04-30-2002 08:28 AM - edited 02-20-2020 10:02 PM
We have been trying to use a PIX with two DMZs in addition to inside and outside connections.
One is a DMZ containing customer test equipment. The second contains a mail server and a DNS server.
We wanted to keep them in separate DMZs because we plan to use the mail server for other things and wanted to control the customer's access to the mail server.
Our customer wants to be able to send and receive e-mail from the Internet to a machine in the test equipment DMZ.
We were trying to relay the messages from their system in the test equipment DMZ to the mail server in the mail DMZ and to the Internet.
We were also trying to receive mail on the mail server and relay it to the customer's machine.
We have been able to get the mail server to send and receive mail to machines on the Internet (outside). However, we have been unable to get the customer's machine to connect to the mail server and vice versa.
We set the security levels as follows:
Inside -> 100
SMTP DMZ -> 60
Customer Test DMZ -> 40
Outside -> 0
We added specific rules to allow SMTP between the customer's machine and the mail server.
However the PIX continues to deny connection requests.
Error Message:
Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25
We are in the process of moving the SMTP server and the DNS server back to customer's equipment DMZ. (Customer requirements trump ours).
Any assistance would be greatly appreciated.
Thanks.
-Neil
04-30-2002 09:44 AM
: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside-internet security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-164 security40
nameif ethernet3 DMZ-165 security40
nameif ethernet4 DMZ-SMTP security60
nameif ethernet5 DMZ-none security40
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXXXX encrypted
hostname MPS-PIX-INT-MOT
domain-name us-roc.celestica.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 136.182.0.0 morarola
name 144.189.0.0 mortarola
name 129.188.0.0 Mortarola
name 10.69.211.230 JasonH
name 10.69.210.113 FredK
name 10.69.144.10 CiscoWorks
name 10.70.148.8 NeilJ
name 10.70.0.0 MTP
name 10.0.0.0 Celestica
name 10.70.164.67 MOTCOM02
name 192.168.100.100 SMTP-DNS-Server
name 10.69.210.148 SteveT.
name 10.70.136.19 PROD04
name 10.70.136.20 PROD05
name 65.222.20.65 router-ethernet
name 65.207.35.210 ROUTER_SERIAL
name 10.70.164.66 NASCOM02
name 10.69.128.0 Rochester
name 65.222.20.70 dns
name 65.222.20.69 SMTP-Srv
name 65.222.20.67 motcm02-outside
access-list outside-internet_access_in permit tcp any host motcm02-outside
access-list outside-internet_access_in permit tcp any host SMTP-Srv
access-list outside-internet_access_in permit tcp host dns host SMTP-Srv
access-list DMZ-164_access_in permit tcp host MOTCOM02 any
access-list DMZ-164_access_in permit tcp any host SMTP-Srv
access-list outside-internet_authentication permit tcp any host motcm02-outside eq telnet
access-list inside_access_in permit tcp 10.70.128.0 255.255.128.0 any eq ftp
access-list inside_access_in permit icmp 10.70.128.0 255.255.128.0 host SMTP-DNS-Server
access-list inside_access_in permit tcp host NeilJ host SMTP-DNS-Server
access-list inside_access_in permit tcp MTP 255.255.0.0 host SMTP-DNS-Server eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server eq smtp any eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server any
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server host dns
pager lines 24
logging on
logging trap notifications
logging history notifications
logging host inside CiscoWorks
logging host inside NeilJ
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto
mtu outside-internet 1500
mtu inside 1500
mtu DMZ-164 1500
mtu DMZ-165 1500
mtu DMZ-SMTP 1500
mtu DMZ-none 1500
ip address outside-internet 65.222.20.66 255.255.255.192
ip address inside 10.70.130.38 255.255.255.240
ip address DMZ-164 10.70.164.11 255.255.255.0
ip address DMZ-165 10.70.165.11 255.255.255.0
ip address DMZ-SMTP 192.168.100.1 255.255.255.0
ip address DMZ-none 127.0.0.1 255.255.255.0
ip verify reverse-path interface outside-internet
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside-internet 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ-164 0.0.0.0
failover ip address DMZ-165 0.0.0.0
failover ip address DMZ-SMTP 0.0.0.0
failover ip address DMZ-none 0.0.0.0
pdm location CiscoWorks 255.255.255.255 inside
pdm location FredK 255.255.255.255 inside
pdm location JasonH 255.255.255.255 inside
pdm location 10.69.0.0 255.255.0.0 inside
pdm location Mortarola 255.255.0.0 outside-internet
pdm location morarola 255.255.0.0 outside-internet
pdm location mortarola 255.255.0.0 outside-internet
pdm location NeilJ 255.255.255.255 inside
pdm location MTP 255.255.0.0 inside
pdm location 10.70.164.5 255.255.255.255 inside
pdm location Celestica 255.0.0.0 inside
pdm location MOTCOM02 255.255.255.255 DMZ-164
pdm location SMTP-DNS-Server 255.255.255.255 DMZ-SMTP
pdm location SteveT. 255.255.255.255 inside
pdm location PROD04 255.255.255.255 inside
pdm location PROD05 255.255.255.255 inside
pdm location 10.68.128.0 255.255.128.0 inside
pdm location Rochester 255.255.128.0 inside
pdm location 10.70.128.0 255.255.128.0 inside
pdm location 10.70.254.4 255.255.255.255 inside
pdm location router-ethernet 255.255.255.255 outside-internet
pdm location ROUTER_SERIAL 255.255.255.255 outside-internet
pdm location router-ethernet 255.255.255.255 inside
pdm location router-ethernet 255.255.255.255 DMZ-165
pdm location router-ethernet 255.255.255.255 DMZ-164
pdm location NASCOM02 255.255.255.255 DMZ-164
pdm location router-ethernet 255.255.255.255 DMZ-none
pdm location dns 255.255.255.255 outside-internet
pdm location 0.0.0.0 255.255.255.255 inside
pdm location MOTCOM02 255.255.255.255 inside
pdm location MOTCOM02 255.255.255.255 DMZ-165
pdm location MOTCOM02 255.255.255.255 DMZ-none
pdm location 0.0.0.0 255.255.255.192 inside
pdm location 10.70.146.5 255.255.255.255 inside
pdm location 10.70.146.5 255.255.255.255 DMZ-164
pdm location 10.70.146.5 255.255.255.255 DMZ-165
pdm location 10.70.146.5 255.255.255.255 DMZ-none
pdm location SMTP-Srv 255.255.255.255 outside-internet
pdm location motcm02-outside 255.255.255.255 outside-internet
pdm location 10.69.210.53 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
static (DMZ-SMTP,outside-internet) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
static (DMZ-164,outside-internet) motcm02-outside MOTCOM02 netmask 255.255.255.255 0 0
static (DMZ-SMTP,DMZ-164) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
static (inside,DMZ-164) PROD04 PROD04 netmask 255.255.255.255 0 0
static (inside,DMZ-164) PROD05 PROD05 netmask 255.255.255.255 0 0
static (inside,DMZ-SMTP) MTP MTP netmask 255.255.0.0 0 0
access-group outside-internet_access_in in interface outside-internet
access-group inside_access_in in interface inside
access-group DMZ-164_access_in in interface DMZ-164
access-group DMZ-SMTP_access_in in interface DMZ-SMTP
route outside-internet 0.0.0.0 0.0.0.0 65.222.20.66 1
route inside 10.68.128.0 255.255.128.0 10.70.130.35 1
route inside Rochester 255.255.128.0 10.70.130.35 1
route inside 10.70.128.0 255.255.128.0 10.70.130.35 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.70.146.5 3d43662a0e19f3e0 timeout 5
aaa authentication match outside-internet_authentication outside-internet RADIUS
http server enable
http FredK 255.255.255.255 inside
http CiscoWorks 255.255.255.255 inside
http SteveT. 255.255.255.255 inside
http NeilJ 255.255.255.255 inside
http 10.70.254.4 255.255.255.255 inside
http 10.69.210.53 255.255.255.255 inside
snmp-server host inside CiscoWorks
snmp-server location MT. P. Iowa
snmp-server contact Jason Herrmann
snmp-server community bud
snmp-server enable traps
no floodguard enable
no sysopt route dnat
auth-prompt prompt Unauthorized access or utilization of this service is prohibited.
telnet FredK 255.255.255.255 inside
telnet CiscoWorks 255.255.255.255 inside
telnet NeilJ 255.255.255.255 inside
telnet router-ethernet 255.255.255.255 inside
telnet 10.70.254.4 255.255.255.255 inside
telnet MOTCOM02 255.255.255.255 inside
telnet 10.70.146.5 255.255.255.255 inside
telnet 10.69.210.53 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
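The following checker is an added example and is not part of the thread or of the PIX software. It takes the lines of the posted configuration that govern a single flow (nameif security levels, name aliases, statics, access-lists and access-groups) plus the quoted %PIX-3-106010 line, and reports what the config says about that flow. It assumes the simplified PIX 6.x model that a connection from a lower- to a higher-security interface needs both a permit in the access-list applied inbound on the ingress interface and a static (or nat 0) translation under which the destination is reachable from that interface; it only parses the "eq" port operator and the ACE shapes that appear in the posted config. The CONFIG excerpt is copied from the config above; the extra log lines in the checks are constructed.

```python
"""Check a PIX 6.x 106010 deny against the config it came from (added example).

Assumed model, simplified: lower-to-higher flows need an inbound ACL permit on the
ingress interface AND a static under which the destination is visible there.
"""
import ipaddress
import re

# Excerpt of the posted configuration; only the lines this check needs.
CONFIG = """\
nameif ethernet0 outside-internet security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-164 security40
nameif ethernet4 DMZ-SMTP security60
name 10.70.164.67 MOTCOM02
name 192.168.100.100 SMTP-DNS-Server
name 65.222.20.69 SMTP-Srv
access-list DMZ-164_access_in permit tcp host MOTCOM02 any
access-list DMZ-164_access_in permit tcp any host SMTP-Srv
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server eq smtp any eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server any
static (DMZ-SMTP,outside-internet) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
static (DMZ-SMTP,DMZ-164) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
access-group DMZ-164_access_in in interface DMZ-164
access-group DMZ-SMTP_access_in in interface DMZ-SMTP
"""

# The syslog line quoted in the question.
LOG_LINE = ("Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp "
            "src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25")

PORTS = {"smtp": 25, "ftp": 21, "telnet": 23, "domain": 53, "www": 80}
LOG_RE = re.compile(r"%PIX-\d-106010: Deny inbound (\w+) src (\S+):(\S+)/(\d+) dst (\S+):(\S+)/(\d+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_config(text):
    cfg = {"names": {}, "levels": {}, "statics": [], "acls": {}, "groups": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                  # name <ip> <label>
            cfg["names"][t[2]] = t[1]
        elif t[0] == "nameif":              # nameif <hw> <ifname> security<N>
            cfg["levels"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":              # static (high,low) <global> <local> ...
            cfg["statics"].append(STATIC_RE.match(line).groups())
        elif t[0] == "access-list":         # access-list <name> <ace tokens...>
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":        # access-group <acl> in interface <if>
            cfg["groups"][t[4]] = t[1]
    return cfg


def resolve(cfg, token):
    """Turn a 'name' label into its IP; plain addresses pass through."""
    return ipaddress.ip_address(cfg["names"].get(token, token))


def _addr(cfg, t, i, ip):
    """Match one PIX address spec (any | host X | X mask) starting at t[i]."""
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ip == resolve(cfg, t[i + 1]), i + 2
    net = ipaddress.ip_network((str(resolve(cfg, t[i])), t[i + 1]), strict=False)
    return ip in net, i + 2


def _port(t, i, port):
    """Match an optional 'eq <port>' operator at t[i] (other operators not modelled)."""
    if i < len(t) and t[i] == "eq":
        return port == (PORTS.get(t[i + 1]) or int(t[i + 1])), i + 2
    return True, i


def acl_verdict(cfg, acl_name, proto, src, sport, dst, dport):
    """First-match evaluation of a PIX 6 access-list with the implicit deny at the end."""
    for ace in cfg["acls"].get(acl_name, []):
        if ace[1] not in (proto, "ip"):
            continue
        s_ok, i = _addr(cfg, ace, 2, src)
        sp_ok, i = _port(ace, i, sport)
        d_ok, i = _addr(cfg, ace, i, dst)
        dp_ok, _ = _port(ace, i, dport)
        if s_ok and sp_ok and d_ok and dp_ok:
            return ace[0]
    return "deny (implicit)"


def analyze(config_text, log_line):
    cfg = parse_config(config_text)
    proto, src_if, src, sport, dst_if, dst, dport = LOG_RE.search(log_line).groups()
    src_ip, dst_ip = resolve(cfg, src), resolve(cfg, dst)
    acl = cfg["groups"].get(src_if)
    # Statics between exactly this interface pair: (dst_if, src_if) global local.
    pair = [s for s in cfg["statics"] if (s[0], s[1]) == (dst_if, src_if)]
    xlate = [s for s in pair if resolve(cfg, s[2]) == dst_ip]                 # dst is a published global
    aliases = [str(resolve(cfg, s[2])) for s in pair if resolve(cfg, s[3]) == dst_ip]  # dst is a real address
    return {
        "direction": "lower-to-higher" if cfg["levels"][src_if] < cfg["levels"][dst_if] else "higher-to-lower",
        "acl": acl,
        "acl_verdict": acl_verdict(cfg, acl, proto, src_ip, int(sport), dst_ip, int(dport)),
        "xlate_for_dst": bool(xlate),
        "dst_reachable_as": aliases,
    }


if __name__ == "__main__":
    for key, value in analyze(CONFIG, LOG_LINE).items():
        print(f"{key}: {value}")
```

For the quoted log line the checker reports a lower-to-higher flow, a permit from DMZ-164_access_in (the "host MOTCOM02 any" entry), no static between (DMZ-SMTP,DMZ-164) whose global address is 192.168.100.100, and that the only address the posted statics publish for that server on DMZ-164 is 65.222.20.69. Whether that is the whole story on the poster's box is not something the config alone can prove, but it is the first thing to reconcile when an inbound deny is logged despite a matching access-list entry.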