Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3160
  • Last Modified:

PIX 3 legged config dmz smtp relay to inside exchange and back

I can't seem to get this to work even though Cisco says it should.  For starters the smtp relay server is a Windows 2003 Web edition and I have created the smtp domain to point to the inside exchange server.  Likewise I have configured the smart host on the inside exchange to forward to the smtp realy server in the dmz.  I also have an edge router that maps a public dnsname to a NAT number on the outside interface of the pix that translation is for example 22.22.22.5 - 192.168.254.220 and one Https domain 22.22.22.6 - 192.168.254.230

Here are the configs I have worked up so far.  Can anyone see anything blaring out at them as to why this won't work.  I want smtp traffic only to pass between the smtp relay server and the inside exchange server and no other traffic.

These object groups were broken down because I want http traffic to go to the dmz server as well but I want https traffic to go to an internal iis server

object-group service HTTP tcp
  description HTTP Traffic
  port-object eq www
object-group service HTTPS tcp
  description HTTPS Traffic
  port-object eq https

ip address outside 192.168.254.x 255.255.255.240
ip address inside 10.10.1.x 255.255.255.0
ip address DMZ 192.168.10.x 255.255.255.0

Here are my statics

static (inside,outside) 192.168.254.230 10.10.1.30 netmask 255.255.255.255 0 0  
static (DMZ,outside) 192.168.254.220 192.168.10.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0

Here are the affected access lists
access-list outside_access_in permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in permit tcp any host 192.168.254.220 eq smtp
access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp

Here are my access grous
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ in interface DMZ

Can anyone tell why mail is not flowing in from the web to the dmz smtp relay server and then on to the inside exchange server and back?
0
apscnjohnnie
Asked:
apscnjohnnie
  • 6
  • 6
1 Solution
 
lrmooreCommented:
You are permitting DMZ--to--inside traffice destined for the private address.
So, you simply need to exclude this traffic from NAT process:

static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255

0
 
apscnjohnnieAuthor Commented:
So I need to remove the "0"'s from my static line?
(inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0
Are they what is causing the problem?

And what do those 2 0's represent...forgive my ignorance
0
 
lrmooreCommented:
The two zeros are a default setting for unlimited connections.
first 0 is max connections -0 for unlimited
2nd 0 is embryonic limit -0 for unlimited

These should have no affect, and you can't remove them

If you just added this config, did you "clear xlate" after adding it?
What version OS on the PIX? There are some versions that adding static xlates requires a reboot for it to take affect.

Can you post result of "show access-list"
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
apscnjohnnieAuthor Commented:
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

I performed the following after the config:

clear xlate
clear local-host
clear arp

The 10.10.2.x subnet is a site to site vpn tunnel with a remote site.  All that works fine still actually I am modifying this up to show what I had it configured as last night because currently I am routing traffic straight on from outside to inside for both service groups and smtp.  This is how we have been running and it is working fine as well.  Some of the lines I have no idea what they apply to.  like "access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)" & this one which is on a subnet that is not even on any of my networks.  "access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)"  This was originally set up by a vendor and he left a lot of garbage behind, most of which I have cleaned up.  If you would like I can send you my entire config.

What I am trying to do is the subject line and move my web services and smtp relay service to the dmz

Here is the access-list

Pix#  sh access-list
access-list cached ACL log flows: total 193, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 4 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=1190)
access-list inside_outbound_nat0_acl line 2 permit ip 10.10.1.0 255.255.255.0 10.10.1.0 255.255.255.224 (hitcnt=147)
access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=931)
access-list inside_access_in; 4 elements
access-list inside_access_in line 2 permit tcp host 10.10.1.20 any eq smtp log 6 interval 300 (hitcnt=204)
access-list inside_access_in line 3 deny tcp 10.10.1.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list inside_access_in line 4 permit ip any any log 6 interval 300 (hitcnt=15296)
access-list inside_access_in line 5 deny ip any any log 6 interval 300 (hitcnt=0)
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit icmp any any (hitcnt=221)
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 eq https (hitcnt=204)
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 eq www (hitcnt=300)
access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
access-list VPN_splitTunnelAcl; 1 elements
access-list VPN_splitTunnelAcl line 1 permit ip 10.10.1.0 255.255.255.0 any (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list DMZ; 1 elements
access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)
access-list  dynacl2; 1 elements
access-list  dynacl2 line 1 permit ip any host 10.10.1.10 (hitcnt=143)
Pix# exit
0
 
lrmooreCommented:
>access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
>access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)

This looks like it is working OK...smtp traffic is being permitted in the outside interface to the DMZ host (through what appears to be a double-nat)

Did you remove the fixup smtp?

no fixup protocol smtp 25
^
0
 
apscnjohnnieAuthor Commented:
Actually no I didn't, however I have the fixup smtp turned on currently and have no problems with smtp traffic through (your right) double nat to an inside Exchange server.  I have a 3725 on the perimeter which forwards the public dns name of the sites smtp/http/https services to a nat number on the pix outside interface.  This number is then nat'd on the inside interface and dmz as well.  All my edge router does is route, no ids/vpn/firewall.

So you don't see anything out of order?

If not then I will apply the "no fixup protocol smtp 25" and reboot the PIX after business hours today after i modify this config and let you know if it works.
0
 
lrmooreCommented:
I don't see anything else out of order.
I believe that the fixup is what is getting in the way of the DMZ -to- inside smtp traffic.
The fixup simply breaks smtp into an Exchange server and usually to Lotus Notes server.
The issue is the fixup's deep packet inspection and Exchange's use of Extended smtp commands.
0
 
apscnjohnnieAuthor Commented:
Great, I will run this through again and let you know how it comes out and just remove the fixup protocol
0
 
apscnjohnnieAuthor Commented:
Well here is where I stand.  I can telnet 25 to the inside exchange from the dmz smtprelay server.  I can telnet 25 to the dmz smtprelay server from the inside exchange server.  I can send mail from the dmz to the inside exchange server and it receives fine.  Mail from the inside exchange server sends mail fine to the dmz smtp relay server.  But the problem it goes into the queue and stays there.  The reason it will not go on out is my problem.  I can't ping to any external address from the dmz...can from inside.  I also can't do something more important and that is perform dns lookups.  There doesn't appear to be any way for the dmz smtp relay server to get out to the outside.   And I can't see what I am missing anymore....my eyes have become blurred.

I have these access-lists that permit smtp from the inside out from only the exchange server.  Do I need to create something simliar from the dmz out?

access-list inside_access_in permit tcp host 10.10.1.20 any eq smtp
access-list inside_access_in deny tcp 10.10.1.0 255.255.255.0 any eq smtp



0
 
lrmooreCommented:
You need to permit more in your dmz acl:

access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp  <- permit to inside host
access-list DMZ permit udp host 192.168.10.20 any eq 53  <-- permit dns lookups
access-list DMZ permit tcp host 192.168.10.20 any eq smtp  <-- permit outbound smtp to external hosts

access-group DMZ in interface DMZ
0
 
apscnjohnnieAuthor Commented:
Thanks a mil, you got me through the last parts of my understanding of the access list rules as applied to the dmz and helped me get mail a flowing the way I want through an external dmz smtp relay.
0
 
lrmooreCommented:
Glad to help!
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

  • 6
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now