PIX security config: need to add conduit for SMTP from DMZ to INTERNAL

Premise:
• I want to be as secure as possible with this config; advice on getting there further is appreciated.
• This is a FULLY WORKING config for 8 months, it just needs a tweak.
• What this config does: it is a three-port PIX (with DMZ); the DMZ is on 192.168.130.10,
the inside network is 192.168.100.0/24, the outside is the internet provider. As it stands the config is a simple webserver firewall.
• What I need next is for the webserver (the DMZ) to be able to use SMTP to send mail via 192.168.100.10.
• What I would prefer is to allow all traffic with specific ports (SMTP, SNMP, FTP) usable between DMZ and INTERNAL, but still restrict most traffic like NetBIOS, file shares, etc.

Can someone fill in the clues as to how to do this?

PIX Version 7.0(2)
names
name 192.168.130.10 webserver
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address out.out.out.out 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.100.3 255.255.255.0
!
interface Ethernet2
 nameif dmz
 security-level 50
 ip address 192.168.130.1 255.255.255.0
!
enable password hardpassword encrypted
passwd hardpassword encrypted
hostname tmapix
domain-name tma.internal
boot system flash:/pix702.bin
ftp mode passive
access-list webonly extended permit tcp any any eq https
access-list webonly extended permit tcp any any eq www
access-list internal extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) out.out.out.out webserver netmask 255.255.255.255
access-group webonly in interface outside
access-group internal in interface inside
access-group internal in interface dmz
route outside 0.0.0.0 0.0.0.0 gw.gw.gw.gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.5 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
no sysopt connection permit-ipsec
telnet 192.168.100.50 255.255.255.255 inside
telnet 192.168.100.40 255.255.255.255 inside
telnet 192.168.100.93 255.255.255.255 inside
telnet 192.168.100.50 255.255.255.255 dmz
telnet webserver 255.255.255.255 dmz
telnet timeout 20
ssh timeout 5
ssh version 1
console timeout 0
Cryptochecksum:
: end
carl_legere asked:

Keith Alabaster (Enterprise Architect) commented:
You're on version 7, Carl, so I'll have to give this one a miss. I haven't moved on from version 6.3 yet. Sorry. Hopefully Lrmoore or someone will pick this one up shortly.
Keith
0
carl_legere (Author) commented:
Thanks for looking Keith

I upgraded it when I got it because I wanted to play with the new web GUI thing. I'm not into them, but figured it is worth a try. There are probably a couple of lines in the config that the GUI put in that are somewhat unintentional.
0
Keith Alabaster (Enterprise Architect) commented:
I have to say, I wish I could too. I only have a 501 at home and no exposure to 7 at work. Those are all 525Es and 515s, but we still use 6.3(5) there.

I have a CCO though, so I would be happy to see if I can find a list of command changes, if you think that might help?


What is this line doing?
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0

0
carl_legere (Author) commented:
Should be my conduit from DMZ to inside, which then would check the ACL, which is unrestricted, and let DMZ access internal? But it does not.
0
Keith Alabaster (Enterprise Architect) commented:
Wouldn't have thought so :(

Not too sure about having the same access-list on both the internal and the dmz interface either. Using that scenario you are blocking all outgoing from the inside except for that listed in your internal ACL. Was that what you wanted? That same traffic is all that is allowed out of the DMZ interface also.

Anyway, let's try it as if it was 6.3 and see how we get on :)

static (inside,dmz) 192.168.130.14 192.168.100.10 netmask 255.255.255.255 0 0
access-list internal permit tcp any host 192.168.130.14 eq smtp

In theory... this should tell the PIX to ARP for address 192.168.130.14 (as if it was an address on your DMZ LAN) and send it on to 192.168.100.10 through the inside interface. The permit statement should tell it that any SMTP traffic arriving for 192.168.130.14 should be allowed through.

I think you know this already though :)

0
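As an added example that is not from the thread: one way to address both the asker's goal (only SMTP, FTP and similar from the DMZ into the inside network, with NetBIOS and file shares blocked) and Keith's point that the same "internal" ACL is bound to both inside and dmz. It assumes the asker's existing identity static (inside,dmz) 192.168.100.0 192.168.100.0 stays in place so 192.168.100.10 keeps its real address as seen from the DMZ, that 192.168.100.10 is also the FTP server (not stated on the page), and that the webserver is the only DMZ host needing outbound internet.

```cisco
! Added example, not the poster's or Keith's config.
! Give the dmz interface its own least-privilege ACL instead of re-using
! "internal" (permit tcp any any), which is also bound to the inside interface.
!
! Assumptions not stated in the thread:
!  - identity static (inside,dmz) 192.168.100.0 192.168.100.0 remains, so inside
!    hosts are reached by their real addresses from the DMZ
!  - 192.168.100.10 is also the FTP server the webserver needs
!  - only the webserver needs to initiate connections to the internet
!
! Named services from the webserver into the inside network only
access-list dmz_in extended permit tcp host webserver host 192.168.100.10 eq smtp
access-list dmz_in extended permit tcp host webserver host 192.168.100.10 eq ftp
! Add udp snmp / snmptrap lines here only if a specific inside manager needs them
!
! Everything else from the DMZ toward 192.168.100.0/24 is dropped and logged;
! this is what keeps NetBIOS (137-139) and SMB (445) from reaching the inside
access-list dmz_in extended deny ip any 192.168.100.0 255.255.255.0 log
!
! Webserver may still initiate TCP to the internet (same scope as "tcp any any");
! the deny above is evaluated first, so this line never reaches the inside network
access-list dmz_in extended permit tcp host webserver any
!
! Bind the new ACL to dmz; "internal" stays on the inside interface only
no access-group internal in interface dmz
access-group dmz_in in interface dmz
!
! Verify: hit counts show which line each DMZ connection attempt matched
show access-list dmz_in
```

Passive FTP data connections depend on ftp inspection being enabled in the global service policy; without it only the control channel on port 21 is opened by this ACL.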

Keith Alabaster (Enterprise Architect) commented:
PS: Obviously you need to tell your web server to send its mail to the .14 address, lol
0
Keith Alabaster (Enterprise Architect) commented:
How did you get on Carl?
0
Keith Alabaster (Enterprise Architect) commented:
Thanks Carl.

Regards,
Keith
0
carl_legere (Author) commented:
Lost interest.
0
Keith Alabaster (Enterprise Architect) commented:
lol
0