04-30-2002 09:38 AM - edited 02-20-2020 10:02 PM
We have been trying to use a PIX with two DMZs in addition to inside and outside connections.
One is a DMZ containing customer test equipment; the second contains a mail server and a DNS server.
We wanted to keep them in separate DMZs because we plan to use the mail server for other things and wanted to control the customer's access to the mail server.
Our customer wants to be able to send and receive e-mail from the Internet to a machine in the test equipment DMZ.
We were trying to relay the messages from their system in the test equipment DMZ to the mail server in the mail DMZ and to the Internet. We were also trying to receive mail to the mail server and relay them to the customer's machine.
We were able to get the mail server to send and receive mail to machines on the Internet (outside).
However, we have been unable to get the customer's machine to connect to the mail server and vice-versa.
We set the security levels as follows:
Inside -> 100
SMTP DMZ -> 60
Customer Test DMZ -> 40
Outside ->
We added specific rules to allow SMTP between the customer's machine and the mail server.
However, the PIX continues to deny connection requests.
Error Message:
Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25
We are in the process of moving the SMTP server and the DNS server back to the customer's equipment DMZ. (Customer requirements trump ours.)
Any assistance would be greatly appreciated.
Thanks.
-Neil
05-01-2002 03:29 AM
Without seeing your config it's hard to diagnose the problem; however, some fundamental things to check:
Is there a nat statement from the smtp dmz to the lower security level interface, i.e.
nat (smtp) 1 0 0 - This will permit smtp dmz to access cust test dmz
static (smtp, customertest) ip_address ip_address - This will create a path from the customer test dmz to the smtp dmz.
conduit permit tcp ipaddress ipaddress netmask - This will permit customer test dmz to access smtp dmz.
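The three commands above, written out as one complete PIX 6.x fragment for the two-DMZ layout described in the question. This is an added illustration, not a configuration posted in the thread: the interface names (smtp, customertest), the 192.168.60.0/24 and 192.168.40.0/24 addressing, the mail host 192.168.60.10 and the customer host 192.168.40.20 are all assumed. Comment lines use the ":" prefix that PIX uses in saved configurations.

```cisco
: Added example, not from the thread. Interface names, addresses and
: host addresses are assumed; only TCP/25 is opened, and only between
: the one customer host and the one mail host.
nameif ethernet2 smtp security60
nameif ethernet3 customertest security40
ip address smtp 192.168.60.1 255.255.255.0
ip address customertest 192.168.40.1 255.255.255.0

: Lower security (customertest, 40) to higher security (smtp, 60).
: Without a translation for the mail host on the customertest side the
: PIX logs %PIX-3-106010 "Deny inbound tcp ... dst smtp:.../25", which
: is the message shown in the question.
: 1) identity static so the mail host is reachable from customertest
static (smtp,customertest) 192.168.60.10 192.168.60.10 netmask 255.255.255.255
: 2) permit only the customer host, only to port 25
conduit permit tcp host 192.168.60.10 eq smtp host 192.168.40.20
: access-list form of the same rule (the newer syntax on PIX 6.x;
: use one form or the other, not both, on the same interface):
:   access-list cust_in permit tcp host 192.168.40.20 host 192.168.60.10 eq smtp
:   access-group cust_in in interface customertest

: Higher security (smtp, 60) to lower security (customertest, 40), so
: the mail host can relay inbound mail to the customer's machine.
: Higher-to-lower is allowed by default once a translation exists;
: the static above already gives 192.168.60.10 one, and the nat/global
: pair below covers the rest of the smtp DMZ with PAT on one address.
nat (smtp) 1 192.168.60.0 255.255.255.0
global (customertest) 1 192.168.40.250
```

The rule to remember when reading the deny message: a connection from a lower-security interface to a higher one needs both a static (or other translation slot for the destination) and an explicit permit (conduit or access-list); a connection from higher to lower needs only a translation (nat/global or static). The static is what the original poster was missing.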
05-07-2002 07:14 AM
That was it. I didn't have any NATs for the mail server in the customer DMZ.
That took care of the problem. Thanks.
-neil