SMTP Relay server in DMZ

I am trying to configure a PIX 515 running OS ver. 5.3 to accept SMTP mail from the Internet to an (Exchange) relay server in the DMZ, which then relays the mail to an SMTP server on the internal network. I have encountered some difficulties and was hoping to have a second pair of eyes review my configuration for any glaring or stupid errors. Below is an excerpt from the config I am trying to use:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
.
.
.
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol smtp 25
.
.
.
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp deny any echo-reply outside
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 12.106.226.85 255.255.255.0
ip address inside 10.1.1.146 255.255.0.0
ip address DMZ 10.9.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 12.106.226.87
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 12.106.226.86 10.1.1.147 netmask 255.255.255.255 0 0
static (DMZ,outside) 12.106.226.80 10.9.1.2 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.1.0.0 10.1.0.0 netmask 255.255.0.0 0 0
conduit permit esp host 12.106.226.86 any
conduit permit ah host 12.106.226.86 any
conduit permit udp host 12.106.226.86 eq isakmp any
conduit permit tcp host 12.106.226.80 eq pop3 any
conduit permit tcp host 10.1.1.1 host 10.9.1.2 eq smtp
conduit permit tcp host 10.1.1.3 host 10.9.1.2 eq smtp
conduit permit tcp host 12.106.226.80 eq smtp any
conduit deny icmp host 12.106.226.86 any
conduit deny icmp host 12.106.226.80 any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 12.106.226.1 1

.

.

.

Any assistance would be appreciated.

Dan

dan.kline@networksvcs.net

2 REPLIES

Re: SMTP Relay server in DMZ

Dan,

Here is a sample config from a 6.2 with an SMTP relay server in the DMZ.

nameif ethernet0 outside security0
nameif ethernet1 zone security50
nameif ethernet2 inside security100
fixup protocol ftp 21
fixup protocol http 80
no fixup protocol h323 ras 1718-1719
no fixup protocol ils 389
no fixup protocol h323 h225 1720
no fixup protocol rsh 514
no fixup protocol sqlnet 1521
no fixup protocol sip 5060
no fixup protocol smtp 25
no fixup protocol skinny 2000
no fixup protocol rtsp 554
fixup protocol domain 53
names
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu zone 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.192
ip address zone xx.xx.xx.xx 255.255.255.0
ip address inside x.x.x.x 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address zone 0.0.0.0
failover ip address inside 0.0.0.0
pdm history enable
arp timeout 7000
global (outside) 1 xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
global (outside) 1 xxx.xxx.xxx.xxx
global (zone) 1 xx.xx.xx.xx-xx.xx.xx.xx
global (zone) 1 xx.xx.xx.xx
nat (inside) 1 x.x.x.x 255.255.255.0 0 0
static (zone,outside) xxx.xxx.xxx.xxx xx.xx.xx.xx netmask 255.255.255.255 0 0 = DMZ to Public
static (inside,zone) xx.xx.xx.xx x.x.x.x netmask 255.255.255.255 0 0 = lan to DMZ
conduit permit tcp host xxx.xxx.xxx.xxx eq smtp any = DMZ to Public
conduit permit udp host xxx.xxx.xxx.xxx eq domain any = DMZ to Public
conduit permit tcp host xx.xx.xx.xx eq smtp host xx.xx.xx.xx = DMZ to lan
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1

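The two configs are not quite identical on the one rule that matters for the relay-to-inside hop. In PIX 5.x/6.x a conduit reads `conduit permit|deny PROTO GLOBAL_IP GLOBAL_MASK [eq PORT] FOREIGN_IP FOREIGN_MASK [eq PORT]`, where the global address is the destination as seen from the lower-security side and the foreign address is the source, and a port operator binds to the address it follows. VG's "DMZ to lan" line puts `eq smtp` after the global (destination) host; Dan's two DMZ-to-inside lines put it after the foreign host 10.9.1.2, which constrains the relay's source port rather than the SMTP port on 10.1.1.1/10.1.1.3. The Python below is an added example, not code from the thread or from Cisco: it models conduit matching under that syntax and checks the quoted lines against the flows the thread is about. The corrected conduit lines, the Internet source address 198.51.100.7 and the ephemeral source port 40123 are constructed for the example; only the `eq` operator and the port names used in the thread are modelled, and the list is evaluated first-match (the checked flows do not overlap, so permit/deny precedence does not change the result).

```python
"""Model of PIX conduit matching (added example, not from the original thread).

Assumed syntax (PIX command reference):
    conduit permit|deny PROTO GLOBAL_IP GLOBAL_MASK [eq PORT] FOREIGN_IP FOREIGN_MASK [eq PORT]
GLOBAL_IP is the destination on the lower-security interface; FOREIGN_IP is the
source.  An 'eq PORT' applies to the address it follows.
"""
import ipaddress

# Port names that appear in the thread (assumption: standard IANA values).
PORT_NAMES = {"smtp": 25, "pop3": 110, "domain": 53, "isakmp": 500, "www": 80}


def _port(token):
    return PORT_NAMES.get(token) or int(token)


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' at tokens[i]; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_conduit(line):
    """Split one conduit statement into action, protocol, dst/src nets and ports."""
    t = line.split()
    if t[0] != "conduit" or t[1] not in ("permit", "deny"):
        raise ValueError(f"not a conduit statement: {line!r}")
    dst, i = _parse_addr(t, 3)          # global side = destination
    dst_port, i = _parse_port(t, i)
    src, i = _parse_addr(t, i)          # foreign side = source
    src_port, i = _parse_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in {line!r}: {t[i:]}")
    return {"action": t[1], "proto": t[2], "dst": dst, "dst_port": dst_port,
            "src": src, "src_port": src_port}


def conduit_decision(conduits, proto, src_ip, src_port, dst_ip, dst_port):
    """Return 'permit', 'deny' or 'no-match' for a lower- to higher-security
    connection; first matching conduit wins, no match means the PIX drops it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for c in conduits:
        if c["proto"] not in (proto, "ip"):
            continue
        if s not in c["src"] or d not in c["dst"]:
            continue
        if c["dst_port"] is not None and c["dst_port"] != dst_port:
            continue
        if c["src_port"] is not None and c["src_port"] != src_port:
            continue
        return c["action"]
    return "no-match"


# The TCP conduits as quoted in Dan's post (constructed copy of those lines).
DAN_CONDUITS = [parse_conduit(l) for l in [
    "conduit permit tcp host 12.106.226.80 eq pop3 any",
    "conduit permit tcp host 10.1.1.1 host 10.9.1.2 eq smtp",
    "conduit permit tcp host 10.1.1.3 host 10.9.1.2 eq smtp",
    "conduit permit tcp host 12.106.226.80 eq smtp any",
]]

# Same intent with 'eq smtp' on the global (destination) side, the way VG's
# "DMZ to lan" line is written.  Corrected lines written for this example.
FIXED_CONDUITS = [parse_conduit(l) for l in [
    "conduit permit tcp host 12.106.226.80 eq pop3 any",
    "conduit permit tcp host 10.1.1.1 eq smtp host 10.9.1.2",
    "conduit permit tcp host 10.1.1.3 eq smtp host 10.9.1.2",
    "conduit permit tcp host 12.106.226.80 eq smtp any",
]]


def relay_to_inside(conduits, ephemeral_port=40123):
    """DMZ relay 10.9.1.2 opening SMTP to inside server 10.1.1.1 (identity static)."""
    return conduit_decision(conduits, "tcp", "10.9.1.2", ephemeral_port, "10.1.1.1", 25)


def internet_to_relay(conduits):
    """An Internet host (constructed 198.51.100.7) opening SMTP to 12.106.226.80."""
    return conduit_decision(conduits, "tcp", "198.51.100.7", 51000, "12.106.226.80", 25)


if __name__ == "__main__":
    print("Dan's lines, relay -> inside SMTP:     ", relay_to_inside(DAN_CONDUITS))    # no-match
    print("Corrected lines, relay -> inside SMTP: ", relay_to_inside(FIXED_CONDUITS))  # permit
    print("Internet -> relay SMTP, Dan's lines:   ", internet_to_relay(DAN_CONDUITS))  # permit
```

With Dan's lines the relay's connection to 10.1.1.1:25 only matches if the relay happens to use source port 25, which a mail server never does, so the PIX drops the SYN and the relay sees a timeout that looks like the inside server refusing mail. Inbound Internet-to-relay SMTP matches in both versions, which is why the outside hop works while the inside hop does not. One caveat both configs share: `no fixup protocol smtp 25` turns off Mailguard, so the PIX no longer restricts the SMTP commands it passes to the relay to the RFC 821 minimal set; that is commonly done because Mailguard interferes with ESMTP (EHLO) between Exchange servers, but it means the relay itself is the only SMTP filter in the path.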

Re: SMTP Relay server in DMZ

Thanks, VG. This looks almost identical to what I am using. There may be an additional issue with the SMTP server on the internal network rejecting connections. Once I clear up that issue I will try, try again. I appreciate the sample of a working config. It makes me feel like I'm not losing it altogether . . . Dan
