Cisco Support Community

New Member

PIX to PIX messaging

We have been trying to use a PIX with two DMZs in addition to inside and outside connections.

One is a DMZ containing customer test equipment. The second contains a mail server and a DNS server.

We wanted to keep them in separate DMZs because we plan to use the mail server for other things and wanted to control the customer's access to the mail server.

Our customer wants to be able to send and receive e-mail from the Internet to a machine in the test equipment DMZ.

We were trying to relay the messages from their system in the test equipment DMZ to the mail server in the mail DMZ and to the Internet.

We were also trying to receive mail to the mail server and relay them to the customer's machine.

We have been able to get the mail server to send and receive mail to machines on the Internet (outside). However, we have been unable to get the customer's machine to connect to the mail server and vice versa.

We set the security levels as follows:

Inside -> 100

SMTP DMZ -> 60

Customer Test DMZ -> 40

Outside -> 0

We added specific rules to allow SMTP between the customer's machine and the mail server.

However, the PIX continues to deny connection requests.

Error Message:

Apr 29 09:57:54 %PIX-3-106010: Deny inbound tcp src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25

We are in the process of moving the SMTP server and the DNS server back to customer's equipment DMZ. (Customer requirements trump ours).

Any assistance would be greatly appreciated.



New Member

Re: PIX to PIX messaging

: Saved
PIX Version 6.0(1)
nameif ethernet0 outside-internet security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ-164 security40
nameif ethernet3 DMZ-165 security40
nameif ethernet4 DMZ-SMTP security60
nameif ethernet5 DMZ-none security40
enable password XXXXXXXXXXXXXXXXXX encrypted
hostname MPS-PIX-INT-MOT
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
name morarola
name mortarola
name Mortarola
name JasonH
name FredK
name CiscoWorks
name NeilJ
name MTP
name Celestica
name MOTCOM02
name SMTP-DNS-Server
name SteveT.
name PROD04
name PROD05
name router-ethernet
name NASCOM02
name Rochester
name dns
name SMTP-Srv
name motcm02-outside
access-list outside-internet_access_in permit tcp any host motcm02-outside
access-list outside-internet_access_in permit tcp any host SMTP-Srv
access-list outside-internet_access_in permit tcp host dns host SMTP-Srv
access-list DMZ-164_access_in permit tcp host MOTCOM02 any
access-list DMZ-164_access_in permit tcp any host SMTP-Srv
access-list outside-internet_authentication permit tcp any host motcm02-outside eq telnet
access-list inside_access_in permit tcp any eq ftp
access-list inside_access_in permit icmp host SMTP-DNS-Server
access-list inside_access_in permit tcp host NeilJ host SMTP-DNS-Server
access-list inside_access_in permit tcp MTP host SMTP-DNS-Server eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server eq smtp any eq smtp
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server any
access-list DMZ-SMTP_access_in permit tcp host SMTP-DNS-Server host dns
pager lines 24
logging on
logging trap notifications
logging history notifications
logging host inside CiscoWorks
logging host inside NeilJ
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto
mtu outside-internet 1500
mtu inside 1500
mtu DMZ-164 1500
mtu DMZ-165 1500
mtu DMZ-SMTP 1500
mtu DMZ-none 1500
ip address outside-internet
ip address inside
ip address DMZ-164
ip address DMZ-165
ip address DMZ-SMTP
ip address DMZ-none
ip verify reverse-path interface outside-internet
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside-internet
failover ip address inside
failover ip address DMZ-164
failover ip address DMZ-165
failover ip address DMZ-SMTP
failover ip address DMZ-none
pdm location CiscoWorks inside
pdm location FredK inside
pdm location JasonH inside
pdm location inside
pdm location Mortarola outside-internet
pdm location morarola outside-internet
pdm location mortarola outside-internet
pdm location NeilJ inside
pdm location MTP inside
pdm location inside
pdm location Celestica inside
pdm location MOTCOM02 DMZ-164
pdm location SMTP-DNS-Server DMZ-SMTP
pdm location SteveT. inside
pdm location PROD04 inside
pdm location PROD05 inside
pdm location inside
pdm location Rochester inside
pdm location inside
pdm location inside
pdm location router-ethernet outside-internet
pdm location ROUTER_SERIAL outside-internet
pdm location router-ethernet inside
pdm location router-ethernet DMZ-165
pdm location router-ethernet DMZ-164
pdm location NASCOM02 DMZ-164
pdm location router-ethernet DMZ-none
pdm location dns outside-internet
pdm location inside
pdm location MOTCOM02 inside
pdm location MOTCOM02 DMZ-165
pdm location MOTCOM02 DMZ-none
pdm location inside
pdm location inside
pdm location DMZ-164
pdm location DMZ-165
pdm location DMZ-none
pdm location SMTP-Srv outside-internet
pdm location motcm02-outside outside-internet
pdm location inside
pdm logging informational 100
pdm history enable
arp timeout 14400
static (DMZ-SMTP,outside-internet) SMTP-Srv SMTP-DNS-Server netmask 0 0
static (DMZ-164,outside-internet) motcm02-outside MOTCOM02 netmask 0 0
static (DMZ-SMTP,DMZ-164) SMTP-Srv SMTP-DNS-Server netmask 0 0
static (inside,DMZ-164) PROD04 PROD04 netmask 0 0
static (inside,DMZ-164) PROD05 PROD05 netmask 0 0
static (inside,DMZ-SMTP) MTP MTP netmask 0 0
access-group outside-internet_access_in in interface outside-internet
access-group inside_access_in in interface inside
access-group DMZ-164_access_in in interface DMZ-164
access-group DMZ-SMTP_access_in in interface DMZ-SMTP
route outside-internet 1
route inside 1
route inside Rochester 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 3d43662a0e19f3e0 timeout 5
aaa authentication match outside-internet_authentication outside-internet RADIUS
http server enable
http FredK inside
http CiscoWorks inside
http SteveT. inside
http NeilJ inside
http inside
http inside
snmp-server host inside CiscoWorks
snmp-server location MT. P. Iowa
snmp-server contact Jason Herrmann
snmp-server community bud
snmp-server enable traps
no floodguard enable
no sysopt route dnat
auth-prompt prompt Unauthorized access or utilization of this service is prohibited.
telnet FredK inside
telnet CiscoWorks inside
telnet NeilJ inside
telnet router-ethernet inside
telnet inside
telnet MOTCOM02 inside
telnet inside
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end
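As an added illustration (not code from either post), the deny message quoted in the first post can be read against the security levels and static translations in the config above: the script parses a %PIX-3-106010 line and checks whether the destination is the mapped address of a static between the two interfaces, which is what a low-to-high connection on PIX 6.x needs before the access-list is even consulted. It assumes the addresses in the message are the ones seen on the ingress interface, and it uses the config's name aliases in place of the IP addresses the page does not show.

```python
import re
from typing import Dict, List, Optional, Tuple

# Security levels and statics transcribed from the config in the thread; the
# 'name' aliases stand in for the IP addresses the page does not show.
SECURITY = {"outside-internet": 0, "inside": 100, "DMZ-164": 40,
            "DMZ-165": 40, "DMZ-SMTP": 60, "DMZ-none": 40}
# static (high_if,low_if) mapped_addr real_addr
STATICS: List[Tuple[str, str, str, str]] = [
    ("DMZ-SMTP", "outside-internet", "SMTP-Srv", "SMTP-DNS-Server"),
    ("DMZ-164", "outside-internet", "motcm02-outside", "MOTCOM02"),
    ("DMZ-SMTP", "DMZ-164", "SMTP-Srv", "SMTP-DNS-Server"),
    ("inside", "DMZ-164", "PROD04", "PROD04"),
    ("inside", "DMZ-164", "PROD05", "PROD05"),
    ("inside", "DMZ-SMTP", "MTP", "MTP"),
]

RE_106010 = re.compile(
    r"%PIX-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<saddr>[^/\s]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<daddr>[^/\s]+)/(?P<dport>\d+)")


def parse_106010(line: str) -> Optional[Dict[str, str]]:
    """Split a %PIX-3-106010 syslog line into interface, address and port fields."""
    m = RE_106010.search(line)
    return m.groupdict() if m else None


def explain_deny(ev: Dict[str, str], statics=STATICS, security=SECURITY) -> str:
    """Check a denied connection against the statics for its interface pair."""
    sif, dif, daddr = ev["sif"], ev["dif"], ev["daddr"]
    if security[sif] >= security[dif]:
        return f"high-to-low traffic: check the access-list bound to {sif} and the nat/global for {sif}"
    # Low-to-high: the destination must be the mapped address of a static (dif,sif).
    pair = [s for s in statics if s[0] == dif and s[1] == sif]
    if not pair:
        return f"no static ({dif},{sif}): nothing on {dif} is reachable from {sif}"
    if any(daddr == mapped for _, _, mapped, _ in pair):
        return f"static exists for {daddr}: check the access-group on {sif}"
    real_to_mapped = {real: mapped for _, _, mapped, real in pair}
    if daddr in real_to_mapped:
        return f"{daddr} is the real address; from {sif} it is only reachable as {real_to_mapped[daddr]}"
    return f"{daddr} is not a mapped address on {sif}: add a static ({dif},{sif}) for it"


# The exact message quoted in the first post.
LOG_LINE = ("Apr 29 09:57:54 %PIX-3-106010: Deny inbound tcp "
            "src DMZ-164:MOTCOM02/41032 dst DMZ-SMTP:SMTP-DNS-Server/25")

if __name__ == "__main__":
    print(explain_deny(parse_106010(LOG_LINE)))
```

For the quoted message the check reports that the customer host addressed the server's real address, while the static (DMZ-SMTP,DMZ-164) only exposes it to DMZ-164 as SMTP-Srv.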
