245 Views · 0 Helpful · 1 Reply

DMZ to inside conduits

gyalch
Level 1

I have been trying to set up a conduit so that my server on my DMZ can send SMTP to my internal server. I have tried the following code, but it doesn't seem to work.

DMZ 10.0.0.0/24

internal 192.168.0.0/24

My normal setup to allow access to the DMZ is:

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0

So the code is:

conduit permit tcp host 192.168.0.1 eq smtp host 10.0.0.1

I have also tried changing the static to a 10.0.0.0 number but it still doesn't work.

It does however work if I change the host 10.0.0.1 to any and leave the rest as 192.168.0.0. The problem with this is it doesn't restrict access. Does anyone have any suggestions on what I might be doing wrong? Thanks.

1 Reply

shannong
Level 4

For starters, I highly recommend that you convert to ACLs on the PIX. They're more restrictive, processed more efficiently, and easier to work with.

Having said that, your conduit looks correct. Are you sure that the addresses in question are accurate? By opening up the ranges to include any and the whole subnet, it worked for you. Therefore, we can assume the problem is not routing or NAT but rather access control. Turn on logging to the buffer and see exactly what/why the PIX is denying those requests [logging buffered 7]. The easiest way to do testing is to use a telnet command line and connect to port 25 from the DMZ host. For example:

telnet 192.168.0.1 25

If successful, the screen will update and display a banner or garbled characters (done by fixup). If it just times out, it obviously didn't connect. The PIX will tell you exactly what the problem is in the logs [show log].
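For reference, here is the same policy as the poster's conduit written as an interface ACL, which is what the reply recommends. This is an added example, not configuration from either participant: the addresses are the ones given in the thread, the interface name `DMZ` follows the poster's static, and the ACL name `dmz_in` is an assumption.

```cisco
! Added example (not from the thread): the poster's conduit expressed as an
! interface ACL. Addresses are from the thread; the interface name "DMZ"
! follows the poster's static; the ACL name "dmz_in" is an assumption.
!
! Keep the existing translation so the inside subnet is reachable from the
! DMZ under its own addresses.
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! ACL order is source first, then destination (the reverse of conduit
! syntax): allow only the DMZ mail relay to reach TCP/25 on the inside mail
! server. Anything else from the DMZ toward inside falls to the implicit
! deny at the end of the list.
access-list dmz_in permit tcp host 10.0.0.1 host 192.168.0.1 eq smtp
!
! Bind the list inbound on the DMZ interface (one access-group per
! interface and direction).
access-group dmz_in in interface DMZ
!
! Buffered logging at debugging level, as the reply suggests, so a denied
! connection attempt appears as an explicit deny message.
logging on
logging buffered 7
!
! After testing with "telnet 192.168.0.1 25" from the relay, review with:
!   show logging
```

The conduit and the ACL express the same rule, but the ACL is tied to the interface the traffic enters, so the source/destination pair is unambiguous and the deny entries in the buffer name the exact packet that was dropped. Once the access-group is in place, retire the old conduit statements rather than running both side by side.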