Cisco Support Community

New Member

Pix inside to DMZ mail server

Sorry for the simple question, but I am an idiot.

My DMZ is 10.1.10.0 and the inside is 192.168.9.

How do I access a mail server from the inside to the DMZ?

The DMZ mail server has a static mapped public address that works fine, but I have yet to make a connection from the inside.

My ACLs allow :25 & :110 to everyone on the inside and DMZ.

I am sure that this is a common question, but I did not find it recently.

7 REPLIES
Gold

Re: Pix inside to DMZ mail server

Hi -

Try this (as an example):

static (inside,dmz) 192.168.5.0 192.168.5.0 netmask 255.255.255.0

access-list NO_NAT permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

nat (inside) 0 access-list NO_NAT

Where IP 192.168.2.0 is the inside network - make sure to execute the command 'clear xlate' and save with the command 'write memory'.

Hope this helps out - Thanks, Jay

New Member

Re: Pix inside to DMZ mail server

You don't need to do both the static and the (NAT and ACL). Use only one.

Jay,

In your static, are you sure you have the right IP? Didn't you mean 192.168.2.0 rather than 192.168.5.0?

In addition,

I'm actually trying to do the same thing, but I can't get it to work. I see the conn table, but it doesn't look right. However, I did accomplish doing a no-NAT when going from the inside to the outside, using the ACL like you stated above. The only drawback here is that only ONE NAT 0 statement is allowed, so I cannot enter another one (i.e. to go from the inside to the DMZ); it will overwrite my first one.

I tried using

static (inside,dmz) 10.102.60.4 102.102.60.4 netmask 255.255.255.0

where IP 10.102.60.4 is the inside IP address of one of my inside servers.

Am I correct what I'm stating here?

New Member

Re: Pix inside to DMZ mail server

I have a similar scenario: I am using PAT (inside to outside) and would like to SSH from inside to a server in my DMZ. I tried an ACL {access-list dmz permit tcp 142.19.0.0 255.255.255.0 any eq ssh, access-group dmz in interface DMZ} and a static mapping {static (inside,DMZ) 142.19.0.13 192.168.1.51 netmask 255.255.255.255 0 0}. I see the sessions being granted, but my SSH session times out.

Does anybody have any advice?

New Member

Re: Pix inside to DMZ mail server

You are correct; however, all I did was add the inside subnet to DMZ access list to the nat 0 command (no static needed). The error I was getting was "portmap failed", so this worked.

Thanks.

New Member

Re: Pix inside to DMZ mail server

Try this:

static (inside,dmz) 192.168.9.0 192.168.9.0 netmask 255.255.255.0

access-list 110 permit tcp any 192.168.9.0 255.255.255.0 eq 25

access-list 110 permit tcp any 192.168.9.0 255.255.255.0 eq 110

access-group 110 in interface dmz

I would open it wide up until you have it working, and then apply a more restrictive access-list.

I think that this will work.

Mike

Silver

Re: Pix inside to DMZ mail server

This is a very common problem; in the few months that I'm on this forum, I've seen many people having trouble understanding how nat, global and static work. In my humble opinion this is poorly documented on CCO, thus having nothing to do with being an idiot, or whatsoever :-))

Sometimes I'm still confused why some things are not working the way we think they should work, but I have always discovered (at least till now) that if the Cisco documentation is followed, it always works.

You should remember the following:

1) When traffic initiates from a higher security level to a lower security level only and no translation is needed, you should only use one of the following:

nat <(interface)> 0

nat <(interface)> 0

2) When traffic initiates from a higher security level to a lower security level only and translation is needed, you should only use:

nat <(highlevelinterface)>

global <(lowlevelinterface)>

The static command is only needed in case traffic is initiated from a lower security level to a higher security level.

Be aware of one other thing: if static commands overlap with nat and global commands, you could run into unexpected behaviour like this.

Now to the point:

I think you have an overlap within your translations. Check to see if this is true, and if not, then check to see if the appropriate nat/global rules are set for traffic initiated from inside to DMZ.

Hope this helps,

Leo
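A complete PIX 6.x configuration for the original poster's case (inside 192.168.9.0/24 to a mail server in DMZ 10.1.10.0/24), following rule 1 above with NAT exemption only and no overlapping static. This is an added illustration, not a configuration from the thread; the mail server address 10.1.10.25, the PIX interface addresses and the ACL names are assumed.

```cisco
! Added example, not from the thread. Mail server 10.1.10.25, interface
! addresses and ACL names are assumed; the subnets come from the question.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 192.168.9.1 255.255.255.0
ip address dmz 10.1.10.1 255.255.255.0
!
! Rule 1: inside (100) -> dmz (50) with no translation wanted.
! NAT exemption keeps the real inside addresses towards the DMZ.
! Do NOT also add "static (inside,dmz) 192.168.9.0 192.168.9.0 ..." for the
! same range; overlapping static and nat rules cause the odd failures above.
access-list NO_NAT permit ip 192.168.9.0 255.255.255.0 10.1.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Rule 2: ordinary inside -> outside PAT is unaffected and stays in place.
! Without a matching exemption or nat/global pair for (inside,dmz), inside
! clients get the "portmap translation creation failed" error mentioned above.
nat (inside) 1 192.168.9.0 255.255.255.0
global (outside) 1 interface
!
! Least privilege: inside -> DMZ packets are filtered where they enter, on the
! inside interface. Allow only SMTP and POP3 to the mail server, deny the rest
! of the DMZ, and keep the normal outbound permit.
access-list INSIDE_IN permit tcp 192.168.9.0 255.255.255.0 host 10.1.10.25 eq smtp
access-list INSIDE_IN permit tcp 192.168.9.0 255.255.255.0 host 10.1.10.25 eq pop3
access-list INSIDE_IN deny ip any 10.1.10.0 255.255.255.0
access-list INSIDE_IN permit ip 192.168.9.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Return packets of these TCP sessions match the conn table, so no permit for
! 192.168.9.0/24 is needed on the dmz interface for this to work.
!
! After changing translation rules, flush stale translations and save.
clear xlate
write memory
!
! Verify while an inside client connects to port 25: the session should be
! listed with its real inside and DMZ addresses.
show conn
```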

New Member

Re: Pix inside to DMZ mail server

Here's one for the books.

I have a DMZ with a 10.0.0.0/24 IP range.

The inside interface uses a 192.168.9.0/24 IP range.

I have an SMTP and web reverse proxy in the DMZ which is accessible from the outside.

The server in the DMZ is configured to access servers on the inside and vice versa by their real IP addresses.

Everything works fine, but how it is working I am a little unsure.

I have an access-list applied to the DMZ interface, and another applied to the inside interface, to allow the servers to communicate with each other based on their real IP addresses.

In order to bypass NAT I used the following:

nat (inside) 0 access-list NoNat

access-list NoNat permit ip 192.168.9.0 255.255.255.0 10.0.0.0 255.255.255.0

Thus connections initiated from the inside are not NATed and can therefore access the DMZ servers by their real IP addresses.

Now this is where it gets weird. If the server in the DMZ initiates communication with the servers on the inside (by their real IPs) it works! There are no statics applied to the DMZ interface.

I have researched this quite a bit and I agree with you 100% that this is not documented very well at all.

Any ideas how this is working?
