Pix config question

Posted on 2004-10-21
Last Modified: 2010-04-09
I’m a little confused on how email will reach the email server which is in the inside interface. Can someone please look at this config and answer the questions below?
Thank You.

1. Which IP will I use to point to my domain (A Record for InterNic)? Is it the public ip of the IIS server since that is where the website is or is it the IP of the outside interface on the pix?
2. How will emails reach the email server since it is on the inside? I'm thinking it's this:
   static (inside,outside) tcp interface smtp smtp netmask ?
3. Will this config do the following:
   a. Access the web server in the dmz.
   b. Allow OWA to reach the email server (inside).
   c. Allow all hosts to access the internet, including the server in the dmz.

Pix ------ DMZ: IIS server and FTP server
Private LAN (inside): DC with Active Directory and Email server.

object-group service web_server tcp
      port-object eq www
      port-object eq https
      port-object eq ftp
      port-object eq domain
      port-object eq smtp

access-list outside_in permit tcp any interface outside object-group web_server

access-list dmz_in permit ip host
access-list dmz_in permit icmp any any *Testing only
access-list dmz_in permit udp host any eq domain
access-list dmz_in permit tcp host any eq www
access-list dmz_in permit tcp host any eq https
access-list dmz_in permit tcp host eq www any
access-list dmz_in permit tcp host eq https any
access-list dmz_in permit tcp host eq ftp any
access-list dmz_in deny ip any any

ip address outside public_ip
ip address inside
ip address dmz

global (outside) 1 interface
nat (inside)

static (dmz,outside) public_ip netmask 0
static (inside,outside) tcp interface smtp smtp netmask 0
static (inside,outside) tcp interface www www netmask 0

static (inside,dmz) 192.168.50.0 netmask 0

access-group outside_in in interface outside
access-group dmz_in in interface dmz

route outside 0 0 public_IP   *outside interface


Question by: mcfr6070
    LVL 79

    Accepted Solution

    If all you have is one public IP assigned to the outside interface, you can't map that to the web server in the dmz.

    Change this:
       >static (dmz,outside) public_ip netmask

    to this:
        static (dmz,outside) tcp interface www www netmask
        static (dmz,outside) tcp interface ftp ftp netmask
        static (dmz,outside) tcp interface ftp-data ftp-data netmask

    Then you can't use this one at the same time:
       >static (dmz,outside) public_ip netmask 0

    Do you have another public IP address other than the interface IP?
    If not, then all of your A and MX DNS records have to point to the interface IP address.

    #3a, yes
    #3b, No because you have port 80 going to the web server in the dmz
    for #3c, you need to add:
       global (dmz) 1 interface
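The two problems the accepted solution points out (a one-to-one static that consumes the interface address, and TCP port 80 claimed by two different hosts) can be caught mechanically before the config is pushed. The checker below is an added example, not part of the thread: it parses an assumed PIX 6.x subset of the `static` grammar and runs it over constructed sample statements that mirror the poster's layout (203.0.113.2 stands in for the outside interface IP, 192.168.50.10 for the DMZ IIS host, 192.168.1.20 for the inside mail server).

```python
import re
from collections import namedtuple

# Added example (not from the thread): flag PIX "static" entries that claim the same outside address/port.
# Assumed PIX 6.x grammar: static (real_if,mapped_if) [tcp|udp] {mapped_ip|interface} [mapped_port] real_ip [real_port] netmask M
PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25, "ftp": 21, "ftp-data": 20, "domain": 53}
Static = namedtuple("Static", "line mapped_if mapped_ip proto mapped_port real_ip")
def _port(p): return int(p) if p.isdigit() else PORTS[p]

def parse_static(line, interface_ips):
    toks = line.split()
    pair = re.fullmatch(r"\((\w+),(\w+)\)", toks[1]) if len(toks) > 1 and toks[0] == "static" else None
    if not pair:
        raise ValueError(f"not a static statement: {line!r}")
    _real_if, mapped_if = pair.groups()
    args = toks[2:toks.index("netmask")] if "netmask" in toks else toks[2:]
    if args and args[0] in ("tcp", "udp"):            # port static: one port of the mapped address
        proto, mapped, mport, real_ip, _rport = args
        mapped_port = _port(mport)
    else:                                               # one-to-one static: the whole mapped address
        (mapped, real_ip), proto, mapped_port = args, "ip", None
    if mapped == "interface":                           # keyword for the mapped interface's own IP
        mapped = interface_ips[mapped_if]
    return Static(line.strip(), mapped_if, mapped, proto, mapped_port, real_ip)

def find_conflicts(config_lines, interface_ips):
    statics = [parse_static(l, interface_ips) for l in config_lines if l.strip().startswith("static ")]
    conflicts = []
    for i, a in enumerate(statics):
        for b in statics[i + 1:]:
            if (a.mapped_if, a.mapped_ip) != (b.mapped_if, b.mapped_ip):
                continue
            if "ip" in (a.proto, b.proto):              # a one-to-one static leaves no port free for PAT
                conflicts.append((a.line, b.line, f"one-to-one static already consumes {a.mapped_ip}"))
            elif (a.proto, a.mapped_port) == (b.proto, b.mapped_port):   # same port forwarded twice
                conflicts.append((a.line, b.line, f"{a.proto}/{a.mapped_port} already forwarded to {a.real_ip}"))
    return conflicts

# Constructed sample (RFC 5737 addresses): the poster's layout, 203.0.113.2 being the outside interface IP.
IFACES = {"outside": "203.0.113.2"}
AS_POSTED = [   # whole public IP mapped to the DMZ IIS host, plus port statics on "interface"
    "static (dmz,outside) 203.0.113.2 192.168.50.10 netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255",
]
PORT_STATICS_ONLY = [   # the suggested fix, but port 80 is still also sent inside (question 3b)
    "static (dmz,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255",
    "static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255",
    "static (inside,outside) tcp interface www 192.168.1.20 www netmask 255.255.255.255",
]
```

Giving the mail server its own public address, as the thread goes on to do, is the case in which `find_conflicts` returns nothing.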


    Author Comment

    I have 8 public IPs I can use, can I get 3b to work with that?
    LVL 79

    Expert Comment

    Yes, of course.

    Author Comment

    Should I do a static such as this (for the email server on the inside)?
     static (inside,outside) x.x.x.16 netmask  

    Regarding the OWA, when the request for the OWA comes in it will hit the IIS and then it will forward to the email server. Will I need a static line in order for the request to get to the email server, or will this line do it? Thanks for your help.
    static (inside,dmz) 192.168.50.0 netmask 0

    LVL 79

    Expert Comment

    Yes, you need both the static and the corresponding access-list entry.
    Does the OWA server redirect the user to the other IP, or just communicate itself with the email server? If it does not redirect, then you need both that static and an access-list applied to the dmz interface...
    LVL 79

    Expert Comment

    Any progress? Are you still working on this? Do you need more information?
