Solved

Pix config question

Posted on 2004-10-21
Last Modified: 2010-04-09
I’m a little confused on how email will reach the email server which is in the inside interface. Can someone please look at this config and answer the questions below?
Thank You.

1. Which IP will I use to point to my domain (A record for InterNIC)? Is it the public IP of the IIS server, since that is where the website is, or is it the IP of the outside interface on the PIX?
2. How will emails reach the email server since it is on the inside? I'm thinking it's this:
   static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 ?
3. Will this config do the following?
   a. Access the web server in the DMZ.
   b. Allow OWA to reach the email server (inside).
   c. Allow all hosts to access the internet, including the server in the DMZ.

Internet
    |
    |
Router
    |
    |
 Pix------DMZ IIS server and FTP server  172.16.5.0 255.255.255.240
   |
   |
Private Lan (inside) DC with Active Directory and Email server. 192.168.50.0 255.255.255.0


object-group service web_server tcp
      port-object eq www
      port-object eq https
      port-object eq ftp
      port-object eq domain
      port-object eq smtp

access-list outside_in permit tcp any interface outside object-group web_server

access-list dmz_in permit ip host 172.16.5.2 192.168.50.0 255.255.255.0
access-list dmz_in permit icmp any any *Testing only
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in permit tcp host 172.16.5.2 eq www any
access-list dmz_in permit tcp host 172.16.5.2 eq https any
access-list dmz_in permit tcp host 172.16.5.2 eq ftp any
access-list dmz_in deny ip any any

ip address outside public_ip 255.255.255.240
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.240

global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0

static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0
static (inside,outside) tcp interface smtp 192.168.50.5 smtp netmask 255.255.255.255 0
static (inside,outside) tcp interface www 192.168.50.5 www netmask 255.255.255.255 0

static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0

access-group outside_in in interface outside
access-group dmz_in in interface dmz

route outside 0 0 public_IP   *outside interface


Question by:mcfr6070
    6 Comments
    LVL 79

    Accepted Solution

    by:
    If all you have is one public IP assigned to the outside interface, you can't map that to the web server in the dmz.

    Change this:
       >static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255

    to this:
        static (dmz,outside) tcp interface www 172.16.5.2 www netmask 255.255.255.255
        static (dmz,outside) tcp interface ftp 172.16.5.2 ftp netmask 255.255.255.255
        static (dmz,outside) tcp interface ftp-data 172.16.5.2 ftp-data netmask 255.255.255.255

    Then you can't use this one at the same time:
       >static (dmz,outside) public_ip 172.16.5.2 netmask 255.255.255.255 0

    Do you have another Public IP address other than the interface ip?
    If not, then all of your A and MX DNS records have to point to the interface IP address.

    #3a, yes
    #3b, No because you have port 80 going to the web server in the dmz
    for #3c, you need to add:
       global (dmz) 1 interface


    Author Comment

    by:mcfr6070
    I have 8 public ips I can use, can i get 3b to work with that?
    LVL 79

    Expert Comment

    by:lrmoore
    Yes, of course..

    Author Comment

    by:mcfr6070
    Should I do a static such as (for the email server in the inside)?
     static (inside,outside) x.x.x.16 192.168.50.5 netmask 255.255.255.255  

    Regarding the OWA, when the request for the OWA comes in it will hit the IIS and then it will forward to the email server. Will I need a static line in order for the request to get to the email server, or will this line do it? Thanks for your help.
    static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0 0
    LVL 79

    Expert Comment

    by:lrmoore
    Yes you need both the static and the corresponding access-list entry.
    Does the OWA server redirect the user to the other IP, or just communicate itself with the email server? If it does not redirect, then you need both that static and an access-list applied to the dmz interface...
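An added worked example, not from mcfr6070's post or lrmoore's replies, of the layout the thread converges on once spare public addresses are available: one public address per published server instead of interface PAT, each with a one-to-one static and a matching access-list entry, plus the nat/global pair that lets the DMZ reach the internet (question 3c). The public block (203.0.113.16/29, RFC 5737 documentation space), the router address, and the ports the OWA front end needs to reach the mail server are all assumptions.

```cisco
! Added example (not the original poster's config). Assumed addressing:
! public block 203.0.113.16/29, router 203.0.113.17, PIX outside 203.0.113.18,
! DMZ web/FTP server published as .19, inside mail server published as .20.
ip address outside 203.0.113.18 255.255.255.248
ip address inside 192.168.50.1 255.255.255.0
ip address dmz 172.16.5.1 255.255.255.240

! Outbound PAT for everything not covered by a static (question 3c):
! both nat lines must carry the same nat_id as the global.
global (outside) 1 interface
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 172.16.5.0 255.255.255.240

! Inside hosts keep their real addresses towards the DMZ (identity static).
static (inside,dmz) 192.168.50.0 192.168.50.0 netmask 255.255.255.0

! One public address per server, so port 80 on the DMZ web server and
! 80/443 (OWA) on the inside mail server no longer compete for the interface IP.
! DNS (question 1): www A record -> 203.0.113.19, MX host A record -> 203.0.113.20.
static (dmz,outside) 203.0.113.19 172.16.5.2 netmask 255.255.255.255
static (inside,outside) 203.0.113.20 192.168.50.5 netmask 255.255.255.255

! Expose only the ports each server actually serves; everything else is dropped.
access-list outside_in permit tcp any host 203.0.113.19 eq www
access-list outside_in permit tcp any host 203.0.113.19 eq ftp
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
access-list outside_in permit tcp any host 203.0.113.20 eq https
access-group outside_in in interface outside

! From the DMZ, allow only what the web server needs: the OWA front end to the
! mail server (ports assumed here: www/https) and DNS/HTTP/HTTPS outbound.
! No "permit ip host ... 192.168.50.0" any more, so a compromised DMZ host
! cannot reach the domain controller on arbitrary ports.
access-list dmz_in permit tcp host 172.16.5.2 host 192.168.50.5 eq www
access-list dmz_in permit tcp host 172.16.5.2 host 192.168.50.5 eq https
access-list dmz_in permit udp host 172.16.5.2 any eq domain
access-list dmz_in permit tcp host 172.16.5.2 any eq www
access-list dmz_in permit tcp host 172.16.5.2 any eq https
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! Default route points at the router, not at the PIX's own outside address.
route outside 0.0.0.0 0.0.0.0 203.0.113.17 1
```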
    LVL 79

    Expert Comment

    by:lrmoore
    Any progress? Are you still working on this? Do you need more information?
