07-19-2006 06:20 AM - edited 03-09-2019 03:38 PM
Hi everybody!
I want to allow a mail server in the DMZ (10.0.1.2) SMTP access to a server on the inside interface (10.0.0.2). The inside server has a static NAT mapping to the DMZ (10.0.1.3). I created an access list which allows the mail server in the DMZ to access HTTP on the outside. The inside server also has a web server up and running ... I think you got my problem. Could someone tell me the best way to do this special configuration? ;) I want to limit the access to the inside to only port 25, nothing else ...
Thanks for your help!
07-19-2006 07:48 AM
so you've got this:
static (inside,dmz) 10.0.1.3 10.0.0.2 netmask 255.255.255.255 0 100
all you need then is add an entry to your dmz ACL:
access-list [dmz acl name] permit tcp host 10.0.1.2 host 10.0.1.3 eq 25
07-19-2006 11:20 PM
Thanks for your answer. This access-list already exists. But there is another access-list like this here:
access-list [dmzacl] permit tcp host 10.0.1.12 any eq www
This also allows HTTP traffic to the inside mail server. The only way I actually find is to set a deny rule in the ACL after the allow rule for port 25 ... with many more servers I also have to deny each server this way. Does anyone have another solution for me?
07-25-2006 12:35 AM
Can't you just deny HTTP from DMZ to internal then?
So:
Deny HTTP from DMZ to Inside
Allow HTTP from DMZ to any
Allow SMTP from DMZ to Inside
HTTP to inside is caught before the HTTP to any. T
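As an added illustration (not from the thread or from Cisco), a small Python first-match evaluator for the rule order proposed in the last reply. It uses the hosts from the thread; the DMZ subnet 10.0.1.0/24 and the outside address in the demo are assumptions.

```python
import ipaddress

# Constructed rule set in the order suggested above. Like a PIX/ASA ACL,
# the first matching entry wins and an implicit deny sits at the end.
# ASSUMPTION: the DMZ is 10.0.1.0/24; 10.0.1.3 is the inside server's static.
def parse(rule):
    # "permit tcp <src/prefix> <dst/prefix> eq <port>" -> rule dict
    action, proto, src, dst, _, port = rule.split()
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "port": int(port)}

ACL_FIXED = [parse(r) for r in (
    "deny   tcp 10.0.1.0/24 10.0.1.3/32 eq 80",   # HTTP from DMZ to inside (via static)
    "permit tcp 10.0.1.0/24 0.0.0.0/0   eq 80",   # HTTP from DMZ to any
    "permit tcp 10.0.1.2/32 10.0.1.3/32 eq 25",   # SMTP from DMZ mail server to inside
)]
# The order behind the original complaint: permit-any is hit first, so the
# specific deny below it never matches.
ACL_BROKEN = [ACL_FIXED[1], ACL_FIXED[0], ACL_FIXED[2]]

def evaluate(acl, src, dst, port, proto="tcp"):
    """Return (action, 1-based entry number) of the first matching entry,
    or ("deny", None) when only the implicit deny applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(acl, 1):
        if r["proto"] == proto and s in r["src"] and d in r["dst"] and r["port"] == port:
            return r["action"], n
    return "deny", None

if __name__ == "__main__":
    # 198.51.100.10 is a constructed outside address (documentation range).
    for label, acl in (("fixed", ACL_FIXED), ("broken", ACL_BROKEN)):
        print(label, "HTTP 10.0.1.12 -> 10.0.1.3:", evaluate(acl, "10.0.1.12", "10.0.1.3", 80))
        print(label, "HTTP 10.0.1.12 -> outside :", evaluate(acl, "10.0.1.12", "198.51.100.10", 80))
        print(label, "SMTP 10.0.1.2  -> 10.0.1.3:", evaluate(acl, "10.0.1.2", "10.0.1.3", 25))
```

With the fixed order, HTTP from the DMZ to the inside static is denied by entry 1 while HTTP to the outside and SMTP from 10.0.1.2 still pass; swapping the first two entries lets the HTTP through.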