Cisco Support Community

New Member

Problem: no secondary IP address permitted on PIX

Hi engineers,

I have 3 mail servers, on inside, outside and DMZ.

All of them should communicate with each other. I gave inside an invalid IP address.

DMZ and outside each have a valid one, but in different ranges, for some purpose.

So what do I have to do to make DMZ and outside, especially, able to communicate?

Any comment is much appreciated.


Accepted Solutions
Cisco Employee

Re: Problem: no secondary IP address permitted on PIX

Hi,

So what I have understood from your email:

--You have 3 mail servers, one each on inside, outside and dmz, and want to enable communication among all three.

If the above is the case, then remember the following rules:

--If you are going from a higher security zone to a lower security zone (like inside to dmz, inside to outside, or dmz to outside), then you have to use nat and global statements.

--If you are coming from a lower security zone to a higher security zone (like outside to inside, outside to dmz, or dmz to inside), then you need to create static translations for the machines you want to make visible to lower security zones and open the access-list for those translated IP addresses with the correct destination ports.

Hope the above will help

Thanks

Zia
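
The two rules from the accepted answer, applied to the three-mail-server case as an added configuration example (not part of the original reply and not the poster's actual configuration). It assumes PIX 6.x syntax; the interface numbering, security levels, ACL names and all addresses are constructed for illustration.

```cisco
: Added example in PIX 6.x syntax. All names and addresses are constructed:
:   inside  10.1.1.0/24      mail server 10.1.1.25      (private range)
:   dmz     192.0.2.0/24     mail server 192.0.2.25
:   outside 198.51.100.0/24  mail server 198.51.100.25
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50

: Rule 1, higher to lower: nat + global for ordinary outbound traffic.
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 192.0.2.0 255.255.255.0
global (dmz) 1 interface
global (outside) 1 interface

: Rule 2, lower to higher: one static per server that must be reachable.
: Inside server as seen from dmz and from outside:
static (inside,dmz) 192.0.2.26 10.1.1.25 netmask 255.255.255.255
static (inside,outside) 198.51.100.26 10.1.1.25 netmask 255.255.255.255
: DMZ server as seen from outside:
static (dmz,outside) 198.51.100.27 192.0.2.25 netmask 255.255.255.255

: Permit only SMTP, only between the mail hosts, to the translated addresses.
access-list outside_in permit tcp host 198.51.100.25 host 198.51.100.26 eq smtp
access-list outside_in permit tcp host 198.51.100.25 host 198.51.100.27 eq smtp
access-group outside_in in interface outside

: An ACL bound to dmz also filters dmz-to-outside traffic, so the outbound
: SMTP flow needs its own permit once dmz_in is applied.
access-list dmz_in permit tcp host 192.0.2.25 host 192.0.2.26 eq smtp
access-list dmz_in permit tcp host 192.0.2.25 host 198.51.100.25 eq smtp
access-group dmz_in in interface dmz
```

Each mapped address is taken from the subnet of the lower-security interface it is published on, so the interface itself needs no secondary address. Every `access-list` entry names the translated destination, not the server's real address.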
