PIX to PIX messaging

We have been trying to use a PIX with two DMZ's in addition to inside and outside connections.

One is a DMZ containing customer test equipment; the second contains a mail server and a DNS server.

We wanted to keep them in separate DMZ's because we plan to use the mailserver for other things and wanted to control the customer's access to the mail server.

Our customer wants to be able to send and receive e-mail from the Internet to a machine in the test equipment DMZ.

We were trying to relay the messages from their system in the test equipment DMZ to the mail server in the mail DMZ and to the Internet.

We were also trying to receive mail to the mail server and relay them to the customer's machine.

We have been able to get the Mail Server to send and receive mail to machines on the Internet (outside). However, we have been unable to get the customer's machine to connect to the mail server and vice-versa.

We set the security levels as follows:

Inside -> 100
SMTP DMZ -> 60
Customer Test DMZ -> 40
Outside -> 0

We added specific rules to allow SMTP between the customer's machine and the mail server.

However, the PIX continues to deny connection requests.

Error Message:

Apr 29 09:57:54 mps-fw01.us-mps.celestica.com %PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25

We are in the process of moving the SMTP server and the DNS server back to customer's equipment DMZ. (Customer requirements trump ours).

Any assistance would be greatly appreciated.

Thanks.

-Neil

Re: PIX to PIX messaging

: Saved
:
PIX Version 6.0(1)
nameif ethernet0 outside-internet security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-164 security40
nameif ethernet3 DMZ-165 security40
nameif ethernet4 DMZ-SMTP security60
nameif ethernet5 DMZ-none security40
enable password XXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXXXX encrypted
hostname MPS-PIX-INT-MOT
domain-name us-roc.celestica.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 136.182.0.0 morarola
name 144.189.0.0 mortarola
name 129.188.0.0 Mortarola
name 10.69.211.230 JasonH
name 10.69.210.113 FredK
name 10.69.144.10 CiscoWorks
name 10.70.148.8 NeilJ
name 10.70.0.0 MTP
name 10.0.0.0 Celestica
name 10.70.164.67 MOTCOM02
name 192.168.100.100 SMTP-DNS-Server
name 10.69.210.148 SteveT.
name 10.70.136.19 PROD04
name 10.70.136.20 PROD05
name 65.222.20.65 router-ethernet
name 65.207.35.210 ROUTER_SERIAL
name 10.70.164.66 NASCOM02
name 10.69.128.0 Rochester
name 65.222.20.70 dns
name 65.222.20.69 SMTP-Srv
name 65.222.20.67 motcm02-outside
access-list outside-internet_access_in permit tcp any host motcm02-outside
access-list outside-internet_access_in permit tcp any host SMTP-Srv
access-list outside-internet_access_in permit tcp host dns host SMTP-Srv
access-list DMZ-164_access_in permit tcp host MOTCOM02 any
access-list DMZ-164_access_in permit tcp any host SMTP-Srv
access-list outside-internet_authentication permit tcp any host motcm02-outside eq telnet
access-list inside_access_in permit tcp 10.70.128.0 255.255.128.0 any eq ftp
access-list inside_access_in permit icmp 10.70.128.0 255.255.128.0 host SMTP-DNS-Server
access-list inside_access_in permit tcp host NeilJ host SMTP-DNS-Server
access-list inside_access_in permit tcp MTP 255.255.0.0 host SMTP-DNS-Server eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server eq smtp any eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server any
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server host dns
pager lines 24
logging on
logging trap notifications
logging history notifications
logging host inside CiscoWorks
logging host inside NeilJ
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto
mtu outside-internet 1500
mtu inside 1500
mtu DMZ-164 1500
mtu DMZ-165 1500
mtu DMZ-SMTP 1500
mtu DMZ-none 1500
ip address outside-internet 65.222.20.66 255.255.255.192
ip address inside 10.70.130.38 255.255.255.240
ip address DMZ-164 10.70.164.11 255.255.255.0
ip address DMZ-165 10.70.165.11 255.255.255.0
ip address DMZ-SMTP 192.168.100.1 255.255.255.0
ip address DMZ-none 127.0.0.1 255.255.255.0
ip verify reverse-path interface outside-internet
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside-internet 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address DMZ-164 0.0.0.0
failover ip address DMZ-165 0.0.0.0
failover ip address DMZ-SMTP 0.0.0.0
failover ip address DMZ-none 0.0.0.0
pdm location CiscoWorks 255.255.255.255 inside
pdm location FredK 255.255.255.255 inside
pdm location JasonH 255.255.255.255 inside
pdm location 10.69.0.0 255.255.0.0 inside
pdm location Mortarola 255.255.0.0 outside-internet
pdm location morarola 255.255.0.0 outside-internet
pdm location mortarola 255.255.0.0 outside-internet
pdm location NeilJ 255.255.255.255 inside
pdm location MTP 255.255.0.0 inside
pdm location 10.70.164.5 255.255.255.255 inside
pdm location Celestica 255.0.0.0 inside
pdm location MOTCOM02 255.255.255.255 DMZ-164
pdm location SMTP-DNS-Server 255.255.255.255 DMZ-SMTP
pdm location SteveT. 255.255.255.255 inside
pdm location PROD04 255.255.255.255 inside
pdm location PROD05 255.255.255.255 inside
pdm location 10.68.128.0 255.255.128.0 inside
pdm location Rochester 255.255.128.0 inside
pdm location 10.70.128.0 255.255.128.0 inside
pdm location 10.70.254.4 255.255.255.255 inside
pdm location router-ethernet 255.255.255.255 outside-internet
pdm location ROUTER_SERIAL 255.255.255.255 outside-internet
pdm location router-ethernet 255.255.255.255 inside
pdm location router-ethernet 255.255.255.255 DMZ-165
pdm location router-ethernet 255.255.255.255 DMZ-164
pdm location NASCOM02 255.255.255.255 DMZ-164
pdm location router-ethernet 255.255.255.255 DMZ-none
pdm location dns 255.255.255.255 outside-internet
pdm location 0.0.0.0 255.255.255.255 inside
pdm location MOTCOM02 255.255.255.255 inside
pdm location MOTCOM02 255.255.255.255 DMZ-165
pdm location MOTCOM02 255.255.255.255 DMZ-none
pdm location 0.0.0.0 255.255.255.192 inside
pdm location 10.70.146.5 255.255.255.255 inside
pdm location 10.70.146.5 255.255.255.255 DMZ-164
pdm location 10.70.146.5 255.255.255.255 DMZ-165
pdm location 10.70.146.5 255.255.255.255 DMZ-none
pdm location SMTP-Srv 255.255.255.255 outside-internet
pdm location motcm02-outside 255.255.255.255 outside-internet
pdm location 10.69.210.53 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
static (DMZ-SMTP,outside-internet) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
static (DMZ-164,outside-internet) motcm02-outside MOTCOM02 netmask 255.255.255.255 0 0
static (DMZ-SMTP,DMZ-164) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
static (inside,DMZ-164) PROD04 PROD04 netmask 255.255.255.255 0 0
static (inside,DMZ-164) PROD05 PROD05 netmask 255.255.255.255 0 0
static (inside,DMZ-SMTP) MTP MTP netmask 255.255.0.0 0 0
access-group outside-internet_access_in in interface outside-internet
access-group inside_access_in in interface inside
access-group DMZ-164_access_in in interface DMZ-164
access-group DMZ-SMTP_access_in in interface DMZ-SMTP
route outside-internet 0.0.0.0 0.0.0.0 65.222.20.66 1
route inside 10.68.128.0 255.255.128.0 10.70.130.35 1
route inside Rochester 255.255.128.0 10.70.130.35 1
route inside 10.70.128.0 255.255.128.0 10.70.130.35 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.70.146.5 3d43662a0e19f3e0 timeout 5
aaa authentication match outside-internet_authentication outside-internet RADIUS
http server enable
http FredK 255.255.255.255 inside
http CiscoWorks 255.255.255.255 inside
http SteveT. 255.255.255.255 inside
http NeilJ 255.255.255.255 inside
http 10.70.254.4 255.255.255.255 inside
http 10.69.210.53 255.255.255.255 inside
snmp-server host inside CiscoWorks
snmp-server location MT. P. Iowa
snmp-server contact Jason Herrmann
snmp-server community bud
snmp-server enable traps
no floodguard enable
no sysopt route dnat
auth-prompt prompt Unauthorized access or utilization of this service is prohibited.
telnet FredK 255.255.255.255 inside
telnet CiscoWorks 255.255.255.255 inside
telnet NeilJ 255.255.255.255 inside
telnet router-ethernet 255.255.255.255 inside
telnet 10.70.254.4 255.255.255.255 inside
telnet MOTCOM02 255.255.255.255 inside
telnet 10.70.146.5 255.255.255.255 inside
telnet 10.69.210.53 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
: end
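As an added illustration that is not part of this thread, the Python checker below encodes the PIX rule behind the security levels in the question and the 106010 deny: a connection from a lower-security interface to a higher one needs a static (higher,lower) whose mapped address is what the client actually connects to, plus a permit in the ACL applied inbound on the lower interface. It runs against a constructed excerpt of the posted config and the posted syslog line; the parser only handles the nameif, static, access-list and access-group forms that excerpt uses, and the ACL matcher ignores net/mask specs and port qualifiers.

```python
import re

# Constructed excerpt of the config and the syslog line posted in this thread.
CONFIG = """
nameif ethernet2 DMZ-164 security40
nameif ethernet4 DMZ-SMTP security60
access-list DMZ-164_access_in permit tcp host MOTCOM02 any
access-list DMZ-164_access_in permit tcp any host SMTP-Srv
static (DMZ-SMTP,DMZ-164) SMTP-Srv SMTP-DNS-Server netmask 255.255.255.255 0 0
access-group DMZ-164_access_in in interface DMZ-164
"""
SYSLOG = ("%PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 "
          "dst DMZ-SMTP:SMTP-DNS-Server/25")

def parse_config(text):
    # Level per interface, statics as (high, low, mapped, real), permits per ACL, ACL per interface.
    cfg = {"level": {}, "static": [], "acl": {}, "group": {}}
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "nameif":                      # nameif ethN NAME securityN
            cfg["level"][t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":                    # static (high,low) mapped real ...
            hi, lo = t[1].strip("()").split(",")
            cfg["static"].append((hi, lo, t[2], t[3]))
        elif t[0] == "access-list" and t[2] == "permit":
            cfg["acl"].setdefault(t[1], []).append(" ".join(t[3:]))
        elif t[0] == "access-group":              # access-group ACL in interface IF
            cfg["group"][t[4]] = t[1]
    return cfg

def acl_permits(cfg, acl, src, dst):
    # Simplified matcher: 'any' / 'host X' specs only; net/mask specs and 'eq PORT' are skipped.
    for entry in cfg["acl"].get(acl, []):
        m = re.match(r"\S+ (any|host \S+) (any|host \S+)", entry)
        if m and m.group(1) in ("any", "host " + src) and m.group(2) in ("any", "host " + dst):
            return True
    return False

def diagnose(cfg, syslog):
    m = re.search(r"src ([^:\s]+):([^/\s]+)/\d+ dst ([^:\s]+):([^/\s]+)/\d+", syslog)
    sif, src, dif, dst = m.groups()
    findings = []
    if cfg["level"][sif] < cfg["level"][dif]:
        # Lower -> higher: the client must address the mapped side of a static (higher,lower).
        mapped = [s[2] for s in cfg["static"] if s[:2] == (dif, sif)]
        if dst not in mapped:
            findings.append(f"no static ({dif},{sif}) presents {dst} to {sif}; "
                            f"mapped addresses available: {', '.join(mapped) or 'none'}")
    if not acl_permits(cfg, cfg["group"].get(sif, ""), src, dst):
        findings.append(f"ingress ACL on {sif} has no permit for {src} -> {dst}")
    return findings
```

For the posted line, the checker reports that the client addressed the server's real name SMTP-DNS-Server while the only static between DMZ-SMTP and DMZ-164 presents the server to DMZ-164 as SMTP-Srv; the ACL check passes because of the `host MOTCOM02 any` entry.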
