12-23-2005 07:31 AM - edited 02-21-2020 12:36 AM
Dear all,
I am setting up an Exchange front-end server in the DMZ and a back-end server in the inside area of the PIX. I need to open a range of ports (say 1024-1600) for RPC using access lists from the DMZ to the inside. Please help me.
thanks
savad
12-23-2005 07:49 AM
Try this:
1) define access-list:
access-list dmz2in extended permit tcp host frontend-server-ip host backend-server-ip range 1024 1600
2) apply access-list
access-group dmz2in in interface dmz
Note: dmz would be the name of your DMZ interface.
Example (under version 7.0):
interface Ethernet2
speed 100
duplex full
nameif dmz
12-23-2005 08:09 AM
You might miss some ports; here is an example for that kind of setup. Note this was configured for a WOA with SMTP and POP relay!
Mail Exchange with AD rights from DMZ
---------------------------------------
object-group service WOA-DC-TCP tcp
port-object eq ldap
port-object eq 3268
port-object eq 88
port-object eq domain
port-object eq 135
port-object range 1024 65535
port-object eq 445
object-group service WOA-DC-UDP udp
port-object eq 88
port-object eq domain
port-object eq netbios-ns
port-object eq 389
access-list outside permit tcp any host WOARelayPublicIP eq www
access-list outside permit tcp any host WOARelayPublicIP eq smtp
access-list outside permit tcp any host WOARelayPublicIP eq pop3
access-group outside in interface outside
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq smtp
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq pop3
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC1-Inside-IP eq ntp
access-list dmz permit udp host WOA-Relay-DMZ-IP host NTP-Server-Pub eq ntp
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-TCP
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-UDP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC2-Inside-IP object-group WOA-DC-TCP
access-list dmz permit udp host WOA-Relay-DMZ-IP host DC2-Inside-IP object-group WOA-DC-UDP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq www
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 445
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 691
access-list dmz permit icmp any any
! the next line permits the relay to every host and port, so the object-group
! and per-port lines above no longer restrict it; tighten it to keep them effective
access-list dmz permit ip host WOA-Relay-DMZ-IP any
access-list dmz deny ip any any log
access-group dmz in interface dmz
static (dmz,outside) WOARelayPublicIP WOA-Relay-DMZ-IP netmask 255.255.255.255 0 0
static (inside,dmz) InsideNetwork InsideNetwork netmask 255.255.255.0 0 0
Sincerely,
Patrick
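Added example, not code from either answer or from Cisco: a small first-match evaluator in Python for the access-list lines posted in this thread. It assumes the constructed subset of syntax the two answers use (host/any endpoints, eq/range/object-group destination ports, the named ports smtp, pop3, ldap and domain) and keeps the posts' placeholder host names in place of real IPs; the embedded config is a trimmed copy of the second answer's TCP lines plus the first answer's RPC range list. Give lookup() a flow and it reports the line the PIX would match first, or None for the implicit deny at the end of every list; ineffective() lists lines that can never change the verdict, which is the check to run before trusting a long port list.

```python
"""First-match evaluator for the PIX-style access-list lines posted above.
Added example, not code from the thread or from Cisco; it handles only the
constructed subset of syntax used in the two answers (see lead-in)."""

NAMED_PORTS = {"smtp": 25, "pop3": 110, "ldap": 389, "domain": 53}  # subset

# Constructed config: TCP rules from the second answer plus the RPC range list
# from the first (7.0 syntax is 'range LOW HIGH'). Names stand in for IPs.
CONFIG = """
object-group service WOA-DC-TCP tcp
 port-object eq ldap
 port-object eq domain
 port-object range 1024 65535
 port-object eq 445
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq smtp
access-list dmz permit tcp host WOA-Relay-DMZ-IP any eq pop3
access-list dmz permit tcp host WOA-Relay-DMZ-IP host DC1-Inside-IP object-group WOA-DC-TCP
access-list dmz permit tcp host WOA-Relay-DMZ-IP host Exchange-Inside-IP eq 445
access-list dmz permit icmp any any
access-list dmz permit ip host WOA-Relay-DMZ-IP any
access-list dmz deny ip any any log
access-list dmz2in extended permit tcp host frontend-server-ip host backend-server-ip range 1024 1600
"""

def port_num(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_addr(t, i):  # consume 'any' or 'host NAME' at t[i]; return (spec, next i)
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError("unsupported address spec: " + " ".join(t[i:]))

def parse_rule(t, groups):  # t = tokens after 'access-list NAME'
    i = 1 if t[0] == "extended" else 0
    action, proto = t[i], t[i + 1]
    src, i = parse_addr(t, i + 2)
    dst, i = parse_addr(t, i)
    ports = None  # None means any destination port
    if i < len(t) and t[i] in ("eq", "range"):
        lo = port_num(t[i + 1])
        ports = [(lo, lo if t[i] == "eq" else port_num(t[i + 2]))]
    elif i < len(t) and t[i] == "object-group":
        ports = groups[t[i + 1]]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": ports, "line": " ".join(t)}

def parse_config(text):
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] == "port-object":
            lo = port_num(t[2])
            current.append((lo, lo) if t[1] == "eq" else (lo, port_num(t[3])))
        elif t[0] == "access-list":
            acls.setdefault(t[1], []).append(parse_rule(t[2:], groups))
    return groups, acls

def lookup(acls, name, proto, src, dst, dport=None):
    """First matching rule as (index, action, line); None = implicit deny."""
    for idx, r in enumerate(acls[name]):
        if (r["proto"] in ("ip", proto) and r["src"] in ("any", src)
                and r["dst"] in ("any", dst)
                and (r["ports"] is None or dport is not None
                     and any(lo <= dport <= hi for lo, hi in r["ports"]))):
            return idx, r["action"], r["line"]
    return None

def covers(broad, narrow):  # every flow matched by narrow also matches broad
    if (broad["proto"] not in ("ip", narrow["proto"]) or broad["src"] not in
            ("any", narrow["src"]) or broad["dst"] not in ("any", narrow["dst"])):
        return False
    if broad["ports"] is None or narrow["ports"] is None:
        return broad["ports"] is None
    return all(any(blo <= lo and hi <= bhi for blo, bhi in broad["ports"])
               for lo, hi in narrow["ports"])

def ineffective(acls, name):
    """(rule, other, why): 'shadowed' by an earlier covering rule, or 'redundant'
    to a later same-action rule with no opposite-action rule in between."""
    rules, found = acls[name], []
    for j, r in enumerate(rules):
        earlier = [i for i in range(j) if covers(rules[i], r)]
        if earlier:
            found.append((j, earlier[0], "shadowed"))
            continue
        for i in range(j + 1, len(rules)):
            if rules[i]["action"] != r["action"]:
                break
            if covers(rules[i], r):
                found.append((j, i, "redundant"))
                break
    return found

GROUPS, ACLS = parse_config(CONFIG)
```

On the dmz list it reports the four specific permits kept in the example (smtp, pop3, the DC object-group, Exchange 445) as redundant with `permit ip host WOA-Relay-DMZ-IP any`: the relay reaches every port on every host regardless of them, so that line is the one to tighten. On dmz2in, TCP 1300 from the front end to the back end is decided by the range line and TCP 1700 falls to the implicit deny; the access-group command applies the list but does not change any of this.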