Peculiar DMZ Problem

r.seetharam
Level 1

Dear All,

I have done the following config; my requirement was to connect the mail server to the DMZ and connect internal users to the inside interface.

Now users are able to access the Internet and send mails through the mail server, but users were not able to receive mails through the mail server.

After having this problem I tried to add a static command directing the internal and DMZ ports to the exact outside IP address to be used; after giving this command users were not able to access the Internet as well as mail.

After having this problem I removed the given static command; immediately users were able to access the Internet and were also able to send and receive mails. I was under the impression of a happy ending.

But after 2 days users were facing the same problem. Then I again did the same exercise of adding and removing the static command; things started working, but again only worked for 2 days. Now I want to give the permanent solution; can anyone please guide me in solving this peculiar problem?

Written by enable_15 at 05:13:46.718 UTC Fri Dec 31 2004

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password xxxx

passwd xxxx

hostname xxxx

domain-name xxxx

fixup protocol dns

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list 101 permit tcp 216.104.x.0 255.255.255.0 any eq https

access-list 101 permit tcp 216.104.x.0 255.255.255.0 any eq www

access-list 101 permit tcp 216.104.x.0 255.255.255.0 any eq smtp

access-list 101 permit icmp any any

access-list 101 permit ip any any

access-list dmz permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 216.104.x.x 255.255.x.x

ip address inside 192.168.0.2 255.255.255.0

ip address dmz 172.x.x.x.255.0.0

ip audit info action alarm

ip audit attack action alarm

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

access-group 101 in interface outside

access-group dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 192.168.0.2 1

route outside 0.0.0.0 0.0.0.0 192.168.107.5 2

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:xxxx

Waiting for your responses.

raghu

3 Replies

abertram
Level 5

Raghu,

One of the first things I noticed is that the ACL you have bound to the Outside interface is only permitting traffic from the source network of 216.104.x.x to any. Then you have a permit ip any any down further. Is there a mail host forwarding you all Internet mail? I assume no, as the 216.104.x.0 network appears based on your mask to be your entire class C block of public space.

Usually you would want something that looks like this for your configuration (assuming mail/OWA http/https ports are required and mail server at address of 216.104.1.5):

access-list 101 permit tcp any host 216.104.1.5 eq smtp

access-list 101 permit tcp any host 216.104.1.5 eq http

access-list 101 permit tcp any host 216.104.1.5 eq https

Also, I do not see a static NAT entry for the DMZ server. This would prevent traffic from translating properly into your DMZ. Additionally, just for RFC compliance's sake, the address you are using in the DMZ is actually a routable address rather than something that falls in the 172.16.0.0 - 172.31.255.254 space. I recommend correcting that.

A static NAT would look something like this for the same mail server (assuming a DMZ address of 172.16.1.5):

static (dmz,outside) 216.104.1.5 172.16.1.5

Without knowing all the details, I would assume that the reason things are working intermittently is because the DMZ box is able to NAT out to the Internet via the global (outside) 1 interface statement, which is opening up a translation in the Pix's translation table. Normally the default timeout on the NAT/PAT translation is 5 minutes.

You can view the active translations by entering:

show xlate

The last thing that is a little odd is the routes you have entered.

You have two route outside entries for the default route going to 192.168.0.2 and 192.168.107.5. These should be causing issues with the Pix even being able to route traffic outside your network.

This should get you started in the right direction. Feel free to post back if you have more questions.

Cheers.

-Adam

csoans
Level 1

Raghu,

There are a few things you would want to change:

1. remove this line

access-list 101 permit ip any any

Since you tied this access list to your outside interface, you are actually allowing all IP traffic in.

2. remove the following lines

route outside 0.0.0.0 0.0.0.0 192.168.0.2 1

route outside 0.0.0.0 0.0.0.0 192.168.107.5 2

and instead use a route outside statement pointing the gateway address to your ISP's router interface

route outside 0.0.0.0 0.0.0.0 216.104.x.x

3. remove the following line

nat (dmz) 1 0.0.0.0 0.0.0.0 0 0

and add static NAT statements for each of the servers available from the outside. If they are using the same IP but are different boxes, you can use lines similar to the ones shown below

static (dmz,outside) tcp 216.104.x.x 80 172.x.x.x 80 netmask 255.255.255.255 0 0

static (dmz,outside) tcp 216.104.x.x 443 172.x.x.x 443 netmask 255.255.255.255 0 0

static (dmz,outside) tcp 216.104.x.x 25 172.x.x.x 25 netmask 255.255.255.255 0 0

If it's the same box, just add one static entry like the one below (a one-to-one static takes no protocol keyword or ports):

static (dmz,outside) 216.104.x.x 172.x.x.x netmask 255.255.255.255 0 0

Also, if you do not want to NAT between the inside and DMZ, you can add a nat (inside) 0 line like the one shown

nat (inside) 0 access-list NONAT

access-list NONAT permit ip 192.168.0.0 255.255.255.0 172.x.x.x 255.255.255.0

Regards

Chris
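Both replies above pick out the same four defects in the posted config: a permit ip any any in the ACL bound to the outside interface, two default routes whose gateways are not on the outside subnet, no static (dmz,outside) mapping for the mail server, and a DMZ address outside RFC 1918 space. The script below is an added example, not code from this thread or from Cisco: it parses a PIX 6.x config dump and reports exactly those conditions, so the same mistakes can be caught before a config is loaded. Both embedded configs are constructed for the example: 203.0.113.0/24 (TEST-NET-3) stands in for the poster's masked public block, 172.40.1.1 for the non-private DMZ address, and 172.16.1.5 / 203.0.113.5 for the mail server's DMZ and mapped addresses.

```python
import ipaddress
import re

# Constructed sample modelled on the posted PIX 6.3 config (addresses are placeholders, see lead-in).
POSTED_CONFIG = """
access-list 101 permit tcp 203.0.113.0 255.255.255.0 any eq smtp
access-list 101 permit icmp any any
access-list 101 permit ip any any
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
ip address dmz 172.40.1.1 255.255.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.2 1
route outside 0.0.0.0 0.0.0.0 192.168.107.5 2
"""

# Constructed "after" config applying the replies' advice (mail server 172.16.1.5 mapped to 203.0.113.5).
FIXED_CONFIG = """
access-list 101 permit tcp any host 203.0.113.5 eq smtp
access-list NONAT permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.0.2 255.255.255.0
ip address dmz 172.16.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) 203.0.113.5 172.16.1.5 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def parse_config(text):
    """Collect the PIX 6.x statement types the checks need; everything else is ignored."""
    cfg = {"acl": {}, "access_group": {}, "ifaddr": {}, "routes": [], "statics": []}
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "access-list" and len(p) > 2:          # access-list <name> <entry...>
            cfg["acl"].setdefault(p[1], []).append(p[2:])
        elif p[0] == "access-group" and len(p) == 5:      # access-group <name> in interface <if>
            cfg["access_group"][p[4]] = p[1]
        elif p[0] == "ip" and p[1] == "address":          # ip address <if> <addr> <mask>
            cfg["ifaddr"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "route" and len(p) >= 5:             # route <if> <dest> <mask> <gw> [metric]
            cfg["routes"].append({"iface": p[1], "dest": p[2], "mask": p[3], "gw": p[4]})
        elif p[0] == "static":                            # static (<real_if>,<mapped_if>) ...
            m = re.match(r"\((\w+),(\w+)\)", p[1])
            cfg["statics"].append({"real": m.group(1), "mapped": m.group(2)})
    return cfg


def check_outside_acl(cfg):
    """An ACL applied inbound on outside must not contain permit ip any any."""
    name = cfg["access_group"].get("outside")
    return [f"ACL {name} on outside contains 'permit ip any any': every inbound connection is allowed"
            for e in cfg["acl"].get(name, []) if e[:4] == ["permit", "ip", "any", "any"]]


def check_default_routes(cfg):
    """Exactly one default route, with a gateway on the exit interface's own subnet."""
    out = []
    defaults = [r for r in cfg["routes"] if (r["dest"], r["mask"]) == ("0.0.0.0", "0.0.0.0")]
    if len(defaults) > 1:
        out.append(f"{len(defaults)} default routes configured; expected exactly one")
    for r in defaults:
        ifaddr = cfg["ifaddr"].get(r["iface"])
        if ifaddr is not None and ipaddress.ip_address(r["gw"]) not in ifaddr.network:
            out.append(f"default route gateway {r['gw']} is not on the {r['iface']} subnet {ifaddr.network}")
    return out


def check_dmz_static(cfg):
    """Inbound mail needs a fixed (dmz,outside) mapping, not a PAT xlate that expires after the timeout."""
    if any(s["real"] == "dmz" and s["mapped"] == "outside" for s in cfg["statics"]):
        return []
    return ["no static (dmz,outside) entry: the DMZ server is only reachable while a PAT xlate happens to exist"]


def check_dmz_rfc1918(cfg):
    """The DMZ interface should sit in RFC 1918 space (172.16.0.0/12 for a 172.x address)."""
    addr = cfg["ifaddr"].get("dmz")
    if addr is not None and not addr.ip.is_private:
        return [f"dmz address {addr.ip} is routable public space, not RFC 1918"]
    return []


def audit(text):
    """Run every check over a config dump; an empty list means none of the four defects is present."""
    cfg = parse_config(text)
    checks = (check_outside_acl, check_default_routes, check_dmz_static, check_dmz_rfc1918)
    return [finding for check in checks for finding in check(cfg)]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(audit(text))} finding(s)", *audit(text), sep="\n  ")
```

Run it as-is to see six findings for the posted-style config and none for the corrected one; to audit a real box, paste the output of show running-config into a file and pass its text to audit(). The checks are deliberately narrow to what the thread discusses: they do not validate the rest of the config.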

Dear Chris,

I did everything. Once I put in any other static command apart from the command which I have given, I will not be able to access the Internet either, but if I remove the static command, immediately it starts working, and it works for 2 days maximum; then again we will not be able to receive any mails.

Can you tell me what might be the problem?

Regards

raghu