DMZ can't access inside or outside interface

abuaqel
Level 1

Hello everyone,

We are having a problem with a Cisco PIX Firewall 515 on a customer site. We have three interfaces on the PIX. We are configuring our mail server on the DMZ (the server in the DMZ needs to communicate with another mail server on the inside LAN). We can connect to the internet from the inside LAN properly, we can access the DMZ from the inside and we can ping it also from the inside, and we are also able to get to the DMZ from the outside for the Web Access application. The problem is that we can't access the inside or the outside from the DMZ. Also, we weren't able to access the DMZ from the inside until we used a conduit to permit it, though I know that traffic from a high security interface to a lower security interface doesn't need a conduit or an ACL. You can see that our customer is using a wrong address range for the inside interface, but they will take care of it later. I also know it is not recommended to use ACLs with conduits, but this is the only way it worked. I am posting my configuration below. Please advise us. Thanks.

Note: The software engineer who is handling the mail server asked us to turn off the mailguard feature for his application.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 20
! Turn off mailguard
no fixup protocol smtp 25
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside A.B.C.66 255.255.255.248
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
static (dmz,outside) A.B.C.68 192.168.0.2 netmask 255.255.255.255 0 0
access-list fromOut permit tcp any host A.B.C.68 eq smtp
access-list fromOut permit tcp any host A.B.C.68 eq http
global (outside) 1 A.B.C.67 netmask 255.255.255.248
! 128.100.14.100 is our ISA server in the inside LAN
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
! 192.168.0.2 is the Mail server in the DMZ
conduit permit tcp host 192.168.0.2 eq smtp http any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 A.B.C.65 1

3 Replies

gfullage
Cisco Employee

Get rid of these:

static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
! 192.168.0.2 is the Mail server in the DMZ
conduit permit tcp host 192.168.0.2 eq smtp http any
conduit permit icmp any any

For the mail server (or any host on the DMZ) to access the inside do the following:

static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz

and for the dmz to access the outside do:

nat (dmz) 1 192.168.0.0 255.255.255.0
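The reply above rests on two PIX 6.x rules: a flow from a higher- to a lower-security interface needs a translation for the source hosts (a `nat`/`global` pair or a `static (src,dst)`), and a flow from a lower- to a higher-security interface needs a `static (dst,src)` exposing the destination hosts plus an `access-group` (or legacy conduit) permitting it. As an added illustration, not code from the thread or from Cisco, the following Python audit parses the posted configuration and reports every interface pair where those rules are not satisfied. The redacted A.B.C addresses are replaced with constructed 203.0.113.0/24 documentation-range stand-ins, and the "after" configuration is the posted one with the reply's three removals and four additions applied.

```python
"""Audit a PIX 6.x-style configuration for the interface-crossing rules:
  * higher -> lower security: source hosts need nat (src) N + global (dst) N,
    or a static (src,dst).
  * lower -> higher security: destination hosts need a static (dst,src) AND an
    access-group bound inbound on the source interface (or a conduit).
nat 0 exemptions and per-port ACL matching are deliberately not modelled.
"""
import re
from ipaddress import ip_network


def parse_pix(text):
    """Collect interface, translation and permission statements from a config."""
    cfg = {"sec": {}, "addr": {}, "static": [], "nat": {}, "global": {},
           "acl": {}, "access_group": {}, "conduit": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if t[0] == "nameif":                 # nameif ethernet1 inside security100
            cfg["sec"][t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:     # ip address dmz 192.168.0.1 255.255.255.0
            cfg["addr"][t[2]] = ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "static":               # static (high,low) mapped real netmask M
            m = re.match(r"static \((\w+),(\w+)\) \S+ (\S+) netmask (\S+)", line)
            if m:
                cfg["static"].append((m[1], m[2], ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif t[0] == "nat":                  # nat (if) N net mask
            cfg["nat"].setdefault(t[1].strip("()"), []).append(
                (t[2], ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global":               # global (if) N addr ...
            cfg["global"].setdefault(t[1].strip("()"), set()).add(t[2])
        elif t[0] == "access-list":
            cfg["acl"].setdefault(t[1], []).append(line)
        elif t[0] == "access-group":         # access-group NAME in interface IF
            cfg["access_group"][t[4]] = t[1]
        elif t[0] == "conduit":
            cfg["conduit"].append(line)
    return cfg


def statics(cfg, high, low):
    """Real networks on `high` that a static exposes on `low`."""
    return [real for h, l, real in cfg["static"] if (h, l) == (high, low)]


def dynamics(cfg, high, low):
    """Networks on `high` with a nat/global pair toward `low` (outbound only)."""
    return [net for nat_id, net in cfg["nat"].get(high, [])
            if nat_id in cfg["global"].get(low, set())]


def audit(text):
    """Return one finding per interface pair (or ACL) that breaks the rules."""
    cfg = parse_pix(text)
    findings = []
    ifaces = sorted(cfg["sec"], key=cfg["sec"].get, reverse=True)
    for src in ifaces:
        for dst in ifaces:
            if src == dst:
                continue
            if cfg["sec"][src] > cfg["sec"][dst]:            # outbound direction
                nets = statics(cfg, src, dst) + dynamics(cfg, src, dst)
                subnet = cfg["addr"].get(src)
                if subnet and not any(subnet.subnet_of(n) for n in nets):
                    findings.append(f"{src}->{dst}: translation covers only "
                                    f"{[str(n) for n in nets]} of {subnet}")
            elif statics(cfg, dst, src) and src not in cfg["access_group"]:  # inbound
                findings.append(f"{src}->{dst}: {dst} hosts are exposed but no access-group "
                                f"is bound on {src}; permission rests on "
                                f"{len(cfg['conduit'])} conduit(s)")
    for name in cfg["acl"]:
        if name not in cfg["access_group"].values():
            findings.append(f"access-list {name} is defined but never applied")
    if cfg["conduit"] and cfg["acl"]:
        findings.append("conduit and access-list statements are mixed")
    return findings


# Constructed from the posted configuration; A.B.C is replaced by 203.0.113.
ORIGINAL = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.66 255.255.255.248
ip address inside 128.100.14.101 255.255.0.0
ip address dmz 192.168.0.1 255.255.255.0
static (dmz,outside) 203.0.113.68 192.168.0.2 netmask 255.255.255.255 0 0
access-list fromOut permit tcp any host 203.0.113.68 eq smtp
global (outside) 1 203.0.113.67 netmask 255.255.255.248
nat (inside) 1 128.100.14.100 255.255.255.255 0 0
static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0
conduit permit tcp host 192.168.0.2 eq smtp http any
conduit permit icmp any any
"""

# The same config with the reply applied: three lines removed, four added.
REMOVED = {"static (inside,dmz) 192.168.0.0 128.100.0.0 netmask 255.255.0.0",
           "conduit permit tcp host 192.168.0.2 eq smtp http any",
           "conduit permit icmp any any"}
FIXED = "\n".join(l for l in ORIGINAL.splitlines() if l not in REMOVED) + """
static (inside,dmz) 128.100.0.0 128.100.0.0 netmask 255.255.0.0
access-list fromDMZ permit ip host 192.168.0.2 128.100.0.0 255.255.0.0
access-group fromDMZ in interface dmz
nat (dmz) 1 192.168.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, conf in (("posted", ORIGINAL), ("after reply", FIXED)):
        print(f"== {label} ==")
        for finding in audit(conf):
            print(" -", finding)
```

On the posted configuration the audit flags both directions the original poster complained about: `dmz->inside` has exposed inside hosts but no access-group bound on `dmz`, and `dmz->outside` is translated only for the single static host 192.168.0.2, not the rest of 192.168.0.0/24. After the reply's changes both findings disappear, the second one because `nat (dmz) 1` pairs with the existing `global (outside) 1`. The audit also reports that `fromOut` is defined but never bound with an `access-group`, which matters once the conduits are removed; whether that binding was simply left out of the post is not something the thread says.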

Hi there, thanks again for your help.

The first part has succeeded perfectly: I can now access the inside from the DMZ. Unfortunately I still can't reach the outside from the DMZ. I also tried the following:

nat (dmz) 2 192.168.0.0 255.255.255.0
global (outside) 2 a.b.c.68 255.255.255.248

and it didn't work either. I am really confused now. I would really appreciate any suggestions.

Sorry... I made a mistake in the global command. What I used was

global (outside) 1 a.b.c.69 255.255.255.248

Address a.b.c.68 is my mail server.