New Member

cannot access servers in dmz either from inside or outside

I have 2 servers in the DMZ, which are SMTP gateway servers and DNS servers.

I can ping the servers from inside and outside, but I cannot send or receive mail and cannot ping anybody from the DMZ by hostname.

If I apply the "dmz_coming_in" access-list I am getting mails from outside, but I cannot ping any host by hostname.

If I remove the "dmz_coming_in" access-list I can send mail outside and I can ping any host by hostname, but I cannot receive mail from outside.

Please help with this.

My configuration is:

                        DMZ
              206.x.x.128-206.x.x.254
                         |
                         |
Inside--170.x.x.x and 10.0.0.---Firewall-206.x.x.x-206.x.x.126------router------ internet
                      Firewall
                         |
                         |
                   isp2 171.x.x.x

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security50

nameif ethernet3 ISP2 security60

nameif ethernet4 intf4 security20

nameif ethernet5 intf5 security25

nameif ethernet6 intf6 security30

nameif ethernet7 failover security15

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname pix-1

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list outside_access_in permit tcp any host 206.X.X.X eq smtp

access-list outside_access_in permit tcp any host 206.X.X.X eq smtp

access-list outside_access_in permit udp any host 206.X.X.X eq domain

access-list outside_access_in permit udp any host 206.X.X.X eq domain

access-list outside_access_in permit icmp any any

access-list outside_access_in deny ip any any

access-list dmz_coming_in permit icmp any any

access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq smtp

access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq www

access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq smtp

access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq www

access-list dmz_coming_in permit udp host 206.X.X.X host 170.X.X.X eq domain

access-list dmz_coming_in permit udp host 206.X.X.X host 170.X.X.X eq domain

access-list 101 permit ip 170.x.x.0 255.255.255.0 206.x.x.128 255.255.255.128

pager lines 24

logging on

logging monitor errors

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 100full

interface ethernet3 100full

interface ethernet4 auto shutdown

interface ethernet5 auto shutdown

interface ethernet6 auto shutdown

interface ethernet7 100full

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu ISP2 1500

mtu intf4 1500

mtu intf5 1500

mtu intf6 1500

mtu failover 1500

ip address outside 206.X.X.X 255.255.255.128

ip address inside 170.X.X.X 255.255.255.0

ip address DMZ 206.X.X.252 255.255.255.128

ip address ISP2 171.X.X.21 255.255.255.0

ip address intf4 127.0.0.1 255.255.255.255

ip address intf5 127.0.0.1 255.255.255.255

ip address intf6 127.0.0.1 255.255.255.255

ip address failover 7.7.7.7 255.0.0.0

ip audit info action alarm

ip audit attack action alarm

failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 206.X.X.X

failover ip address inside 170.X.X.3

failover ip address DMZ 206.X.X.253

failover ip address ISP2 171.X.X.21

failover ip address intf4 0.0.0.0

failover ip address intf5 0.0.0.0

failover ip address intf6 0.0.0.0

failover ip address failover 7.7.7.8

failover link failover

pdm location 169.x.x.155 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128

global (outside) 1 206.X.X.X

global (DMZ) 1 206.X.X.X-206.X.X.X

nat (inside) 0 access-list 101

nat (inside) 1 1 170.X.X.X 255.255.255.0

nat (inside) 1 10.0.0.0 255.0.0.0 0 0

nat (DMZ) 0 206.x.x.128 255.255.255.128 0 0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group dmz_coming_in in interface DMZ

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 206.X.X.X

route inside 10.0.0.0 255.0.0.0 170.X.X.1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-pptp

no sysopt route dnat

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e

: end

[OK]

Please help, is there anything I am doing wrong?

Thanks

4 REPLIES
New Member

Re: cannot access servers in dmz either from inside or outside

You receive mail using the POP3 (or 2) protocol.

It looks like you are permitting the DMZ objects to initiate SMTP, WWW, and DNS "sessions" with internal hosts, since you are saying

access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq www

where www is the destination port.

By default the internal objects should be able to access the DMZ objects and the specified return traffic should be allowed. Of course, if you remove the access-list you will be able to send mail out because of the nature of the ASA.

And of course the ping will work because you allowed it in both directions. I would start off by concentrating on the access-list that will be applied to the outside interface, and possibly configure the DMZ servers as network object-groups to stay organized.

object-group network mailservers

network-object host 206.X.X.X (dmz mail srv1)

network-object host 206.X.X.X (dmz mail srv2)

object-group network dnsservers

network-object host 206.X.X.X (dmz dns srv1)

network-object host 206.X.X.X (dmz dns srv2)

Then say:

access-list outside_access permit tcp any object-group mailservers eq smtp

access-list outside_access permit udp any object-group dnsservers eq domain

access-group outside_access in interface outside

I would also define the ICMP stuff as a protocol object-group to be safer and only define the types of ICMP messages to come through. Once you get this far and test it, then I would worry about an access-list on the DMZ interface.

New Member

Re: cannot access servers in dmz either from inside or outside

I receive mail using SMTP.

I have an SMTP relay server and DNS server (on the same box) in my DMZ, and my Exchange server is inside; all my external mail is processed through the SMTP relay server.

When I applied "access-list dmz_coming_in" to the DMZ interface, I am able to receive my mail from outside, but I cannot query my DNS server, cannot ping any host by host name, and cannot send mail outside; mail sits in my SMTP relay server.

When I remove this access-list I can ping, query DNS and send mail outside through my Exchange, but I cannot receive mail; mail comes to my SMTP relay server and it just gives me the error "cannot find server".

New Member

Re: cannot access servers in dmz either from inside or outside

And also, just in case that is your "real" encrypted enable password: there is a lot of software available free over the Internet that can crack MD5 hashes. I would beware when posting the complete config.

New Member

Re: cannot access servers in dmz either from inside or outside

I applied this access-list and everything is working.

I applied it to the DMZ.

Will this create any security holes?

access-list in_access_dmz permit icmp any any

access-list in_access_dmz permit tcp host 206.X.X.X any eq smtp

access-list in_access_dmz permit tcp host 206.X.X.X any eq www

access-list in_access_dmz permit tcp host 206.X.X.X any eq smtp

access-list in_access_dmz permit tcp host 206.X.X.X any eq www

access-list in_access_dmz permit udp host 206.X.X.X any eq domain

access-list in_access_dmz permit udp host 206.X.X.X any eq domain

access-group in_access_dmz in interface DMZ

Thanks for your help.

I am still in the testing phase.
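The last post asks whether the `in_access_dmz` list opens any holes, and the first reply suggested reasoning about which sessions each DMZ host may initiate. The following evaluator is an added example, not code from this thread or from Cisco: it parses the access-list syntax used on this page (first match wins, with the implicit deny PIX appends to every applied list) and compares the poster's first DMZ list, the final one, and a hypothetical tighter variant. Because the thread masks its addresses, all hosts and networks in the block are constructed stand-ins from RFC 5737 documentation space, and the `dmz_out` list and its hostnames are assumptions of this example, not the poster's configuration.

```python
"""Added example (not from the thread or Cisco): a small evaluator for the
access-list subset used on this page, so a DMZ list can be tested instead
of eyeballed.

Supported syntax:  access-list NAME permit|deny PROTO SRC DST [eq PORT]
SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; PORT is a number or one
of the names that appear in the thread. All addresses are constructed
stand-ins (RFC 5737 ranges) for the poster's masked 206.X / 170.X hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "domain": 53}


@dataclass
class Rule:
    name: str
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]             # destination port, None = any port


def _endpoint(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D MASK' form, as in the poster's access-list 101
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Turn access-list lines into Rule objects, keeping their order (first match wins)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        src, i = _endpoint(tokens, 4)
        dst, i = _endpoint(tokens, i)
        port = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            p = tokens[i + 1]
            port = int(p) if p.isdigit() else PORT_NAMES[p]
        rules.append(Rule(name, action, proto, src, dst, port))
    return rules


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation; anything unmatched hits the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.port is not None and r.port != dst_port:
            continue
        return r.action
    return "deny"


def permitted_services(rules, src_ip, dst_ip):
    """The (proto, port) pairs mentioned in the list that src_ip may open toward dst_ip."""
    services = {(r.proto, r.port) for r in rules if r.proto != "ip"}
    return {svc for svc in services if evaluate(rules, svc[0], src_ip, dst_ip, svc[1]) == "permit"}


# Constructed stand-ins for the thread's masked hosts.
RELAY = "192.0.2.130"           # DMZ box running the SMTP relay and DNS
EXCHANGE = "198.51.100.10"      # inside Exchange server
OTHER_INSIDE = "198.51.100.55"  # an unrelated inside host
INTERNET_MX = "203.0.113.5"     # some mail server on the Internet
INSIDE_NET = "198.51.100.0 255.255.255.0"

# The poster's first DMZ list: the relay may only talk to the one inside host.
ORIGINAL = """
access-list dmz_coming_in permit icmp any any
access-list dmz_coming_in permit tcp host 192.0.2.130 host 198.51.100.10 eq smtp
access-list dmz_coming_in permit tcp host 192.0.2.130 host 198.51.100.10 eq www
access-list dmz_coming_in permit udp host 192.0.2.130 host 198.51.100.10 eq domain
"""

# The list from the last post: 'any' also covers every inside host.
FINAL = """
access-list in_access_dmz permit icmp any any
access-list in_access_dmz permit tcp host 192.0.2.130 any eq smtp
access-list in_access_dmz permit tcp host 192.0.2.130 any eq www
access-list in_access_dmz permit udp host 192.0.2.130 any eq domain
"""

# Hypothetical tighter variant: name the inside host first, block the rest of
# the inside network, then let the relay reach the Internet.
TIGHTER = f"""
access-list dmz_out permit tcp host 192.0.2.130 host 198.51.100.10 eq smtp
access-list dmz_out deny ip any {INSIDE_NET}
access-list dmz_out permit tcp host 192.0.2.130 any eq smtp
access-list dmz_out permit udp host 192.0.2.130 any eq domain
"""

if __name__ == "__main__":
    for label, text in (("dmz_coming_in", ORIGINAL), ("in_access_dmz", FINAL), ("dmz_out", TIGHTER)):
        rules = parse_acl(text)
        print(label, "relay -> Internet MX:", permitted_services(rules, RELAY, INTERNET_MX))
        print(label, "relay -> other inside host:", permitted_services(rules, RELAY, OTHER_INSIDE))
```

Running it reproduces the thread's symptoms: under `dmz_coming_in` the relay cannot open SMTP or DNS to any Internet host (mail sits in the relay), while under `in_access_dmz` the relay may open SMTP, HTTP and DNS to every inside address, not just the Exchange server, and ICMP to anything. The `dmz_out` ordering keeps the outbound mail flow but returns the relay's reach into the inside network to the single host it needs.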
