apscnjohnnie asked:
PIX 3 legged config dmz smtp relay to inside exchange and back

I can't seem to get this to work even though Cisco says it should.  For starters the smtp relay server is a Windows 2003 Web edition and I have created the smtp domain to point to the inside exchange server.  Likewise I have configured the smart host on the inside exchange to forward to the smtp relay server in the dmz.  I also have an edge router that maps a public dns name to a NAT number on the outside interface of the pix; that translation is, for example, 22.22.22.5 - 192.168.254.220, and one Https domain 22.22.22.6 - 192.168.254.230.

Here are the configs I have worked up so far.  Can anyone see anything glaring out at them as to why this won't work?  I want smtp traffic only to pass between the smtp relay server and the inside exchange server and no other traffic.

These object groups were broken down because I want http traffic to go to the dmz server as well, but I want https traffic to go to an internal iis server.

object-group service HTTP tcp
  description HTTP Traffic
  port-object eq www
object-group service HTTPS tcp
  description HTTPS Traffic
  port-object eq https

ip address outside 192.168.254.x 255.255.255.240
ip address inside 10.10.1.x 255.255.255.0
ip address DMZ 192.168.10.x 255.255.255.0

Here are my statics

static (inside,outside) 192.168.254.230 10.10.1.30 netmask 255.255.255.255 0 0  
static (DMZ,outside) 192.168.254.220 192.168.10.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0

Here are the affected access lists
access-list outside_access_in permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in permit tcp any host 192.168.254.220 eq smtp
access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp

Here are my access groups
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ in interface DMZ

Can anyone tell why mail is not flowing in from the web to the dmz smtp relay server and then on to the inside exchange server and back?
Les Moore:

You are permitting DMZ--to--inside traffic destined for the private address.
So, you simply need to exclude this traffic from NAT process:

static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255

apscnjohnnie (asker):
So I need to remove the "0"s from my static line?
(inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0
Are they what is causing the problem?

And what do those 2 0's represent...forgive my ignorance.

The two zeros are a default setting for unlimited connections.
first 0 is max connections -0 for unlimited
2nd 0 is embryonic limit -0 for unlimited

These should have no effect, and you can't remove them.

If you just added this config, did you "clear xlate" after adding it?
What version OS on the PIX? There are some versions where adding static xlates requires a reboot for it to take effect.

Can you post the result of "show access-list"?

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

I performed the following after the config:

clear xlate
clear local-host
clear arp

The 10.10.2.x subnet is a site to site vpn tunnel with a remote site.  All that works fine still.  Actually, I am modifying this up to show what I had it configured as last night, because currently I am routing traffic straight on from outside to inside for both service groups and smtp.  This is how we have been running and it is working fine as well.  Some of the lines I have no idea what they apply to, like "access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)" and this one, which is on a subnet that is not even on any of my networks: "access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)".  This was originally set up by a vendor and he left a lot of garbage behind, most of which I have cleaned up.  If you would like I can send you my entire config.

What I am trying to do is the subject line and move my web services and smtp relay service to the dmz

Here is the access-list

Pix#  sh access-list
access-list cached ACL log flows: total 193, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 4 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=1190)
access-list inside_outbound_nat0_acl line 2 permit ip 10.10.1.0 255.255.255.0 10.10.1.0 255.255.255.224 (hitcnt=147)
access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=931)
access-list inside_access_in; 4 elements
access-list inside_access_in line 2 permit tcp host 10.10.1.20 any eq smtp log 6 interval 300 (hitcnt=204)
access-list inside_access_in line 3 deny tcp 10.10.1.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list inside_access_in line 4 permit ip any any log 6 interval 300 (hitcnt=15296)
access-list inside_access_in line 5 deny ip any any log 6 interval 300 (hitcnt=0)
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit icmp any any (hitcnt=221)
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 eq https (hitcnt=204)
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 eq www (hitcnt=300)
access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
access-list VPN_splitTunnelAcl; 1 elements
access-list VPN_splitTunnelAcl line 1 permit ip 10.10.1.0 255.255.255.0 any (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list DMZ; 1 elements
access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)
access-list  dynacl2; 1 elements
access-list  dynacl2 line 1 permit ip any host 10.10.1.10 (hitcnt=143)
Pix# exit

>access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
>access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)

This looks like it is working OK...smtp traffic is being permitted in the outside interface to the DMZ host (through what appears to be a double-nat)

Did you remove the fixup smtp?

no fixup protocol smtp 25
^

Actually no I didn't, however I have the fixup smtp turned on currently and have no problems with smtp traffic through (you're right) double nat to an inside Exchange server.  I have a 3725 on the perimeter which forwards the public dns name of the site's smtp/http/https services to a nat number on the pix outside interface.  This number is then nat'd on the inside interface and dmz as well.  All my edge router does is route, no ids/vpn/firewall.

So you don't see anything out of order?

If not then I will apply the "no fixup protocol smtp 25" and reboot the PIX after business hours today after I modify this config, and let you know if it works.

I don't see anything else out of order.
I believe that the fixup is what is getting in the way of the DMZ -to- inside smtp traffic.
The fixup simply breaks smtp into an Exchange server and usually to Lotus Notes server.
The issue is the fixup's deep packet inspection and Exchange's use of Extended smtp commands.

Great, I will run this through again and let you know how it comes out and just remove the fixup protocol.

Well here is where I stand.  I can telnet 25 to the inside exchange from the dmz smtprelay server.  I can telnet 25 to the dmz smtprelay server from the inside exchange server.  I can send mail from the dmz to the inside exchange server and it receives fine.  Mail from the inside exchange server sends mail fine to the dmz smtp relay server.  But the problem it goes into the queue and stays there.  The reason it will not go on out is my problem.  I can't ping to any external address from the dmz...can from inside.  I also can't do something more important and that is perform dns lookups.  There doesn't appear to be any way for the dmz smtp relay server to get out to the outside.   And I can't see what I am missing anymore....my eyes have become blurred.

I have these access-lists that permit smtp from the inside out from only the exchange server.  Do I need to create something similar from the dmz out?

access-list inside_access_in permit tcp host 10.10.1.20 any eq smtp
access-list inside_access_in deny tcp 10.10.1.0 255.255.255.0 any eq smtp
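Since the question above turns on what the DMZ access-list does and does not permit, here is an added example (not from the thread, from Cisco, or from Experts Exchange) that parses the "sh access-list" output posted earlier and evaluates a flow against it the way the PIX does: the first matching entry wins, and an access-list bound with access-group ends in an implicit deny. The 203.0.113.x addresses used as outside hosts are constructed test values.

```python
import ipaddress
import re
# Excerpt of the "sh access-list" output posted in this thread (inside and DMZ lists);
# the parser ignores trailing log options and hit counters.
SHOW_ACCESS_LIST = """
access-list inside_access_in line 2 permit tcp host 10.10.1.20 any eq smtp log 6 interval 300 (hitcnt=204)
access-list inside_access_in line 3 deny tcp 10.10.1.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list inside_access_in line 4 permit ip any any log 6 interval 300 (hitcnt=15296)
access-list inside_access_in line 5 deny ip any any log 6 interval 300 (hitcnt=0)
access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)
"""

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "https": 443}
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"\s+(?P<src>host \S+|any|\S+ \S+)\s+(?P<dst>host \S+|any|\S+ \S+)(?:\s+eq\s+(?P<port>\S+))?")

def _network(tok):
    # PIX 6.x ACLs use real subnet masks (not wildcards); 'host' and 'any' are shorthands.
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1])
    return ipaddress.ip_network(tok.replace(" ", "/"), strict=False)

def _port(tok):
    return None if tok is None else PORT_NAMES.get(tok) or int(tok)

def parse_access_lists(text):
    """Return {acl_name: [ace, ...]} in the order the PIX evaluates them."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or "object-group" in line:  # skip summary lines and unexpanded group refs
            continue
        acls.setdefault(m["name"], []).append({
            "action": m["action"], "proto": m["proto"], "port": _port(m["port"]),
            "src": _network(m["src"]), "dst": _network(m["dst"])})
    return acls

def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE wins; an access-list bound with access-group ends in an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto) or src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"
```

Evaluating udp/53 or tcp/25 from 192.168.10.20 to an outside address against the DMZ list returns the implicit deny, which matches the no-DNS, no-outbound-SMTP symptom described above; the inside list shows the first-match ordering that lets 10.10.1.20 out while the line 3 deny catches other inside hosts.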

ASKER CERTIFIED SOLUTION
Les Moore

Thanks a mil, you got me through the last parts of my understanding of the access list rules as applied to the dmz and helped me get mail flowing the way I want through an external dmz smtp relay.

Glad to help!