
Pix config question

I'm a little confused about how email will reach the email server, which is on the inside interface. Can someone please look at this config and answer the questions below?
Thank you.

1. Which IP will I use to point my domain to (A record for InterNIC)? Is it the public IP of the IIS server, since that is where the website is, or is it the IP of the outside interface on the PIX?
2. How will emails reach the email server, since it is on the inside? I'm thinking it's this:
   static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 ?
3. Will this config do the following?
   a. Access the web server in the DMZ.
   b. Allow OWA to reach the email server (inside).
   c. Allow all hosts to access the internet, including the server in the DMZ.

Internet
    |
    |
Router
    |
    |
 Pix------DMZ IIS server and FTP server  172.16.5.0 255.255.255.240
   |
   |
Private Lan (inside) DC with Active Directory and Email server. 192.168.50.0 255.255.255.0


object-group service web_server tcp
      port-object eq www
      port-object eq https
      port-object eq ftp
      port-object eq domain
      port-object eq smtp

access-list outside_in permit tcp any interface outside object-group web_server

access-list dmz_in permit ip host 172.16.5.2 192.168.50.0 255.255.255.0
! testing only
access-list dmz_in permit icmp any any
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in permit tcp host 172.16.5.2 eq www any
access-list dmz_in permit tcp host 172.16.5.2 eq https any
access-list dmz_in permit tcp host 172.16.5.2 eq ftp any
access-list dmz_in deny ip any any

ip address outside public_ip 255.255.255.240
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.240

global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0

static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0
static (inside,outside) tcp interface www 192.168.50.5 www netmask 255.255.255.255 0

static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0

access-group outside_in in interface outside
access-group dmz_in in interface dmz

route outside 0 0 public_IP   *outside interface


 

Asked by: mcfr6070

1 Solution

lrmoore commented:
If all you have is one public IP assigned to the outside interface, you can't map that to the web server in the dmz.

Change this:
   >static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255

to this:
    static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
    static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255
    static (dmz,outside) tcp interface ftp-data 172.16.5.2 ftp-data netmask 255.255.255.255

Then you can't use this one at the same time:
   >static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0

Do you have another Public IP address other than the interface ip?
If not, then all of your A and MX DNS records have to point to the interface IP address.

#3a, yes
#3b, No because you have port 80 going to the web server in the dmz
for #3c, you need to add:
   global (dmz) 1 interface
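
lrmoore's answer applied to the posted config, as an added worked example (this block is not from the original thread and not Cisco documentation). It assumes PIX 6.x syntax, a single public address on the outside interface (written public_ip as in the question), and that the web server's outbound traffic is still filtered by the posted dmz_in list. Lines starting with ! are annotations for the reader, not commands, and should be dropped before pasting.

```cisco
! --- Added example: one public IP, everything published on the outside interface ---
! The one-to-one static for the DMZ web server is withdrawn; with only the
! interface address available, each published service becomes a port static.
no static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0

static (dmz,outside) tcp interface www      172.16.5.2 www      netmask 255.255.255.255 0
static (dmz,outside) tcp interface ftp      172.16.5.2 ftp      netmask 255.255.255.255 0
static (dmz,outside) tcp interface ftp-data 172.16.5.2 ftp-data netmask 255.255.255.255 0

! Inbound mail to the inside server shares the interface address: port 25 does
! not collide with the web server's port 80. A second "interface www" static for
! 192.168.50.5 would collide with the DMZ one, which is the reason OWA cannot be
! published on this address (the thread's answer to 3b).
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0

! Outside ACL: open only the ports that actually have a translation, instead of
! the whole web_server object-group (https and domain have no static here).
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq ftp-data
access-list outside_in permit tcp any interface outside eq smtp
access-group outside_in in interface outside

! Translations for traffic that hosts originate. The DMZ network needs a nat
! entry now that the one-to-one static no longer covers the web server.
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 172.16.5.0 255.255.255.240
! outside: inside and DMZ hosts are PATed to the outside interface address.
global (outside) 1 interface
! dmz: lets inside hosts open sessions into the DMZ (question 3c). The identity
! static below takes precedence, so inside hosts keep their real addresses and
! global (dmz) is only the fallback for addresses no static covers.
global (dmz) 1 interface
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
```

The point of trimming outside_in is that an ACL entry for a port without a translation is useless but not harmless: if a static for that port is ever added later, the access is already open. Keeping the ACL and the statics in step is the check to run on every change.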


mcfr6070 (Author) commented:
I have 8 public IPs I can use; can I get 3b to work with that?
lrmoore commented:
Yes, of course..
mcfr6070 (Author) commented:
Should I do a static such as this (for the email server on the inside)?
 static (inside,outside) x.x.x.16 192.168.50.5 netmask 255.255.255.255

Regarding OWA: when the request for OWA comes in, it will hit the IIS server and then be forwarded to the email server. Will I need a static line in order for the request to get to the email server, or will this line do it? Thanks for your help.
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
lrmoore commented:
Yes you need both the static and the corresponding access-list entry.
Does the OWA server redirect the user to the other IP, or just communicate itself with the email server? If it does not redirect, then you need both that static and an access-list applied to the dmz interface...
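
The follow-up case (a dedicated public address for the mail server, and the DMZ web server reaching the mail server on behalf of OWA users), as an added example that is not part of the original thread or of any vendor documentation. It assumes PIX 6.x syntax and uses x.x.x.16, the asker's placeholder, as the spare public address. The port the OWA front end needs to reach the mail server is deployment-specific; tcp/www appears below only as a labelled stand-in. Lines starting with ! are annotations, not commands.

```cisco
! --- Added example: mail server on its own public address, OWA path from the DMZ ---
! With a spare address the inside mail server gets a one-to-one static instead
! of sharing the outside interface. x.x.x.16 is the placeholder from the question.
static (inside,outside) x.x.x.16 192.168.50.5 netmask 255.255.255.255 0

! A static only creates the translation; the ACL on the outside interface decides
! who may use it. Open only what the mail server publishes: SMTP for inbound mail
! and HTTPS for OWA. Port 80 stays with the DMZ web server (its "interface www" static).
access-list outside_in permit tcp any host x.x.x.16 eq smtp
access-list outside_in permit tcp any host x.x.x.16 eq https
access-group outside_in in interface outside

! DNS that matches this: A record for the web site -> outside interface address;
! MX -> a host record that resolves to x.x.x.16.

! OWA front end (172.16.5.2, DMZ) -> mail server (192.168.50.5, inside). The identity
! static makes the inside network reachable from the DMZ under its real addresses;
! dmz_in then permits exactly one DMZ host to exactly one inside host and port.
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
access-list dmz_in permit tcp host 172.16.5.2 host 192.168.50.5 eq www
! ASSUMPTION: "eq www" is a stand-in. Replace it with the port list the mail
! product documents for front-end to back-end traffic; keep it host-to-host rather
! than "permit ip host 172.16.5.2 192.168.50.0 255.255.255.0", so a compromised
! web server cannot reach the domain controller or anything else on the inside.

! Traffic the DMZ server originates to the Internet (DNS lookups, updates).
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
! Everything else from the DMZ, including any other path toward 192.168.50.0/24, is dropped.
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
```

Two things to verify after applying this: that `show xlate` lists the x.x.x.16 translation once a connection has been attempted, and that a connection from 172.16.5.2 to any inside address other than 192.168.50.5 is logged as denied by dmz_in, which confirms the DMZ-to-inside hole is as narrow as intended.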
lrmoore commented:
Any progress? Are you still working on this? Do you need more information?