Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1113
Views
0
Helpful
2
Replies

PIX DMZ to DMZ Communication Issue (Correction)

neiljohnson
Level 1
Level 1

‎04-30-2002 09:38 AM - edited ‎02-20-2020 10:02 PM

We have been trying to use a PIX with two DMZ's in addition to inside and outside connections.

One is a DMZ containing customer test equipment, the second contains an mailserver and a DNS server.

We wanted to keep them in separate DMZ's because we plan to use the mailserver for other things and wanted to control the customer's access to the mail server.

Our customer wants to be able to send and receive e-mail from the Internet to a machine in the test equipment DMZ.

We were trying to relay the messages from their system in the test equipment DMZ to the mail server in the mail DMZ and to the Internet. We were also trying to receive mail to the mail server and relay them to the customer's machine.

We were able to get the Mail Server to send and receive mail to machines on

the Internet (outside).

However, we have been unable to get the customer's machine to connect to the mail server and vice-versa.

We set the security level on as follows

Inside -> 100

SMTP DMZ -> 60

Customer Test DMZ -> 40

Outside ->

We added specfic rules to allow SMTP between the customers machine and the mail server.

However the PIX continues to deny connection requests.

Error Message:

Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25

We are in the process of moving the SMTP server and the DNS server

back to customer's equipment DMZ. (Customer requirements trump ours).

Any assistance would be greatly appreciated.

Thanks.

-Neil

0 Helpful
2 Replies 2

saluko
Level 1
Level 1

‎05-01-2002 03:29 AM

Without seeing your config it hard to diagnose the problem, however, some fundamental things to check:

Is there a nat statement from the smtp dmz to lower security level interface i.e

nat (smtp) 1 0 0 - This will permit smtp dmz to access cust test dmz

static (smtp, customertest) ip_address ip_address - This will create a path from the customer test dmz to the smtp dmz.

conduit permit tcp ipaddress ipaddress netmask - This will permit customer test dmz to access smtp dmz.

0 Helpful

cnj002
Level 1
Level 1
In response to saluko

‎05-07-2002 07:14 AM

That was it. I didn't have any NAT's for the mail server in the customer DMZ.

That took take of the problem. Thanks.

-neil

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card