01-18-2004 12:39 PM
Hello everyone,
We are having a problem with a Cisco PIX Firewall 515 on a customer site. We have three interfaces on the PIX. We are configuring our mail server on the DMZ (the server in the DMZ needs to communicate with another mail server on the inside LAN). We can connect to the Internet from the inside LAN properly, we can access the DMZ from the inside and we can also ping it from the inside, and we are able to get to the DMZ from the outside for the Web Access application.

The problem is that we can't access the inside or the outside from the DMZ. Also, we weren't able to access the DMZ from the inside until we used a conduit to permit it, though I know that traffic from a higher security interface to a lower security interface doesn't need a conduit or an ACL. You can see that our customer is using a wrong address range for the inside interface, but they will take care of it later. I also know it is not recommended to use ACLs with conduits, but this is the only way it worked. I am posting my configuration below. Please advise us. Thanks.

Note: the software engineer who is handling the mail server asked us to turn off the Mailguard feature for his application.
! Interface names and security levels. Traffic from a higher level to a lower
! level is allowed once a translation (nat/static) exists for the source;
! traffic from a lower level to a higher level needs a static plus a conduit or ACL.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
! Turn off Mailguard (SMTP command inspection on port 25), as requested by the mail server engineer
no fixup protocol smtp 25
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside A.B.C.66 255.255.255.248
! Inside uses public address space (128.100.0.0/16); the customer will change it later
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
! Mail server 192.168.0.2 in the DMZ is presented on the outside as A.B.C.68
static (dmz,outside) A.B.C.68 192.168.0.2 netmask 255.255.255.255 0 0
! Inbound SMTP and HTTP to the mail server's public address.
! No access-group statement binds this list to an interface, so it is not applied.
access-list fromOut permit tcp any host A.B.C.68 eq smtp
access-list fromOut permit tcp any host A.B.C.68 eq http
! Outbound PAT pool for nat id 1
global (outside) 1 A.B.C.67 netmask 255.255.255.248
! 128.100.14.100 is our ISA server in the inside LAN; it is the only inside host
! covered by a nat statement, and there is no nat statement for the dmz interface
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
! Presents the whole inside network 128.100.0.0/16 to the DMZ as 192.168.0.0/16.
! That global range includes the dmz interface address 192.168.0.1 and the
! mail server 192.168.0.2 (the dmz subnet itself is 192.168.0.0/24).
static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
! 192.168.0.2 is the Mail server in the DMZ.
! Posted as one line "eq smtp http any"; conduit accepts a single port after eq,
! so the two ports are written as two conduits here.
conduit permit tcp host 192.168.0.2 eq smtp any
conduit permit tcp host 192.168.0.2 eq http any
! Permits all ICMP from any source to any global address
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 A.B.C.65 1
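The thread does not contain the answer the poster was pointed to, but the posted configuration shows several things a reviewer would check before touching the translation rules: an access-list that is defined but never bound with access-group, conduits mixed with access-lists, a wide-open ICMP conduit, Mailguard disabled, and a static whose global range swallows the dmz interface's own address and the mail server. The following script is an added example (not from the original post or from Cisco) that parses the handful of PIX 6.x statements used above and reports those conditions. The sample input is the poster's configuration with the A.B.C.x placeholders replaced by the 192.0.2.x documentation range so the addresses parse; that substitution and the lint rules themselves are this example's own assumptions.

```python
"""Lint a Cisco PIX 6.x configuration for the issues visible in the post above.

Added example, not part of the original thread and not Cisco tooling. The
checks are this example's own; they cover only the statement types used in
the posted configuration.
"""
import ipaddress
import re

# Constructed sample: the configuration from the post, with the A.B.C.x
# placeholders replaced by the 192.0.2.x documentation range (an assumption
# of this example so that ipaddress can parse them).
SAMPLE_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
no fixup protocol smtp 25
ip address outside 192.0.2.66 255.255.255.248
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
static (dmz,outside) 192.0.2.68 192.168.0.2 netmask 255.255.255.255 0 0
access-list fromOut permit tcp any host 192.0.2.68 eq smtp
access-list fromOut permit tcp any host 192.0.2.68 eq http
global (outside) 1 192.0.2.67 netmask 255.255.255.248
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
conduit permit tcp host 192.168.0.2 eq smtp any
conduit permit tcp host 192.168.0.2 eq http any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.0.2.65 1
"""

# static (high_if,low_if) global_ip local_ip netmask mask [...]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")


def parse(config):
    """Collect the statements the lint rules below care about."""
    parsed = {"interfaces": {}, "acls": set(), "access_groups": set(),
              "conduits": [], "statics": [], "smtp_fixup": True}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[:2] == ["ip", "address"] and len(parts) >= 5:
            # ip address <ifname> <addr> <mask>: keep the address and its subnet
            addr = ipaddress.ip_address(parts[3])
            net = ipaddress.ip_network(f"{parts[3]}/{parts[4]}", strict=False)
            parsed["interfaces"][parts[2]] = (addr, net)
        elif parts[0] == "access-list":
            parsed["acls"].add(parts[1])
        elif parts[0] == "access-group":
            parsed["access_groups"].add(parts[1])
        elif parts[0] == "conduit":
            parsed["conduits"].append(parts[1:])
        elif line.startswith("no fixup protocol smtp"):
            parsed["smtp_fixup"] = False
        else:
            m = STATIC_RE.match(line)
            if m:
                high_if, low_if, glob, local, mask = m.groups()
                parsed["statics"].append((
                    high_if, low_if,
                    ipaddress.ip_network(f"{glob}/{mask}", strict=False),
                    ipaddress.ip_network(f"{local}/{mask}", strict=False)))
    return parsed


def lint(config):
    """Return a list of finding strings for the given PIX config text."""
    p = parse(config)
    findings = []
    # An access-list only takes effect once access-group binds it to an interface.
    for acl in sorted(p["acls"] - p["access_groups"]):
        findings.append(f"access-list {acl} is defined but never applied "
                        f"with access-group, so it has no effect")
    if p["acls"] and p["conduits"]:
        findings.append("conduit and access-list statements are mixed; "
                        "Cisco recommends using one mechanism or the other")
    for c in p["conduits"]:
        if c[:4] == ["permit", "icmp", "any", "any"]:
            findings.append("conduit permit icmp any any lets all ICMP "
                            "from any host reach any global address")
    if not p["smtp_fixup"]:
        findings.append("SMTP fixup (Mailguard) is disabled; "
                        "port 25 gets no command inspection")
    for high_if, low_if, glob, _local in p["statics"]:
        # The global side of a static is the range seen on low_if. If it
        # contains an interface's own address, or the local address of
        # another static, those hosts are shadowed by the translation.
        for name, (addr, _net) in p["interfaces"].items():
            if addr in glob:
                findings.append(f"static ({high_if},{low_if}) global range "
                                f"{glob} contains the {name} interface "
                                f"address {addr}")
        for o_high, o_low, _oglob, olocal in p["statics"]:
            if (o_high, o_low) != (high_if, low_if) and glob.overlaps(olocal):
                findings.append(f"static ({high_if},{low_if}) global range "
                                f"{glob} contains {olocal}, the local address "
                                f"of static ({o_high},{o_low})")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("-", f)
```

Run against the sample, the script flags the unbound fromOut list, the conduit/ACL mix, the ICMP conduit, the disabled Mailguard, and the static (inside,dmz) range overlapping both the dmz interface address and the mail server. The static (dmz,outside) for A.B.C.68 is not reported, since a single global address inside the outside subnet is the normal case.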
01-18-2004 02:29 PM
Already answered in Security - Firewalling forum.
01-18-2004 09:32 PM
Thanks for the quick response. I'll try it and get back to you.