access-group inside in interface inside --> bind acl to inside interface
You should also modify the following acl on DMZ to rectify the first 4 deny logs
existing : access-list dmz permit udp any eq domain any eq domain
change to: access-list dmz permit udp any any eq domain --> to allow DMZ's 192.168.11.4 to talk to DNS server on inside segment.
The source port on the DMZ server can be anything, as long as the destination port is correctly pointing to UDP 53.
HTH
AK
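The two changes above both come down to first-match evaluation of a PIX access-list with an implicit deny at the end. The following added example (not from the thread or from Cisco) parses ACEs in the syntax used in the reply and evaluates flows against them, so you can check that the proposed inside ACL permits exactly smtp/www/https to 192.168.11.4 and nothing else into the DMZ, and that the original dmz ACL (source port locked to domain) rejects the logged DNS queries from ephemeral source ports while the corrected one admits them. The ACL text is the reply's own; the port-name table and the evaluator are assumptions of this example, and it models only the ACL, not the static (inside,DMZ) translation that the packet also needs.

```python
import ipaddress

# PIX port keywords used in the reply, mapped to numbers (assumption: only these are needed here).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(t, i):
    """Consume one PIX address spec at t[i]: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _maybe_port(t, i):
    """Optional 'eq <port>' qualifier after an address spec."""
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    name, action, proto = t[1], t[2], t[3]
    src, i = _addr(t, 4)
    sport, i = _maybe_port(t, i)
    dst, i = _addr(t, i)
    dport, i = _maybe_port(t, i)
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def evaluate(aces, proto, sip, sport, dip, dport):
    """First matching ACE decides; a PIX access-list ends with an implicit deny."""
    sip, dip = ipaddress.ip_address(sip), ipaddress.ip_address(dip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if sip not in ace["src"] or dip not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


# The inside ACL proposed in the reply, in order.
INSIDE_ACL = [parse_ace(l) for l in (
    "access-list inside permit tcp any host 192.168.11.4 eq smtp",
    "access-list inside permit tcp any host 192.168.11.4 eq www",
    "access-list inside permit tcp any host 192.168.11.4 eq https",
    "access-list inside deny ip any 192.168.11.0 255.255.255.0",
    "access-list inside permit ip any any",
)]

# The dmz ACE before and after the suggested change.
DMZ_OLD = [parse_ace("access-list dmz permit udp any eq domain any eq domain")]
DMZ_NEW = [parse_ace("access-list dmz permit udp any any eq domain")]


if __name__ == "__main__":
    # Flows taken from the posted 106023 deny lines: ephemeral source port to udp/53 inside.
    for aces, label in ((DMZ_OLD, "old dmz"), (DMZ_NEW, "new dmz")):
        print(label, evaluate(aces, "udp", "192.168.11.4", 16941, "192.168.10.4", 53))
    print("inside->mail smtp", evaluate(INSIDE_ACL, "tcp", "192.168.10.50", 40000, "192.168.11.4", 25))
    print("inside->other dmz", evaluate(INSIDE_ACL, "tcp", "192.168.10.50", 40000, "192.168.11.9", 25))
    print("inside->internet", evaluate(INSIDE_ACL, "tcp", "192.168.10.50", 40000, "84.53.136.74", 80))
```

The ordering matters: if the `deny ip any 192.168.11.0 255.255.255.0` line were placed before the three permits, the evaluator would return deny for the mail server as well, which is the kind of mistake that shows up in the log as 106023 against access-group "inside".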
01-22-2007 07:43 AM
Hi,
The problem that you have is very simple. It's a port/service problem: Microsoft Outlook uses RPC service ports (1025 - 65535) and OWA (Outlook Web Access) uses the http and https ports. The solution is to open the following ports:
TCP:
range 1024 65535
42,80,88,135,137,138,379,390,443,445,691,993,domain,i,imap4,ldap,ldaps,netbios-ssn,pop3,smtp
UDP:
88,389,3368,3369,3389,domain,netbios-dgm, netbios-ns,ntp,nameserver,445,636,135,139,1512
I hope it solves your problem, and excuse me for my bad English.