10-28-2003 02:32 AM - edited 02-20-2020 09:22 PM
Current PIX configuration as follows:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
names
name 210.xxx.xx.x6 mail_server
name 210.xxx.xx.x8 mail_relay
object-group service INBOUND tcp
port-object eq pop3
port-object eq smtp
port-object eq www
port-object eq https
port-object eq domain
access-list inside_access_in permit ip 192.168.110.0 255.255.255.0 any
access-list outside_access_in permit tcp any any object-group INBOUND
access-list outside_access_in permit udp any any eq domain
access-list dmz_access_in permit tcp any any object-group INBOUND
access-list vpn_inside_outbound permit ip any 192.168.110.224 255.255.255.224
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto
ip address outside 210.xxx.xx.x5 255.255.255.224
ip address inside 192.168.110.10 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip local pool VPN 192.168.110.230-192.168.110.254
global (outside) 10 210.xxx.xx.x9
global (outside) 9 210.xxx.xx.x0
nat (inside) 0 access-list vpn_inside_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 9 10.0.0.0 255.255.255.0 0 0
static (inside,outside) mail_server 192.168.110.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.110.0 netmask 255.255.255.0 0 0
static (dmz,outside) mail_relay 10.0.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 210.xxx.xx.x7 1
(1) After applying access-list dmz_access_in on interface DMZ, the mail relay server can't access the internet anymore. Why? Does it apply to incoming or outgoing traffic?
(2) With the dmz_access_in access list, I can telnet to the inside Exchange server, but I still can't send emails to internal users from the mail relay. Any ideas?
(3) Internal/external users can't send/receive emails from the mail relay using the public IP. Access-list issue again?
(4) When I apply an access list on an interface, does it apply to inbound or outbound traffic? I am really confused about applying access lists on interfaces. Will the access list applied on the outside interface be applied to the DMZ? How does the firewall know whether to route the incoming traffic to the DMZ or the inside interface?
Thank you very much in advance for any help/advice.
10-28-2003 05:51 AM
Hi -
Please have a read of the following and let me/us know if this helps:
Just another note: your static (inside,dmz) 192.168.1.0 192.168.110.0 netmask 255.255.255.0 0 0
shouldn't this be:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0 - or - static (inside,dmz) 192.168.110.0 192.168.110.0 netmask 255.255.255.0 0 0 ??
And also remember: when modifying any ACLs or static commands, always issue the command clear xlate and save with the command write memory.
Thanks -
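An added example, not part of either post in this thread, showing how the access lists in the configuration above are evaluated and what a tightened version of the DMZ side looks like. On PIX 6.x an access-group is always applied with the keyword in, so dmz_access_in is checked only against packets that arrive on the dmz interface, that is, traffic the mail relay itself sends towards the inside or the outside; packets coming from the Internet into the DMZ are matched by outside_access_in instead. Once an access list is bound to an interface it replaces the default security-level behaviour for that interface, and everything not explicitly permitted is dropped, which is why the relay loses things it could do before: the posted dmz_access_in permits TCP only, so the relay's UDP/53 DNS lookups are discarded. Which interface a permitted inbound packet is delivered to is decided by the translation, not by the access list: the static for mail_relay maps the public address to 10.0.0.2, whose connected network is on dmz, and the static for mail_server maps to 192.168.110.2 on inside. The identity static is the one the reply above suggests. The static (dmz,inside) line near the end is an assumption of this example and does not appear in the thread: it is the usual PIX 6.x way to let inside hosts reach a DMZ server by its public address, since the PIX will not send such traffic back out the outside interface. Addresses are the ones from the posted configuration, with the masked 210.xxx.xx.xx values left as the poster wrote them; comment lines start with a colon, as in a saved PIX configuration.

```cisco
: Added example, not from the thread. Names as in the posted configuration.
name 210.xxx.xx.x6 mail_server
name 210.xxx.xx.x8 mail_relay

: As posted: TCP only, so the relay's UDP DNS queries are dropped here.
: access-list dmz_access_in permit tcp any any object-group INBOUND

: Tightened DMZ list. Evaluated only for packets entering the PIX on dmz,
: i.e. connections the relay opens. It may deliver mail to Exchange on inside
: by its real address (needs the identity static below), send mail to the
: Internet, and resolve names over UDP and TCP. Everything else from the DMZ,
: including any other inside host, hits the implicit deny at the end.
access-list dmz_access_in permit tcp host 10.0.0.2 host 192.168.110.2 eq smtp
access-list dmz_access_in permit tcp host 10.0.0.2 any eq smtp
access-list dmz_access_in permit udp host 10.0.0.2 any eq domain
access-list dmz_access_in permit tcp host 10.0.0.2 any eq domain

: Identity static: DMZ hosts see the inside network under its real addresses.
: The posted "static (inside,dmz) 192.168.1.0 192.168.110.0" would instead
: make 192.168.110.2 appear to the DMZ as 192.168.1.2.
static (inside,dmz) 192.168.110.0 192.168.110.0 netmask 255.255.255.0 0 0

: Inbound from the Internet is matched by outside_access_in, never by
: dmz_access_in. The exit interface comes from the xlate the static creates:
: mail_relay -> 10.0.0.2 (connected on dmz), mail_server -> 192.168.110.2
: (connected on inside). The outside list sees the public (pre-NAT) address.
static (dmz,outside) mail_relay 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,outside) mail_server 192.168.110.2 netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host mail_relay eq smtp
access-list outside_access_in permit tcp any host mail_server object-group INBOUND

: Assumption, not in the thread: lets inside users reach the relay by its
: public address. PIX 6.x cannot hairpin traffic back out the outside
: interface, so the public address is translated to 10.0.0.2 on the dmz side
: for connections that originate on inside.
static (dmz,inside) mail_relay 10.0.0.2 netmask 255.255.255.255 0 0

: "in" is the only direction PIX 6.x supports; each list filters packets that
: enter the PIX on the named interface.
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

: After changing statics or access lists, clear existing translations and save.
clear xlate
write memory
```

To confirm what a list is doing, show access-list dmz_access_in lists per-line hit counts on PIX 6.x, and show xlate shows which static a connection is using.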
10-28-2003 06:18 PM
Yes, I have read the document and actually entered the setting but to no avail.
static (dmz,outside) mail_relay 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.110.0 192.168.110.0 netmask 255.255.255.0 0 0
access-list outside_access_in permit tcp any any object-group test
access-group outside_access_in in interface outside
Any ideas? Thanks.