PIX security config: need to add a conduit for SMTP from DMZ to INTERNAL

• I want to be as secure as possible with this config; advice on getting there further is appreciated.
• This is a FULLY WORKING config (for 8 months); it just needs a tweak.
• What this config does: it is a three-port PIX (with DMZ). The DMZ is on
the inside network is, the outside is the Internet provider. As it stands the config is a simple web server firewall.
• What I need next is for the web server (the DMZ) to be able to use SMTP to send mail via
• What I would prefer is to allow all traffic with specific ports (SMTP, SNMP, FTP) usable between DMZ and INTERNAL, but still restrict most traffic like NetBIOS, file shares, etc.

Can someone fill in the clues as to how to do this?

PIX Version 7.0(2)
name webserver
interface Ethernet0
 nameif outside
 security-level 0
 ip address out.out.out.out
interface Ethernet1
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 nameif dmz
 security-level 50
 ip address
enable password hardpassword encrypted
passwd hardpassword encrypted
hostname tmapix
domain-name tma.internal
boot system flash:/pix702.bin
ftp mode passive
access-list webonly extended permit tcp any any eq https
access-list webonly extended permit tcp any any eq www
access-list internal extended permit tcp any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
monitor-interface outside
monitor-interface inside
monitor-interface dmz
asdm image flash:/asdm-502.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
static (inside,dmz) netmask
static (dmz,outside) out.out.out.out webserver netmask
access-group webonly in interface outside
access-group internal in interface inside
access-group internal in interface dmz
route outside gw.gw.gw.gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
no sysopt connection permit-ipsec
telnet inside
telnet inside
telnet inside
telnet dmz
telnet webserver dmz
telnet timeout 20
ssh timeout 5
ssh version 1
console timeout 0
: end
Keith Alabaster (Enterprise Architect) commented:
You're on version 7, Carl, so I'll have to give this one a miss. I haven't moved on from version 6.3 yet. Sorry. Hopefully Lrmoore or someone will pick this one up shortly.
carl_legere (Author) commented:
Thanks for looking, Keith.

I upgraded it when I got it because I wanted to play with the new web GUI thing. I'm not into them, but figured it was worth a try. There are probably a couple of lines in the config that the GUI put in that are somewhat unintentional.
Keith Alabaster (Enterprise Architect) commented:
I have to say, I wish I could too. I only have a 501 at home and no exposure to 7 at work. Those are all 525Es and 515s, but we still use 6.3(5) there.

I have a CCO though so would be happy to see if I can find a list of command changes if you think that might help?

What is this line doing?
static (inside,dmz) netmask

carl_legere (Author) commented:
It should be my conduit from DMZ to inside, which then would check the ACL, which is unrestricted, and let the DMZ access internal? But it does not.
Keith Alabaster (Enterprise Architect) commented:
Wouldn't have thought so :(

Not too sure about having the same access-list on both the internal and the DMZ interface either. Using that scenario you are blocking all outgoing from the inside except for what is listed in your internal ACL. Was that what you wanted? That same traffic is all that is allowed out of the DMZ interface also.

Anyway, let's try it as if it was 6.3 and see how we get on :)

static (inside,dmz) netmask 0 0
access-list internal permit tcp any host eq smtp

In theory... this should tell the PIX to ARP for address (as if it were an address on your DMZ LAN) and send it on to through the inside interface. The permit statement should tell it that any SMTP traffic arriving for should be allowed through.

I think you know this already though :)


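A worked version of the conduit Keith describes, written in PIX 7.0 syntax. This is an added example, not the poster's config and not Keith's lines. Every address in it is assumed: inside LAN 192.168.1.0/24, inside mail relay 192.168.1.14 (the ".14" host Keith refers to, placed on an assumed network), inside NMS 192.168.1.20, inside FTP server 192.168.1.30, DMZ web server 10.10.10.5. It also replaces the posted `internal` ACL, which permits any TCP from the DMZ to anywhere and is bound to both the inside and the dmz interfaces, with one per interface that allows only the services the question asks for.

```cisco
: Added example for PIX 7.0(2). All addresses are assumed, not the poster's:
: inside LAN 192.168.1.0/24, mail relay 192.168.1.14, NMS 192.168.1.20,
: FTP server 192.168.1.30, DMZ web server 10.10.10.5.
names
name 10.10.10.5 webserver
name 192.168.1.14 mailrelay
name 192.168.1.20 nms
name 192.168.1.30 ftpserver
:
: 1. Identity static so inside addresses are reachable from the DMZ unchanged.
:    With nat-control on (a 6.x upgrade keeps it on), DMZ-to-inside packets
:    without a translation are dropped before any ACL is evaluated. The same
:    static also gives inside hosts their translation toward the DMZ.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
:
: 2. ACL for traffic entering the dmz interface. Because the static is an
:    identity mapping, mapped and real addresses are the same, so the ACL
:    names the inside hosts by their real addresses.
access-list dmz_in extended permit tcp host webserver host mailrelay eq smtp
access-list dmz_in extended permit udp host webserver host nms eq snmptrap
access-list dmz_in extended permit tcp host webserver host ftpserver eq ftp
: Everything else from the DMZ toward the inside LAN (NetBIOS 137-139,
: SMB 445, RPC 135, ...) hits this explicit deny and is logged.
access-list dmz_in extended deny ip any 192.168.1.0 255.255.255.0 log
: The web server may still open its own sessions to the Internet (DNS,
: vendor updates). Remove these two lines if it never needs to.
access-list dmz_in extended permit tcp host webserver any
access-list dmz_in extended permit udp host webserver any eq domain
access-group dmz_in in interface dmz
:
: 3. Inside -> DMZ: only what the inside actually uses on the web server.
:    Without a (dmz,inside) static the web server keeps its real address here.
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host webserver eq www
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host webserver eq https
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host webserver eq ssh
access-list inside_in extended permit udp host nms host webserver eq snmp
access-list inside_in extended deny ip any host webserver log
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
:
: 4. Management-plane items from the posted config worth changing at the
:    same time: SSHv1, Telnet from the DMZ, and the default SNMP community.
ssh version 2
ssh 192.168.1.0 255.255.255.0 inside
clear configure telnet
snmp-server community Str0ng-RO-Community-String
```

After entering the static, run `clear xlate` so translations built under the old configuration do not mask the change, then have the web server connect to port 25 on the mail relay; `show xlate` should show the identity entry and `show access-list dmz_in` should show a hit count on the SMTP line. The SNMP direction is split deliberately: the inside NMS polls the web server (inside_in, UDP 161) and the web server sends traps back (dmz_in, UDP 162), so neither interface needs a blanket SNMP permit.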
Keith Alabaster (Enterprise Architect) commented:
PS: Obviously you need to tell your web server to send its mail to the .14 address, lol.
Keith Alabaster (Enterprise Architect) commented:
How did you get on, Carl?
Keith Alabaster (Enterprise Architect) commented:
Thanks, Carl.

carl_legere (Author) commented:
lost interest