Asked by 999 (Australia)
Configure DMZ for Trend Virus Appliance / MTA for External Access to Web, DNS and forward mail to internal Server

I have a PIX 515 with 3 interfaces, and we have purchased a Trend IMSA Virus Appliance that I have configured in the DMZ. I want this to forward mail to our internal Exchange server on the inside network, and also to allow the Trend appliance on the DMZ web access through the outside interface for pattern updates etc.

I need to have the IP address that is registered with our ISP in the MX record to be used, and not translated or NATed to the Trend box on the DMZ, as it needs to know the source addresses of incoming mail for its reputation checking of those sites. For this I also need this IP to be used as the outgoing IP for mail, and for access to our DNS services hosted at our ISP as well, so we can use DNS for email delivery.

Many thanks, Norm
ASKER CERTIFIED SOLUTION (Les Moore, United States of America; members-only content not shown)

SOLUTION (members-only content not shown)

SOLUTION (members-only content not shown)
999 (ASKER):
Hi guys,

Thanks for the great input. I will work through these and get back to you all asap.

Cheers, Norm
SOLUTION (members-only content not shown)
999 (ASKER):
Thanks for that.

Cheers, Norm
999 (ASKER):
Hi lrmoore,

I am working through your solution, thanks for this, and just have a couple of questions. The first one is that the TRENDIP I am using is just a 172.16.x.x for the Trend appliance, and this appliance has the feature to forward to an internal server. All I have done there is put another STATIC in, from (inside,dmz) EXCHANGEIP EXCHANGEIP, so do I still need the nat (inside) 2 EXCHANGEIP?

Also, is the nat (dmz) 2 TRENDIP used for the web access of the Trend appliance to the outside interface for pattern updates? I can't get this to work at the moment for some reason. Users on the inside don't need access to the Trend appliance, only me, to point a browser to http://TRENDIP:8081/IMSS.html, and this works OK at present.

Last thing, and I think this may be why I cannot get to a web site from the TRENDIP: in the network setup for this unit it wants DNS servers, and it also needs the external DNS servers to check whether the incoming connections from other SMTP servers are valid, so how do I do DNS lookups from the TRENDIP on the DMZ?

Many thanks for your help with this.
Regards, Norm

You have to NAT, you have no choice, but it will work.
static (dmz,outside) tcp MXrecordIP smtp TRENDIP smtp netmask 255.255.255.255
global (outside) 2 <MXrecordIP>
nat (dmz) 2 <TREND IP> 255.255.255.255
nat (inside) 2 <EXCHANGE IP> 255.255.255.255

access-list outside_access_in permit tcp any host <MXrecordIP> eq smtp
access-group outside_access_in in interface outside

Now, assuming that all inside hosts also need to access the Trend appliance:
static (inside,dmz) insideLANsubnet insideLANsubnet netmask 255.255.255.0
access-list dmz_out permit tcp host <TREND IP> any eq www
access-list dmz_out permit tcp host <TREND IP> any eq https
access-list dmz_out permit tcp host <TREND IP> any eq ftp
access-list dmz_out permit udp host <TREND IP> any eq domain
access-list dmz_out permit ip host <TREND IP> insideLANsubnet 255.255.255.0
access-group dmz_out in interface dmz
SOLUTION (members-only content not shown)
999 (ASKER):
I have been playing with this all weekend but am still not much further, and would appreciate some expert eyes to scan my config. If you need more, please let me know:

ip address mailgw 172.16.54.54 255.255.255.0 >> PIX dmz(mailgw) Default GW for TRENDIP

global (outside) 1 203.31.64.70 >> Global for Inside Network
global (outside) 2 203.31.64.24 >> MXIPAddress

nat (inside) 0 access-list bypassingnat >> This is for no nat of IPSec Traffic etc
nat (inside) 2 128.100.1.15 255.255.255.255 0 0 >> This is our internal Exchange IP
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (mailgw) 2 172.16.54.56 255.255.255.255 0 0  >> This is the TRENDIP on dmz(mailgw)

static (mailgw,outside) 203.31.64.24 172.16.54.56 netmask 255.255.255.255 0 0  >> MX to TrendIP Static
static (inside,mailgw) 128.100.1.15 128.100.1.15 netmask 255.255.255.255 0 0 >> Internal Exchange IP

access-list acl_inbound permit tcp any host 203.31.64.24 eq smtp
access-group acl_inbound in interface outside


access-list mailgw_out permit tcp host 172.16.54.56 any eq www
access-list mailgw_out permit tcp host 172.16.54.56 any eq https
access-list mailgw_out permit tcp host 172.16.54.56 any eq ftp
access-list mailgw_out permit udp host 172.16.54.56 any eq domain
access-list mailgw_out permit tcp host 172.16.54.56 any eq smtp
access-group mailgw_out in interface mailgw

Now the TRENDIP (appliance) has a hostname of adc.ourdomain.org.au
and has IP 172.16.54.56/24 with default GW of 172.16.54.54,
DNS of our ISP 203.x.x.x etc., and forwards incoming email to 128.100.1.15 (internal Exchange server), which is the only machine that needs access to the TRENDIP (appliance) on mailgw (dmz).

I manage the TRENDIP (appliance) from a browser on our internal Exchange server
128.100.1.15 and the URL is http://172.16.54.56:8081/IMSS.html. I can get into the
web console and do all the config, but when I try to update the virus engine etc. it just tries for a
few minutes and then comes back with no updates or versions, just "unknown".

I did also test from our perimeter router on the outside interface, doing an inbound email
via telnet, and that worked, but it does not work from my Internet ADSL connection from home; I do not even get the HELO in if I telnet to 203.31.64.24 25 from home, where I am testing this. As I am using 203.31.64.24 as my test MX, once I am happy I can update from the TRENDIP and send inbound mail from the Internet proper via telnet, I will change all references of 203.31.64.24 to x.x.x.54, which is our real MX, then shut down that smarthost and configure our internal Exchange server 128.100.1.15 to forward to [172.16.54.56].

I am just missing something here on a couple of fronts and really appreciate your expert advice.

Many thanks, Norm
SOLUTION (members-only content not shown)
999 (ASKER):
Yes, the 203.31.64.70 is one we have used as the outside IP for years, and 203.31.64.24 is in the same subnet, so I imagine routing to that would not be a problem.

Our external connection is 10 Meg Ethernet and we have a Cisco 2600; the only restrictions on that are IP NBAR for dropping peer-to-peer traffic like Kazaa etc.

It does seem though that there is something in or before our perimeter router that is blocking something, as even a traceroute stops just before our gateway, but maybe ICMP is blocked there. We have no problems getting mail to our live MX IP 203.31.64.54, which is on a multihomed smarthost on a switch on the same segment as our perimeter router, and as mentioned this is the host I will be shutting down, then using this MX IP in place of x.x.x.24 when I get the PIX side of things working.