
internal/dmz routing issue

I am having issues receiving mail on the internal network when it is sent from machines in my DMZ. I can get mail to Yahoo or any external mail system when sending from the DMZ machines, but I cannot get the mail on the internal network. I am using live IPs in my DMZ; could that be it?

5 REPLIES

Re: internal/dmz routing issue

Have you created static maps and access-lists to allow access to your inside? If yes please post your config.

Steve


Re: internal/dmz routing issue

Here is the static mapping and access-list for my mail server.

static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255 0 0

access-list 110 permit tcp any host 1.1.1.1 eq smtp

Half of my live IPs are used on the external int and the other half are used in the DMZ. The static mapping for my mail server is using a live IP on the external int. Can I even do this? Did I forget to add a route?

Re: internal/dmz routing issue

No, if I understood you correctly, the static mapping can't be an IP from the external interface. Use a static IP from your DMZ interface.

e.g.

ip address outside 2.2.2.2 255.255.255.224

ip address inside 1.1.1.1 255.255.0.0

ip address DMZ 3.3.3.3 255.255.255.0

static (inside,DMZ) 3.3.3.4 1.1.1.2 netmask 255.255.255.255 (where 1.1.1.2 is your internal mail server)

access-list 110 permit tcp host 3.3.3.5 host 3.3.3.4 eq smtp (where 3.3.3.5 is your DMZ mail server)

Also, does the PIX have a route to the internal mail server, and does the mail server have a route to the DMZ mail server?


Re: internal/dmz routing issue

OK, that is what I was thinking... that I need to map a DMZ address to the internal mail server.

The PIX does not have a route to the internal mail server, nor does the mail server have a route to the DMZ mail server. So I'm guessing that I have forgotten something?

Re: internal/dmz routing issue

Yes, add the static map.

Add a route on the PIX to get to the internal mail server:

route inside 1.1.1.0 255.255.255.0 x.x.x.x (1.1.1.0 is your mail server subnet and x.x.x.x is the next hop).

On your internal network routers, add a route for the DMZ subnet pointing at the PIX as the next hop so that your internal mail server can get to the DMZ.

Steve
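A small configuration check, added here as an example and not taken from the thread or from Cisco: it parses constructed PIX 6.x fragments (placeholder addresses, assumed interface names "inside" and "DMZ") and reports the gaps this thread worked through, namely a missing (inside,DMZ) static, a static whose mapped address is not on the DMZ subnet, and no route from the PIX towards the inside mail server.

```python
import ipaddress

# Constructed PIX 6.x fragments modelled on the thread's topology; the
# addresses are placeholders, not the poster's real configuration.
BROKEN = """
ip address outside 2.2.2.2 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address DMZ 3.3.3.3 255.255.255.0
static (inside,outside) 2.2.2.5 10.0.1.2 netmask 255.255.255.255 0 0
"""
FIXED = BROKEN + """
static (inside,DMZ) 3.3.3.4 10.0.1.2 netmask 255.255.255.255
route inside 10.0.1.0 255.255.255.0 10.0.0.254
"""

def parse_pix(config):
    """Pull out the three statement types this check needs."""
    ifaces, statics, routes = {}, [], []
    for line in config.split("\n"):
        p = line.split()
        if p[:2] == ["ip", "address"]:
            ifaces[p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[:1] == ["static"]:
            real_if, mapped_if = p[1].strip("()").split(",")
            statics.append((real_if, mapped_if, p[2], p[3]))
        elif p[:1] == ["route"]:
            routes.append((p[1], ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False)))
    return ifaces, statics, routes

def check_dmz_to_inside(config, dmz_if, inside_if, inside_host):
    """Return the reasons a DMZ host could not reach inside_host; [] means OK."""
    ifaces, statics, routes = parse_pix(config)
    findings = []
    # Traffic entering on the DMZ only matches statics whose mapped side is
    # the DMZ; the (inside,outside) entry the poster had is never consulted.
    hits = [s for s in statics if s[:2] == (inside_if, dmz_if) and s[3] == inside_host]
    if not hits:
        findings.append(f"no static ({inside_if},{dmz_if}) for {inside_host}")
    for _, _, mapped, _ in hits:
        if ipaddress.ip_address(mapped) not in ifaces[dmz_if].network:
            findings.append(f"mapped {mapped} is not in the {dmz_if} subnet")
    # The PIX must also know where the real server lives: on the inside
    # interface's connected subnet, or behind a 'route inside' next hop.
    server = ipaddress.ip_address(inside_host)
    if not (server in ifaces[inside_if].network or
            any(r_if == inside_if and server in net for r_if, net in routes)):
        findings.append(f"no route on {inside_if} towards {inside_host}")
    return findings
```

Run `check_dmz_to_inside(BROKEN, "DMZ", "inside", "10.0.1.2")` to see the two findings and the same call with `FIXED` to see an empty list.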
