• Status: Solved

Configure DMZ for Trend Virus Appliance / MTA for External Access to Web, DNS and forward mail to internal Server

I have a PIX 515 with 3 interfaces, and we have purchased a Trend IMSA Virus Appliance that I have configured in the DMZ. I want this to forward mail to our internal Exchange server on the inside network, plus allow the Trend Appliance on the DMZ to get web access to the outside interface for pattern updates etc.

I need to have the IP address that is registered with our ISP with the MX record to be used and not translated or NATed to the Trend box on the DMZ, as it needs to know the source addresses of incoming mail for its reputation checking of those sites. For this I also need this IP to be used as the outgoing IP for mail and for access to our DNS services hosted at our ISP as well, so we can use DNS for email delivery.

Many thanks Norm
6 Solutions
 
lrmooreCommented:
No guarantees, but this might work.
You have to nat, you have no choice, but it will work.
static (dmz,outside) tcp <MXrecordIP> smtp <TREND IP> smtp netmask 255.255.255.255
global (outside) 2 <MXrecordIP>
nat (dmz) 2 <TREND IP> 255.255.255.255
nat (inside) 2 <EXCHANGE IP> 255.255.255.255

access-list outside_access_in permit tcp any host <MXrecordIP> eq smtp
access-group outside_access_in in interface outside

Now, assuming that all inside hosts also need to access the Trend appliance:
static (inside,dmz) insideLANsubnet insideLANsubnet netmask 255.255.255.0
access-list dmz_out permit tcp host <TREND IP> any eq www
access-list dmz_out permit tcp host <TREND IP> any eq https
access-list dmz_out permit tcp host <TREND IP> any eq ftp
access-list dmz_out permit udp host <TREND IP> any eq domain
access-list dmz_out permit ip host <TREND IP> insideLANsubnet
access-group dmz_out in interface dmz
 
rsivanandanCommented:
Since the second paragraph mentions the limitation you want, I would assume you have 2 public IP addresses that can be assigned on the DMZ and directly on the Trend box, and that they are on a separate subnet (which doesn't fall under the same subnet as assigned on the PIX outside interface)?

If that is the case, then here is the config:

From inside to dmz and dmz to outside there doesn't need to be any specific configuration.

OUTSIDE TO DMZ:

static (dmz,outside) <Public_IP_ON_Trend> <Public_IP_ON_Trend> netmask 255.255.255.255

access-list <Outside_In> permit tcp any host <Public_IP_ON_Trend> eq 25

access-group <Outside_In> in interface outside

DMZ to INSIDE :

static (inside,dmz) <Private_IP_ON_Xchange> <Private_IP_ON_Xchange> netmask 255.255.255.255

access-list <DMZ_IN> permit tcp host <Public_IP_ON_Trend> host <Private_IP_ON_Xchange> eq 25

access-group <DMZ_IN> in interface dmz

Cheers,
Rajesh
 
lrmooreCommented:
>For this also I need this IP to be used as the outgoing IP for mail
There's the rub. You can't use the same IP address for outgoing email and have it assigned directly to the server, too.
With my solution, all inbound smtp traffic gets port-forwarded to the Trend filter, and all outbound connections from both systems share that same IP address.

An alternative that can help is to simply have another MX record with a lower priority that points to the current global IP.
 
999Author Commented:
Hi Guys,

Thanks for the great input I will work through these and get back to you all asap.

Cheers Norm
 
lrmooreCommented:
I forgot to add smtp to your dmz acl:
access-list dmz_out permit tcp host <TREND IP> any eq smtp
 
999Author Commented:
Thanks for that..

Cheers Norm
 
999Author Commented:
Hi IrMoore,

I am working through your solution, thanks for this, and just have a couple of questions. The first one is that the TRENDIP I am using is just a 172.16.x.x for the Trend Appliance, and this appliance has the feature to forward to an internal server; all I have done there is put another STATIC in from (inside,dmz) EXCHANGEIP EXCHANGEIP, so do I still need the nat (inside) 2 EXCHANGEIP?

Also, is the nat (dmz) 2 TRENDIP used for the web access of the Trend Appliance to the outside interface for pattern updates? I can't get this to work at the moment for some reason. Users on the inside don't need access to the Trend Appliance, only me, to point a browser to http://TRENDIP:8081/IMSS.html, and this works OK at present.

Last thing, and I think this may be why I cannot get to a web site from the TrendIP: in the network setup for this unit it wants DNS servers, and it also needs the external DNS servers to check whether the incoming connections from other SMTP servers are valid, so how do I do DNS lookups from the TrendIP on the DMZ?

Many thanks for your help with this
Regards, Norm

 
lrmooreCommented:
> put another STATIC in from (inside,dmz) EXCHANGEIP EXCHANGEIP so do I still need the nat (inside) 2 EXCHANGEIP
Yes. The static inside-dmz is only for communications between the Exchangeip and the trendip. ExchangeIP still needs to get natted to the global when it goes outside to send mail.

TrendIP will be natted to global whenever it goes out to the internet for pattern updates or anything else.

There should not be any issue with DNS on the TrendIP. In its TCP/IP configuration, just put public IPs in the DNS entries. Your ISP should have some available, or you can always use 198.6.1.2, 208.67.222.222, 208.67.220.220.

If you apply the ACL as I posted it, to the dmz interface, then you should be able to accomplish all of your goals.
 
999Author Commented:
I have been playing with this all weekend but am still not much further, and would appreciate some expert eyes to scan my config; if you need more please let me know:

ip address mailgw 172.16.54.54 255.255.255.0 >> PIX dmz(mailgw) Default GW for TRENDIP

global (outside) 1 203.31.64.70 >> Global for Inside Network
global (outside) 2 203.31.64.24 >> MXIPAddress

nat (inside) 0 access-list bypassingnat >> This is for no nat of IPSec Traffic etc
nat (inside) 2 128.100.1.15 255.255.255.255 0 0 >> This is our internal Exchange IP
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (mailgw) 2 172.16.54.56 255.255.255.255 0 0  >> This is the TRENDIP on dmz(mailgw)

static (mailgw,outside) 203.31.64.24 172.16.54.56 netmask 255.255.255.255 0 0  >> MX to TrendIP Static
static (inside,mailgw) 128.100.1.15 128.100.1.15 netmask 255.255.255.255 0 0 >> Internal Exchange IP

access-list acl_inbound permit tcp any host 203.31.64.24 eq smtp
access-group acl_inbound in interface outside


access-list mailgw_out permit tcp host 172.16.54.56 any eq www
access-list mailgw_out permit tcp host 172.16.54.56 any eq https
access-list mailgw_out permit tcp host 172.16.54.56 any eq ftp
access-list mailgw_out permit udp host 172.16.54.56 any eq domain
access-list mailgw_out permit tcp host 172.16.54.56 any eq smtp
access-group mailgw_out in interface mailgw

Now the TRENDIP (Appliance) has a hostname of adc.ourdomain.org.au and has an IP of 172.16.54.56 /24 with a default GW of 172.16.54.54, DNS of our ISP 203.x.x.x etc., and forwards incoming email to 128.100.1.15 (Internal Exchange Server), which is the only machine that needs access to the TRENDIP (Appliance) on mailgw(dmz).

I manage the TRENDIP (Appliance) from a browser on our Internal Exchange Server 128.100.1.15, and the URL is http://172.16.54.56:8081/IMSS.html. I can get in to the Web Console and do all the config, but when I try to update the virus engine etc. it just tries for a few minutes and then comes back with no updates or versions, just "unknown".

I did also test from our perimeter router on the outside interface to do an inbound email via Telnet and that worked, but it does not work from my Internet ADSL connection at home, and I do not even get the HELO in if I Telnet to 203.31.64.24 25 from home where I am testing this. I am using 203.31.64.24 as my test MX; once I am happy I can update from the TRENDIP and send inbound mail from the Internet proper via Telnet, I will change all references of 203.31.64.24 to x.x.x.54, which is our real MX, then shut down that Smarthost and configure our Internal Exchange Server 128.100.1.15 to forward to [172.16.54.56].

I am just missing something here on a couple of fronts and really appreciate your expert advice

Many Thanks Norm
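Added check (not from the thread, and not Cisco's or Trend's code): the Python below parses the config Norm posted above into the PIX 6.x rules it represents and, for a given new connection, reports whether the access-list on the ingress interface permits it and which source or destination address it is translated to. The nat (inside) 0 access-list exemption is left out because the model does not handle it; the security levels, the outside test addresses (198.51.100.x and 203.0.113.x, constructed) and the longest-prefix choice between overlapping nat statements are assumptions of the model and are marked as such in the code. lrmoore's port static plus nat/global pair and rsivanandan's identity statics parse the same way, so the variants proposed in this thread can be compared on identical flows.

```python
"""Flow checker for the PIX 6.x commands used in this thread. Added example, not Cisco code."""
import ipaddress
from collections import namedtuple
SECURITY = {"outside": 0, "dmz": 50, "mailgw": 50, "inside": 100}  # assumed; only the order matters
PORTS = {"smtp": 25, "www": 80, "https": 443, "ftp": 21, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Norm's posted config; the 'nat (inside) 0 access-list' exemption is left out (not modeled).
CONFIG = """
global (outside) 1 203.31.64.70 >> Global for Inside Network
global (outside) 2 203.31.64.24 >> MXIPAddress
nat (inside) 2 128.100.1.15 255.255.255.255 0 0 >> internal Exchange IP
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (mailgw) 2 172.16.54.56 255.255.255.255 0 0 >> TRENDIP on dmz(mailgw)
static (mailgw,outside) 203.31.64.24 172.16.54.56 netmask 255.255.255.255 0 0
static (inside,mailgw) 128.100.1.15 128.100.1.15 netmask 255.255.255.255 0 0
access-list acl_inbound permit tcp any host 203.31.64.24 eq smtp
access-group acl_inbound in interface outside
access-list mailgw_out permit tcp host 172.16.54.56 any eq www
access-list mailgw_out permit tcp host 172.16.54.56 any eq https
access-list mailgw_out permit tcp host 172.16.54.56 any eq ftp
access-list mailgw_out permit udp host 172.16.54.56 any eq domain
access-list mailgw_out permit tcp host 172.16.54.56 any eq smtp
access-group mailgw_out in interface mailgw
"""

# gnet/lnet: address(es) on the low-/high-security side; proto,gport,lport only for a port static.
Static = namedtuple("Static", "high low gnet lnet proto gport lport", defaults=(None,) * 3)
Ace = namedtuple("Ace", "action proto src dst dport")   # one access-list entry

def port(tok): return PORTS.get(tok) or int(tok)
def net(ip, mask="32"): return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
def remap(ip, from_net, to_net):   # 1:1 static: keep the host offset, swap the network
    return to_net.network_address + (int(ip) - int(from_net.network_address))

def _addr(t, i):   # 'any' | 'host X' | 'X MASK' at t[i] -> (network, index after it)
    if t[i] == "any":
        return ANY, i + 1
    return (net(t[i + 1]), i + 2) if t[i] == "host" else (net(t[i], t[i + 1]), i + 2)

def parse(config):
    pix = {"statics": [], "nats": {}, "globals": {}, "acls": {}, "groups": {}}
    for raw in config.splitlines():
        t = raw.split(">>")[0].split()          # drop the '>>' annotations
        if not t:
            continue
        if t[0] == "global":
            pix["globals"][(t[1].strip("()"), int(t[2]))] = ipaddress.ip_address(t[3])
        elif t[0] == "nat" and t[3] != "access-list":
            pix["nats"].setdefault(t[1].strip("()"), []).append((int(t[2]), net(t[3], t[4])))
        elif t[0] == "static":
            high, low = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            pix["statics"].append(
                Static(high, low, net(t[3]), net(t[5]), t[2], port(t[4]), port(t[6]))   # port static
                if t[2] in ("tcp", "udp") else Static(high, low, net(t[2], mask), net(t[3], mask)))
        elif t[0] == "access-list":
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            pix["acls"].setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":
            pix["groups"][t[4]] = t[1]
    return pix

def evaluate(pix, src_if, src_ip, dst_if, dst_ip, proto, dport):
    """Fate of a new connection entering src_if: (verdict, (src, dst, dport) after translation)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    inbound = SECURITY[src_if] < SECURITY[dst_if]
    # 1. Ingress ACL (implicit deny), matched on the global address for inbound flows; no ACL: only high -> low.
    name = pix["groups"].get(src_if)
    if name:
        hit = next((a for a in pix["acls"][name] if a.proto in ("ip", proto) and src_ip in a.src
                    and dst_ip in a.dst and a.dport in (None, dport)), None)
        if hit is None or hit.action != "permit":
            return f"denied: no permit in {name}", None
    elif inbound:
        return "denied: low -> high security with no access-list applied", None
    # 2. Translation. Inbound: destination must be the global side of a static on (dst_if,src_if).
    #    Outbound: a 1:1 static on the source wins, else the nat id's global on dst_if (PAT).
    if inbound:
        for s in pix["statics"]:
            if (s.high, s.low) == (dst_if, src_if) and dst_ip in s.gnet and (
                    s.proto is None or (s.proto, s.gport) == (proto, dport)):
                return "permitted", (str(src_ip), str(remap(dst_ip, s.gnet, s.lnet)), s.lport or dport)
        return f"denied: no static on ({dst_if},{src_if}) for {dst_ip}", None
    for s in pix["statics"]:
        if (s.high, s.low) == (src_if, dst_if) and src_ip in s.lnet and s.proto is None:
            return "permitted", (str(remap(src_ip, s.lnet, s.gnet)), str(dst_ip), dport)
    # Model assumption: the most specific (longest prefix) matching nat statement is used.
    cands = [(n.prefixlen, nid) for nid, n in pix["nats"].get(src_if, []) if src_ip in n]
    g = pix["globals"].get((dst_if, max(cands)[1])) if cands else None
    if g is None:
        return f"denied: no nat/global pair for {src_ip} from {src_if} to {dst_if}", None
    return "permitted", (str(g), str(dst_ip), dport)

if __name__ == "__main__":   # inbound mail from a constructed outside address
    print(evaluate(parse(CONFIG), "outside", "198.51.100.9", "mailgw", "203.31.64.24", "tcp", 25))
```

With Norm's config it reports inbound SMTP to 203.31.64.24 landing on 172.16.54.56:25; the Trend box's DNS, HTTP and HTTPS connections leaving as 203.31.64.24 through the 1:1 static (the model applies the static before nat (mailgw) 2 / global 2, so that pair adds nothing here); the Exchange host leaving as 203.31.64.24 and any other inside host as 203.31.64.70; and an inside host other than 128.100.1.15 refused towards the DMZ because it has neither a static (inside,mailgw) entry nor a global on that interface, which is what lrmoore's insideLANsubnet static is for. Anything the perimeter router does in front of the PIX is outside the model.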
 
lrmooreCommented:
global (outside) 1 203.31.64.70 >> 
global (outside) 2 203.31.64.24 >>

Are these two IP addresses within the same mask applied to  your outside interface, and does the ISP route properly to this second IP address? What is your external connection type? T1, DSL, other? If you have T1 and a router, are there any restrictions/acls on it?
 
999Author Commented:
Yes, the 203.31.64.70 is one we have used as the outside IP for years, and 203.31.64.24 is in the same subnet, so I imagine routing to that would not be a problem.

Our external connection is 10Meg Ethernet and we have a Cisco 2600, and the only restrictions on that are IP NBAR for dropping peer-to-peer traffic like Kazza etc.

It does seem though that there is something in or before our perimeter router that is blocking something, as even a traceroute stops just before our gateway, but maybe ICMP is blocked there. We have no problems getting mail to our live MX IP 203.31.64.54, which is on a multihomed Smart Host on a switch on the same segment as our perimeter router, and as mentioned this is the host I will be shutting down and then using this MX IP in place of x.x.x.24 when I get the PIX side of things working.
