PIX 3 legged config dmz smtp relay to inside exchange and back

Posted on 2004-08-16
3,157 Views
Last Modified: 2013-11-16
I can't seem to get this to work even though Cisco says it should.  For starters, the smtp relay server is a Windows 2003 Web edition and I have created the smtp domain to point to the inside exchange server.  Likewise I have configured the smart host on the inside exchange to forward to the smtp relay server in the dmz.  I also have an edge router that maps a public dnsname to a NAT number on the outside interface of the pix; that translation is, for example, 22.22.22.5 - 192.168.254.220, and one Https domain 22.22.22.6 - 192.168.254.230.

Here are the configs I have worked up so far.  Can anyone see anything glaring out at them as to why this won't work?  I want smtp traffic only to pass between the smtp relay server and the inside exchange server and no other traffic.

These object groups were broken down because I want http traffic to go to the dmz server as well, but I want https traffic to go to an internal iis server.

object-group service HTTP tcp
  description HTTP Traffic
  port-object eq www
object-group service HTTPS tcp
  description HTTPS Traffic
  port-object eq https

ip address outside 192.168.254.x 255.255.255.240
ip address inside 10.10.1.x 255.255.255.0
ip address DMZ 192.168.10.x 255.255.255.0

Here are my statics

static (inside,outside) 192.168.254.230 10.10.1.30 netmask 255.255.255.255 0 0  
static (DMZ,outside) 192.168.254.220 192.168.10.20 netmask 255.255.255.255 0 0
static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0

Here are the affected access lists
access-list outside_access_in permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in permit tcp any host 192.168.254.220 eq smtp
access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp

Here are my access groups
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group DMZ in interface DMZ

Can anyone tell why mail is not flowing in from the web to the dmz smtp relay server and then on to the inside exchange server and back?
Question by:apscnjohnnie
12 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11811098
You are permitting DMZ-to-inside traffic destined for the private address.
So, you simply need to exclude this traffic from the NAT process:

static (inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255

 

Author Comment

by:apscnjohnnie
ID: 11811466
So I need to remove the "0"'s from my static line?
(inside,DMZ) 10.10.1.20 10.10.1.20 netmask 255.255.255.255 0 0
Are they what is causing the problem?

And what do those 2 0's represent...forgive my ignorance
 
LVL 79

Expert Comment

by:lrmoore
ID: 11812131
The two zeros are a default setting for unlimited connections.
First 0 is max connections - 0 for unlimited.
2nd 0 is embryonic limit - 0 for unlimited.

These should have no effect, and you can't remove them.

If you just added this config, did you "clear xlate" after adding it?
What version OS on the PIX? There are some versions where adding static xlates requires a reboot for it to take effect.

Can you post result of "show access-list"
 

Author Comment

by:apscnjohnnie
ID: 11812446
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

I performed the following after the config:

clear xlate
clear local-host
clear arp

The 10.10.2.x subnet is a site to site vpn tunnel with a remote site.  All that works fine still.  Actually, I am modifying this up to show what I had it configured as last night, because currently I am routing traffic straight on from outside to inside for both service groups and smtp.  This is how we have been running and it is working fine as well.  Some of the lines I have no idea what they apply to, like "access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)" and this one, which is on a subnet that is not even on any of my networks: "access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)".  This was originally set up by a vendor and he left a lot of garbage behind, most of which I have cleaned up.  If you would like I can send you my entire config.

What I am trying to do is the subject line and move my web services and smtp relay service to the dmz.

Here is the access-list

Pix#  sh access-list
access-list cached ACL log flows: total 193, denied 0 (deny-flow-max 1024)
            alert-interval 300
access-list inside_outbound_nat0_acl; 4 elements
access-list inside_outbound_nat0_acl line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=1190)
access-list inside_outbound_nat0_acl line 2 permit ip 10.10.1.0 255.255.255.0 10.10.1.0 255.255.255.224 (hitcnt=147)
access-list inside_outbound_nat0_acl line 3 permit ip 10.10.1.0 255.255.255.0 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list inside_outbound_nat0_acl line 4 permit ip 10.10.1.0 255.255.255.0 10.20.20.0 255.255.255.0 (hitcnt=0)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0 (hitcnt=931)
access-list inside_access_in; 4 elements
access-list inside_access_in line 2 permit tcp host 10.10.1.20 any eq smtp log 6 interval 300 (hitcnt=204)
access-list inside_access_in line 3 deny tcp 10.10.1.0 255.255.255.0 any eq smtp (hitcnt=0)
access-list inside_access_in line 4 permit ip any any log 6 interval 300 (hitcnt=15296)
access-list inside_access_in line 5 deny ip any any log 6 interval 300 (hitcnt=0)
access-list outside_access_in; 4 elements
access-list outside_access_in line 1 permit icmp any any (hitcnt=221)
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 object-group HTTPS
access-list outside_access_in line 2 permit tcp any host 192.168.254.230 eq https (hitcnt=204)
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 object-group HTTP
access-list outside_access_in line 3 permit tcp any host 192.168.254.220 eq www (hitcnt=300)
access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
access-list VPN_splitTunnelAcl; 1 elements
access-list VPN_splitTunnelAcl line 1 permit ip 10.10.1.0 255.255.255.0 any (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 10.10.1.128 255.255.255.128 (hitcnt=0)
access-list DMZ; 1 elements
access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)
access-list  dynacl2; 1 elements
access-list  dynacl2 line 1 permit ip any host 10.10.1.10 (hitcnt=143)
Pix# exit
 
LVL 79

Expert Comment

by:lrmoore
ID: 11812565
>access-list outside_access_in line 4 permit tcp any host 192.168.254.220 eq smtp (hitcnt=145)
>access-list DMZ line 1 permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp (hitcnt=110)

This looks like it is working OK...smtp traffic is being permitted in the outside interface to the DMZ host (through what appears to be a double-nat)

Did you remove the fixup smtp?

no fixup protocol smtp 25
^
 

Author Comment

by:apscnjohnnie
ID: 11812659
Actually no I didn't; however, I have the fixup smtp turned on currently and have no problems with smtp traffic through (you're right) double nat to an inside Exchange server.  I have a 3725 on the perimeter which forwards the public dns name of the site's smtp/http/https services to a nat number on the pix outside interface.  This number is then nat'd on the inside interface and dmz as well.  All my edge router does is route, no ids/vpn/firewall.

So you don't see anything out of order?

If not then I will apply the "no fixup protocol smtp 25" and reboot the PIX after business hours today after I modify this config, and let you know if it works.
 
LVL 79

Expert Comment

by:lrmoore
ID: 11812985
I don't see anything else out of order.
I believe that the fixup is what is getting in the way of the DMZ -to- inside smtp traffic.
The fixup simply breaks smtp into an Exchange server and usually to Lotus Notes server.
The issue is the fixup's deep packet inspection and Exchange's use of Extended smtp commands.
 

Author Comment

by:apscnjohnnie
ID: 11813625
Great, I will run this through again and let you know how it comes out, and just remove the fixup protocol.
 

Author Comment

by:apscnjohnnie
ID: 11817101
Well here is where I stand.  I can telnet 25 to the inside exchange from the dmz smtprelay server.  I can telnet 25 to the dmz smtprelay server from the inside exchange server.  I can send mail from the dmz to the inside exchange server and it receives fine.  Mail from the inside exchange server sends fine to the dmz smtp relay server.  But the problem is it goes into the queue and stays there.  The reason it will not go on out is my problem.  I can't ping to any external address from the dmz...can from inside.  I also can't do something more important, and that is perform dns lookups.  There doesn't appear to be any way for the dmz smtp relay server to get out to the outside.   And I can't see what I am missing anymore....my eyes have become blurred.

I have these access-lists that permit smtp from the inside out from only the exchange server.  Do I need to create something similar from the dmz out?

access-list inside_access_in permit tcp host 10.10.1.20 any eq smtp
access-list inside_access_in deny tcp 10.10.1.0 255.255.255.0 any eq smtp

 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 11817824
You need to permit more in your dmz acl:

access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp  <- permit to inside host
access-list DMZ permit udp host 192.168.10.20 any eq 53  <-- permit dns lookups
access-list DMZ permit tcp host 192.168.10.20 any eq smtp  <-- permit outbound smtp to external hosts

access-group DMZ in interface DMZ
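As an added illustration (not code from the thread or from Cisco), the following Python models how the PIX evaluates the DMZ interface ACL against the flows apscnjohnnie describes: the single original entry lets the relay reach the inside Exchange server on port 25 but, because an interface ACL ends in an implicit deny, nothing else, so the relay's outbound DNS and SMTP fail until the two entries above are added. It models only the ACL check (not address translation), and the external addresses are constructed documentation-range values.

```python
import ipaddress
PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53}  # port keywords used in the PIX lines on this page

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'; SRC/DST may be
    'any', 'host A.B.C.D' or 'NET MASK' (enough for the DMZ entries on this page)."""
    tok = line.split()
    name, action, proto, i = tok[1], tok[2], tok[3], 4
    def take_addr():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[i] == "host":
            i += 2
            return ipaddress.ip_network(tok[i - 1] + "/32")
        i += 2
        return ipaddress.ip_network(f"{tok[i - 2]}/{tok[i - 1]}", strict=False)
    src, dst, dport = take_addr(), take_addr(), None
    if i < len(tok) and tok[i] == "eq":
        dport = PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; an interface ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace["proto"] not in (proto, "ip") or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"

# The DMZ ACL as first posted (one entry) and as extended by the accepted solution.
ORIGINAL_DMZ = [parse_ace("access-list DMZ permit tcp host 192.168.10.20 host 10.10.1.20 eq smtp")]
FIXED_DMZ = ORIGINAL_DMZ + [parse_ace(l) for l in (
    "access-list DMZ permit udp host 192.168.10.20 any eq 53",
    "access-list DMZ permit tcp host 192.168.10.20 any eq smtp")]

# Constructed flows; the external addresses are RFC 5737 documentation ranges, not real hosts.
FLOWS = [("relay -> inside Exchange smtp", "tcp", "192.168.10.20", "10.10.1.20", 25),
         ("relay -> external DNS", "udp", "192.168.10.20", "198.51.100.53", 53),
         ("relay -> external MX smtp", "tcp", "192.168.10.20", "203.0.113.25", 25),
         ("relay -> inside Exchange http", "tcp", "192.168.10.20", "10.10.1.20", 80),
         ("other DMZ host -> inside Exchange smtp", "tcp", "192.168.10.21", "10.10.1.20", 25)]

def report():
    """Return (label, verdict with the original ACL, verdict with the fixed ACL) per flow."""
    return [(label, evaluate(ORIGINAL_DMZ, *f), evaluate(FIXED_DMZ, *f)) for label, *f in FLOWS]
```

Calling `report()` shows that only the relay's outbound DNS and SMTP change from deny to permit; the relay still cannot reach Exchange on any port other than 25, and no other DMZ host gains access.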
 

Author Comment

by:apscnjohnnie
ID: 11821962
Thanks a mil, you got me through the last parts of my understanding of the access list rules as applied to the dmz and helped me get mail flowing the way I want through an external dmz smtp relay.
 
LVL 79

Expert Comment

by:lrmoore
ID: 11822388
Glad to help!