Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Error Message Help

Status
Not open for further replies.
TalentedFool

TalentedFool

Programmer
Jul 23, 2001
214
GB
Hi,

I'm trying to put an SMTP server in my DMZ 10.200.1.3, I can telnet to the server from inside on port 25 but going from the DMZ to the inside I get the following error

106001: Inbound TCP connection denied from 10.200.1.3/33675 to 172.30.212.99/25 flags SYN on interface intf2


What do I need to put in my configruation to correct this? or do I not want to do this?


Thanks for any help you can give

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
Sort by date Sort by votes
You don´t want to do this ! I had a simlilar problem. The PIX doesn´t allow traffic that comes from the dmz to go to the inside !( exept the traffic that comes from inside)

When you have to let traffic from the dmz to go to the inside , use:" static (inside,dmz) ........"

but thats not very secure

Hope that helps..

Best regards
 
Upvote 0 Downvote
HI.

You can do it like this, but you should be carefull not to allow by mistake unwanted access from dmz to inside:

static (inside,intf2) 10.200.1.99 172.30.212.99
access-list fromdmz permit tcp host 10.200.1.3 host 10.200.1.99 eq smtp
access-list fromdmz permit udp host 10.200.1.3 host DNSSERVER eq 53
access-list fromdmz permit tcp host 10.200.1.3 host DNSSERVER eq 53
access-list fromdmz deny ip any any
access-group fromdmz in interface intf2

You should note that this blocks any other access from intf2, both to the Internet and to the inside. You will probably need to change it a bit to suite your needs.

An alternate and more secure method, is to pull mail instead of pushing - internal server initiates connection to mail relay every X minutes and downloads new pending incoming mail.
This can be done in several different ways, like POP3:
or using ESMTP protocol (but the pix fixup mignt interfer with that).

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Thanks guys

I was only asking for testing purposes so if you recommend that I don't do thats good with me :)

Thanks

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
269
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
311
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
68
tklamb
tklamb
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
89
PauS0n
PauS0n
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
110
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top