Pix config question
Posted on 2004-10-21
I'm a little confused on how email will reach the email server, which is on the inside interface. Can someone please look at this config and answer the questions below?
1. Which IP will I use to point to my domain (A Record for InterNic)? Is it the public ip of the IIS server since that is where the website is or is it the IP of the outside interface on the pix?
2. How will emails reach the email server since it is on the inside? I'm thinking it's this:
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255
3. Will this config do the following?
a. Access the web server in the dmz.
b. Allow OWA to reach the email server (inside).
c. Allow all hosts to access the internet, including the server in the DMZ.
Pix ------ DMZ: IIS server and FTP server, 172.16.5.0 255.255.255.240
Private LAN (inside): DC with Active Directory and Email server, 192.168.50.0 255.255.255.0
object-group service web_server tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq domain
port-object eq smtp
access-list outside_in permit tcp any interface outside object-group web_server
access-list dmz_in permit ip host 172.16.5.2 192.168.50.0 255.255.255.0
access-list dmz_in permit icmp any any *Testing only
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in permit tcp host 172.16.5.2 eq www any
access-list dmz_in permit tcp host 172.16.5.2 eq https any
access-list dmz_in permit tcp host 172.16.5.2 eq ftp any
access-list dmz_in deny ip any any
ip address outside public_ip 255.255.255.240
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.240
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0
static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0
static (inside,outside) tcp interface www 192.168.50.5 www netmask 255.255.255.255 0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
route outside 0 0 public_IP *outside interface
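To see which of the inbound flows asked about in question 3 actually have both a static translation and a matching outside_in entry in the posted config, here is an added checker (example code, not from the original post or from Cisco). It models only the static and access-list lines in isolation: it assumes the object-group, static and outside_in lines exactly as posted, treats `interface outside` as the destination keyword `interface`, and ignores PIX NAT ordering, fixups and any overlap between public_ip and the outside interface address.

```python
"""Report, per inbound TCP flow, the static translation and ACL match in a PIX 6.x-style config."""

# Constructed copy of the relevant lines from the posted config.
CONFIG = """
object-group service web_server tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq domain
port-object eq smtp
access-list outside_in permit tcp any interface outside object-group web_server
static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0
static (inside,outside) tcp interface www 192.168.50.5 www netmask 255.255.255.255 0
"""

def parse(text):
    groups, statics, acl, current = {}, [], [], None
    for line in text.strip().splitlines():
        w = line.split()
        if w[0] == "object-group" and w[1] == "service":
            current = groups.setdefault(w[2], set())      # new service group
        elif w[0] == "port-object":
            current.add(w[2])                             # 'port-object eq <port>'
        elif w[0] == "static":
            if w[2] == "tcp":                             # port forward: mapped addr/port -> real host
                statics.append((w[3], w[4], w[5]))
            else:                                         # one-to-one: mapped addr -> real host, all ports
                statics.append((w[2], "any", w[3]))
        elif w[0] == "access-list" and w[2] == "permit":
            dst = w[6] if w[5] == "host" else w[5]        # 'interface outside' -> 'interface'
            ports = groups[w[-1]] if w[-2] == "object-group" else {w[-1]}
            acl.append((dst, ports))
    return statics, acl

def inbound(text, dst, port):
    """Return (real host or None, ACL permits?) for TCP traffic to dst:port arriving on outside."""
    statics, acl = parse(text)
    real = next((r for m, p, r in statics if m == dst and p in ("any", port)), None)
    permitted = any(d == dst and port in ports for d, ports in acl)
    return real, permitted

if __name__ == "__main__":
    for dst, port in [("interface", "smtp"), ("interface", "www"),
                      ("interface", "https"), ("public_ip", "www")]:
        print(dst, port, "->", inbound(CONFIG, dst, port))
```

A flow that returns a real host but `False` for the ACL, or `True` for the ACL but no real host, is one the config as posted does not fully handle.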