Pix config question

I'm a little confused about how email will reach the email server, which is on the inside interface. Can someone please look at this config and answer the questions below?
Thank you.

1. Which IP will I use to point to my domain (A record for InterNIC)? Is it the public IP of the IIS server, since that is where the website is, or is it the IP of the outside interface on the PIX?
2. How will emails reach the email server since it is on the inside? I'm thinking it's
this*  static (inside,outside) tcp interface smtp smtp netmask ?
3. Will this config do the following?
           a.      Access the web server in the DMZ.
           b.      Allow OWA to reach the email server (inside).
           c.      Allow all hosts to access the internet, including the server in the DMZ.

Pix------DMZ: IIS server and FTP server
Private LAN (inside): DC with Active Directory and email server.

object-group service web_server tcp
      port-object eq www
      port-object eq https
      port-object eq ftp
      port-object eq domain
      port-object eq smtp

access-list outside_in permit tcp any interface outside object-group web_server

access-list dmz_in permit ip host
access-list dmz_in permit icmp any any *Testing only
access-list dmz_in permit udp host any eq domain
access-list dmz_in permit tcp host any eq www
access-list dmz_in permit tcp host any eq https
access-list dmz_in permit tcp host eq www any
access-list dmz_in permit tcp host eq https any
access-list dmz_in permit tcp host eq ftp any
access-list dmz_in deny ip any any

ip address outside public_ip
ip address inside
ip address dmz

global (outside) 1 interface
nat (inside)

static (dmz,outside) public_ip netmask 0
static (inside,outside) tcp interface smtp smtp netmask 0
static (inside,outside) tcp interface www www netmask 0

static (inside,dmz) 192.168.50.0 netmask 0

access-group outside_in in interface outside
access-group dmz_in in interface dmz

route outside 0 0 public_IP   *outside interface


1 Solution
If all you have is one public IP assigned to the outside interface, you can't map that to the web server in the dmz.

Change this:
   >static (dmz,outside) public_ip netmask

to this:
    static (dmz,outside) tcp interface www www netmask
    static (dmz,outside) tcp interface ftp ftp netmask
    static (dmz,outside) tcp interface ftp-data ftp-data netmask

Then you can't use this one at the same time:
   >static (dmz,outside) public_ip netmask 0

Do you have another Public IP address other than the interface ip?
If not, then all of your A and MX DNS records have to point to the interface IP address.

#3a, yes
#3b, No because you have port 80 going to the web server in the dmz
for #3c, you need to add:
   global (dmz) 1 interface

mcfr6070Author Commented:
I have 8 public IPs I can use; can I get 3b to work with that?
Yes, of course..

mcfr6070Author Commented:
Should I do a static such as (for the email server in the inside)?
 static (inside,outside) x.x.x.16 netmask  

Regarding the OWA, when the request for the OWA comes in it will hit the IIS and then it will forward to the email server. Will I need a static line in order for the request to get to the email server, or will this line do it? Thanks for your help
static (inside,dmz) 192.168.50.0 netmask 0

Yes you need both the static and the corresponding access-list entry.
Does the OWA server redirect the user to the other IP, or just communicate itself with the email server? If it does not redirect, then you need both that static and an access-list applied to the dmz interface...
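
As an added example (not part of the thread or anyone's post in it), here is a small Python lint for the two points made above: the solution's warning that a one-to-one static cannot use the outside interface address alongside interface-based port statics (and that port 80 cannot be sent both to the DMZ web server and to the inside OWA server), and the later reply that every static needs a matching access-list entry. The config it checks is constructed for this example, with documentation-range addresses (192.0.2.0/24, 10.1.1.10, 10.0.0.25) standing in for the question's elided values, and the parser understands only the subset of PIX 6.x syntax the thread uses.

```python
"""Lint a PIX 6.x-style NAT/ACL fragment for the mistakes raised in the thread. Added example,
not from the page; it reads only the syntax the thread uses, and 'ip address' lines must come first."""
from collections import defaultdict

PORTS = {"www": 80, "http": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25, "domain": 53}

def port_num(tok):
    return PORTS[tok] if tok in PORTS else int(tok)   # PIX service name or number -> port

def take_addr(t, i, ifaces):
    """Consume one address spec at t[i]: any | host X | interface IFC | NET MASK."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "interface":                 # resolve to that interface's own address
        return ifaces[t[i + 1]], i + 2
    addr = t[i + 1] if t[i] == "host" else t[i]   # host X, or the network part of NET MASK
    return addr, i + 2

def parse(config):
    """Return (ifaces, statics, aces, applied); lines outside the subset are ignored."""
    ifaces, statics, aces, applied, groups, group = {}, [], [], {}, defaultdict(list), None
    for t in filter(None, map(str.split, config.splitlines())):   # tokenised non-empty lines
        if t[:2] == ["ip", "address"]:
            ifaces[t[2]] = t[3]
        elif t[:2] == ["object-group", "service"]:
            group = t[2]
        elif t[0] == "port-object" and group:
            groups[group].append(port_num(t[2]))
        elif t[0] == "static":
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            if t[2] in ("tcp", "udp"):      # static PAT: one port of the mapped address
                proto, m_ip, m_port, r_ip = t[2], t[3], port_num(t[4]), t[5]
            else:                           # one-to-one static NAT: every port
                proto, m_ip, m_port, r_ip = None, t[2], None, t[3]
            m_ip = ifaces[mapped_ifc] if m_ip == "interface" else m_ip
            statics.append(dict(mapped_ifc=mapped_ifc, proto=proto, mapped_ip=m_ip,
                                mapped_port=m_port, real_ip=r_ip))
        elif t[0] == "access-list":
            _, i = take_addr(t, 4, ifaces)          # source address is not needed here
            dst, i = take_addr(t, i, ifaces)
            ports = None                            # None = any destination port
            if i < len(t) and t[i] == "eq":
                ports = [port_num(t[i + 1])]
            elif i < len(t) and t[i] == "object-group":
                ports = groups[t[i + 1]]
            aces.append(dict(name=t[1], action=t[2], proto=t[3], dst=dst, ports=ports))
        elif t[0] == "access-group":
            applied[t[-1]] = t[1]                   # interface -> name of its inbound ACL
    return ifaces, statics, aces, applied

def lint(config, outside="outside"):
    """Return (code, detail...) findings; an empty list means no check fired."""
    ifaces, statics, aces, applied = parse(config)
    findings, one_to_one, by_port = [], {}, defaultdict(set)
    for s in statics:
        if s["mapped_port"] is None:
            if s["mapped_ip"] in ifaces.values():   # one host cannot own a whole interface address
                findings.append(("INTERFACE_IP_ONE_TO_ONE", s["mapped_ip"], s["real_ip"]))
            one_to_one[s["mapped_ip"]] = s["real_ip"]
        else:
            by_port[(s["mapped_ip"], s["proto"], s["mapped_port"])].add(s["real_ip"])
    for (ip, proto, port), reals in by_port.items():
        if ip in one_to_one:                        # a one-to-one static already claims this port
            reals = reals | {one_to_one[ip]}
        if len(reals) > 1:
            findings.append(("PORT_CONFLICT", f"{ip}:{proto}/{port}", tuple(sorted(reals))))
    inbound = [a for a in aces if a["name"] == applied.get(outside) and a["action"] == "permit"]
    for s in statics:                               # translation no inbound ACE lets traffic reach
        ok = any(a["dst"] in ("any", s["mapped_ip"])
                 and (s["proto"] is None or a["proto"] in ("ip", s["proto"]))
                 and (s["mapped_port"] is None or a["ports"] is None or s["mapped_port"] in a["ports"])
                 for a in inbound)
        if s["mapped_ifc"] == outside and not ok:
            findings.append(("NO_ACE_FOR_STATIC", s["mapped_ip"], s["mapped_port"]))
    for a in inbound:                               # ACE that opens a port nothing is translated to
        if a["dst"] != "any" and a["ports"] is not None and a["dst"] not in one_to_one:
            for p in a["ports"]:
                if (a["dst"], a["proto"], p) not in by_port:
                    findings.append(("ACE_WITHOUT_STATIC", a["dst"], p))
    return findings

# Constructed sample modelled on the thread: 192.0.2.0/24 stands in for the public block,
# 10.1.1.10 for the DMZ web/FTP server and 10.0.0.25 for the inside mail/OWA server.
CONSTRUCTED_CONFIG = """
ip address outside 192.0.2.1 255.255.255.0
object-group service web_server tcp
  port-object eq www
  port-object eq ftp
access-list outside_in permit tcp any interface outside object-group web_server
access-list outside_in permit tcp any host 192.0.2.16 eq smtp
access-list outside_in permit tcp any host 192.0.2.16 eq www
static (dmz,outside) 192.0.2.1 10.1.1.10 netmask 255.255.255.255
static (dmz,outside) tcp interface www 10.1.1.10 www netmask 255.255.255.255
static (dmz,outside) tcp interface ftp 10.1.1.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.0.0.25 www netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.16 smtp 10.0.0.25 smtp netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.16 https 10.0.0.25 https netmask 255.255.255.255
access-group outside_in in interface outside
"""
```

Calling lint(CONSTRUCTED_CONFIG) reports four findings that map directly onto the thread: the one-to-one static on the interface address, port 80 on that address claimed by both the DMZ and the inside host, the https static on the second public IP with no ACE to let OWA traffic in, and an ACE opening port 80 on that IP with nothing translated behind it. The lint is deliberately conservative: it only follows ACEs referenced by an access-group on the outside interface, it treats an undefined object-group as permitting no ports, and it does not model ACE ordering or deny entries, so a clean result is a necessary check, not proof the policy is right.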
Any progress? Are you still working on this? Do you need more information?