
BorderWare Mail Firewall and PIX configuration

We have two Cisco PIX 525s (PIXA and PIXB, a failover pair) connected to another two PIXes (PIX1 and PIX2); we have no administrative control over the other two PIXes (i.e. PIX1, PIX2).

Our (our company's) outside network is the IP range between (PIXA, PIXB) and (PIX1, PIX2), which is 10.1.1.0/24; in turn, PIX1 and PIX2 connect to the outside world (public IP addresses).

I have two mail firewall devices within our DMZ area (PIXA, PIXB):

First mail firewall (mfa): 192.168.101.3, and second mail firewall (mfb): 192.168.101.5

Our two clustered Exchange mail servers are in the inside area (not the DMZ), with clustered IP address 192.168.2.23.

The function of the mail firewall (BorderWare MX200) is: it receives emails from outside and delivers them to Exchange, and the other way around, it receives emails from Exchange and delivers them to the outside.

Note: we use the format 192.168.101.x for all IP addresses within the DMZ region.

The configuration on our firewall (PIXA, PIXB) is:

static (inside,dmz) 192.168.101.253 192.168.2.23 netmask 255.255.255.255 0 0

static (dmz,outside) 10.1.1.132 192.168.101.3 netmask 255.255.255.255 0 0

access-list dmz permit tcp host 192.168.101.3 host 192.168.101.253 eq smtp

access-list outside permit tcp any host 10.1.1.132 eq smtp

access-list outside permit tcp host 10.1.1.132 host 192.168.2.23 eq smtp (I do not know why this was there; I guess it is wrong!)

access-group outside in interface outside

access-group dmz in interface dmz

We added a second mail firewall (mfb); we have created a cluster for load balancing with the first mail firewall.

We have created the same rules as for the first mail firewall (mfa), i.e. like below:

static (inside,dmz) 192.168.101.253 192.168.2.23 netmask 255.255.255.255 0 0 (this is already there)

static (dmz,outside) 10.1.1.202 192.168.101.5 netmask 255.255.255.255 0 0

access-list dmz permit tcp host 192.168.101.5 host 192.168.101.253 eq smtp

access-list outside permit tcp any host 10.1.1.202 eq smtp

In order to eliminate the sources of the problem, what tests should I do?
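Before testing on the wire, it is worth checking that the second mail firewall's statics and ACL entries mirror the first one's exactly. The script below is an added example for this thread, not the poster's configuration nor a Cisco tool: it parses the PIX 6.x `static` and `access-list` lines quoted above (embedded as a constructed string) and verifies, for every address published on the outside interface, that an `outside` ACL entry permits SMTP to the mapped address and that a `dmz` ACL entry lets the real DMZ host reach an inside translation. It also reports any `outside` ACL entry whose destination is not an address translated on the outside interface, which is what the questionable entry towards 192.168.2.23 is: from outside, the Exchange cluster is only ever reachable through a global address, so that entry can never match.

```python
import re
from dataclasses import dataclass

# Constructed from the PIX 6.x configuration quoted in the post (both mail
# firewalls, plus the questionable outside entry towards 192.168.2.23).
PIX_CONFIG = """
static (inside,dmz) 192.168.101.253 192.168.2.23 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.132 192.168.101.3 netmask 255.255.255.255 0 0
static (dmz,outside) 10.1.1.202 192.168.101.5 netmask 255.255.255.255 0 0
access-list dmz permit tcp host 192.168.101.3 host 192.168.101.253 eq smtp
access-list dmz permit tcp host 192.168.101.5 host 192.168.101.253 eq smtp
access-list outside permit tcp any host 10.1.1.132 eq smtp
access-list outside permit tcp any host 10.1.1.202 eq smtp
access-list outside permit tcp host 10.1.1.132 host 192.168.2.23 eq smtp
access-group outside in interface outside
access-group dmz in interface dmz
"""

# static (real_if,mapped_if) mapped real [netmask ...]
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
# access-list NAME permit tcp SRC DST eq PORT, with SRC/DST = any | host A.B.C.D
ACL_RE = re.compile(r"^access-list (\S+) permit tcp (any|host \S+) (any|host \S+) eq (\S+)$")


@dataclass(frozen=True)
class Static:
    real_if: str    # interface where the real address lives
    mapped_if: str  # interface where the translated (global) address is seen
    mapped: str
    real: str


@dataclass(frozen=True)
class Ace:
    acl: str
    src: str
    dst: str
    port: str


def parse(config: str):
    """Pick the static translations and the TCP permit entries out of a config dump."""
    statics, aces = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if (m := STATIC_RE.match(line)):
            statics.append(Static(*m.groups()))
        elif (m := ACL_RE.match(line)):
            aces.append(Ace(*m.groups()))
    return statics, aces


def _addr(obj: str) -> str:
    """'host 10.1.1.132' -> '10.1.1.132'; 'any' -> 'any'."""
    return obj.split()[-1]


def check_mail_path(config: str, port: str = "smtp"):
    """Return findings for the outside -> DMZ relay -> inside mail path.

    For every static published on the outside interface we expect an 'outside'
    ACL entry permitting `port` to the mapped address, and a 'dmz' ACL entry
    letting the real DMZ host reach an inside host's translation. 'outside'
    entries whose destination is not translated on that interface never match.
    """
    statics, aces = parse(config)
    findings = []
    outside_globals = {s.mapped for s in statics if s.mapped_if == "outside"}
    inside_as_seen_from_dmz = {s.mapped for s in statics if s.mapped_if == "dmz"}

    for s in (s for s in statics if s.mapped_if == "outside"):
        inbound = [a for a in aces if a.acl == "outside"
                   and _addr(a.dst) in (s.mapped, "any") and a.port == port]
        if not inbound:
            findings.append(f"{s.mapped}->{s.real}: no 'outside' ACL entry permits {port} to {s.mapped}")
        relay = [a for a in aces if a.acl == "dmz" and _addr(a.src) == s.real
                 and _addr(a.dst) in inside_as_seen_from_dmz and a.port == port]
        if not relay:
            findings.append(f"{s.mapped}->{s.real}: no 'dmz' ACL entry lets {s.real} reach an inside mail translation on {port}")

    for a in aces:
        if a.acl == "outside" and a.dst != "any" and _addr(a.dst) not in outside_globals:
            findings.append(f"'outside' ACL entry to {_addr(a.dst)}: address is not translated on the outside interface, so the entry never matches")
    return findings


if __name__ == "__main__":
    for finding in check_mail_path(PIX_CONFIG):
        print(finding)
```

Run against the quoted configuration it reports only the dead entry towards 192.168.2.23; delete the mfb `outside` entry from the string and it additionally reports that 10.1.1.202 has no inbound permit, which is the class of omission to look for before blaming the BorderWare cluster itself.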

1 REPLY
New Member

Re: BorderWare Mail Firewall and PIX configuration

From outside (through the net), I did this test against the first mail firewall (mfa), which is in production:

telnet 213.178.101.3 25 (fake public IP address, which is NATted to the first mail firewall)

220 mfa.exfw.in ESMTP

helo mfa

250 mfa.exfw.in

mail from: nicename@us.com

250 Ok

rcpt to: a.peter@exfw.in

250 Ok

data

354 End data with .

test message

.

Quit

.

Quit250 Ok: queued as 86946A7AMD

But I failed when I tried the same test on the second mail firewall (mfb).
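The telnet session above proves mfa's path end to end; what matters for mfb is how the same test fails, because a timeout, a refusal and an empty session point at different places on the PIX. The script below is an added example, not the poster's procedure or a BorderWare tool: it uses Python's standard `smtplib` to open a session, read the banner, send EHLO (falling back to HELO) and QUIT without submitting mail, classifies any failure, and compares a known-good address with a suspect one. The EHLO name `probe.example`, the placeholder addresses in the 203.0.113.0/24 documentation range and the failure-to-cause mapping are assumptions of this example.

```python
import smtplib
import socket


def classify_failure(exc: BaseException) -> str:
    """Translate a probe exception into the most likely cause on the firewall path.

    Rule of thumb for a PIX/NAT setup like the one in the thread (an assumption,
    not a guarantee): no TCP answer usually means the ACL or static does not
    match; a refusal means a host answered but nothing listens on the port.
    """
    if isinstance(exc, socket.timeout):
        return "timeout: no answer to the SYN (ACL denying, or no static for this address)"
    if isinstance(exc, ConnectionRefusedError):
        return "refused: a host answered but nothing listens on the port (static points at the wrong host, or service down)"
    if isinstance(exc, smtplib.SMTPServerDisconnected):
        return "disconnected: TCP session opened but no banner arrived (inspection/fixup or host policy)"
    return f"other: {type(exc).__name__}: {exc}"


def probe_smtp(host: str, port: int = 25, timeout: float = 10.0,
               helo_name: str = "probe.example") -> dict:
    """Open an SMTP session, read the banner, EHLO (fall back to HELO), then QUIT.

    No mail is submitted; the session stops after the greeting exchange. The
    returned dict can be logged or compared between two published addresses.
    """
    result = {"host": host, "port": port, "banner": None,
              "greeting_code": None, "ok": False, "error": None}
    try:
        # SMTP() without a host does not connect; connect() returns (code, banner).
        with smtplib.SMTP(timeout=timeout) as smtp:
            code, banner = smtp.connect(host, port)
            result["banner"] = banner.decode("ascii", errors="replace")
            if code != 220:
                result["error"] = f"unexpected greeting code {code}"
                return result
            code, _ = smtp.ehlo(helo_name)
            if code != 250:
                code, _ = smtp.helo(helo_name)
            result["greeting_code"] = code
            result["ok"] = code == 250
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = classify_failure(exc)
    return result


def compare_probes(working: dict, failing: dict) -> str:
    """Summarise a side-by-side probe of a known-good and a suspect address."""
    if working["ok"] and not failing["ok"]:
        return f"{failing['host']} differs from {working['host']}: {failing['error']}"
    if working["ok"] and failing["ok"]:
        return "both addresses answer SMTP; look beyond basic reachability (DNS/MX, relay rules)"
    return "reference address is not answering either; check the probe's own path first"


if __name__ == "__main__":
    # Placeholder addresses (documentation range): substitute the published,
    # NATted addresses of mfa and mfb when running this for real.
    reference = probe_smtp("203.0.113.10")
    suspect = probe_smtp("203.0.113.11")
    print(compare_probes(reference, suspect))
```

Running it from the same outside vantage point as the telnet test, against mfa's and mfb's published addresses in turn, turns "I failed" into one of three concrete statements about where the session died, which is the information needed to decide whether to look at the `outside` ACL, the `static (dmz,outside)` entry, or the mfb host itself.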
