PIX 515 e DMZ

Discussion in 'Cisco' started by Mick, Jun 30, 2004.

  1. Mick

    Mick Guest

    Pix 515e 6.3(1) w/ the DMZ feature set

    My current running config allows Mail (port 25) to pass thru the
    OUTSIDE interface to the Mail Server on the INSIDE interface. This
    works.
    However, when I add the DMZ (I need to run www on the DMZ) mail no
    longer passes thru to the mail server on the INSIDE interface.
    Here is my current abbreviated config.

    BEGIN
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    name 192.168.11.35 mx1
    access-list acl_out permit tcp any host 207.0.0.22 eq smtp
    access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    ip address outside 207.0.0.3 255.255.255.0
    ip address inside 192.168.11.50 255.255.255.0
    global (outside) 1 207.97.140.200-207.97.140.225
    global (outside) 1 207.97.140.226
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 207.97.140.21 mx1 netmask 255.255.255.255 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
    END

    Now when I include the following DMZ rules in the current config, mail
    will no longer pass thru to the Mail Server on the INSIDE interface;
    however, www traffic passes thru to the DMZ.

    Begin
    nameif ethernet2 dmz security50
    interface ethernet2 auto
    access-list www_dmz permit tcp any host 207.0.0.130 eq www
    ip address dmz 172.16.128.1 255.255.255.0
    static (dmz,outside) 207.0.0.130 172.16.128.130 netmask 255.255.255.0
    static (inside,dmz) 192.168.11.0 192.168.11.0 netmask 255.255.255.0
    access-group www_dmz in interface outside
    END

    Basically what I am trying to achieve is to have Mail pass thru from the
    outside interface to the INSIDE interface where the mail server is
    using port 25.
    And I need www traffic to pass thru the outside interface to the DMZ
    on port.
    Can this work?

    Thanks in advance.
     
    Mick, Jun 30, 2004
    #1

  2. In article <>,
    Mick <> wrote:
    :pix 515e 6.3(1) w/ the DMZ feature set

    :My current running config allows Mail (port 25) to pass thru the
    :OUTSIDE interface to the Mail Server on the INSIDE interface. This
    :works.
    :However, when i add the DMZ (i need to run www on the DMZ) mail no
    :longer passes thru to the mail server on the INSIDE interface.
    :Here is my current abbreviated config.

    :ip address outside 207.0.0.3 255.255.255.0

    :static (inside,outside) 207.97.140.21 mx1 netmask 255.255.255.255 0 0

    207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
    arp for 207.97.140.21 if it is asked, but you are probably going to
    have issues about proper routing.


    :Now when in include the following DMZ rules to the current config mail
    :will no longer pass thru to the Mail Server on the INSIDE interface,
    :however www trafic passes thur to the DMZ

    :static (dmz,outside) 207.0.0.130 172.16.128.130 netmask 255.255.255.0

    You used a netmask of 255.255.255.0 which is the same as if you
    had configured

    static (dmz,outside) 207.0.0.0 172.16.128.0 netmask 255.255.255.0

    so you are sending all your public IP space to the dmz.

    Try again with a netmask of 255.255.255.255
    --
    The image data is transmitted back to Earth at the speed of light
    and usually at 12 bits per pixel.
     
    Walter Roberson, Jun 30, 2004
    #2
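    The following Python is an added illustration, not code from Walter's reply or from the thread: it models what the netmask on a PIX `static` actually selects and checks whether one static's global block overlaps another's. The addresses are the ones posted in the thread (post #4 gives the real 207.97.140.0/24 block); the `Static` type and helper names are this example's own.

```python
"""Added example (not code from the thread): what the netmask on a PIX `static`
selects, and whether one static's global block swallows another's.

`static (dmz,outside) G L netmask M` translates the address block G & M to the
block L & M.  With M = 255.255.255.0 the "host" static from the first post covers
the whole public /24, so it also claims 207.97.140.21, the global address the
inside mail server is mapped to.  With M = 255.255.255.255 only the single host
is translated."""
import ipaddress
from typing import List, NamedTuple, Tuple


class Static(NamedTuple):
    high_if: str    # interface holding the real (local) address, e.g. "inside"
    low_if: str     # interface where the global (translated) address is seen
    global_ip: str
    local_ip: str
    netmask: str


def translated_block(s: Static) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """(global block, local block) that the static covers.

    strict=False normalises a host address plus a shorter mask to its network,
    which is how the PIX interprets a netmask on a static."""
    g = ipaddress.IPv4Network(f"{s.global_ip}/{s.netmask}", strict=False)
    l = ipaddress.IPv4Network(f"{s.local_ip}/{s.netmask}", strict=False)
    return g, l


def overlapping_statics(statics: List[Static], target: Static) -> List[Static]:
    """Other statics on the same low-side interface whose global block overlaps
    the target's, i.e. statics competing for the target's public addresses."""
    target_block, _ = translated_block(target)
    hits = []
    for s in statics:
        if s == target or s.low_if != target.low_if:
            continue
        block, _ = translated_block(s)
        if target_block.overlaps(block):
            hits.append(s)
    return hits


# Statics as posted: the inside mail server, and the DMZ web server with the
# /24 netmask from the first post and with the /32 Walter recommended.
MAIL = Static("inside", "outside", "207.97.140.21", "192.168.11.35", "255.255.255.255")
WWW_SLASH24 = Static("dmz", "outside", "207.97.140.130", "172.16.128.130", "255.255.255.0")
WWW_SLASH32 = Static("dmz", "outside", "207.97.140.130", "172.16.128.130", "255.255.255.255")


def report(statics: List[Static]) -> None:
    """Print what each static translates and which other statics collide with it."""
    for s in statics:
        g, l = translated_block(s)
        print(f"static ({s.high_if},{s.low_if}) {s.global_ip} -> {s.local_ip} "
              f"netmask {s.netmask}: translates {g} <-> {l}")
        for other in overlapping_statics(statics, s):
            print(f"  !! {other.global_ip}/{other.netmask} on {other.high_if} "
                  f"also claims part of {g}")


if __name__ == "__main__":
    print("-- as posted in #1 (netmask 255.255.255.0)")
    report([MAIL, WWW_SLASH24])
    print("-- with the /32 netmask Walter suggested")
    report([MAIL, WWW_SLASH32])
```

    Run as-is, the first report shows the DMZ static expanding to 207.97.140.0/24 and colliding with the mail static's 207.97.140.21; the second, with the /32 mask, shows no overlap.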

  3. Mick

    Mick Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cbv54i$1l9$>...
    > In article <>,
    > Mick <> wrote:
    > :pix 515e 6.3(1) w/ the DMZ feature set
    >
    > :My current running config allows Mail (port 25) to pass thru the
    > :OUTSIDE interface to the Mail Server on the INSIDE interface. This
    > :works.
    > :However, when i add the DMZ (i need to run www on the DMZ) mail no
    > :longer passes thru to the mail server on the INSIDE interface.
    > :Here is my current abbreviated config.
    >
    > :ip address outside 207.0.0.3 255.255.255.0
    >
    > :static (inside,outside) 207.97.140.21 mx1 netmask 255.255.255.255 0 0
    >
    > 207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
    > arp for 207.97.140.21 if it is asked, but you are probably going to
    > have issues about proper routing.
    >
    >
    > :Now when in include the following DMZ rules to the current config mail
    > :will no longer pass thru to the Mail Server on the INSIDE interface,
    > :however www trafic passes thur to the DMZ
    >
    > :static (dmz,outside) 207.0.0.130 172.16.128.130 netmask 255.255.255.0
    >
    > You used a netmask of 255.255.255.0 which is the same as if you
    > had configured
    >
    > static (dmz,outside) 207.0.0.0 172.16.128.0 netmask 255.255.255.0
    >
    > so you are sending all your public IP space to the dmz.
    >
    > Try again with a netmask of 255.255.255.255
    > 207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
    > arp for 207.97.140.21 if it is asked, but you are probably going to
    > have issues about proper routing.

    Walter, the subnet is the same; it was just my mistake trying to hide my real
    IP. The following is the statement w/ the real IP:
    static (dmz,outside) 207.07.140.130 172.16.128.130 netmask 255.255.255.0

    So what you're saying is the static NAT statement above should use the
    following mask: 255.255.255.255?
     
    Mick, Jul 1, 2004
    #3
  4. Mick

    Mick Guest

    (Mick) wrote in message news:<>...
    > -cnrc.gc.ca (Walter Roberson) wrote in message news:<cbv54i$1l9$>...
    > > In article <>,
    > > Mick <> wrote:
    > > :pix 515e 6.3(1) w/ the DMZ feature set
    >
    > > :My current running config allows Mail (port 25) to pass thru the
    > > :OUTSIDE interface to the Mail Server on the INSIDE interface. This
    > > :works.
    > > :However, when i add the DMZ (i need to run www on the DMZ) mail no
    > > :longer passes thru to the mail server on the INSIDE interface.
    > > :Here is my current abbreviated config.
    >
    > > :ip address outside 207.0.0.3 255.255.255.0
    >
    > > :static (inside,outside) 207.97.140.21 mx1 netmask 255.255.255.255 0 0
    > >
    > > 207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
    > > arp for 207.97.140.21 if it is asked, but you are probably going to
    > > have issues about proper routing.
    > >
    > >
    > > :Now when in include the following DMZ rules to the current config mail
    > > :will no longer pass thru to the Mail Server on the INSIDE interface,
    > > :however www trafic passes thur to the DMZ
    >
    > > :static (dmz,outside) 207.0.0.130 172.16.128.130 netmask 255.255.255.0
    > >
    > > You used a netmask of 255.255.255.0 which is the same as if you
    > > had configured
    > >
    > > static (dmz,outside) 207.0.0.0 172.16.128.0 netmask 255.255.255.0
    > >
    > > so you are sending all your public IP space to the dmz.
    > >
    > > Try again with a netmask of 255.255.255.255
    >
    >
    >
    > > 207.97.140.21 is not in the subnet 207.0.0/24 . The PIX will proxy
    > > arp for 207.97.140.21 if it is asked, but you are probably going to
    > > have issues about proper routing.
    >
    > Walter, the subnet is the same just my mistake trying to hide my real
    > ip
    > the following is the statement w/ the real ip
    > static (dmz,outside) 207.07.140.130 172.16.128.130 netmask
    > 255.255.255.0
    >
    > So what your saying is the static nat statment above should use the
    > following mask 255.255.255.255

    OK, here is the real config. What I am trying to achieve is to have
    Mail pass thru the OUTSIDE interface to the mail server on the INSIDE
    interface. I also need to have WWW traffic pass thru the OUTSIDE
    interface to the web server on the DMZ. The config below allows www
    traffic to pass thru to the DMZ, but mail is not passing thru to the
    mail server on the INSIDE interface.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password BObnFRYhrLLX7XML encrypted
    passwd a0Zhrf6icaFKoQsr encrypted
    hostname pix
    name 192.168.11.35 mx1
    access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list dmz_www permit tcp any host 207.97.140.130 eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 207.97.140.3 255.255.255.0
    ip address inside 192.168.11.50 255.255.255.0
    ip address dmz 172.16.128.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.15.1-192.168.15.254
    arp timeout 14400
    global (outside) 1 207.97.140.200-207.97.140.225
    global (outside) 1 207.97.140.226
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
    static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
    access-group dmz_www in interface outside
    route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
     
    Mick, Jul 1, 2004
    #4
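    The script below is an added example, not code from the thread or from Cisco: a small consistency check over the NAT and ACL lines of the config posted in #4 (only those lines are reproduced; the passwords and interface settings are left out). It cross-references `name`, `static`, `access-list` and `access-group` entries and reports the kinds of mismatch that stop a statically translated host from being reachable, all of which are visible in the posted text: the mail static refers to `mail` while the only `name` defined is `mx1`; `acl_out` permits SMTP to 207.97.140.22 while the static maps 207.97.140.21; and `acl_out` is never bound, since the only `access-group` on `outside` is `dmz_www`. The rule that a PIX 6.x interface holds a single bound ACL, so a second `access-group` replaces the first, is stated from PIX 6.x behaviour, not from anything in the thread; the `lint` function and the finding texts are this example's own.

```python
"""Added example (not from the thread): cross-check PIX 6.3 `name`, `static`,
`access-list` and `access-group` lines for the mismatches that make an inbound
static translation unreachable."""
from __future__ import annotations

import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed from the config posted in #4 (NAT/ACL lines only).
CONFIG = """\
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list dmz_www permit tcp any host 207.97.140.130 eq www
static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
access-group dmz_www in interface outside
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit \S+ \S+ host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")


def is_ip(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def lint(config: str) -> List[str]:
    """Return human-readable findings for the NAT/ACL lines of `config`."""
    names: Dict[str, str] = {}                       # name -> address
    statics: List[Tuple[str, str, str, str, str]] = []  # (high_if, low_if, global, local, mask)
    acls: Dict[str, List[Tuple[str, str]]] = {}      # acl -> [(host, port)]
    groups: Dict[str, List[str]] = {}                # interface -> bound acls, in order
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(2), []).append(m.group(1))

    findings: List[str] = []

    # 1. A static that uses a symbolic name never defined with `name`.
    for _, _, gaddr, laddr, _ in statics:
        for tok in (gaddr, laddr):
            if not is_ip(tok) and tok not in names:
                findings.append(f"static {gaddr} -> {laddr}: '{tok}' is not a defined name")

    # 2. An ACL that exists but is bound to no interface does nothing.
    bound = {a for lst in groups.values() for a in lst}
    for acl in acls:
        if acl not in bound:
            findings.append(f"access-list {acl} is defined but not bound to any interface")

    # 3. PIX 6.x keeps one ACL per interface; a later access-group replaces the
    #    earlier one (assumption from PIX 6.x behaviour, not from the thread).
    for intf, lst in groups.items():
        if len(lst) > 1:
            findings.append(f"interface {intf}: access-groups {lst}; only the last one ({lst[-1]}) is in effect")

    # 4. A static's global address that no ACL bound on its low-side interface permits.
    for _, low, gaddr, _, _ in statics:
        active = groups.get(low, [])
        permitted = {host for a in active for host, _ in acls.get(a, [])}
        if gaddr not in permitted:
            findings.append(f"static global {gaddr} on {low} is not permitted by any ACL bound on {low}")

    # 5. An ACL host entry that matches no static global (typo'd address or missing static).
    global_addrs = {g for _, _, g, _, _ in statics}
    for acl, entries in acls.items():
        for host, port in entries:
            if host not in global_addrs:
                findings.append(f"access-list {acl}: host {host}/{port} matches no static global address")
    return findings


if __name__ == "__main__":
    for f in lint(CONFIG):
        print("-", f)
```

    On the posted config the checks report four findings: the undefined `mail` name, the unbound `acl_out`, the mail static's 207.97.140.21 not being permitted by any ACL bound on `outside`, and `acl_out`'s host 207.97.140.22 matching no static. The web static passes every check, which matches the symptom described in the thread (www works, mail does not).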