Velocity Reviews - Computer Hardware Reviews

PIX 515 e DMZ

 
 
Mick
 
      06-30-2004
Pix 515e 6.3(1) w/ the DMZ feature set

My current running config allows Mail (port 25) to pass thru the
OUTSIDE interface to the Mail Server on the INSIDE interface. This
works.
However, when I add the DMZ (I need to run www on the DMZ) mail no
longer passes thru to the mail server on the INSIDE interface.
Here is my current abbreviated config.

BEGIN
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.0.0.22 eq smtp
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
ip address outside 207.0.0.3 255.255.255.0
ip address inside 192.168.11.50 255.255.255.0
global (outside) 1 207.97.140.200-207.97.140.225
global (outside) 1 207.97.140.226
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.97.140.21 mx1 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
END

Now when I include the following DMZ rules in the current config, mail
will no longer pass thru to the Mail Server on the INSIDE interface;
however, www traffic passes thru to the DMZ.

Begin
nameif ethernet2 dmz security50
interface ethernet2 auto
access-list www_dmz permit tcp any host 207.0.0.130 eq www
ip address dmz 172.16.128.1 255.255.255.0
static (dmz,outside) 207.0.0.130 172.16.128.130 netmask 255.255.255.0
static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
access-group www_dmz in interface outside
END

Basically what I am trying to achieve is to have Mail pass thru from the
outside interface to the INSIDE interface where the mail server is
using port 25.
And I need www traffic to pass thru the outside interface to the DMZ
on port.
Can this work?

Thanks in advance.
 
 
 
 
 
Walter Roberson
 
      06-30-2004
In article <(E-Mail Removed) >,
Mick <(E-Mail Removed)> wrote:
:Pix 515e 6.3(1) w/ the DMZ feature set

:My current running config allows Mail (port 25) to pass thru the
:OUTSIDE interface to the Mail Server on the INSIDE interface. This
:works.
:However, when I add the DMZ (I need to run www on the DMZ) mail no
:longer passes thru to the mail server on the INSIDE interface.
:Here is my current abbreviated config.

:ip address outside 207.0.0.3 255.255.255.0

:static (inside,outside) 207.97.140.21 mx1 netmask 255.255.255.255 0 0

207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
arp for 207.97.140.21 if it is asked, but you are probably going to
have issues about proper routing.


:Now when I include the following DMZ rules in the current config mail
:will no longer pass thru to the Mail Server on the INSIDE interface,
:however www traffic passes thru to the DMZ

:static (dmz,outside) 207.0.0.130 172.16.128.130 netmask 255.255.255.0

You used a netmask of 255.255.255.0 which is the same as if you
had configured

static (dmz,outside) 207.0.0.0 172.16.128.0 netmask 255.255.255.0

so you are sending all your public IP space to the dmz.

Try again with a netmask of 255.255.255.255
--
The image data is transmitted back to Earth at the speed of light
and usually at 12 bits per pixel.
 
 
 
 
 
Mick
 
      07-01-2004
(E-Mail Removed)-cnrc.gc.ca (Walter Roberson) wrote in message news:<cbv54i$1l9$(E-Mail Removed)>...
> 207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
> arp for 207.97.140.21 if it is asked, but you are probably going to
> have issues about proper routing.


Walter, the subnet is the same, just my mistake trying to hide my real
IP. The following is the statement w/ the real IP:
static (dmz,outside) 207.07.140.130 172.16.128.130 netmask 255.255.255.0

So what you're saying is the static NAT statement above should use the
following mask: 255.255.255.255
 
 
Mick
 
      07-01-2004
(E-Mail Removed) (Mick) wrote in message news:<(E-Mail Removed) om>...
Ok, here is the real config. What I am trying to achieve is to have
Mail pass thru the OUTSIDE interface to the mail-server on the INSIDE
interface. I also need to have WWW traffic pass thru the OUTSIDE
interface to the Web-Server on the DMZ. The config below allows www
traffic to pass thru to the DMZ but mail is not passing thru to the
mail-server on the INSIDE interface.

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password BObnFRYhrLLX7XML encrypted
passwd a0Zhrf6icaFKoQsr encrypted
hostname pix
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list dmz_www permit tcp any host 207.97.140.130 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 207.97.140.3 255.255.255.0
ip address inside 192.168.11.50 255.255.255.0
ip address dmz 172.16.128.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.15.1-192.168.15.254
arp timeout 14400
global (outside) 1 207.97.140.200-207.97.140.225
global (outside) 1 207.97.140.226
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
access-group dmz_www in interface outside
route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
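A small checker, added here and not part of the thread, that applies Walter's netmask point to the lines Mick posted: it expands each static to the network the PIX actually translates (a host address with a 255.255.255.0 mask becomes the whole /24, so the dmz static turns into 207.97.140.0/24 to 172.16.128.0/24) and reports what that broad static swallows, including the outside interface address and the mail server's host static; it also flags an access-list that no access-group binds, which in the final config is acl_out (the PIX evaluates one ACL per interface, so binding dmz_www on outside leaves acl_out unused). The config excerpt is constructed from the thread, and the function names are mine.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in this thread, with the /24 dmz static.
PIX_CONFIG = """\
ip address outside 207.97.140.3 255.255.255.0
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list dmz_www permit tcp any host 207.97.140.130 eq www
static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
static (dmz,outside) 207.97.140.130 172.16.128.130 netmask 255.255.255.0
access-group dmz_www in interface outside
"""
STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask (\S+)")
IFADDR_RE = re.compile(r"^ip address (\w+) (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface \w+")


def static_scope(line):
    """(global, local) networks a static really translates: the PIX applies the
    netmask to both sides, so a host IP with a /24 mask becomes a whole /24."""
    if not (m := STATIC_RE.match(line)):
        return None
    glob, local, mask = m.groups()
    g = ipaddress.ip_network(f"{glob}/{mask}", strict=False)
    try:  # the local side may be a 'name' alias (mx1, mail) rather than an IP
        local = ipaddress.ip_network(f"{local}/{mask}", strict=False)
    except ValueError:
        pass
    return g, local


def audit(config):
    """Report statics whose global side swallows other outside-wire addresses, and
    ACLs no access-group binds (one ACL per interface, so acl_out never applies)."""
    claimed, statics, acls, bound = {}, [], set(), set()
    for line in config.splitlines():
        if m := IFADDR_RE.match(line):
            claimed[f"interface {m[1]}"] = ipaddress.ip_address(m[2])
        elif m := ACL_RE.match(line):
            acls.add(m[1])
        elif m := GROUP_RE.match(line):
            bound.add(m[1])
        elif scope := static_scope(line):
            statics.append((line, scope[0]))
            if scope[0].prefixlen == 32:  # a host static claims one address
                claimed[line] = scope[0].network_address
    findings = [f"{line} also covers {who} ({ip})" for line, net in statics
                if net.prefixlen < 32 for who, ip in claimed.items() if ip in net]
    findings += [f"access-list {a} is defined but never bound" for a in sorted(acls - bound)]
    return findings
```

Running audit(PIX_CONFIG) reports the /24 static covering both the outside interface address and the 207.97.140.21 mail static, plus acl_out never being bound; changing the mask to 255.255.255.255 leaves only the acl_out finding.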
 