Hello,

I have PIX-515 with 3 Ethernets. Here is config (only relevant parts):

access-list FROM_OUTSIDE permit icmp any any

access-list FROM_OUTSIDE permit ip any host xxx.xxx.xxx.xxx

access-list FROM_OUTSIDE permit ip any host yyy.yyy.yyy.yyy

access-list NONAT permit ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list NONAT permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list NONAT permit ip 192.168.4.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside xxx.xxx.xxx.xxx 255.255.255.240

ip address inside 192.168.4.1 255.255.255.0

ip address DMZ 192.168.2.1 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 192.168.4.0 255.255.255.0 0 0

nat (DMZ) 0 access-list NONAT

nat (DMZ) 1 192.168.2.0 255.255.255.0 0 0

static (DMZ,outside) tcp interface pop3 192.168.2.2 pop3 netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface imap4 192.168.2.2 imap4 netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface www 192.168.2.3 www netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface 442 192.168.2.2 442 netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface ftp-data 192.168.2.3 ftp-data netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface ftp 192.168.2.3 ftp netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx pop3 192.168.2.2 pop3 netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx smtp 192.168.2.2 smtp netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx imap4 192.168.2.2 imap4 netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx 81 192.168.2.2 81 netmask 255.255.255.255 0 0

static (DMZ,inside) tcp interface 3389 192.168.2.2 3389 netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx 442 192.168.2.2 442 netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx www 192.168.2.3 www netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx ftp-data 192.168.2.3 ftp-data netmask 255.255.255.255 0 0

static (DMZ,inside) tcp xxx.xxx.xxx.xxx ftp 192.168.2.3 ftp netmask 255.255.255.255 0 0

static (DMZ,outside) yyy.yyy.yyy.yyy 192.168.2.4 netmask 255.255.255.255 0 0

access-group FROM_OUTSIDE in interface outside

Problem is: users report that from outside all work well (www, ftp, mail, www access to mail on 442/tcp), but from inside they cannot connect to ftp server and cannot use MS Remote Desktop Conn. (3389/tcp) to connect to server 192.168.2.2 (mail server). 192.168.2.3 is www and ftp server. They connect to same address (xxx.xxx.xxx.xxx) as from outside. I am sure that configuration is OK, so I would ask: is something in configuration, what prevents users from using ftp and MS Rem. Deskt. from inside? Thanks in advance for any comment.

Best regards

Lukas Mecir

Albit