01-18-2004 12:47 PM - edited 03-10-2019 01:28 PM
Hello everyone,
We are having a problem with a Cisco PIX Firewall 515 on a customer site. We have three interfaces on the PIX. We are configuring our mail server on the DMZ (the server in the DMZ needs to communicate with another mail server on the inside LAN). We can connect to the Internet from the inside LAN properly, we can access the DMZ from the inside and we can also ping it from the inside, and we are able to get to the DMZ from the outside for the Web Access application. The problem is that we can't access the inside or the outside from the DMZ. Also, we weren't able to access the DMZ from the inside until we used a conduit to permit it, though I know that traffic from a higher-security interface to a lower-security interface doesn't need a conduit or an ACL. You can see that our customer is using a wrong address range for the inside interface, but they will take care of it later. I also know it is not recommended to use ACLs with conduits, but this is the only way it worked. I am posting my configuration below. Please advise us. Thanks.
Note: the software engineer who is handling the mail server asked us to turn off the Mailguard feature for his application.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
! Turn off mailguard
no fixup protocol smtp 25
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside A.B.C.66 255.255.255.248
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
static (dmz,outside) A.B.C.68 192.168.0.2 netmask 255.255.255.255 0 0
access-list fromOut permit tcp any host A.B.C.68 eq smtp
access-list fromOut permit tcp any host A.B.C.68 eq http
global (outside) 1 A.B.C.67 netmask 255.255.255.248
! 128.100.14.100 is our ISA server in the inside LAN
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
! 192.168.0.2 is the Mail server in the DMZ
conduit permit tcp host 192.168.0.2 eq smtp http any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 A.B.C.65 1
01-18-2004 02:16 PM
Get rid of these:
static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
! 192.168.0.2 is the Mail server in the DMZ
conduit permit tcp host 192.168.0.2 eq smtp http any
conduit permit icmp any any
For the mail server (or any host on the DMZ) to access the inside do the following:
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
and for the dmz to access the outside do:
nat (dmz) 1 192.168.0.0 255.255.255.0
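As an added, consolidated example (written for this page, not taken from either post), here is how the relevant part of the PIX 6.x configuration looks once the reply's changes are applied, with one extension a practitioner would want: the access-list bound to the dmz interface also has to permit the dmz-to-outside traffic, because once an access-group is applied to an interface its implicit deny replaces the "higher security may talk to lower security" default. The outbound restriction to SMTP and DNS is my assumption about what a mail server needs; the interface names and addresses are the ones from the thread.

```cisco
! Added example: consolidated PIX 6.x fragment, not from the original posts.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside A.B.C.66 255.255.255.248
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
!
! Mailguard stays off as the mail server developer asked; the ACLs below
! are therefore the only control on what reaches port 25.
no fixup protocol smtp 25
!
! --- inside -> outside: PAT the ISA server behind A.B.C.67 (nat/global id 1)
global (outside) 1 A.B.C.67 netmask 255.255.255.248
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
!
! --- dmz -> outside: reuse global pool 1. The nat id must match the global
!     id: a "nat (dmz) 2" needs a "global (outside) 2", otherwise no xlate
!     is ever built for the dmz hosts.
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
!
! --- inside <-> dmz: identity static so inside hosts keep their real
!     addresses when seen from the dmz (the earlier static mapped the whole
!     inside /16 onto the dmz subnet 192.168.0.0 itself).
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0 0 0
!
! --- outside -> dmz: public address of the mail server. PIX 6.x ACLs on the
!     outside match the translated (public) address, not 192.168.0.2.
static (dmz,outside) A.B.C.68 192.168.0.2 netmask 255.255.255.255 0 0
access-list fromOut permit tcp any host A.B.C.68 eq smtp
access-list fromOut permit tcp any host A.B.C.68 eq http
access-group fromOut in interface outside
!
! --- traffic entering the dmz interface. With an access-group bound here,
!     anything not listed is dropped by the implicit deny, dmz -> outside
!     included; "nat (dmz) 1" alone therefore does not get the dmz out.
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
! Assumption: outbound, the mail server only needs SMTP and DNS. Other dmz
! hosts get nothing (implicit deny), which is the least-privilege default.
access-list fromDMZ permit tcp host 192.168.0.2 any eq smtp
access-list fromDMZ permit udp host 192.168.0.2 any eq domain
access-group fromDMZ in interface dmz
!
route outside 0.0.0.0 0.0.0.0 A.B.C.65 1
! No conduit lines remain. After changing static/nat entries, run
! "clear xlate" so stale translations from the old static are dropped.
```

To verify, from 192.168.0.2 open a TCP connection to an external host on port 25 and watch `show xlate` for a PAT entry on A.B.C.67; if none appears, `show access-list fromDMZ` hit counts will show which line the packet matched (or that none did).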
01-24-2004 01:51 PM
Hi there, thanks again for your help.
The first part has succeeded perfectly; I can now access the inside from the DMZ. Unfortunately, I still can't reach the outside from the DMZ. I also tried the following:
nat (dmz) 2 192.168.0.0 255.255.255.0
global (outside) 2 a.b.c.68 255.255.255.248
and it didn't work either. I am really confused now. I would really appreciate any suggestions.
01-24-2004 02:01 PM
Sorry, I made a mistake in the global command. What I used was
global (outside) 1 a.b.c.69 255.255.255.248
Address a.b.c.68 is my mail server.