NAT and DMZ question

acydgod
Level 4

Hi,

We have a PIX 515 with inside, outside and dmz zones which is doing NAT on our mail server from inside to outside.

The problem is that users on the DMZ cannot seem to access the mail server by the outside/public IP.

The relevant access lists are:

access-list outside-acl extended permit tcp any host external-mailserver eq smtp

access-list dmz-acl extended permit tcp any host external-mailserver eq smtp

and a static NAT for our mail server

static (inside,outside) external-mailserver internal-mailserver netmask 255.255.255.255

I would think it's something obvious but who knows. I thought perhaps the return traffic that goes back out the 'outside' interface is not permitted to reach the dmz but I thought the access list would keep state, no?

Thanks for any help.

3 Replies

Hi,

To allow DMZ users to access the internal server with its public IP you need:

static (outside,DMZ) external-mailserver internal-mailserver

Hope it helps.

Federico.

Sorry the command above is incorrect.

The correct command is:

static (inside,DMZ) external-mailserver internal-mailserver

Federico.
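
Added example, not part of the original thread and not Cisco's code: a small Python check for the gap this thread ran into, where an ACL applied to an interface permits traffic to a static's mapped address but no static presents that address on that interface from the server's real interface. The access-group lines in the sample are assumed (the thread does not show them), and interface names are compared case-insensitively because the thread writes both dmz and DMZ.

```python
import re

# Constructed sample: the ACL and static lines quoted in the thread, plus
# access-group bindings that the thread does not show (assumed).
BEFORE = """\
access-list outside-acl extended permit tcp any host external-mailserver eq smtp
access-list dmz-acl extended permit tcp any host external-mailserver eq smtp
access-group outside-acl in interface outside
access-group dmz-acl in interface dmz
static (inside,outside) external-mailserver internal-mailserver netmask 255.255.255.255
"""
AFTER = BEFORE + "static (inside,DMZ) external-mailserver internal-mailserver\n"

STATIC = re.compile(r"static \((\S+?),(\S+?)\)\s+(\S+)\s+(\S+)", re.I)
GROUP = re.compile(r"access-group (\S+) in interface (\S+)", re.I)
# The greedy match keeps the last "host X" on the line, i.e. the destination.
PERMIT = re.compile(r"access-list (\S+) .*\bpermit\b.* host (\S+)", re.I)

def missing_statics(config):
    """Return sorted (interface, mapped_address) pairs that an applied ACL
    permits but that no static translates from the server's real interface."""
    statics = set()   # (mapped_if, mapped_addr, real_if, real_addr)
    origin = {}       # mapped_addr -> (real_if, real_addr) from its first static
    bound = {}        # ACL name -> interface it filters inbound
    permits = []      # (ACL name, destination host)
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC.match(line):
            real_if, mapped_if, mapped_addr, real_addr = m.groups()
            real = (real_if.lower(), real_addr)
            origin.setdefault(mapped_addr, real)
            statics.add((mapped_if.lower(), mapped_addr) + real)
        elif m := GROUP.match(line):
            bound[m.group(1)] = m.group(2).lower()
        elif m := PERMIT.match(line):
            permits.append(m.groups())
    gaps = set()
    for acl, dest in permits:
        iface = bound.get(acl)
        if iface is None or dest not in origin:
            continue  # ACL not applied, or destination is not a mapped address
        if iface == origin[dest][0]:
            continue  # clients on the server's own interface are out of scope
        if (iface, dest) + origin[dest] not in statics:
            gaps.add((iface, dest))
    return sorted(gaps)

if __name__ == "__main__":
    print("before:", missing_statics(BEFORE), "after:", missing_statics(AFTER))
```

The check treats the first static seen for a mapped address as the record of where the server really lives, so a static written with the wrong real interface still leaves the gap reported.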

Thanks. Your second answer was correct, but when I marked it correct it seems to show first to me.
