Cisco Support Community

DMZ to inside conduits

I have been trying to set up a conduit so that my server on my DMZ can send SMTP to my internal server. I have tried the following code but it doesn't seem to work.



My normal setup to allow access to the DMZ is.

static (inside, DMZ)

So the code is

conduit permit tcp host eq smtp host

I have also tried changing the static to a number but it still doesn't work.

It does, however, work if I change the host to any and leave the rest as The problem with this is it doesn't restrict access. Does anyone have any suggestions on what I might be doing wrong? Thanks.


Re: DMZ to inside conduits

For starters, I highly recommend that you convert to ACLs on the PIX. They're more restrictive, processed more efficiently, and easier to work with.

Having said that, your conduit looks correct. Are you sure that the addresses in question are accurate? By opening up the ranges to include any and the whole subnet, it worked for you. Therefore, we assume the problem to not be routing or NAT but rather access-control. Turn on logging to the buffer and see exactly what/why the PIX is denying those requests. [logging buffered 7] The easiest way to do testing is to use a telnet command line and connect to port 25 from the DMZ host. For example:

telnet 25

If successful, the screen will update and display a banner or garbled characters (done by fixup). If it just times out, it didn't connect, obviously. The PIX will tell you exactly what the problem is in the logs [show log]
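The port 25 test described in the reply above, written as a script that names each outcome (an added example, not part of the original thread). The function names and the 192.0.2.10 address are placeholders, and treating a mostly-asterisk banner as one rewritten by fixup is an assumption.

```python
import socket


def classify_banner(banner: bytes) -> str:
    """Classify the first line an SMTP listener sent after connect."""
    text = banner.decode("ascii", errors="replace").strip()
    if not text.startswith("220"):
        return "unexpected-reply"
    rest = text[3:].strip(" -")
    # Assumption: a banner rewritten by fixup arrives mostly as '*' characters.
    if rest and rest.count("*") / len(rest) > 0.5:
        return "banner-masked"
    return "banner"


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Same check as 'telnet <host> 25' from the DMZ host, outcome named."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"        # no answer to the SYN: dropped along the path
    except ConnectionRefusedError:
        return "refused"        # a reset came back: nothing accepted the port
    except OSError:
        return "unreachable"    # no route, or another local network error
    with sock:
        try:
            banner = sock.recv(512)
        except OSError:         # includes the read timing out
            return "connected-no-banner"
        if not banner:
            return "connected-no-banner"
        return classify_banner(banner)


if __name__ == "__main__":
    # Constructed banners, not captured from a real device.
    for sample in (b"220 mail.example.test ESMTP ready\r\n",
                   b"220 **************************\r\n"):
        print(classify_banner(sample))
    # Placeholder address; substitute the inside mail server's address.
    print(probe_smtp("192.0.2.10", timeout=3))
```

A "timeout" result is the case where the firewall log is worth reading next; "banner" or "banner-masked" means the connection was permitted end to end.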