New Member

PIX 515- Mail flow between networks with different security value.

I have multiple networks set up through my PIXes. I am having trouble configuring the PIX to allow mail to flow from a network with a lower security value to a network with higher security values. Mail flow from the higher security level networks is fine going to lower level security networks.

Any advice is greatly appreciated.

Security levels follow:

nameif ethernet0 out security0

nameif ethernet1 in1 security100

nameif ethernet2 in2 security90

nameif ethernet3 in3 security30

nameif ethernet5 in5 security25

nameif ethernet4 in4 security15

Regards

Corey

4 REPLIES
Silver

Re: PIX 515- Mail flow between networks with different security

What protocol do you mean? Unix people would mean vanilla SMTP, while Windows Exchange people could mean a variety of things, depending on the Exchange architecture.

You need to use conduits or access lists to allow traffic to flow from lower to higher secure interfaces.

Matt

New Member

Re: PIX 515- Mail flow between networks with different security

An access-list must be used any time a lower security level interface needs to access resources through a higher level interface. You could create one access-list if mail is the only thing that needs to route between these interfaces.

access-list smtp permit tcp any host eq 25

Then you can apply that access list to each interface that needs to access mail.

access-group smtp in interface

New Member

Re: PIX 515- Mail flow between networks with different security

I will give that a try. Thanks.

New Member

Re: PIX 515- Mail flow between networks with different security

There are other factors that may come up. Mainly, NAT. If you are using NAT, you may have to create some static mappings between the interfaces, which will change the way the access list works. Basically, you will have to have a different ACL for each interface pointing to the statically mapped IP address for that network and the mail server. It is hard to plan this without knowing your entire configuration.
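The behaviour the replies describe (higher-to-lower allowed by default, lower-to-higher only through an ACL bound inbound on the lower interface, and a static translation for the destination when NAT is in use) modelled as an added Python example; this is not code from the thread or from Cisco. Interface names and security levels are the poster's; the IP addresses, ACL name and static entry are assumptions.

```python
from dataclasses import dataclass, field

# Security levels from the nameif lines in the question.
SECURITY = {"out": 0, "in1": 100, "in2": 90, "in3": 30, "in5": 25, "in4": 15}
SMTP = 25

@dataclass
class Ace:  # one access-list line: permit <proto> <src> host <dst> eq <port>
    proto: str
    src: str
    dst: str
    port: int

@dataclass
class Pix:
    # access-group <name> in interface <ifname>: one inbound ACL per interface
    inbound: dict = field(default_factory=dict)   # ifname -> [Ace]
    # static (high_if,low_if) <mapped> <real>: keyed by the address the
    # low-side hosts must use, value is the real address behind high_if
    statics: dict = field(default_factory=dict)   # (high_if, low_if, mapped) -> real

    def permits(self, src_if, dst_if, proto, src, dst, port):
        """Decide whether a new connection entering src_if may leave via dst_if.
        Returns (allowed, real_destination)."""
        acl = self.inbound.get(src_if)
        if acl is None:
            # No access-group on the ingress interface: only higher -> lower passes.
            allowed = SECURITY[src_if] > SECURITY[dst_if]
        else:
            # With an ACL bound, the ACL alone decides (implicit deny at the end).
            allowed = any(a.proto == proto and a.src in ("any", src)
                          and a.dst in ("any", dst) and a.port == port for a in acl)
        if not allowed:
            return False, None
        if SECURITY[src_if] < SECURITY[dst_if]:
            # Lower -> higher also needs a translation: the ACL matched on the
            # mapped address, the static supplies the real one behind dst_if.
            real = self.statics.get((dst_if, src_if, dst))
            return real is not None, real
        return True, dst

def mail_from_in4_to_in1(mapped="10.4.0.25", real="10.1.0.25"):
    """Assumed: mail server 10.1.0.25 behind in1, published to in4 as 10.4.0.25."""
    pix = Pix()
    before = pix.permits("in4", "in1", "tcp", "10.4.0.7", mapped, SMTP)
    # access-list smtp permit tcp any host 10.4.0.25 eq 25
    # access-group smtp in interface in4
    pix.inbound["in4"] = [Ace("tcp", "any", mapped, SMTP)]
    acl_only = pix.permits("in4", "in1", "tcp", "10.4.0.7", mapped, SMTP)
    # static (in1,in4) 10.4.0.25 10.1.0.25 netmask 255.255.255.255
    pix.statics[("in1", "in4", mapped)] = real
    after = pix.permits("in4", "in1", "tcp", "10.4.0.7", mapped, SMTP)
    return before, acl_only, after
```

The three results show why the poster's mail only flows one way: the ACL alone is not enough once NAT is involved, the static for the mail server is needed too.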
