I have 2 servers in the DMZ, which are SMTP gateway servers and DNS servers.
I can ping the servers from inside and outside, but I cannot send or receive mail, and I cannot ping anybody from the DMZ by hostname.
If I apply the "dmz_coming_in" access-list, I am getting mails from outside but I cannot ping any host by hostname.
If I remove this "dmz_coming_in" access-list, I can send mail outside and I can ping any host by hostname, but I cannot receive mail from outside.
Please help with this.
My configuration is:
DMZ
206.x.x.128-206.x.x.254
|
|
Inside (170.x.x.x and 10.0.0.) --- Firewall --- 206.x.x.x-206.x.x.126 --- router --- internet
|
|
ISP2 171.x.x.x
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security50
nameif ethernet3 ISP2 security60
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
nameif ethernet6 intf6 security30
nameif ethernet7 failover security15
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pix-1
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit tcp any host 206.X.X.X eq smtp
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit udp any host 206.X.X.X eq domain
access-list outside_access_in permit icmp any any
access-list outside_access_in deny ip any any
access-list dmz_coming_in permit icmp any any
access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq smtp
access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq www
access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq smtp
access-list dmz_coming_in permit tcp host 206.X.X.X host 170.X.X.X eq www
access-list dmz_coming_in permit udp host 206.X.X.X host 170.X.X.X eq domain
access-list dmz_coming_in permit udp host 206.X.X.X host 170.X.X.X eq domain
access-list 101 permit ip 170.x.x.0 255.255.255.0 206.x.x.128 255.255.255.128
pager lines 24
logging on
logging monitor errors
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface ethernet6 auto shutdown
interface ethernet7 100full
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu ISP2 1500
mtu intf4 1500
mtu intf5 1500
mtu intf6 1500
mtu failover 1500
ip address outside 206.X.X.X 255.255.255.128
ip address inside 170.X.X.X 255.255.255.0
ip address DMZ 206.X.X.252 255.255.255.128
ip address ISP2 171.X.X.21 255.255.255.0
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip address intf6 127.0.0.1 255.255.255.255
ip address failover 7.7.7.7 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 206.X.X.X
failover ip address inside 170.X.X.3
failover ip address DMZ 206.X.X.253
failover ip address ISP2 171.X.X.21
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
failover ip address intf6 0.0.0.0
failover ip address failover 7.7.7.8
failover link failover
pdm location 169.x.x.155 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 206.X.X.90-206.X.X.120 netmask 255.255.255.128
global (outside) 1 206.X.X.X
global (DMZ) 1 206.X.X.X-206.X.X.X
nat (inside) 0 access-list 101
nat (inside) 1 1 170.X.X.X 255.255.255.0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (DMZ) 0 206.x.x.128 255.255.255.128 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
static (DMZ,outside) 206.X.X.X 206.X.X.X netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group dmz_coming_in in interface DMZ
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 206.X.X.X
route inside 10.0.0.0 255.0.0.0 170.X.X.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (DMZ) vendor n2h2 host 206.X.X.X port 4005 timeout 5 protocol TCP
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:3d41e9f201f32c7fbe9ac8dbafaf863e
: end
[OK]
Please help, is there anywhere I am doing wrong?
Thanks
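Both symptoms follow from how PIX 6.x evaluates an inbound access-list: once an access-group is bound to the DMZ interface, only its permit lines pass and everything else hits the implicit deny, so the gateways can reach the inside mail server but can no longer send SMTP or recursive DNS to the Internet; with no access-group, the security levels (DMZ 50 > outside 0, but DMZ 50 < inside 100) allow the outbound flows and block the relay to inside. The Python model below is an added example, not part of the post or of Cisco's software; the addresses are constructed stand-ins for the masked 206.X.X.X and 170.X.X.X hosts, and DMZ_ACL_FIXED shows the two permit lines that cover the missing outbound flows.

```python
# Model of PIX 6.x inbound-ACL evaluation, built to reproduce the symptoms above.
PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80}
SECURITY = {"outside": 0, "inside": 100, "DMZ": 50}  # from the nameif lines above
# Constructed stand-ins for the masked 206.X.X.X / 170.X.X.X hosts in the post.
MAILGW, DNSSRV, INT_MAIL = "206.0.0.130", "206.0.0.131", "170.0.0.10"

def _addr(tokens, i):
    """Consume 'any' or 'host A.B.C.D' at tokens[i]; return (spec, next index)."""
    return (tokens[i + 1], i + 2) if tokens[i] == "host" else (tokens[i], i + 1)

def parse_acl(lines):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in lines:
        t = line.split()
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        port = int(PORT_NAMES.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
        rules.append((t[2], t[3], src, dst, port))  # (action, proto, src, dst, port)
    return rules

def permitted(acl, src_if, dst_if, proto, src, dst, port):
    """With an inbound ACL on src_if only its permits pass (implicit deny at the end);
    with no ACL, PIX lets higher-security interfaces talk to lower ones only."""
    if acl is None:
        return SECURITY[src_if] > SECURITY[dst_if]
    for action, p, s, d, pt in acl:  # first match wins
        if p in (proto, "ip") and s in (src, "any") and d in (dst, "any") and pt in (None, port):
            return action == "permit"
    return False

DMZ_ACL_POSTED = [
    "access-list dmz_coming_in permit icmp any any",
    f"access-list dmz_coming_in permit tcp host {MAILGW} host {INT_MAIL} eq smtp",
    f"access-list dmz_coming_in permit udp host {DNSSRV} host {INT_MAIL} eq domain",
]
# Added permits: let the gateways reach the Internet for outbound mail and DNS recursion.
DMZ_ACL_FIXED = DMZ_ACL_POSTED + [
    f"access-list dmz_coming_in permit tcp host {MAILGW} any eq smtp",
    f"access-list dmz_coming_in permit udp host {DNSSRV} any eq domain",
]

def symptoms(acl_lines):
    """The poster's three flows; acl_lines=None means no access-group on DMZ."""
    acl = None if acl_lines is None else parse_acl(acl_lines)
    return {
        "relay_to_inside": permitted(acl, "DMZ", "inside", "tcp", MAILGW, INT_MAIL, 25),
        "send_mail_out": permitted(acl, "DMZ", "outside", "tcp", MAILGW, "198.51.100.25", 25),
        "dns_recursion": permitted(acl, "DMZ", "outside", "udp", DNSSRV, "198.51.100.53", 53),
    }
```

The `any` destinations in the added lines also match inside addresses, so on a real PIX you would place explicit deny entries for the inside network ahead of them to keep DMZ-to-inside traffic limited to the relay paths.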