PIX515e and the DMZ

Discussion in 'Cisco' started by Mick, Jul 1, 2004.

  1. Mick

    Mick Guest

    What I am trying to achieve is to have
    mail pass through the OUTSIDE interface to the mail server on the INSIDE
    interface, port 25. I also need to have WWW traffic pass through the OUTSIDE
    interface to the web server on the DMZ. The config below allows WWW
    traffic to pass through to the DMZ, but mail is not passing through to the
    mail server on the INSIDE interface.

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password BObnFRYhrLLX7XML encrypted
    passwd a0Zhrf6icaFKoQsr encrypted
    hostname pix
    name 192.168.11.35 mx1
    access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list dmz_www permit tcp any host 207.97.140.130 eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 207.97.140.3 255.255.255.0
    ip address inside 192.168.11.50 255.255.255.0
    ip address dmz 172.16.128.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.15.1-192.168.15.254
    arp timeout 14400
    global (outside) 1 207.97.140.200-207.97.140.225
    global (outside) 1 207.97.140.226
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
    static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
    access-group dmz_www in interface outside
    route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
     
    Mick, Jul 1, 2004
    #1

  2. George

    George Guest

    You are not allowing smtp traffic in..

    "access-group dmz_www in interface outside"
    and the associated access-list
    " access-list dmz_www permit tcp any host 207.97.140.130 eq www "

    allow only www traffic..
    HTH..
    -G


    (Mick) wrote in message news:<>...
    > What I am trying to achieve is to have
    > mail pass through the OUTSIDE interface to the mail server on the INSIDE
    > interface, port 25. I also need to have WWW traffic pass through the OUTSIDE
    > interface to the web server on the DMZ. The config below allows WWW
    > traffic to pass through to the DMZ, but mail is not passing through to the
    > mail server on the INSIDE interface.
    >
    > PIX Version 6.3(1)
    > interface ethernet0 auto
    > interface ethernet1 auto
    > interface ethernet2 auto
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > nameif ethernet2 dmz security50
    > enable password BObnFRYhrLLX7XML encrypted
    > passwd a0Zhrf6icaFKoQsr encrypted
    > hostname pix
    > name 192.168.11.35 mx1
    > access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    > access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    > access-list dmz_www permit tcp any host 207.97.140.130 eq www
    > pager lines 24
    > mtu outside 1500
    > mtu inside 1500
    > mtu dmz 1500
    > ip address outside 207.97.140.3 255.255.255.0
    > ip address inside 192.168.11.50 255.255.255.0
    > ip address dmz 172.16.128.1 255.255.255.0
    > ip audit info action alarm
    > ip audit attack action alarm
    > ip local pool ippool 192.168.15.1-192.168.15.254
    > arp timeout 14400
    > global (outside) 1 207.97.140.200-207.97.140.225
    > global (outside) 1 207.97.140.226
    > nat (inside) 0 access-list 101
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
    > static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
    > access-group dmz_www in interface outside
    > route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    > route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
     
    George, Jul 1, 2004
    #2

  3. Mick

    Mick Guest

    OK, so I do enable it?


    (George) wrote in message news:<>...
    > You are not allowing smtp traffic in..
    >
    > "access-group dmz_www in interface outside"
    > and the associated access-list
    > " access-list dmz_www permit tcp any host 207.97.140.130 eq www "
    >
    > allow only www traffic..
    > HTH..
    > -G
    >
    >
    > (Mick) wrote in message news:<>...
    > > What I am trying to achieve is to have
    > > mail pass through the OUTSIDE interface to the mail server on the INSIDE
    > > interface, port 25. I also need to have WWW traffic pass through the OUTSIDE
    > > interface to the web server on the DMZ. The config below allows WWW
    > > traffic to pass through to the DMZ, but mail is not passing through to the
    > > mail server on the INSIDE interface.
    > >
    > > PIX Version 6.3(1)
    > > interface ethernet0 auto
    > > interface ethernet1 auto
    > > interface ethernet2 auto
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > nameif ethernet2 dmz security50
    > > enable password BObnFRYhrLLX7XML encrypted
    > > passwd a0Zhrf6icaFKoQsr encrypted
    > > hostname pix
    > > name 192.168.11.35 mx1
    > > access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    > > access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    > > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    > > access-list dmz_www permit tcp any host 207.97.140.130 eq www
    > > pager lines 24
    > > mtu outside 1500
    > > mtu inside 1500
    > > mtu dmz 1500
    > > ip address outside 207.97.140.3 255.255.255.0
    > > ip address inside 192.168.11.50 255.255.255.0
    > > ip address dmz 172.16.128.1 255.255.255.0
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > ip local pool ippool 192.168.15.1-192.168.15.254
    > > arp timeout 14400
    > > global (outside) 1 207.97.140.200-207.97.140.225
    > > global (outside) 1 207.97.140.226
    > > nat (inside) 0 access-list 101
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
    > > static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
    > > access-group dmz_www in interface outside
    > > route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    > > route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
     
    Mick, Jul 2, 2004
    #3
  4. PES

    PES Guest

    "Mick" <> wrote in message news:...
    > OK, so I do enable it?

    access-list dmz_www permit tcp any host 207.97.140.21 eq 25

    > (George) wrote in message news:<>...
    > > You are not allowing smtp traffic in..
    > >
    > > "access-group dmz_www in interface outside"
    > > and the associated access-list
    > > " access-list dmz_www permit tcp any host 207.97.140.130 eq www "
    > >
    > > allow only www traffic..
    > > HTH..
    > > -G
    > >
    > >
    > > (Mick) wrote in message news:<>...
    > > > What I am trying to achieve is to have
    > > > mail pass through the OUTSIDE interface to the mail server on the INSIDE
    > > > interface, port 25. I also need to have WWW traffic pass through the
    > > > OUTSIDE
    > > > interface to the web server on the DMZ. The config below allows WWW
    > > > traffic to pass through to the DMZ, but mail is not passing through to the
    > > > mail server on the INSIDE interface.
    > > >
    > > > PIX Version 6.3(1)
    > > > interface ethernet0 auto
    > > > interface ethernet1 auto
    > > > interface ethernet2 auto
    > > > nameif ethernet0 outside security0
    > > > nameif ethernet1 inside security100
    > > > nameif ethernet2 dmz security50
    > > > enable password BObnFRYhrLLX7XML encrypted
    > > > passwd a0Zhrf6icaFKoQsr encrypted
    > > > hostname pix
    > > > name 192.168.11.35 mx1
    > > > access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    > > > access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    > > > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    > > > access-list dmz_www permit tcp any host 207.97.140.130 eq www
    > > > pager lines 24
    > > > mtu outside 1500
    > > > mtu inside 1500
    > > > mtu dmz 1500
    > > > ip address outside 207.97.140.3 255.255.255.0
    > > > ip address inside 192.168.11.50 255.255.255.0
    > > > ip address dmz 172.16.128.1 255.255.255.0
    > > > ip audit info action alarm
    > > > ip audit attack action alarm
    > > > ip local pool ippool 192.168.15.1-192.168.15.254
    > > > arp timeout 14400
    > > > global (outside) 1 207.97.140.200-207.97.140.225
    > > > global (outside) 1 207.97.140.226
    > > > nat (inside) 0 access-list 101
    > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
    > > > static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
    > > > access-group dmz_www in interface outside
    > > > route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    > > > route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
     
    PES, Jul 2, 2004
    #4
  5. Mick

    Mick Guest

    "PES" <NO*SPAMpestewartREMOVE**SUCKS> wrote in message news:<40e53772$>...
    > "Mick" <> wrote in message news:...
    > > OK, so I do enable it?
    >
    > access-list dmz_www permit tcp any host 207.97.140.21 eq 25
    >
    > > (George) wrote in message news:<>...
    > > > You are not allowing smtp traffic in..
    > > >
    > > > "access-group dmz_www in interface outside"
    > > > and the associated access-list
    > > > " access-list dmz_www permit tcp any host 207.97.140.130 eq www "
    > > >
    > > > allow only www traffic..
    > > > HTH..
    > > > -G
    > > >
    > > >
    > > > (Mick) wrote in message news:<>...
    > > > > What I am trying to achieve is to have
    > > > > mail pass through the OUTSIDE interface to the mail server on the INSIDE
    > > > > interface, port 25. I also need to have WWW traffic pass through the
    > > > > OUTSIDE
    > > > > interface to the web server on the DMZ. The config below allows WWW
    > > > > traffic to pass through to the DMZ, but mail is not passing through to the
    > > > > mail server on the INSIDE interface.
    > > > >
    > > > > PIX Version 6.3(1)
    > > > > interface ethernet0 auto
    > > > > interface ethernet1 auto
    > > > > interface ethernet2 auto
    > > > > nameif ethernet0 outside security0
    > > > > nameif ethernet1 inside security100
    > > > > nameif ethernet2 dmz security50
    > > > > enable password BObnFRYhrLLX7XML encrypted
    > > > > passwd a0Zhrf6icaFKoQsr encrypted
    > > > > hostname pix
    > > > > name 192.168.11.35 mx1
    > > > > access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    > > > > access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    > > > > access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    > > > > access-list dmz_www permit tcp any host 207.97.140.130 eq www
    > > > > pager lines 24
    > > > > mtu outside 1500
    > > > > mtu inside 1500
    > > > > mtu dmz 1500
    > > > > ip address outside 207.97.140.3 255.255.255.0
    > > > > ip address inside 192.168.11.50 255.255.255.0
    > > > > ip address dmz 172.16.128.1 255.255.255.0
    > > > > ip audit info action alarm
    > > > > ip audit attack action alarm
    > > > > ip local pool ippool 192.168.15.1-192.168.15.254
    > > > > arp timeout 14400
    > > > > global (outside) 1 207.97.140.200-207.97.140.225
    > > > > global (outside) 1 207.97.140.226
    > > > > nat (inside) 0 access-list 101
    > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > > static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
    > > > > static (dmz,outside) 207.97.140.130 172.16.128.103 netmask 255.255.255.255 0 0
    > > > > access-group dmz_www in interface outside
    > > > > route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    > > > > route inside 192.168.0.0 255.255.255.0 192.168.11.1 1


    OK, I followed the post's advice, and now mail goes through to the INSIDE, but
    SSH is not going through to the server on the DMZ.

    Here is my config. What could be wrong now?

    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password BObnFRYhrLLX7XML encrypted
    passwd a0Zhrf6icaFKoQsr encrypted
    name 192.168.11.35 mx1

    access-list acl_out permit tcp any host 207.97.140.22 eq smtp
    access-list acl_out permit tcp any host 207.97.140.22 eq https
    access-list acl_out permit tcp any host 207.97.140.130 eq ssh
    access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list 101 permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
    access-list 101 permit ip 192.168.22.0 255.255.255.0 192.168.15.0 255.255.255.0

    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside 207.97.140.3 255.255.255.0
    ip address inside 192.168.11.50 255.255.255.0
    ip address dmz 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool ippool 192.168.15.1-192.168.15.254
    arp timeout 14400
    global (outside) 1 207.97.140.200-207.97.140.225
    global (outside) 1 207.97.140.226
    nat (inside) 0 access-list 101
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0

    static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0

    static (dmz,outside) 209.97.140.130 192.168.100.41 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
    access-group acl_out in interface outside
    route outside 0.0.0.0 0.0.0.0 207.97.140.1 1
    route inside 192.168.0.0 255.255.255.0 192.168.11.1 1
    route inside 192.168.22.0 255.255.255.0 192.168.11.1 1

    Thanks in advance.
     
    Mick, Jul 2, 2004
    #5
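On a PIX 6.x, an inbound connection to a published server needs two things to line up: a `static` that maps the public address to the server, and a `permit` for that same public address in the access-list bound inbound on the outside interface. Both configurations in this thread fail on exactly that pairing, and the mismatch is mechanical enough to check with a script. The following is an added example, not code from the thread or from Cisco: a small consistency checker that parses only the `name`, `access-list ... permit tcp/udp ... host X eq PORT`, `static` and `access-group` commands, resolves `name` aliases, re-joins lines the newsgroup wrapped, and reports permits with no static behind them, statics with no permit in front of them, and ACLs that are defined but never applied. The two embedded configurations are the ones posted in posts 1 and 5, trimmed to the lines the check reads; the finding kinds are my own labels.

```python
"""Cross-check a PIX 6.x config: each inbound permit should target an address a
static publishes, and each static on an interface with an inbound ACL should be
permitted by that ACL. Added example; only a subset of PIX syntax is parsed."""
import re
from collections import defaultdict

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ACL_RE = re.compile(
    r"^access-list (\S+) permit (tcp|udp) (?:any|host \S+) host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
# The newsgroup wrapped long lines: a bare "255.255.255.0" or "255.255.255.255 0 0"
# on a line of its own is the tail of the line before it.
WRAPPED_TAIL_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+(?: \d+ \d+)?$")

# Constructed input: the configs from posts 1 and 5 of the thread, trimmed to the
# name / access-list / static / access-group lines, original line wrapping kept.
CONFIG_POST1 = """\
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list 101 permit ip 192.168.11.0 255.255.255.0 192.168.15.0
255.255.255.0
access-list dmz_www permit tcp any host 207.97.140.130 eq www
static (inside,outside) 207.97.140.21 mail netmask 255.255.255.255 0 0
static (dmz,outside) 207.97.140.130 172.16.128.103 netmask
255.255.255.255 0 0
access-group dmz_www in interface outside
"""

CONFIG_POST5 = """\
name 192.168.11.35 mx1
access-list acl_out permit tcp any host 207.97.140.22 eq smtp
access-list acl_out permit tcp any host 207.97.140.22 eq https
access-list acl_out permit tcp any host 207.97.140.130 eq ssh
static (inside,outside) 207.97.140.22 mx1 netmask 255.255.255.255 0 0
static (dmz,outside) 209.97.140.130 192.168.100.41 netmask
255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0
access-group acl_out in interface outside
"""


def unwrap(text):
    """Return non-empty config lines with wrapped netmask tails re-joined."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and WRAPPED_TAIL_RE.match(line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse(text):
    """Collect name aliases, host permits per ACL, statics and inbound ACL bindings."""
    names, permits, statics, groups = {}, defaultdict(list), [], {}
    for line in unwrap(text):
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # alias -> address
        elif m := ACL_RE.match(line):
            acl, proto, dst, port = m.groups()
            permits[acl].append((proto, names.get(dst, dst), port))
        elif m := STATIC_RE.match(line):
            high, low, glob, local, mask = m.groups()
            statics.append((high, low, names.get(glob, glob), names.get(local, local), mask))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)          # interface -> ACL applied inbound
    return names, dict(permits), statics, groups


def audit(text):
    """Return findings as tuples; an empty list means ACLs and statics agree."""
    _, permits, statics, groups = parse(text)
    findings = []
    bound = set(groups.values())
    published = {glob for _, _, glob, _, _ in statics}   # addresses some static maps
    for iface, acl in groups.items():
        if acl not in permits:
            findings.append(("acl-without-host-permits", acl, iface))
    for acl, entries in permits.items():
        if acl not in bound:                  # defined but never applied: no effect
            findings.append(("acl-not-applied", acl))
        for _, dst, port in entries:
            if dst not in published:          # permit points at an unmapped address
                findings.append(("permit-without-static", acl, dst, port))
    for _, low, glob, local, _ in statics:
        acl = groups.get(low)                 # ACL facing the lower-security side
        if acl is None:                       # no ACL there: nothing can initiate inbound
            findings.append(("no-acl-on-interface", low, glob))
        elif not any(dst == glob for _, dst, _ in permits.get(acl, [])):
            findings.append(("static-without-permit", glob, local, acl))
    return findings


if __name__ == "__main__":
    for label, cfg in (("post 1", CONFIG_POST1), ("post 5", CONFIG_POST5)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print("  " + " ".join(finding))
```

Run against post 1 it reports that `acl_out` is never applied, that its SMTP permit for 207.97.140.22 has no static behind it, and that the mail static for 207.97.140.21 has no permit in `dmz_www`, which is the gap George describes. Run against post 5 it reports that the SSH permit for 207.97.140.130 has no static behind it while the DMZ static publishes 209.97.140.130 with no permit in front of it; the two addresses differ in their first octet, which is the kind of discrepancy a pairing check catches before a packet capture would. The `no-acl-on-interface` entry for the `(inside,dmz)` static is informational: with nothing applied on `dmz`, hosts there cannot open connections toward the inside, which is the behaviour you want from a DMZ.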
