PIX security config: need to add conduit for SMTP from DMZ to INTERNAL

Posted on 2006-03-24
Last Modified: 2010-04-08
• I want to be as secure as possible with this config; advice on getting there further is appreciated.
• This is a FULLY WORKING config for 8 months, it just needs a tweak.
• What this config does: it is a three-port PIX (with DMZ). The DMZ is on
the inside network is, the outside is the internet provider. As it stands the config is a simple webserver firewall.
• What I need next is for the webserver (the DMZ) to be able to use SMTP to send mail via  
• What I would prefer is to allow all traffic with specific ports, SMTP, SNMP, FTP usable between DMZ and INTERNAL, but still restrict most traffic like Netbios, file shares, etc.

Can someone fill in the clues as to how to do this?

PIX Version 7.0(2)
name webserver
interface Ethernet0
 nameif outside
 security-level 0
 ip address out.out.out.out
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif dmz
 security-level 50
 ip address
enable password hardpassword encrypted
passwd hardpassword encrypted
hostname tmapix
domain-name tma.internal
boot system flash:/pix702.bin
ftp mode passive
access-list webonly extended permit tcp any any eq https
access-list webonly extended permit tcp any any eq www
access-list internal extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,dmz) netmask
static (dmz,outside) out.out.out.out webserver netmask
access-group webonly in interface outside
access-group internal in interface inside
access-group internal in interface dmz
route outside gw.gw.gw.gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
no sysopt connection permit-ipsec
telnet inside
telnet inside
telnet inside
telnet dmz
telnet webserver dmz
telnet timeout 20
ssh timeout 5
ssh version 1
console timeout 0
: end
Question by:carl_legere

Expert Comment

by:Keith Alabaster
ID: 16294202
You're on version 7, Carl, so I'll have to give this one a miss. I haven't moved on from version 6.3 yet. Sorry. Hopefully Lrmoore or someone will pick this one up shortly.

Author Comment

ID: 16301159
Thanks for looking Keith

I upgraded it when I got it because I wanted to play with the new web gui thing.  I'm not into them, but figured it is worth a try.  There are probably a couple of lines in the code that the GUI put in that are somewhat unintentional.

Expert Comment

by:Keith Alabaster
ID: 16302511
I have to say, I wish I could too. I only have a 501 at home and no exposure to 7 at work. Those are all 525Es and 515s, but we still use 6.3(5) there.

I have a CCO though, so I would be happy to see if I can find a list of command changes if you think that might help?

What is this line doing?
static (inside,dmz) netmask


Author Comment

ID: 16304028
Should be my conduit from DMZ to inside, which then would check the ACL, which is unrestricted, and let DMZ access internal? But it does not.

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 16304632
Wouldn't have thought so :(

Not too sure about having the same access-list on both the internal and the dmz interface either. Using that scenario you are blocking all outgoing from the inside except for that listed in your internal ACL. Was that what you wanted? That same traffic is all that is allowed out of the DMZ interface also.

Anyway, let's try it as if it were 6.3 and see how we get on :)

static (inside,dmz) netmask 0 0
access-list internal permit tcp any host eq smtp

In theory... this should tell the PIX to ARP for address (as if it were an address on your DMZ LAN) and send it on to through the inside interface. The permit statement should tell it that any SMTP traffic arriving for should be allowed through.

I think you know this already though :)

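A caveat on the approach above: the thread's `internal` ACL already begins with `permit tcp any any`, so an SMTP-only permit appended to it never gets to match (first match wins), and because that ACL is TCP-only, any UDP the inside initiates towards the DMZ (SNMP polls included) hits the implicit deny. The PIX 7.0 fragment below is an added example, not the question's config or the accepted answer; it gives the DMZ interface its own explicit allow-list and assumes placeholder addresses (web server 10.0.2.10 on the dmz; mail host 10.0.1.14 and monitoring host 10.0.1.20 on an inside network of 10.0.1.0/24).

```cisco
! Added example (not the thread's config): explicit DMZ-to-inside allow-list.
! Placeholders assumed: webserver 10.0.2.10 (dmz), mailhost 10.0.1.14 and
! nms 10.0.1.20 (inside), inside network 10.0.1.0/24.
names
name 10.0.2.10 webserver
name 10.0.1.14 mailhost
name 10.0.1.20 nms
!
! Identity static: inside hosts keep their real addresses when reached from
! the dmz (the thread's "static (inside,dmz)" line with the mask filled in).
static (inside,dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
!
! Inbound policy on the dmz interface. The PIX evaluates top-down, first
! match wins, and anything unmatched hits the implicit deny at the end.
access-list dmz_in extended permit tcp host webserver host mailhost eq smtp
! SNMP traps from the web server's agent to the inside monitoring host (UDP).
access-list dmz_in extended permit udp host webserver host nms eq snmptrap
! Everything else aimed at the inside network (NetBIOS, SMB, RDP, ...) is
! dropped and logged, so probes from a compromised web server are visible.
access-list dmz_in extended deny ip any 10.0.1.0 255.255.255.0 log
! Placed after the deny so it cannot reach inside hosts: outbound DNS only
! (assumed requirement; replies to Internet web clients are stateful anyway).
access-list dmz_in extended permit udp host webserver any eq domain
! Replaces "access-group internal in interface dmz" for this interface.
access-group dmz_in in interface dmz
!
! Inside -> dmz: FTP to the web server is already covered by the existing
! "permit tcp any any"; UDP SNMP polls are not, so add them explicitly.
access-list internal extended permit udp host nms host webserver eq snmp
```

The mail server on the inside must still accept relay from the web server's address, and `show access-list dmz_in` hit counts plus the logged denies are the quickest way to confirm the policy does what was intended.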

Expert Comment

by:Keith Alabaster
ID: 16304644
PS: Obviously you need to tell your web server to send its mail to the .14 address lol

Expert Comment

by:Keith Alabaster
ID: 16509950
How did you get on Carl?

Expert Comment

by:Keith Alabaster
ID: 16513792
Thanks Carl.


Author Comment

ID: 16514901
lost interest

Expert Comment

by:Keith Alabaster
ID: 16515002
