Cisco Support Community
Community Member

Pix DMZ to Inside access

I have an SMTP bastion host on a DMZ behind a PIX 515. The DMZ needs to be able to send mail to a host on the inside network. Assume the following scenario:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside
ip address inside
ip address dmz
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface

DMZ server IP=
INSIDE server IP=

Inside hosts can access DMZ server but I need the DMZ server to be able to send e-mail on port 25 back to an inside server.

Thanks in advance!

Community Member

Re: Pix DMZ to Inside access

For access from an interface of lower security to one of higher security, you will need to configure a static translation and appropriate access-lists.

In your example above, you would need something like:

static (inside,dmz) netmask -> so that the DMZ users can recognise the server on the inside using the address

and then:

access-list 101 permit tcp host host eq 25

you would then need to apply the access-list to the interface using:

access-group 101 in interface dmz

Note: the access-list will block all other traffic from going through the DMZ interface so you will need to make sure you permit any other necessary traffic, regardless of the destination (inside or outside).

Please see the following sample configuration: it is for outside access to an inside SMTP server, but the same theory applies, because it is still lower security level to higher security level.

Community Member

Re: Pix DMZ to Inside access

Thanks! That worked!!

Community Member

Re: Pix DMZ to Inside access

You need a static and a conduit to the inside from the DMZ. If you are using ACLs, the same rules apply.

static (dmz,inside) etc.

access-list inside permit tcp (dmz) to (Inside) eq 25

conduit permit tcp (dmz) to (Inside) eq 25
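Putting the two replies together as one worked PIX 6.x configuration. This is an added example written for this page, not configuration posted by anyone in the thread. The addresses (inside mail server 10.1.1.25, DMZ bastion 192.168.50.25), the access-list name dmz_in, and the outbound SMTP and DNS lines are assumptions chosen for illustration; the interface names and security levels are the ones from the original question. The static uses the first reply's (inside,dmz) interface order, because in the PIX static syntax the first interface is the one where the real host lives, and the conduit form from the third reply is shown as a commented alternative.

```text
! Added example, not from the thread. Assumed addresses:
!   inside mail server 10.1.1.25, DMZ SMTP bastion 192.168.50.25
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

! Dynamic translation from the original post. This only covers traffic
! from a higher to a lower security level (inside -> dmz, dmz -> outside);
! it gives the DMZ no way to initiate a connection to the inside.
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
global (dmz) 1 interface

! 1. Static translation so the inside server has a fixed, reachable address
!    on the dmz side. Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
!    netmask mask. Mapping the address to itself (an identity static) lets
!    the bastion relay straight to 10.1.1.25.
static (inside,dmz) 10.1.1.25 10.1.1.25 netmask 255.255.255.255 0 0

! 2. Access list for traffic arriving on dmz. Lines are matched in order and
!    an applied list ends with an implicit deny, so everything else the
!    bastion legitimately does must be listed too (assumed here: outbound
!    SMTP and DNS). The explicit deny for the inside network sits before
!    the "any" permits so they cannot be used to reach other inside hosts.
access-list dmz_in permit tcp host 192.168.50.25 host 10.1.1.25 eq smtp
access-list dmz_in deny ip host 192.168.50.25 10.1.1.0 255.255.255.0
access-list dmz_in permit tcp host 192.168.50.25 any eq smtp
access-list dmz_in permit udp host 192.168.50.25 any eq domain

! 3. Bind the list to the dmz interface for inbound (entering) traffic.
access-group dmz_in in interface dmz

! Pre-ACL alternative (the third reply's conduit form) paired with the same
! static: the destination address and port come first, then the allowed
! source. Use conduits or access-lists on a given PIX, not both; conduit
! was removed in PIX 7.0.
! conduit permit tcp host 10.1.1.25 eq smtp host 192.168.50.25
```

To check it, send a test message from the bastion and confirm that `show xlate` lists the 10.1.1.25 translation on dmz and that `show access-list dmz_in` shows the hit count on the first permit line increasing; a hit on the deny line means the bastion tried to reach something on the inside other than the mail server.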
