
New Member

Urgent help needed on DMZ and access list

Current PIX configuration as follows:

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
names
name 210.xxx.xx.x6 mail_server
name 210.xxx.xx.x8 mail_relay
object-group service INBOUND tcp
port-object eq pop3
port-object eq smtp
port-object eq www
port-object eq https
port-object eq domain
access-list inside_access_in permit ip 192.168.110.0 255.255.255.0 any
access-list outside_access_in permit tcp any any object-group INBOUND
access-list outside_access_in permit udp any any eq domain
access-list dmz_access_in permit tcp any any object-group INBOUND
access-list vpn_inside_outbound permit ip any 192.168.110.224 255.255.255.224
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto
ip address outside 210.xxx.xx.x5 255.255.255.224
ip address inside 192.168.110.10 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip local pool VPN 192.168.110.230-192.168.110.254
global (outside) 10 210.xxx.xx.x9
global (outside) 9 210.xxx.xx.x0
nat (inside) 0 access-list vpn_inside_outbound
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz) 9 10.0.0.0 255.255.255.0 0 0
static (inside,outside) mail_server 192.168.110.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.110.0 netmask 255.255.255.0 0 0
static (dmz,outside) mail_relay 10.0.0.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 210.xxx.xx.x7 1

(1) After applying access-list dmz_access_in to interface DMZ, the mail relay server can't access the internet anymore. Why? Does it apply to incoming or outgoing traffic?

(2) With dmz_access_in access list, I can telnet to inside Exchange server, but I still can't send emails to internal users from the mail relay. Any ideas?

(3) Internal/external users can't send/receive emails from the mail relay using the public IP. Access-list issue again?

(4) When I apply an access list on an interface, does it apply to inbound or outbound traffic? I am really confused about applying access lists on interfaces. Will the access list applied on the outside interface be applied to the DMZ? How does the firewall know whether to route the incoming traffic to the DMZ or the inside interface?

Thank you very much in advance for any help/advice.

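Questions (1) and (4) turn on one rule of the PIX: an access-group bound "in interface X" is checked only against packets that enter the firewall on X, and once an ACL is bound there its implicit deny replaces the security-level default for that interface. The following script is an added example written for this thread, not code from the poster or from Cisco. It parses the posted nameif, object-group, access-list and access-group lines and evaluates a few flows from the mail relay (10.0.0.2 on the DMZ). Assumptions: the 198.51.100.x addresses are constructed Internet hosts, and NAT/static translation is left out of the model, so the verdicts reflect the ACL and security-level logic only.

```python
import ipaddress

PORTS = {"pop3": 110, "smtp": 25, "www": 80, "https": 443, "domain": 53}

# Constructed excerpt of the posted configuration (only the lines this model needs).
CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
object-group service INBOUND tcp
port-object eq pop3
port-object eq smtp
port-object eq www
port-object eq https
port-object eq domain
access-list inside_access_in permit ip 192.168.110.0 255.255.255.0 any
access-list outside_access_in permit tcp any any object-group INBOUND
access-list outside_access_in permit udp any any eq domain
access-list dmz_access_in permit tcp any any object-group INBOUND
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
"""


def _addr(t, i):
    """Parse one ACL address operand at t[i]: 'any', 'host X' or 'X MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _port(tok):
    return PORTS.get(tok) or int(tok)


def parse(text):
    """Return (security levels, service groups, ACL rules, ACL bound per interface)."""
    levels, groups, acls, bound = {}, {}, {}, {}
    group = None
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                      # nameif ethN NAME securityLEVEL
            levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "object-group":              # object-group service NAME tcp
            group = groups.setdefault(t[2], set())
        elif t[0] == "port-object":               # port-object eq PORT
            group.add(_port(t[2]))
        elif t[0] == "access-list":
            action, proto = t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            ports = None                          # None means any destination port
            if i < len(t) and t[i] == "eq":
                ports = {_port(t[i + 1])}
            elif i < len(t) and t[i] == "object-group":
                ports = groups[t[i + 1]]
            acls.setdefault(t[1], []).append((action, proto, src, dst, ports))
        elif t[0] == "access-group":              # access-group ACL in interface IF
            bound[t[4]] = t[1]
    return levels, groups, acls, bound


def check(cfg, ingress, egress, proto, src, dst, dport=None):
    """Decide one flow the way the PIX does: the ACL bound to the INGRESS
    interface is consulted top-down, with an implicit deny at the end; if no
    ACL is bound there, the security-level rule applies (a higher level may
    initiate to a lower one).  Translation lookup is not modelled."""
    levels, _, acls, bound = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress in bound:
        name = bound[ingress]
        for action, p, snet, dnet, ports in acls[name]:
            if p not in ("ip", proto) or s not in snet or d not in dnet:
                continue
            if ports is not None and dport not in ports:
                continue
            return action, f"{name}: explicit {action} {p}"
        return "deny", f"{name}: implicit deny at end of list"
    if levels[ingress] > levels[egress]:
        return "permit", f"no ACL on {ingress}: security {levels[ingress]} > {levels[egress]}"
    return "deny", f"no ACL on {ingress}: security {levels[ingress]} <= {levels[egress]}"


def unbind(cfg, iface):
    """Copy of cfg with the access-group removed from iface (the state before it was applied)."""
    levels, groups, acls, bound = cfg
    return levels, groups, acls, {k: v for k, v in bound.items() if k != iface}


if __name__ == "__main__":
    cfg = parse(CONFIG)
    dns = ("dmz", "outside", "udp", "10.0.0.2", "198.51.100.53", 53)   # relay -> Internet DNS
    smtp = ("dmz", "outside", "tcp", "10.0.0.2", "198.51.100.25", 25)  # relay -> Internet SMTP
    to_inside = ("dmz", "inside", "tcp", "10.0.0.2", "192.168.110.2", 25)
    for flow in (dns, smtp, to_inside):
        print(flow, "->", check(cfg, *flow))
    print("same DNS flow before the dmz access-group:", check(unbind(cfg, "dmz"), *dns))
```

Running it shows why the relay lost Internet access: dmz_access_in permits only the TCP ports in INBOUND, so the relay's UDP DNS lookups hit the implicit deny, whereas before the access-group was bound the security-level rule (50 > 0) let them through. It also shows that the DMZ-to-inside SMTP flow in question (2) is permitted by the ACL, so that failure has to be looked for elsewhere, for example in the translation between inside and dmz.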
Gold

Re: Urgent help needed on DMZ and access list

Hi -

Please have a read of the following and let me/us know if this helps:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008015efa9.shtml

Just another note, your static (inside,dmz) 192.168.1.0 192.168.110.0 netmask 255.255.255.0 0 0

shouldn't this be:

static (inside,dmz) 192.168.1.0 192.168.1.0 255.255.255.0 0 0 - or - static (inside,dmz) 192.168.110.0 192.168.110.0 255.255.255.0 0 0 ??

and also remember when modifying any ACLs or static commands always issue command: clear xlate and save with command: write memory.

Thanks -
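The reply above questions the static (inside,dmz) line. The script below is an added example written for this thread, not code from the poster, the replier or Cisco. It models what a static entry does to a packet arriving from the DMZ: "static (real_if,mapped_if) MAPPED REAL netmask MASK" makes the REAL addresses on real_if visible on mapped_if as the MAPPED addresses. It assumes the classic PIX behaviour that a host on a lower-security interface can only reach a higher-security host through an existing translation, so a destination no static covers is dropped; the two static lines are the poster's original and the identity form the reply suggests.

```python
import ipaddress

# Constructed: the poster's original static and the identity form the reply suggests.
ORIGINAL = "static (inside,dmz) 192.168.1.0 192.168.110.0 netmask 255.255.255.0 0 0"
IDENTITY = "static (inside,dmz) 192.168.110.0 192.168.110.0 netmask 255.255.255.0 0 0"


def parse_static(line):
    """static (real_if,mapped_if) MAPPED REAL netmask MASK [...] -> one entry."""
    t = line.split()
    real_if, mapped_if = t[1].strip("()").split(",")
    mask = t[t.index("netmask") + 1]
    return (real_if, mapped_if,
            ipaddress.ip_network(f"{t[2]}/{mask}", strict=False),   # as seen on mapped_if
            ipaddress.ip_network(f"{t[3]}/{mask}", strict=False))   # real addresses on real_if


def reach_real_host(statics, from_if, dst):
    """A host on from_if sends to dst.  Return (real_if, real address) when a
    static on from_if translates dst; None means no translation exists, and the
    packet toward the higher-security side is dropped (assumed PIX behaviour)."""
    a = ipaddress.ip_address(dst)
    for real_if, mapped_if, mapped_net, real_net in statics:
        if mapped_if == from_if and a in mapped_net:
            offset = int(a) - int(mapped_net.network_address)
            return real_if, str(real_net.network_address + offset)
    return None


if __name__ == "__main__":
    # The relay on the DMZ is configured to deliver to the Exchange server's
    # real address 192.168.110.2 (from the poster's static (inside,outside)).
    for label, line in (("original", ORIGINAL), ("identity", IDENTITY)):
        print(label, "->", reach_real_host([parse_static(line)], "dmz", "192.168.110.2"))
    print("original, relay sends to 192.168.1.2 ->",
          reach_real_host([parse_static(ORIGINAL)], "dmz", "192.168.1.2"))
```

With the original static, the inside network is only reachable from the DMZ as 192.168.1.0/24, so a relay pointed at 192.168.110.2 has no translation to use; the identity static (or re-pointing the relay at 192.168.1.2) gives it one. As the reply says, an existing translation entry also has to be cleared (clear xlate) before a changed static takes effect.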

New Member

Re: Urgent help needed on DMZ and access list

Yes, I have read the document and actually entered the settings, but to no avail.

static (dmz,outside) mail_relay 10.0.0.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.110.0 192.168.110.0 netmask 255.255.255.0 0 0
access-list outside_access_in permit tcp any any object-group test
access-group outside_access_in in interface outside

Any ideas? Thanks.
