PIX 515- Mail flow between networks with different security value.

corey.burnett
Level 1

I have multiple networks set up through my PIXes. I am having trouble configuring the PIX to allow mail to flow from a network with a lower security value to a network with higher security values. Mail flow from the higher security level networks is fine going to lower level security networks.

Any advice is greatly appreciated.

Security levels follow:

nameif ethernet0 out security0

nameif ethernet1 in1 security100

nameif ethernet2 in2 security90

nameif ethernet3 in3 security30

nameif ethernet5 in5 security25

nameif ethernet4 in4 security15

Regards

Corey

4 Replies

mostiguy
Level 6

What protocol do you mean? Unix people would mean vanilla SMTP, while Windows Exchange people could mean a variety of things, depending on the Exchange architecture.

You need to use conduits or access lists to allow traffic to flow from lower to higher secure interfaces.

Matt

wolfrikk
Level 3

An access-list must be used any time a lower security level interface needs to access resources through a higher level interface. You could create one access-list if mail is the only thing that needs to route between these interfaces.

access-list smtp permit tcp any host eq 25

Then you can apply that access list to each interface that needs to access mail.

access-group smtp in interface

I will give that a try. Thanks.

There are other factors that may come up. Mainly, NAT. If you are using NAT, you may have to create some static mappings between the interfaces, which will change the way the access list works. Basically, you will have to have a different ACL for each interface pointing to the statically mapped IP address for that network and the mail server. It is hard to plan this without knowing your entire configuration.
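To make the rule in these replies concrete, here is an added Python helper (not from the thread or from Cisco) that reads the nameif lines Corey posted and emits, for each interface with a lower security level than the mail server's interface, the access-list and access-group lines it needs, plus a PIX 6.x static mapping when one is supplied. The mail server interface, the addresses and the smtp_<name> ACL names are assumed placeholders; source `any` mirrors the thread and should be narrowed to the real sending hosts where possible.

```python
"""Work out which PIX 6.x interfaces need an explicit SMTP access-list
to reach a mail server, using the security levels from the thread.
Added example, not configuration from the original post: interface
names are from the thread, addresses below are constructed placeholders."""
import re

# nameif lines as posted in the question (all security levels distinct)
NAMEIF_CONFIG = """
nameif ethernet0 out security0
nameif ethernet1 in1 security100
nameif ethernet2 in2 security90
nameif ethernet3 in3 security30
nameif ethernet5 in5 security25
nameif ethernet4 in4 security15
"""


def parse_nameif(config):
    """Return {interface_name: security_level} from nameif lines."""
    levels = {}
    for m in re.finditer(r"nameif\s+\S+\s+(\S+)\s+security(\d+)", config):
        levels[m.group(1)] = int(m.group(2))
    return levels


def smtp_rules(levels, server_if, server_ip, statics=None):
    """Emit the PIX lines each interface needs so its hosts can reach the
    mail server on tcp/25.

    Traffic from a higher security interface to a lower one flows by default,
    so only interfaces with a lower level than server_if get an ACL, applied
    inbound on that interface. With NAT the ACL must match the address the
    server is statically mapped to on that interface: statics maps
    interface name -> mapped address (assumed placeholders); with no mapping
    the server's real address is used.
    """
    statics = statics or {}
    lines = []
    for name, level in sorted(levels.items(), key=lambda kv: kv[1]):
        if level >= levels[server_if]:
            continue  # higher security (or the server's own interface)
        target = statics.get(name, server_ip)
        if name in statics:  # static (real_ifc,mapped_ifc) mapped real
            lines.append(f"static ({server_if},{name}) {target} {server_ip} "
                         "netmask 255.255.255.255")
        acl = f"smtp_{name}"  # one ACL per interface, as the reply advises
        lines.append(f"access-list {acl} permit tcp any host {target} eq smtp")
        lines.append(f"access-group {acl} in interface {name}")
    return lines
```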
