Solved

PIX 3 legged config dmz smtp relay to inside exchange and back

Posted on 2004-08-16
Last Modified: 2013-11-16
I can't seem to get this to work even though Cisco says it should. For starters the smtp relay server is a Windows 2003 Web edition and I have created the smtp domain to point to the inside exchange server. Likewise I have configured the smart host on the inside exchange to forward to the smtp relay server in the dmz. I also have an edge router that maps a public dns name to a NAT number on the outside interface of the pix; that translation is, for example, 22.22.22.5 - 192.168.254.220, and one HTTPS domain 22.22.22.6 - 192.168.254.230.

Here are the configs I have worked up so far. Can anyone see anything glaring out at them as to why this won't work? I want smtp traffic only to pass between the smtp relay server and the inside exchange server and no other traffic.

These object groups were broken down because I want http traffic to go to the dmz server as well, but I want https traffic to go to an internal iis server.

object-group service HTTP tcp
  description HTTP Traffic
  port-object eq www
object-group service HTTPS tcp
  description HTTPS Traffic
  port-object eq https

ip address outside 192.168.254.x 255.255.255.240
ip address inside 10.10.1.x 255.255.255.0
ip address DMZ 192.168.10.x 255.255.255.0

Here are my statics

static (inside,outside) 192.168.254.230 10.10.1.30 netmask 255.255.255.255 0 0  
static (DMZ,outside) 192.168.254.220 192.168.10.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0

Here are the affected access lists
access-list outside_access_in permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in permit tcp any host 192.168.254.220 eq smtp
access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp

Here are my access-groups
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ in interface DMZ

Can anyone tell why mail is not flowing in from the web to the dmz smtp relay server and then on to the inside exchange server and back?
Question by:apscnjohnnie

12 Comments

Expert Comment

by:lrmoore
You are permitting DMZ-to-inside traffic destined for the private address.
So, you simply need to exclude this traffic from the NAT process:

static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255

Author Comment

by:apscnjohnnie
So I need to remove the "0"'s from my static line?
(inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0
Are they what is causing the problem?

And what do those 2 0's represent...forgive my ignorance
Expert Comment

by:lrmoore
The two zeros are a default setting for unlimited connections.
First 0 is max connections - 0 for unlimited.
2nd 0 is embryonic limit - 0 for unlimited.

These should have no effect, and you can't remove them.

If you just added this config, did you "clear xlate" after adding it?
What version OS on the PIX? There are some versions where adding static xlates requires a reboot for it to take effect.

Can you post result of "show access-list"
Author Comment

by:apscnjohnnie
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

I performed the following after the config:

clear xlate
clear local-host
clear arp

The 10.10.2.x subnet is a site to site vpn tunnel with a remote site. All that works fine still. Actually, I am modifying this up to show what I had it configured as last night, because currently I am routing traffic straight on from outside to inside for both service groups and smtp. This is how we have been running and it is working fine as well. Some of the lines I have no idea what they apply to, like "access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)" and this one, which is on a subnet that is not even on any of my networks: "access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)". This was originally set up by a vendor and he left a lot of garbage behind, most of which I have cleaned up. If you would like I can send you my entire config.

What I am trying to do is the subject line and move my web services and smtp relay service to the dmz.

Here is the access-list

Pix#  sh access-list
access-list cached ACL log flows: total 193, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 4 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=1190)
access-list inside_outbound_nat0_acl line 2 permit ip 10.10.1.0 255.255.255.0 10.10.1.0 255.255.255.224 (hitcnt=147)
access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=931)
access-list inside_access_in; 4 elements
access-list inside_access_in line 2 permit tcp host 10.10.1.20 any eq smtp log 6 interval 300 (hitcnt=204)
access-list inside_access_in line 3 deny tcp 10.10.1.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list inside_access_in line 4 permit ip any any log 6 interval 300 (hitcnt=15296)
access-list inside_access_in line 5 deny ip any any log 6 interval 300 (hitcnt=0)
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit icmp any any (hitcnt=221)
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 eq https (hitcnt=204)
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 eq www (hitcnt=300)
access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
access-list VPN_splitTunnelAcl; 1 elements
access-list VPN_splitTunnelAcl line 1 permit ip 10.10.1.0 255.255.255.0 any (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list DMZ; 1 elements
access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)
access-list  dynacl2; 1 elements
access-list  dynacl2 line 1 permit ip any host 10.10.1.10 (hitcnt=143)
Pix# exit
Expert Comment

by:lrmoore
>access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
>access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)

This looks like it is working OK...smtp traffic is being permitted in the outside interface to the DMZ host (through what appears to be a double-nat)

Did you remove the fixup smtp?

no fixup protocol smtp 25
Author Comment

by:apscnjohnnie
Actually no I didn't; however, I have the fixup smtp turned on currently and have no problems with smtp traffic through (you're right) double nat to an inside Exchange server. I have a 3725 on the perimeter which forwards the public dns name of the site's smtp/http/https services to a nat number on the pix outside interface. This number is then nat'd on the inside interface and dmz as well. All my edge router does is route, no ids/vpn/firewall.

So you don't see anything out of order?

If not then I will apply the "no fixup protocol smtp 25" and reboot the PIX after business hours today after I modify this config, and let you know if it works.
Expert Comment

by:lrmoore
I don't see anything else out of order.
I believe that the fixup is what is getting in the way of the DMZ -to- inside smtp traffic.
The fixup simply breaks smtp into an Exchange server and usually to Lotus Notes server.
The issue is the fixup's deep packet inspection and Exchange's use of Extended smtp commands.
Author Comment

by:apscnjohnnie
Great, I will run this through again and let you know how it comes out, and just remove the fixup protocol.
Author Comment

by:apscnjohnnie
Well here is where I stand. I can telnet 25 to the inside exchange from the dmz smtp relay server. I can telnet 25 to the dmz smtp relay server from the inside exchange server. I can send mail from the dmz to the inside exchange server and it receives fine. Mail from the inside exchange server sends fine to the dmz smtp relay server. But the problem is it goes into the queue and stays there. The reason it will not go on out is my problem. I can't ping any external address from the dmz... I can from inside. I also can't do something more important, and that is perform dns lookups. There doesn't appear to be any way for the dmz smtp relay server to get out to the outside. And I can't see what I am missing anymore... my eyes have become blurred.

I have these access-lists that permit smtp from the inside out from only the exchange server. Do I need to create something similar from the dmz out?

access-list inside_access_in permit tcp host 10.10.1.20 any eq smtp
access-list inside_access_in deny tcp 10.10.1.0 255.255.255.0 any eq smtp



Accepted Solution

by: lrmoore earned 250 total points
You need to permit more in your dmz acl:

access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp  <-- permit to inside host
access-list DMZ permit udp host 192.168.10.20 any eq 53  <-- permit dns lookups
access-list DMZ permit tcp host 192.168.10.20 any eq smtp  <-- permit outbound smtp to external hosts

access-group DMZ in interface DMZ
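A small first-match model of the DMZ access-list, added here as an illustration (it is not from the thread or from Cisco), showing why the original single entry let the relay reach the Exchange server but blocked its outbound DNS and SMTP, and why the three-entry list above fixes that while still denying other DMZ-to-inside traffic; the 203.0.113.x addresses and the flow list are constructed. It models only the access-list, not the static translations or the security-level rules the PIX also applies.

```python
import ipaddress
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53}
def _addr(t, i):
    if t[i] == "any":  # 'any' matches every address
        return None, i + 1
    return ipaddress.ip_network(t[i + 1]), i + 2  # 'host A' -> A/32
def parse_acl(lines):
    # access-list NAME permit|deny PROTO SRC DST [eq PORT]
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    # First matching entry wins; unmatched traffic hits the PIX implicit deny.
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto):
            continue
        if (rsrc is not None and s not in rsrc) or (rdst is not None and d not in rdst):
            continue
        if rport is not None and rport != dst_port:
            continue
        return action == "permit"
    return False

FIXED_DMZ_ACL = parse_acl([
    "access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp",
    "access-list DMZ permit udp host 192.168.10.20 any eq 53",
    "access-list DMZ permit tcp host 192.168.10.20 any eq smtp",
])
ORIGINAL_DMZ_ACL = FIXED_DMZ_ACL[:1]  # the single entry the question started with

# Constructed flows; 203.0.113.x stand in for an external resolver and MX host.
FLOWS = {
    "relay->exchange smtp": ("tcp", "192.168.10.20", "10.10.1.20", 25),
    "relay->external dns": ("udp", "192.168.10.20", "203.0.113.53", 53),
    "relay->external smtp": ("tcp", "192.168.10.20", "203.0.113.25", 25),
    "relay->exchange rdp": ("tcp", "192.168.10.20", "10.10.1.20", 3389),
}
def compare(rules):
    # Map each flow to whether the given DMZ access-list would permit it.
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}
```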
Author Comment

by:apscnjohnnie
Thanks a mil, you got me through the last parts of my understanding of the access list rules as applied to the dmz and helped me get mail flowing the way I want through an external dmz smtp relay.
Expert Comment

by:lrmoore
Glad to help!