DMZ and mail relay

laupeng
Level 1

Hi, I am trying to configure a PIX 515E for int/ext/dmz but am facing some problems that need your kind help. I have no problems configuring the int & external (tested successfully) but I am confused on the DMZ configuration after adding a mail relay server (hosting 2 email domains). The mail relay will filter and forward all mails for abc.com to the internal Exchange server and also serve as a mail server for efg.com users to retrieve emails externally through POP3. Below is part of my PIX configuration:

```text
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
names
name 210.xxx.xxx.xx6 mail_server
name 210.xxx.xxx.xx8 mail_relay
object-group service INBOUND tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq www
 port-object eq https
 port-object eq domain
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list outside_access_in permit tcp any any object-group INBOUND
access-list dmz_access_in permit tcp any any object-group INBOUND
access-list vpn_inside_outbound permit ip any 192.168.1.224 255.255.255.224
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 210.xxx.xxx.xx5 255.255.255.224
ip address inside 192.168.1.10 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip local pool VPN 192.168.1.230-192.168.1.254
global (outside) 10 210.xxx.xxx.xx9
global (outside) 9 210.xxx.xxx.x10
nat (inside) 0 access-list vpn_inside_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 9 10.0.0.0 255.255.255.0 0 0
static (inside,outside) mail_server 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) mail_relay 192.168.1.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 210.xxx.xxx.xx7 1
http server enable
http 192.168.1.1 255.255.255.255 inside
```

Questions:

(1) From the configuration above, why can't I use the public IP to retrieve emails from the mail relay, either from the internet or from the local network? Any issue with DNS? I have an internal DNS server for the local network.

(2) Will the access-list above allow the mails for abc.com to be forwarded to the internal mail server? I tried it but it works intermittently. Strange?

(3) How many access-lists can I apply to an interface? If I want to allow PING to external, will the command "access-list outside_access_in permit icmp any any echo-reply" work? I tried it but to no avail.

(4) How can I telnet from external? I know it is not allowed by default. I even tried it using a VPN connection and telnetting to its interface, but to no avail.

(5) Do I really need the POP3 port open, or is just the SMTP port enough to send and receive?

I am new to this stuff and have been reading and searching for answers but still need advice from experts. Thanks in advance for any advice/help.

2 Replies

nkhawaja
Cisco Employee

Hi,

I am sure that there is a typo in the following:

static (inside,outside) mail_server 192.168.1.2 netmask 255.255.255.255 0 0

static (dmz,outside) mail_relay 192.168.1.2 netmask 255.255.255.255 0 0

The actual IP address of mail_relay must be 10.0.0.x, right?

Please find your answers inline.

(1) From the configuration above, why can't I use the public IP to retrieve emails from the mail relay, either from the internet or from the local network? Any issue with DNS? I have an internal DNS server for the local network.

>> Your config seems to be correct except for the static as I stated above. Who/what DNS server resolves your mail_relay IP address/domain name? You have got to have a DNS server (external) that will resolve the domain name to an IP address.

(2) Will the access-list above allow the mails for abc.com to be forwarded to the internal mail server? I tried it but it works intermittently. Strange?

>> The access-list does allow the email to come to your mail_relay etc. There is another mistake in your access-list: it needs to permit udp/53 instead of tcp/53 if your mail_relay needs to reach the DNS server on the inside.

(3) How many access-lists can I apply to an interface? If I want to allow PING to external, will the command "access-list outside_access_in permit icmp any any echo-reply" work? I tried it but to no avail.

>> Only one access-list can be applied to each interface. Yes, this should work for ICMP reply: "access-list outside_access_in permit icmp any any echo-reply".

(4) How can I telnet from external? I know it is not allowed by default. I even tried it using a VPN connection and telnetting to its interface, but to no avail.

>> Yes, you are right; only SSH to the external interface is possible. You can also terminate a VPN on the outside interface and telnet to it.

(5) Do I really need the POP3 port open, or is just the SMTP port enough to send and receive?

>> SMTP is to send and receive emails, but POP3 is to get access to your mailbox.

Regards,

Nadeem
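
The three mistakes raised in this reply (a static whose real address is not on the source interface's subnet, DNS permitted over tcp only, and a hardware port named twice) can be caught mechanically. The following lint is an added example written for this thread, not Cisco code or the poster's; the config it parses is a constructed excerpt modelled on the posted one, with the masked public addresses replaced by 203.0.113.x placeholders.

```python
import ipaddress

# Constructed excerpt modelled on the thread's config (masked public addresses replaced
# with 203.0.113.x); the DMZ static keeps the 192.168.1.2 typo the reply points out.
PIX_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
name 203.0.113.6 mail_server
name 203.0.113.8 mail_relay
object-group service INBOUND tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq domain
access-list outside_access_in permit tcp any any object-group INBOUND
ip address outside 203.0.113.5 255.255.255.224
ip address inside 192.168.1.10 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
static (inside,outside) mail_server 192.168.1.2 netmask 255.255.255.255 0 0
static (dmz,outside) mail_relay 192.168.1.2 netmask 255.255.255.255 0 0
"""


def lint_pix(config):
    """Flag the three mistakes raised in the thread; returns a list of finding strings."""
    findings, subnets, hw_ports, statics = [], {}, {}, []
    group, tcp_dns, udp_permit = None, False, False
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["ip", "address"]:                 # ip address <if> <addr> <mask>
            subnets[words[2]] = ipaddress.ip_network(f"{words[3]}/{words[4]}", strict=False)
        elif words[:1] == ["nameif"]:                      # nameif <hw-port> <if-name> securityN
            if words[1] in hw_ports:
                findings.append(f"nameif: {words[1]} assigned to both {hw_ports[words[1]]} and {words[2]}")
            hw_ports[words[1]] = words[2]
        elif words[:2] == ["object-group", "service"]:     # remember the protocol of the group
            group = words[3]
        elif words[:2] == ["port-object", "eq"] and words[2] in ("domain", "53"):
            tcp_dns |= group == "tcp"                      # DNS listed in a tcp-only group
        elif words[:1] == ["access-list"] and words[2:4] == ["permit", "udp"]:
            udp_permit = True
        elif words[:1] == ["static"]:                      # static (<src>,<dst>) <mapped> <real> ...
            statics.append((words[1].strip("()").split(",")[0], words[3]))
    for src_if, real in statics:                           # real address must sit on the source interface
        if src_if in subnets and ipaddress.ip_address(real) not in subnets[src_if]:
            findings.append(f"static ({src_if}): real address {real} is not in the {src_if} subnet {subnets[src_if]}")
    if tcp_dns and not udp_permit:
        findings.append("dns: 'domain' is permitted over tcp only; DNS queries need udp/53")
    return findings
```

Running `lint_pix(PIX_CONFIG)` reports the dmz static and the tcp-only DNS rule; once the real address is corrected to 10.0.0.2 and a `permit udp ... eq domain` line is added, it reports nothing.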

Thanks for your help. I will try it out and let you know if it works. Yes, it is a typo (mail relay 10.0.0.2). There are still some things I need your help to explain, if you don't mind:

(1) We host the domain name (DNS MX record) with an external hosting ISP. When I used Outlook to test the POP3 connection to the mail relay (for domain efg.com, to retrieve emails from this server, POP3: 210.xxx.xxx.xx8, SMTP: 210.xxx.xxx.xx8) using the public IP, it returned an error that the server was found but did not respond. If I changed the IP address for the POP3 and SMTP mail server to the DMZ mail relay IP 10.0.0.2 and tested it from the internal network (192.168.1.0), it connected and retrieved emails successfully. Is it related to the DNS? Currently efg.com is still hosted at the ISP. Our company has decided to host and maintain that email domain ourselves.

(3) I applied that ICMP access list to the outside interface but still fail to get PING responses.

(4) Where can I get an SSH program? What do you mean by terminate VPN to the outside interface?

I really appreciate your kind help.
