pix security config need to add conduit for SMTP from DMZ to INTERNAL

Posted on 2006-03-24
Last Modified: 2010-04-08
• I want to be as secure as possible with this config, advice in getting there further is appreciated.
• This is a FULLY WORKING config for 8 months, it just needs a tweak.
• What this config does: it is a three-port PIX (with DMZ); the dmz is on
the inside network is, the outside is the internet provider.  As it stands the config is a simple webserver firewall.
• What I need next is for the webserver (the DMZ) to be able to use SMTP to send mail via  
• What I would prefer is to allow all traffic with specific ports, SMTP, SNMP, FTP usable between DMZ and INTERNAL, but still restrict most traffic like Netbios, file shares, etc.

Can someone fill in the clues as to how to do this?

PIX Version 7.0(2)
name webserver
interface Ethernet0
 nameif outside
 security-level 0
 ip address out.out.out.out
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif dmz
 security-level 50
 ip address
enable password hardpassword encrypted
passwd hardpassword encrypted
hostname tmapix
domain-name tma.internal
boot system flash:/pix702.bin
ftp mode passive
access-list webonly extended permit tcp any any eq https
access-list webonly extended permit tcp any any eq www
access-list internal extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,dmz) netmask
static (dmz,outside) out.out.out.out webserver netmask
access-group webonly in interface outside
access-group internal in interface inside
access-group internal in interface dmz
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
no sysopt connection permit-ipsec
telnet inside
telnet inside
telnet inside
telnet dmz
telnet webserver dmz
telnet timeout 20
ssh timeout 5
ssh version 1
console timeout 0
: end
Question by:carl_legere
    LVL 51

    Expert Comment

    by:Keith Alabaster
    You're on version 7, Carl, so I'll have to give this one a miss. I haven't moved on from version 6.3 yet. Sorry. Hopefully Lrmoore or someone will pick this one up shortly.
    LVL 18

    Author Comment

    Thanks for looking Keith

    I upgraded it when I got it because I wanted to play with the new web gui thing.  I'm not into them, but figured it is worth a try.  There are probably a couple of lines in the code that the GUI put in that are somewhat unintentional.
    LVL 51

    Expert Comment

    by:Keith Alabaster
    I have to say, I wish I could too. I only have a 501 at home and no exposure to 7 at work. Those are all 525Es and 515s but we still use 6.3(5) there.

    I have a CCO though so would be happy to see if I can find a list of command changes if you think that might help?

    What is this line doing?
    static (inside,dmz) netmask

    LVL 18

    Author Comment

    Should be my conduit from DMZ to inside, which then would check the ACL, which is unrestricted and let DMZ access internal? But it does not.
    LVL 51

    Accepted Solution

    Wouldn't have thought so :(

    Not too sure about having the same access-list on both the internal and the dmz interface either. Using that scenario you are blocking all outgoing from the inside except for that listed in your internal ACL. Was that what you wanted? That same traffic is all that is allowed out of the DMZ interface also.

    Anyway, let's try it as if it was 6.3 and see how we get on :)

    static (inside,dmz) netmask 0 0
    access-list internal permit tcp any host eq smtp

    In theory.... this should tell the PIX to arp to address (as if it was an address on your DMZ LAN) and send it on to through the inside interface. The permit statement should tell it that any smtp traffic arriving for should be allowed through.

    I think you know this already though :)
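    The following is an added example, not the poster's config and not Keith's lines above. It puts together the two things the thread asks for: a translation so DMZ-to-inside packets get an xlate before the ACL is consulted (the static Keith suggests), and a dedicated dmz-interface ACL that permits only SMTP, FTP and SNMP from the web server to named inside hosts while explicitly blocking NetBIOS/SMB. It is written in PIX 7.0 syntax (extended ACLs). Every address is a constructed placeholder: 192.0.2.0/24 stands in for the DMZ, 198.51.100.0/24 for the inside network, and the .14 mail server, .20 FTP server and .30 SNMP manager are assumed hosts, not values from the page.

```cisco
! Added example for the thread above; PIX 7.0 syntax. Not the poster's config.
! All addresses are constructed placeholders (RFC 5737 ranges), not real values from the page.
names
name 192.0.2.10 webserver
name 198.51.100.14 mailserver
name 198.51.100.20 ftpserver
name 198.51.100.30 snmpmgr

! 1. Translation: without an xlate the PIX drops DMZ->inside packets before it ever
!    evaluates the ACL (the symptom in the thread). An identity static keeps the real
!    inside addresses visible on the DMZ, so the web server talks to .14 directly.
static (inside,dmz) 198.51.100.0 198.51.100.0 netmask 255.255.255.0

! 2. A separate ACL for the dmz interface (do not reuse the inside ACL on both).
!    ACEs are evaluated top-down, first match wins, implicit deny at the end.
!    Block Windows file-sharing ports first so they cannot leave the DMZ in any direction.
access-list dmz_in extended deny tcp any any eq 135
access-list dmz_in extended deny tcp any any eq netbios-ssn
access-list dmz_in extended deny tcp any any eq 445
access-list dmz_in extended deny udp any any range netbios-ns netbios-dgm
! Only the web server, only to the named inside hosts, only the three services asked for.
access-list dmz_in extended permit tcp host webserver host mailserver eq smtp
access-list dmz_in extended permit tcp host webserver host ftpserver eq ftp
access-list dmz_in extended permit udp host webserver host snmpmgr eq snmptrap
! Everything else from the DMZ toward the inside network is dropped and logged.
access-list dmz_in extended deny ip any 198.51.100.0 255.255.255.0 log
! DMZ hosts may still reach the Internet; replies to outside web clients are stateful anyway.
access-list dmz_in extended permit ip any any
access-group dmz_in in interface dmz
```

    Two points about the original config this interacts with: the `internal` ACL applied to the inside interface permits only TCP, so SNMP polls (UDP 161) from an inside manager toward the DMZ need their own `permit udp` line there; and the FTP data channel relies on the `inspect ftp` entry in the PIX 7 default global policy, so that inspection should stay enabled. While tightening things, `snmp-server community public` and `ssh version 1` in the posted config are weak settings worth replacing with a non-default community and `ssh version 2`.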

    LVL 51

    Expert Comment

    by:Keith Alabaster
    PS Obviously you need to tell your web server to send its mail to the .14 address lol
    LVL 51

    Expert Comment

    by:Keith Alabaster
    How did you get on Carl?
    LVL 51

    Expert Comment

    by:Keith Alabaster
    Thanks Carl.

    LVL 18

    Author Comment

    lost interest