Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Advice About Network Design and Security

Dear All,

I have the following network scenario:

An Internal Mail server that forward the mail messages to an external sendmail server that send/receive the mails from Internet.

Between the two mails servers starting from the inside, there are a L3Switch that act like bridge among the internal networks subnets where is connected the internal mail server .161.

The L3Switch is connected to the first Pix on the inside interface, and it is connected to the second Pix inside interface by its Dmz interface.The second pix has connected on the outside interface the ISP router, and on its DMZ the sendmail server that has a public ip

My question is:

From a security point of view, how is important that the internal and external mail server do not has routing informations about the external and internal networks ?I have configured the second pix to perform a port redirection in this way:

static (dmz,inside) tcp smtp smtp netmask

The internal mail server forward the mail to the pix apply the static, perform the port redirection to

Than I have added also:

static (dmz,inside) netmask

In this way the pix perform the outside nat so the source address is changed from to,so I have configured on the external mail server the instead of the real ip.

New Member

Re: Advice About Network Design and Security


I'm not sure about best practice in this area, but I think it's safe to say that the less information that's available on your externally reachable devices, the better. I think your config is sound, but if possible, it's a good idea to retrict access to the smtp port of your external mail server to trusted hosts.