08-21-2005 12:57 AM - edited 03-09-2019 12:12 PM
Hi Guys,
Would really appreciate some help. My problem is similar to a few others on here but their solutions don't seem to work.
This is my first attempt on a PIX but all went well to this point. I have 3 interfaces, inside, outside, dmz. The internal network is now connecting out to the internet. The mail server on the DMZ is available on certain ports to the public internet.
The part that is causing me the issue is getting the DMZ to talk to my internal network on a few select services. I gave up with the PDM fairly early on as it was driving me nuts and going round in circles. It's insisting I set up NAT/PAT between everything. Is this really necessary?
I have set it up along the lines:
mail being my mail server on the DMZ. 192.168.0.2 being an internal server.
access-list dmz_01 permit tcp host mail host 192.168.0.2 eq domain
access-list dmz_01 permit udp host mail host 192.168.0.2 eq domain
access-list dmz_01 permit tcp host mail host 192.168.0.2 eq 445
access-group dmz_01 in interface dmz
Your help would be massively appreciated
Rob.
08-21-2005 01:45 AM
Hi,
Add the below command to your configuration :
static(inside,dmz) 192.168.0.2 192.168.0.2 netmask 255.255.255.255
That static command permits traffic from inside to DMZ and vice versa if there is an access list on the lower
security interface; also, there isn't any change of IP address.
Mehrdad
08-21-2005 07:47 AM
Hello Rob,
It's right that having a flow of traffic going between two interfaces is quite difficult.
your solution is:
static (inside,dmz) bla bla bla
and then access-list bla bla bla
access-group name in int dmz.
try to do it with command line, it's better than PDM.
08-21-2005 10:27 AM
Rob,
Take a read of the following document:
Hope this helps, and please rate posts if they help you.
Jay
08-21-2005 05:45 PM
Rob,
Even though you have your access lists and the rest in order, the thing that you do not have is translations from the inside to the DMZ. In your log, you will probably see "No translation group for x to y".
You can use a translation exemption rule to allow your inside to communicate with your DMZ interface (a nat 0 group) or you could even statically translate your inside to the same address on the DMZ (a network static).
Either way, you have to have a translation between any high to low security interface if you want to have packets traverse the PIX (even if it is only nat 0).
Cheers,
-colin.
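The configuration Colin describes, written out as an added example (PIX 6.x syntax; this is not code from the thread). It assumes the first post's addressing: inside 192.168.0.0/24 with the internal server at 192.168.0.2, the DMZ at 192.168.10.0/24 with the mail server at 192.168.10.2 (the thread never states the DMZ subnet or the mail server's address in this post, so both are assumed), and the usual security levels inside 100 / dmz 50 / outside 0. Note that the access-group bound to the dmz interface ends in an implicit deny, so anything the DMZ must reach elsewhere, including SMTP to the Internet, has to be listed in the same ACL; and that permitting tcp/445 from a public-facing mail server into an internal host gives an attacker who compromises that server an SMB/RPC path into the inside network, so keep that rule only if it is genuinely needed.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Assumed: DMZ subnet 192.168.10.0/24, mail server 192.168.10.2.
names
name 192.168.10.2 mail
name 192.168.0.2 dc01

! Identity static: 192.168.0.2 is presented to the DMZ under its own address.
! Without a translation the PIX drops DMZ->inside packets with
! "No translation group found" even if the ACL permits them.
static (inside,dmz) 192.168.0.2 192.168.0.2 netmask 255.255.255.255 0 0

! Colin's alternative: exempt the whole inside subnet from translation
! toward the DMZ (nat 0) instead of one static per host.
! access-list inside_nonat permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
! nat (inside) 0 access-list inside_nonat

! Low-to-high traffic (DMZ -> inside) must also be permitted by an ACL
! applied inbound on the lower-security interface.
access-list dmz_01 permit tcp host mail host 192.168.0.2 eq domain
access-list dmz_01 permit udp host mail host 192.168.0.2 eq domain
access-list dmz_01 permit tcp host mail host 192.168.0.2 eq 445
! The ACL applies to every flow entering the dmz interface, so DMZ -> outside
! traffic is also subject to it. Permit outbound SMTP from the mail server
! here, otherwise the implicit deny at the end silently blocks it.
access-list dmz_01 permit tcp host mail any eq smtp
! Explicit final deny so the drop counter is visible in "show access-list".
access-list dmz_01 deny ip any any
access-group dmz_01 in interface dmz

! Verification from the PIX console:
show xlate
show access-list dmz_01
show logging
```

After applying it, `show xlate` should list the identity entry for 192.168.0.2 on the dmz interface, and `show access-list dmz_01` shows per-line hit counts, so a connection that is refused will increment the final deny line rather than disappear without trace.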
08-22-2005 10:06 AM
Thanks very much for your help guys, that worked well. I'm nearly there now. All I need now is to allow the mail server to talk outbound from the DMZ. Inbound I have statically mapped a public IP to the mail server on the DMZ.
Inbound access is fine. I thought outbound would be similar to setting up access from the
internal network outbound then tie it down with an access list to just the ports I need.
This doesn't seem to work for some reason.
What would be the best way for allowing SMTP outbound from the DMZ to any host while restricting all other access from the DMZ?
Thanks.
08-22-2005 05:43 PM
Hi Rob,
If you have a static translation in place, and given that from the DMZ to the outside is a higher to lower security path, you should not require any rules outbound.
If you really wanted to tie it down, the rule would be to allow src mailserver.ip tcp/any to destination any tcp/25.
Check your log files - it will show if there is any traffic being denied, and for what reason.
Cheers,
-colin.
08-22-2005 11:12 PM
Hi Guys,
I'm really having problems with this; I can't get the DMZ to talk outbound no matter what I try. This should be simple, the log files don't show any traffic being denied. They show the connection being set up but not coming back in. I have used the example in the document linked above but still no luck.
I won't use my actual IPs on a usenet site but below is similar to what I have.
Mail server on DMZ 192.168.1.2 gw 192.168.1.254
Public IP range 123.123.123.123-130
ip address outside 123.123.123.123 255.255.255.224
ip address inside 10.0.0.254 255.255.255.0
ip address dmz 192.168.1.254 255.255.255.0
global (outside) 1 123.123.123.124-123.123.123.130
global (dmz) 1 192.168.1.253
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 123.123.123.220 mail netmask 255.255.255.255 0 0
It's probably something simple but I have tried everything I can think of.
Thanks again
08-23-2005 03:31 PM
Hi Rob,
You almost answered your own question there!
If traffic is exiting the PIX (i.e. you can see the translation being built), but you don't see any return traffic, it generally points to one thing.
The static that you have created for your mail server is outside the range configured on the outside interface of the firewall.
Do you have a route back to that address/range of addresses (123.123.123.220)? If you don't have that on your external router/gateway, etc., no return traffic will work.
Cheers,
-colin.
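Rob's sanitised second configuration with Colin's two points applied (the outbound SMTP-only rule from his earlier reply, and the static placed where the upstream router can return traffic to it), as an added example that is not from the thread. With mask 255.255.255.224 the outside address 123.123.123.123 lies in 123.123.123.96/27, whose usable hosts are .97 to .126; 123.123.123.220 is outside that block, and so are .127 to .130 of the original global pool, so the upstream router has no reason to forward replies for them to the PIX. The example therefore uses addresses inside the /27 and assumes the ISP gateway is 123.123.123.97 (the thread gives no default route). The DNS rule is an assumption too: a mail server that can reach only tcp/25 cannot look up MX records.

```cisco
! Added example, not from the thread. PIX 6.x syntax.
! Assumed: ISP gateway 123.123.123.97, public address .100 for the mail server.
names
name 192.168.1.2 mail

ip address outside 123.123.123.123 255.255.255.224
ip address inside 10.0.0.254 255.255.255.0
ip address dmz 192.168.1.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 123.123.123.97 1

! Dynamic NAT for hosts without a static. The pool must sit inside the
! outside interface's /27 (or be routed to the PIX), so .124-.126, not .124-.130.
global (outside) 1 123.123.123.124-123.123.123.126
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
nat (dmz) 1 192.168.1.0 255.255.255.0 0 0

! Mail server: one public address inside the subnet, used in both directions
! (a static is bidirectional, so no separate outbound translation is needed).
static (dmz,outside) 123.123.123.100 mail netmask 255.255.255.255 0 0

! Inbound from the Internet: SMTP only, to the public address.
access-list outside_in permit tcp any host 123.123.123.100 eq smtp
access-group outside_in in interface outside

! Outbound from the DMZ. Binding an ACL to the dmz interface replaces the
! default "high to low is allowed" behaviour with an implicit deny, so the
! flows the mail server needs must be listed explicitly; everything else
! from the DMZ is dropped.
access-list dmz_in permit tcp host mail any eq smtp
! Assumed: the mail server resolves MX records itself.
access-list dmz_in permit udp host mail any eq domain
access-group dmz_in in interface dmz

! If 123.123.123.220 has to stay, keep the original static instead and add a
! host route on the upstream IOS router pointing at the PIX outside address:
!   ip route 123.123.123.220 255.255.255.255 123.123.123.123

! Verification: the xlate for mail should show 123.123.123.100, and an
! outbound test should produce a 302013 "Built outbound TCP connection" entry
! followed by data, not a one-sided SYN.
show xlate
show conn
show logging
```

The symptom Rob reports, a connection built but nothing returning, is exactly what `show conn` looks like when the translation works but the reply has no route back: the entry sits with a near-zero byte count and no denial is ever logged, because from the PIX's point of view nothing was refused.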