Pix config question

Posted on 2004-10-21
Last Modified: 2010-04-09
I'm a little confused about how email will reach the email server, which is on the inside interface. Can someone please look at this config and answer the questions below?
Thank you.

1. Which IP will I use to point to my domain (A record at InterNIC)? Is it the public IP of the IIS server, since that is where the website is, or is it the IP of the outside interface on the PIX?
2. How will emails reach the email server since it is on the inside? I'm thinking it's
this*  static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 ?
3. Will this config do the following?
           a.      Access the web server in the DMZ.
           b.      Allow OWA to reach the email server (inside).
           c.      Allow all hosts to access the internet, including the server in the DMZ.

Internet
    |
    |
Router
    |
    |
 Pix------DMZ IIS server and FTP server  172.16.5.0 255.255.255.240
   |
   |
Private Lan (inside) DC with Active Directory and Email server. 192.168.50.0 255.255.255.0


object-group service web_server tcp
      port-object eq www
      port-object eq https
      port-object eq ftp
      port-object eq domain
      port-object eq smtp

access-list outside_in permit tcp any interface outside object-group web_server

access-list dmz_in permit ip host 172.16.5.2 192.168.50.0 255.255.255.0   *gives the DMZ web server unrestricted access to the inside LAN; restrict it to the ports OWA actually needs
access-list dmz_in permit icmp any any   *Testing only
access-list dmz_in permit udp host 172.16.5.2 any eq domain   *typo fixed: the DMZ server is 172.16.5.2 (172.16.5.0/28), not 172.16.50.2
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in permit tcp host 172.16.5.2 eq www any   *not needed: the PIX is stateful, so replies to permitted inbound connections are already allowed
access-list dmz_in permit tcp host 172.16.5.2 eq https any
access-list dmz_in permit tcp host 172.16.5.2 eq ftp any
access-list dmz_in deny ip any any

ip address outside public_ip 255.255.255.240
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.240

global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0   *nat_id 1 added so it pairs with "global (outside) 1"; without it the PIX rejects the line

static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0
static (inside,outside) tcp interface www 192.168.50.5 www netmask 255.255.255.255 0

static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0   *typo fixed (192.1668.50.0)

access-group outside_in in interface outside
access-group dmz_in in interface dmz

route outside 0.0.0.0 0.0.0.0 router_ip 1   *next hop is the upstream router's address (router_ip is a placeholder), not the PIX's own outside interface


 

Question by:mcfr6070
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12377761
If all you have is one public IP assigned to the outside interface, you can't map that to the web server in the dmz.

Change this:
   >static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255

to this:
    static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
    static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255
    static (dmz,outside) tcp interface ftp-data 172.16.5.2 ftp-data netmask 255.255.255.255

Then you can't use this one at the same time:
   >static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0

Do you have another Public IP address other than the interface ip?
If not, then all of your A and MX DNS records have to point to the interface IP address.

#3a, yes
#3b, No because you have port 80 going to the web server in the dmz
for #3c, you need to add:
   nat (dmz) 1 172.16.5.0 255.255.255.240   *corrected from "global (dmz) 1 interface": the DMZ subnet needs a nat entry that pairs with the existing "global (outside) 1"; a global on the dmz interface would only PAT inside hosts onto the dmz address and gives the DMZ server no path out


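The checks behind lrmoore's answer, as an added example that is not part of the original thread or of any Cisco tool: a small Python script that parses the PIX 6.x commands used on this page (ip address, nat, static, access-list, access-group) and reports the mistakes discussed above, namely a full static on the outside interface address, port statics that collide with a full static, one port forwarded to two hosts (the #3b problem), a nat line with no nat_id, an interface with no nat at all (the #3c problem), an ACL source that is not on the interface the ACL is bound to, a blanket permit ip from a DMZ host, and misspelled commands. ORIGINAL reproduces the poster's config with its typos; FIXED is a corrected version that uses one of the eight public addresses per published server, as the follow-up comments suggest. Both are constructed samples: 203.0.113.0/28 (a documentation range) stands in for the public_ip placeholder, and the single https rule from the IIS host to the mail server in FIXED is a placeholder for whatever the OWA front end actually needs.

```python
# Added example (not from the thread or from Cisco): sanity checks for the PIX 6.x lines used above.
import ipaddress
KNOWN = {"ip", "nat", "global", "static", "access-list", "access-group", "route"}

def parse(text):
    cfg = {"ifaces": {}, "nats": [], "statics": [], "acls": [], "groups": {}, "errors": []}
    for raw in text.splitlines():
        t = raw.split("!")[0].split()          # "!" starts a comment here
        if not t:
            continue
        if t[0] not in KNOWN:
            cfg["errors"].append(f"unknown command {t[0]!r}: {raw.strip()}")
        elif t[:2] == ["ip", "address"]:       # ip address IFC addr mask
            cfg["ifaces"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "nat":                    # nat (IFC) nat_id net mask; nat_id None if missing
            cfg["nats"].append((t[1].strip("()"), int(t[2]) if t[2].isdigit() else None))
        elif t[0] == "static":                 # full static, or tcp/udp port static
            p = t[2] in ("tcp", "udp")
            cfg["statics"].append({"mapped_if": t[1].strip("()").split(",")[1],
                                   "proto": t[2] if p else None, "mapped": t[3] if p else t[2],
                                   "port": t[4] if p else None, "real": t[5] if p else t[3]})
        elif t[0] == "access-list":            # name, [permit|deny proto src dst ...]
            cfg["acls"].append((t[1], t[2:]))
        elif t[0] == "access-group":           # access-group NAME in interface IFC
            cfg["groups"][t[4]] = t[1]
    return cfg

def endpoint(t):                               # one ACL address spec: any | host A | interface IFC | net mask
    if t[0] in ("any", "interface"):
        return None, t[1:] if t[0] == "any" else t[2:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def check(text):
    cfg = parse(text)
    issues = list(cfg["errors"])
    if_addrs = {str(i.ip) for i in cfg["ifaces"].values()}
    ip_of = lambda s: str(cfg["ifaces"][s["mapped_if"]].ip) if s["mapped"] == "interface" else s["mapped"]
    full = {ip_of(s) for s in cfg["statics"] if s["proto"] is None}
    seen = {}                                  # (mapped ip, proto, port) -> real host
    for s in cfg["statics"]:
        ip = ip_of(s)
        key = (ip, s["proto"], s["port"])
        if s["proto"] is None and ip in if_addrs:
            issues.append(f"full static on interface address {ip}; use port statics")
        elif s["proto"] and ip in full:
            issues.append(f"port static {s['proto']}/{s['port']} on {ip} conflicts with a full static")
        if s["proto"] and seen.setdefault(key, s["real"]) != s["real"]:
            issues.append(f"{s['proto']}/{s['port']} on {ip} forwarded to both {seen[key]} and {s['real']}")
    issues += [f"nat on {i} has no nat_id (the PIX rejects the line)" for i, n in cfg["nats"] if n is None]
    nat_ifs = {i for i, _ in cfg["nats"]}
    issues += [f"no nat for interface {i}: its hosts get no outbound translation"
               for i in cfg["ifaces"] if i != "outside" and i not in nat_ifs]
    for iface, acl in cfg["groups"].items():   # ACL sources must sit on the bound interface
        net = cfg["ifaces"][iface].network
        for name, t in cfg["acls"]:
            if name != acl or t[0] != "permit":
                continue
            src, rest = endpoint(t[2:])
            if src is not None and not src.subnet_of(net):
                issues.append(f"{acl}: source {src.network_address} is not on {iface} ({net})")
            if t[1] == "ip":                   # whole-protocol permit: too broad for a DMZ host
                issues.append(f"{acl}: permit ip to {endpoint(rest)[0] or 'any'} is broad; limit it to the needed ports")
    return issues

# Constructed samples: 203.0.113.0/28 stands in for the poster's public_ip placeholder.
ORIGINAL = """\
ip address outside 203.0.113.2 255.255.255.240
ip address dmz 172.16.5.1 255.255.255.240
access-list dmz_in permit ip host 172.16.5.2 192.168.50.0 255.255.255.0
aceess-list dmz_in permit icmp any any
access-list dmz_in permit udp host 172.16.50.2 any eq domain
global (outside) 1 interface
nat (inside) 192.168.50.0 255.255.255.0
static (dmz,outside) 203.0.113.2 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
access-group dmz_in in interface dmz
"""
FIXED = """\
ip address outside 203.0.113.2 255.255.255.240
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.240
! one of the poster's eight public addresses per published server, no port statics
static (dmz,outside) 203.0.113.3 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) 203.0.113.4 192.168.50.5 netmask 255.255.255.255 0
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit tcp any host 203.0.113.4 eq smtp
access-list dmz_in permit tcp host 172.16.5.2 host 192.168.50.5 eq https
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 172.16.5.0 255.255.255.240
access-group outside_in in interface outside
access-group dmz_in in interface dmz
"""

if __name__ == "__main__":                     # prints the thread's mistakes, then [] for FIXED
    print(*check(ORIGINAL), check(FIXED), sep="\n")
```

check() returns a list of findings and an empty list for a clean config. The lint is deliberately narrow: it knows nothing about security levels, object-groups or the rest of a real PIX config (add those commands to KNOWN before pasting in a full one), and it only covers the commands and mistakes that appear in this thread.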

Author Comment

by:mcfr6070
ID: 12385111
I have 8 public IPs I can use; can I get 3b to work with that?
LVL 79

Expert Comment

by:lrmoore
ID: 12385139
Yes, of course.

Author Comment

by:mcfr6070
ID: 12385459
Should I do a static such as this (for the email server on the inside)?
 static (inside,outside) x.x.x.16 192.168.50.5 netmask 255.255.255.255

Regarding OWA: when the request for OWA comes in it will hit the IIS server, which will then forward it to the email server. Will I need a static line in order for the request to get to the email server, or will this line do it? Thanks for your help.
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
LVL 79

Expert Comment

by:lrmoore
ID: 12385542
Yes, you need both the static and the corresponding access-list entry.
Does the OWA server redirect the user to the other IP, or just communicate with the email server itself? If it does not redirect, then you need both that static and an access-list applied to the dmz interface...
LVL 79

Expert Comment

by:lrmoore
ID: 12403442
Any progress? Are you still working on this? Do you need more information?